75-7206a. Judicial branch chief information security officer; position established; duties.

574 words·~3 min read·/ks/chapter-75/75-7206a

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a)There is hereby established the position of judicial branch chief information security officer. The judicial chief information security officer shall be in the unclassified service under the Kansas civil service act, shall be appointed by the judicial administrator, subject to approval by the chief justice and shall receive compensation determined by the judicial administrator, subject to approval of the chief justice.

(b)The judicial chief information security officer shall:

(1)Report to the judicial administrator;

(2)establish security standards and policies to protect the branch's information technology systems and infrastructure in accordance with subsection (c);

(3)ensure the confidentiality, availability and integrity of the information transacted, stored or processed in the branch's information technology systems and infrastructure;

(4)develop a centralized cybersecurity protocol for protecting and managing judicial branch information technology assets and infrastructure;

(5)detect and respond to security incidents consistent with information security standards and policies;

(6)be responsible for the cybersecurity of all judicial branch data and information resources;

(7)collaborate with the chief information security officers of the other branches of state government to respond to cybersecurity incidents;

(8)ensure that all justices, judges and judicial branch employees complete cybersecurity awareness training annually and if an employee does not complete the required training, such employee's access to any state-issued hardware or the state network is revoked;

(9)review all contracts related to information technology entered into by a person or entity within the judicial branch to make efforts to reduce the risk of security vulnerabilities within the supply chain or product and ensure each contract contains standard security language; and

(10)coordinate with the United States cybersecurity and infrastructure security agency to perform annual audits of judicial branch agencies for compliance with applicable state and federal laws, rules and regulations and judicial branch policies and standards. The judicial chief information security officer shall make an audit request to such agency annually, regardless of whether or not such agency has the capacity to perform the requested audit.

(c)The judicial chief information security officer shall develop a cybersecurity program of each judicial agency that complies with the national institute of standards and technology cybersecurity framework

(CSF)2.0, as in effect on July 1, 2024. The judicial chief information security officer shall ensure that such programs achieve a CSF tier of 3.0 prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030.

(1)If an audit conducted pursuant to subsection (b)(10) results in a failure, the judicial chief information security officer shall report such failure to the speaker and minority leader of the house of representatives and the president and minority leader of the senate within 30 days of receiving notice of such failure. Such report shall contain a plan to mitigate any security risks identified in the audit. The judicial chief information security officer shall coordinate for an additional audit after the mitigation plan is implemented and report the results of such audit to the speaker and minority leader of the house of representatives and the president and minority leader of the senate.

(2)Results of audits conducted pursuant to subsection (b)(10) and the reports described in subsection (d)(1) shall be confidential and shall not be subject to discovery or disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and amendments thereto.

(e)This section shall expire on July 1, 2026.