The Rundown with Kansas Legislative Division of Post Audit

Availability, Cost, and Quality of Centralized IT Security Services [July 2022]

July 20, 2022

The 2018 Kansas Cybersecurity Act created the Kansas Information Security Office (KISO) to reduce state agencies' cybersecurity risk. KISO offers agencies three cybersecurity service levels (basic, intermediate, and advanced) that appear to align with the Cybersecurity Act requirements we could review. However, KISO's services may not have as many effects as the Legislature intended because few agencies use intermediate or advanced services. Agency officials we surveyed had mostly positive opinions about KISO's services, but officials may not always know what their agencies' needs are or what KISO services they receive. That may be because KISO's communication with agencies isn't proactive enough.

KISO is funded through fees it collects from agencies. Its revenues appeared to be less than its costs in fiscal years 2020-2021. But we don't know if KISO's services are cost-effective because of data limitations, and neither do KISO officials or most of the seven agencies we interviewed. KISO officials described steps they take to limit their costs, some of which may have unintended negative effects.

Speaker 1:

Welcome to The Rundown, your source for the latest news and updates from the Kansas Legislative Division of Post Audit, featuring LPA staff talking about recently released audit reports and discussing their main findings, key takeaways, and why it matters. I'm Brad Hoff. In July 2022, LPA released a performance audit examining whether Kansas' centralized cybersecurity services are cost effective and meet statutory requirements and state agencies' needs. I'm with Andy Brienza, principal auditor at Legislative Post Audit, who supervised this audit. Also joining us is Sam Dads, one of the audit team members. Welcome to The Rundown, Andy and Sam.

Speaker 2:

Thanks, Brad. Thanks, Brad.

Speaker 1:

So before we begin discussing the audit's findings, let's talk about the Kansas Cybersecurity Act and the responsibilities the Kansas Information Security Office, otherwise known as KISO, has in helping reduce state agencies' cybersecurity risks.

Speaker 2:

Okay, so the 2018 Kansas Cybersecurity Act created the Kansas Information Security Office, or KISO, as part of the Office of Information Technology Services, or OITS. OITS provides information technology services to Kansas state agencies. This includes things like statewide data center services, the KanWIN telecommunications network, those ks.gov email addresses that state employees use, things like that. So KISO, as part of OITS, is responsible for coordinating cybersecurity services for state agencies. Now, notably, the Cybersecurity Act primarily requires it to facilitate agencies' cybersecurity rather than directly provide a bunch of services. The Cybersecurity Act included 15 requirements for KISO. We outlined them in the report in Figure 1, all the things that they're supposed to do. Some of them are related to providing services to state agencies. Others are sort of generalized responsibilities that go beyond providing specific security services. But agencies are not required to use most of KISO's services. The Cybersecurity Act retained state agencies' responsibility for their own cybersecurity, so it's really up to them whether they decide to use most of KISO's services. A few examples would include providing a cybersecurity training program to state agencies, or helping facilitate agencies' cybersecurity governance, helping them develop compliant cybersecurity programs, things of that nature.

Speaker 1:

The team found that KISO offers agencies three cybersecurity service levels. Talk about what these levels are, how state agencies access them, and how many agencies use each level.

Speaker 2:

So, as you mentioned, KISO organized the services that it provides agencies into three levels. They have technical names, but for the purposes of simplicity, we will call them basic, intermediate, and advanced services. There are 18 basic services that KISO offers to agencies. These actually fall into two different categories: some are automatic and others are opt-in. Eight of them are automatic basic services. As I mentioned earlier, OITS provides centralized IT services to state agencies, things like KanWIN or ks.gov email, and KISO secures those services. So these basic automatic services are focused on securing OITS's services. Agencies may not know they're getting them; they kind of operate in the background. These would be things like suspicious email filtering for the ks.gov email addresses that state employees use. Agencies that use KanWIN can also opt into 10 additional basic services. These don't require contracts or for agencies to pay any more, and they are more focused on securing the agencies and meeting the agencies' needs than the automatic basic services, which, as I mentioned, are focused on securing OITS's services. So these are more tailored to the agencies. They're things like scanning agency systems for vulnerabilities or giving agency staff security awareness training. Okay, so intermediate level services: there are five of those, and agencies can opt into those too. These are generally higher level versions of the basic services; they are tailored to the agency. And one of the critical distinguishing features is that they involve giving KISO some level of control. So KISO might come in and set up and manage a firewall for the agency's system, for example. Agencies that want these services typically have to sign a contract with KISO and pay a little bit more for them. And then finally we have advanced services.

