75-7240. Executive branch agency heads; responsibilities; reports; training; breach protocol. The executive branch agency heads shall:
(a) Be solely responsible for security of all data and information technology resources under such agency's purview, irrespective of the location of the data or resources. Locations of data may include: (1) Agency sites; (2) agency real property; (3) infrastructure in state data centers; (4) third-party locations; and (5) in transit between locations;
(b) ensure that an agency-wide information security program is in place;
(c) designate an information security officer to administer the agency's information security program that reports directly to executive leadership;
(d) participate in CISO-sponsored statewide cybersecurity program initiatives and services;
(e) implement policies and standards to ensure that all the agency's data and information technology resources are maintained in compliance with applicable state and federal laws and rules and regulations;
(f) implement appropriate cost-effective safeguards to reduce, eliminate or recover from identified threats to data and information technology resources;
(g) include all appropriate cybersecurity requirements in the agency's request for proposal specifications for procuring data and information technology systems and services;
(h) (1) submit a cybersecurity assessment report to the CISO by October 16 of each even-numbered year, including an executive summary of the findings, that assesses the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or the data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, erasure or inappropriate use;
(2) ensure that the agency conducts annual internal assessments of its security program. Internal assessment results shall be considered confidential and shall not be subject to discovery by or release to any person or agency outside of the KISO or CISO. This provision regarding confidentiality shall expire on July 1, 2023, unless the legislature reviews and reenacts such provision pursuant to K.S.A. 45-229, and amendments thereto, prior to July 1, 2023; and
(3) prepare or have prepared a summary of the cybersecurity assessment report required in paragraph (1), excluding information that might put the data or information resources of the agency or its contractors at risk and submit such report to the house of representatives committee on government, technology and security or its successor committee and the senate committee on ways and means;
(i) participate in annual agency leadership training to ensure understanding of: (1) The information and information systems that support the operations and assets of the agency; (2) the potential impact of common types of cyberattacks and data breaches on the agency's operations and assets; (3) how cyberattacks and data breaches on the agency's operations and assets could impact the operations and assets of other governmental entities on the state enterprise network; (4) how cyberattacks and data breaches occur; (5) steps to be undertaken by the executive director or agency head and agency employees to protect their information and information systems; and (6) the annual reporting requirements required of the executive director or agency head; and
(j) ensure that if an agency owns, licenses or maintains computerized data that includes personal information, confidential information or information, the disclosure of which is regulated by law, such agency shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:
(1) Comply with the notification requirements set out in K.S.A. 2018 Supp. 50-7a01 et seq., and amendments thereto, and applicable federal laws and rules and regulations, to the same extent as a person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the breach, suspected breach or unauthorized exposure, notify: (A) The CISO; and (B) if the breach, suspected breach or unauthorized exposure involves election data, the secretary of state.
History: L. 2018, ch. 97, § 5; July 1.
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.