ITEC Policy 7300 - Information Technology Security Council Charter

1.0       TITLE: Information Technology Security Council Charter

1.1       EFFECTIVE DATE: January 01, 2020

1.2       REVISED: January 16, 2015

1.3       REVISED: December 10, 2019

1.3       TYPE OF ACTION: Revision

2.0 PURPOSE:

To establish an Information Technology Security Council (ITSC) that is advisory to the Information Technology Executive Council (ITEC).

3.0 ORGANIZATIONS AFFECTED:

All Branches, Boards, Commissions, Departments, Divisions, and Agencies of state government, hereafter referred to as entities.

4.0 REFERENCES:

4.1       K.S.A. 1998 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state entities.

5.0 DEFINITIONS:

5.1       Information Technology (IT) - an inclusive and broad term to address the services and functions commonly associated with information systems and telecommunications.

6.0 POLICY:

6.1       The Information Technology Security Council shall:

6.1.1    Address information technology security issues by providing policy, standards, guidelines, or procedural recommendations to the Information Technology Executive Council.

6.1.2    Provide guidance to state entities on security policies, standards, and guidelines enacted through the Information Technology Executive Council.

6.1.3    Promote security controls for statewide contracts for information technology requirements from suppliers qualified by the Division of Purchases.

6.1.4    Provide guidance to the Kansas Chief Information Technology Architect or designee regarding security aspects of the Kansas Information Technology Architecture.

6.1.5    Promote coordination among state entities for secure integration and use of information technology security.

6.1.6    Address information technology security issues at the request of the ITEC and make recommendations thereon.

7.0 PROCEDURES:

7.1       The ITSC shall be composed of the following voting members:

7.1.1    A representative from the Kansas Information Security Office (KISO).

7.1.2    A representative from the Kansas Adjutant General’s Department.

7.1.3    A representative from the Department of Administration.

7.1.4    A representative from the Kansas Department of Agriculture.

7.1.5    A representative from the Office of the Kansas Attorney General.

7.1.6    A representative from the Kansas Department of Corrections and Institutions.

7.1.7    A representative from the Kansas Department of Health and Environment.

7.1.8    A representative from the Kansas Bureau of Investigation.

7.1.9    A representative from the Judicial Branch.

7.1.10  A representative from the Legislative Branch.

7.1.11  A representative from the Kansas Board of Regents.

7.1.12  A representative from the Kansas Department of Revenue.

7.1.13  A representative from the Kansas Department of Transportation.

7.1.14  A representative from the Kansas Department of Education.

7.1.15  A representative from the Kansas Department for Children and Families.

7.1.16  A representative from the Kansas Department for Aging and Disability Services.

7.1.17  A representative from the Kansas Insurance Department.

7.1.18  A representative from the Secretary of State.

7.1.19  A representative from the State Treasurer.

7.1.20  A representative from the Department of Commerce.

7.1.21  A representative from the Kansas Highway Patrol.

7.1.22  A representative from the Department of Labor.

7.1.23  A representative from the Department of Wildlife, Parks and Tourism.

7.1.24  Four representatives from other state agencies.

State agencies without a voting member will be notified by the security council chair when there is a vacancy in voting membership. The chair of the security council will contact the agency head or their designee. In turn, agencies will notify the security council chair with contact information for potential voting members. The chair is responsible for contacting the state agencies and ensuring these positions are filled within 90 days of a vacancy.

7.1.25 Four representatives from separate regents’ institutions.

The four representatives from separate regents’ institutions will be appointed by the Regents Information Technology Council (RITC). The chair is responsible for contacting RITC and ensuring these positions are filled within 90 days of a vacancy.

7.2       Each entity or group specified in section 7.1 shall appoint as their representative to the ITSC, the persons most qualified to discharge the intent of this charter. Each entity or group is responsible for notifying the Kansas Information Security Office of their designated representative for service on the ITSC.

7.3       The Chair, or if unavailable the Vice Chair, may appoint individuals to provide expertise or serve on subcommittees as needed.

7.4       Chair and Vice Chair of the ITSC will be appointed at the first meeting of the fiscal year through a voting process. The Chair and Vice Chair must be voting members in good standing and must not be a member of KISO.

7.5       Duties of the Chair include, but are not limited to, conducting ITSC meetings, publishing agendas and minutes of the meetings, ensuring membership positions from other state agencies are filled in accordance with 7.1.24, and ensuring membership positions from regents’ institutions are filled in accordance with 7.1.25.

7.6       Duties of the Vice Chair include, but are not limited to, assisting the Chair in fulfilling the purpose of the ITSC, and conducting ITSC meetings in the Chair’s absence.

7.7       For normal business, an affirmative vote from a majority of voting members present is required for passage.

7.8       A quorum is necessary to vote on changes to this Charter and a quorum is defined as a simple majority of all voting members.

7.9       Meetings shall occur at a minimum quarterly and as often as needed.

8.0 RESPONSIBILITIES:

8.1       For administrative purposes, the ITSC will receive staff support from the Kansas Information Security Office.

8.2       The Kansas Information Security Office is responsible for the maintenance of this policy.

9.0 CANCELLATION:

9.1       None.