So this is really KISO providing an information security officer to the agency to provide cybersecurity leadership. This is things like developing agency policies that comply with state and federal requirements, some of those governance things that a specialist who knows cybersecurity can do for agencies. And this is also something that agencies generally have to sign a contract for with KISO and pay more for. So, as I mentioned before, agencies don't have to use most of these services. There are about 74 agencies, and 65 of them received at least automatic basic services just because they use KanWIN. But then we see the numbers drop off as we get into the higher level services. Only 15 of 74 agencies had contracts with KISO for intermediate services, and 10 of 74 agencies had contracts with KISO for advanced services, when we reviewed agencies' service usage in February of 2022.

Speaker 1:

Now, while question one of the audit touched upon KISO services' alignment with the Cybersecurity Act, the team's work focused primarily on whether the KISO cybersecurity services actually meet state agencies' needs. How did you approach answering this question?

Speaker 2:

So in order to get at whether KISO services met state agencies' needs, we primarily relied on what state agencies thought about whether KISO's services met their needs. We did this in a couple of different ways. The primary way we got at this was through a survey that Sam's going to talk about in just a minute, but we also talked to the IT leadership from a selection of seven different executive branch agencies. This included agencies that used a lot of KISO services and some that only benefited from a few basic services. We also tried to introduce some variety into our selection in terms of how well the agencies did on LPA cybersecurity audits, in terms of how many cybersecurity control issues they had. And I'll get into that more in a little bit, but we ended up with seven agencies, as I mentioned: the Board of Healing Arts, the Department of Agriculture, the Department of Revenue, the Kansas Public Employees Retirement System, the Racing and Gaming Commission, the Secretary of State's office, and the State Treasurer's office. And of course, everything that they told us was reflective of their opinions and isn't something that we could project to all state agencies or assume that all state agencies would agree with, but it gave us the opportunity to dive into a little bit more detail with the IT leadership in some agencies and sort of supplement what we were hearing in the survey.

Speaker 3:

As Andy had mentioned, we did conduct a survey. For this survey, we surveyed 57 executive branch agency officials whose agencies are on the KanWIN network. Those officials self-identified as the best participants for our survey from their respective agencies. Out of those 57 officials, 50 responded to our survey, for about an 88% response rate. Of those 50 respondents, eight officials work for OITS as part of the state's IT consolidation efforts, and a few agencies also share cybersecurity staff. So those responses may reflect the experiences of the responding officials for all of the agencies they represent. This means that survey responses are not projectable to all state agencies. We asked respondents questions about the types of cybersecurity services their agency consumes from KISO. They were also asked about the quality and the cost effectiveness of those services. The questions consisted of multiple choice and open ended responses, so we could get some additional qualitative context to the quantitative information we were receiving back.

Speaker 1:

So, Sam, you mentioned you had 50 respondents for the survey. What kinds of opinions did the respondents have about KISO based on their survey responses?

Speaker 3:

So respondents generally had positive opinions about KISO's cybersecurity services overall. For example, 34 respondents, which was about 68%, said that KISO provided quality services overall, and 30 respondents, which was about 60%, said KISO services had improved their agency's cybersecurity. But the most positive opinions were expressed about KISO's intermediate and advanced cybersecurity services. For example, 12 respondents, or about 92% of those whose agencies received KISO's advanced services, said those services mostly met or exceeded their agency's needs, while 34 respondents, which was about 68%, said KISO's automatic basic cybersecurity services mostly met or exceeded their agency's needs. However, officials didn't always know their agencies' cybersecurity needs or what cybersecurity services their agencies received from KISO. For example, 11 respondents, or about 22%, didn't know if their agencies had cybersecurity needs KISO wasn't meeting, and 16 respondents, or about 32%, didn't know whether their agency signed contracts for KISO's intermediate cybersecurity services.

Speaker 1:

So, as Andy mentioned, the audit team talked to seven state agencies and their officials. Talk a little bit about how the takeaways from the survey compared to what you learned from talking to officials from those seven state agencies.

Speaker 2:

Yeah. What we heard from the more in-depth conversations we had the chance to have with the seven state agencies we reviewed was pretty similar to what Sam just outlined from the survey. So, for example, officials from five of the seven agencies we reviewed had positive overall opinions of KISO services or staff, and a few of them praised specific things like KISO's vulnerability scanning, their security awareness training, and the quality of their information security officers. We also got the sense that they had limited knowledge about KISO services. For example, three suggested that they may have used more of KISO's services if KISO had made them better aware of those services, suggesting that there's not always a lot of insight into what is out there for agencies to make use of. And then two said they didn't know whether their agency or KISO was responsible for basic tasks, like fixing issues identified by vulnerability scans, which suggests a lack of insight into the services that they are using, how those are supposed to be working, and how to tell if they're working. We also found that two of the seven agencies we reviewed had contracts for intermediate or advanced services, but neither said they used their contracts to ensure that KISO provided the right services. And officials from one agency said that they'd never looked at their contract and weren't sure what their responsibilities were. So again, that suggests that state agencies don't have a lot of insight or may not be fully aware of how the services that they are getting are supposed to work. And actually, contract problems were something we found pretty commonly. We reviewed all 15 agencies' contracts for intermediate services, which is that middle service level.

As I mentioned, 12 agencies had contracts with errors like incorrect billing practices, or the wrong service provider or agency receiving services being identified, which suggests again that neither the agencies nor KISO were really reviewing these contracts and using them to determine whether the agreed-upon services were being provided as they were supposed to be.

Speaker 1:

Now, as part of fieldwork, the audit team also looked at the results from previous LPA cybersecurity audits of the seven selected agencies, and in doing so concluded that using KISO services doesn't automatically correspond to better audit results. Explain why that is.

Speaker 2:

So as a little bit of context, state law gives our office the authority to audit agencies' cybersecurity controls. I mentioned this very briefly before. What we do is we have a cybersecurity audit team that reviews whether agencies have the controls in place that allow them to meet state requirements and best practices. So we looked at the most recent LPA cybersecurity audit results for the seven agencies that we reviewed, and we honed in on three particular areas that we thought aligned closely with KISO's basic and intermediate services. The cybersecurity audit team reviews a lot of areas; not all of them are specifically related to things that KISO's services would help improve, but we thought these three gave us the opportunity to see how well KISO services were improving the audit outcomes for these seven agencies. And we found that the agencies using KISO services did not always have better audit outcomes than non-users. So I'll give you an example. Vulnerability scanning is one of the areas that our cybersecurity audit team looks at, and it's a service that KISO provides to agencies. Three of the seven that we reviewed used KISO's vulnerability scanning. Our cybersecurity auditors found that two of those three agencies had significant control issues in this area, and that's the worst category that an agency can fall into in these LPA cybersecurity audits, and one had major control issues, which is the second worst. By contrast, four agencies didn't use KISO scanning, and although two also had significant control issues, one had minor issues in this area and one had none. So as you can see, the performance of the agencies that were not using KISO services in this area was overall better than the KISO service users'. And this was fairly consistent across the services that we looked at.

And in talking to the agencies whose audits we reviewed, we found that, you know, the agencies that were more actively engaged in their cybersecurity seemed to have the fewest issues. Officials from those agencies indicated that they performed best, and they really understood KISO's and their own roles in ensuring KISO's services worked. Because even when an agency uses one of KISO's services, the agency still has a role to play in ensuring the services work as expected, that they are indeed performing as they're supposed to, and that they are achieving the level of cybersecurity that they should be.

Speaker 1:

In reading the report, it looked like the team concluded that some of the issues identified through the survey and the review of the seven selected agencies ultimately stemmed from KISO's communication practices. Talk about this conclusion in more detail, the recommendation that came out of it, and how KISO responded to the recommendation.

Speaker 3:

From the survey we gathered that agencies may have a limited awareness of KISO's cybersecurity services. To give you an example, 21 respondents, which was about 42%, didn't know that KISO published a service catalog that outlines the cybersecurity services that they offer to agencies. Also, when we asked respondents what would cause their agencies to enroll in KISO's optional basic cybersecurity services that their agencies don't currently use, the most frequent responses we received were that they would like better education about the services and they would like to have greater awareness of those services. Additionally, some respondents also told us that they're not cybersecurity experts and that it's difficult for them to understand cybersecurity requirements. And I think this ties into what Andy was saying about agencies understanding their roles and the roles of KISO in terms of meeting the agency's cybersecurity needs. Some officials responded that they would like more guidance from KISO about cybersecurity best practices and things like trusted applications that they can use in their own environments. What this means is that non-experts are relying on KISO to distill complex cybersecurity topics into something that laypersons can understand and implement.

Speaker 2:

And so, based on the survey results that Sam just mentioned, and our conversations with the officials from the seven agencies we selected for review, our recommendation to KISO was that they should more actively educate state agencies about cybersecurity and KISO's available services. KISO officials agreed that they could communicate better. They said that more proactive agency education and communication may help agencies understand cybersecurity, why it's important, what services are available through KISO, how they're supposed to work, and what agencies would get from them. And they said that they're working toward more regular contact with agency officials through things like trainings, meetings, and regular information bulletins. And ultimately they said they'd like to hire a public information officer who is focused on more proactively educating and communicating with agency officials about KISO and its services.

Speaker 1:

Now, there was a second question in the audit that the team was trying to answer, and that was whether KISO services are cost effective. However, there were data limitations that LPA ran up against, and as a result, LPA in the report basically says, you know, we can't say one way or the other whether these services are cost effective. Talk a little bit about what these data limitations were.

Speaker 2:

In order to answer the second question, which is about whether KISO services are cost effective, we needed to understand how much they cost KISO to provide, and then also, of course, how much they would cost agencies to pay for them. KISO is a fee-funded agency. It doesn't receive an appropriation, and because of that, it charges agencies for all of the services that it provides them. That's how it funds those services and its general operations. But although we could tell overall how much KISO is spending to provide services and how much it is receiving in fees from agencies, we couldn't tell how much KISO spends on each individual service, which was an important part of determining whether the services are cost effective. And there were two reasons for this. The first one is that KISO doesn't track how much it costs to provide each individual service, because its staff, software, and tools support multiple services and service levels. As an example of this, KISO officials said that they use the same staff and tools to provide both basic and intermediate level services, and it wouldn't be feasible to divide up, for example, an individual software license and determine how much of that individual license each of KISO's services that use the license is responsible for, and then identify that as one of the costs of each individual service. The other thing is that KISO doesn't track how much it costs to provide cybersecurity for each of OITS's services. As I mentioned towards the beginning, OITS provides centralized IT services like the KanWIN statewide telecommunications network, ks.gov email, or the statewide data center, and KISO secures them. But KISO's security efforts for these services are also shared. For instance, KISO staff may work on securing multiple OITS services. Now, KISO estimates how much of its costs come from securing each of OITS's services,

and they use that to decide how much to charge for each service, but they're not sure exactly how accurate those estimates are, partially because KISO just switched to this method of determining its costs and its agency fees starting in fiscal year 2021. So the data for the OITS services is very new, and it's too early to tell whether those estimates are accurate.

Speaker 1:

Now, while there were these data limitations, you did collect some information via the survey about KISO's cost effectiveness. So what did survey respondents and officials from your seven selected agencies say about KISO's cost effectiveness?

Speaker 3:

So, like KISO's cybersecurity services, survey respondents generally had positive opinions about KISO's cost effectiveness, and their opinions were more positive about the cost effectiveness of KISO's intermediate and advanced cybersecurity services. For example, of the agencies using KISO's intermediate services, 10 respondents, or about 71%, said those services were cost effective and reasonably priced. But survey respondents may not be knowledgeable about KISO's cybersecurity pricing. We got feedback from the qualitative portions of the survey where one respondent told us that they couldn't tell if the basic services are cost effective, because KISO's basic service costs are bundled into OITS service fees. And another respondent said they don't have anything to compare KISO's rates against to know if KISO's services are cost effective.

Speaker 2:

Some of the things we heard from the seven agencies that we talked to in greater detail also supported the idea that agency officials don't always have great insight into the cost effectiveness of KISO services. Officials from five of the seven agencies we reviewed said they couldn't comment on the cost effectiveness of KISO services. Two of the seven, though, thought KISO services were reasonably priced, so they had positive things to say about KISO services. One said KISO charged fees that were similar to those of other service providers, and the other said that they would have to pay more to get some of the basic services that KISO provides them.

Speaker 1:

Finally, what's the main takeaway of this audit report?

Speaker 2:

I think the main takeaway is that although the Legislature passed the Cybersecurity Act in 2018 to help improve executive branch agencies' cybersecurity by creating a centralized cybersecurity office in the form of KISO, it's not clear whether this is happening to the extent that the Legislature intended. The Kansas Cybersecurity Act retained agencies' responsibility for their own cybersecurity and gave them the option to use KISO services or not. And as we've seen, a lot of agencies don't, most agencies in fact don't, use those intermediate and advanced services, which are important parts of how KISO meets its obligations under the Kansas Cybersecurity Act. KISO officials told us that in order for agencies to have the most robust cybersecurity posture, it would be best for them to use all three levels, because then every element of the Cybersecurity Act would be addressed. But that's not happening, and this seems to be because agency officials don't always have great insight into cybersecurity, what KISO offers, and why it's important to use. And so in order for the Kansas Cybersecurity Act to have the intended effect, and for KISO to do as much as it could do in order to secure state agencies in Kansas, better communication from KISO about these issues and greater agency use of its services is probably required.

Speaker 1:

Andy Brienza is a principal auditor and Sam Dads is an auditor at Legislative Post Audit. They worked on a performance audit examining Kansas' centralized cybersecurity services. Thanks for joining me today, Andy and Sam.

Speaker 2:

Thanks, Brad. Thank you, Brad.

Speaker 1:

Thank you for listening to The Rundown. To receive newly released podcasts, subscribe to us on Spotify or Apple Podcasts. For more information about Legislative Post Audit and to read our audit reports, visit kslpa.org. Follow us on Twitter at K audit or visit our Facebook page.