Kansas Cybersecurity Audit
| Submitted | Aug. 5, 2016 |
MuckRock users can file, duplicate, track, and share public records requests like this one. Learn more.
Communications
From: Alex Koma
To Whom It May Concern:
Pursuant to the Kansas Open Records Act (K.S.A. 45-215), I hereby request the following records:
Any overview of the results of the most recent cybersecurity audit or risk assessment conducted by the Office of Information Technology Services, or by a third party on behalf of the office.
The requested documents will be made available to the general public, and this request is not being made for commercial purposes.
In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.
I recognize that these types of documents contain sensitive information about the state's networks, and could be subject to an exemption to protect public safety. However, I'm not looking for specific details on the networks or their vulnerabilities, merely any summaries or aggregated data produced for the state to get an overall picture of cybersecurity concerns.
Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 3 business days, as the statute requires.
Sincerely,
Alex Koma
From: MuckRock.com
To Whom It May Concern:
I wanted to follow up on the following Freedom of Information request, copied below, and originally submitted on Aug. 5, 2016. Please let me know when I can expect to receive a response, or if further clarification is needed.
Thanks for your help, and let me know if further clarification is needed.
From: Todd Fertig
I am following up a message I just sent in response to a request for information from the Kansas Department for Children and Families.
I would like to have confirmation that my message made it to the right person, and I would like to communicate via email to clarify the request.
Please respond. Thank you!
Todd Fertig
Public Information Officer
Kansas Department for Children and Families
785-368-6613
-
image001
From: Todd Fertig
August 10, 2016
Alex Koma
Muckrock
Dept. MR 27268
411A Highland Ave.
Somerville, MA 02144-2516
requests@muckrock.com<mailto:requests@muckrock.com>
Alex,
I am writing to advise you that the Kansas Department for Children and Families (DCF) received your faxed request on August 5, 2016, for the results of the most recent cybersecurity audit or risk assessment conducted by the Office of Information Technology Services.
In accordance with K.S.A. 45-218 (d), we have begun the process of determining if we possess any public records meeting the terms of your request and how best to proceed. Soon we will provide you with one or more of the following:
1. Copies of the requested public records.
2. A statement concerning our inability to locate any public records meeting the terms of your request.
3. A request for clarification concerning the types of records or information you are seeking.
4. Record requests that can be provided with less than one hour of staff time or less than 25 pages will be provided at no charge. If we determine that our office possesses the public records you request, but are voluminous, difficult to locate, and/or contain information that may include open and closed information, we will provide you with a written estimate of the fees that we will require be pre-paid in order to pay for the actual costs associated with (a) locating and/or retrieving the public records from storage, (b) staff time spent in assisting with making copies of the records, including staff time spent examining the records for possible closure and/or redaction, and (c) copying and mailing the requested public records.
* For requests that exceed one hour of staff time or more than 25 pages, the following rates shall apply:
* Copies, 25 cents per page; mailing, 50 cents for the first five pages, 25 cents for additional five-page increments; fax, 65 cents per 10 pages
* Staff time will be charged at the rate of pay for each person whose time is used in order to assist and/or respond to a specific request. This may include the time spent to access records maintained on computer facilities, review records to determine whether closure exceptions apply and /or to redact open from closed information. For the purpose of transparency, our rates are as follows: general staff time will be charged at $20 per hour, legal and information technology (IT) services will be charged at $38 per hour.
* Additional fees may be assessed if any other costs are incurred by DCF in connection with complying with a record request. DCF will provide an estimate of the fees which shall be paid prior to the department gathering the records. In order to ensure payment, the final cost of providing access to or furnishing copies must be paid before the records are provided. If the final cost is less than the estimate, the requestor will be reimbursed for the difference.
5. If we determine that we do possess the records, but that the records are closed by law, we will provide you with that information with a written citation to the laws allowing or requiring that type of public record to be closed.
We will respond as soon as possible to your Kansas Open Records Act Request. Please feel free to contact me with any questions.
Sincerely,
[cid:image001.png@01D1F312.0562FFB0]
Theresa Freed
Director of Communications
Kansas Department for Children and Families
785-296-0537
Todd Fertig
Public Information Officer
Kansas Department for Children and Families
785-368-6613
-
image001
From: Alex Koma
Hi Todd
Thanks so much for following up. You can reach me at alex.koma@statescoop.com if you need to clarify anything.
Reach out any time.
Alex Koma
From: Todd Fertig
August 15, 2016
Alex Koma
Muckrock
Dept. MR 27268
411A Highland Ave.
Somerville, MA 02144-2516
requests@muckrock.com<mailto:requests@muckrock.com>
Dear Mr. Koma,
I am writing on behalf of the Kansas Department for Children and Families (DCF) in regards to your KORA request of Aug. 5, 2016, for "[a]ny overview of the results of the most recent cybersecurity audit or risk assessment conducted by the Office of Information Technology Services, or by a third party on behalf of the office."
Although you state that you are not looking for specific details on the networks or their vulnerabilities, you acknowledge that there may be exemptions that allow the agency not to disclose such information. You further state that the information will be made available to the general public. DCF is not required to disclose such information pursuant to K.S.A. 45-221, entitled "Certain records not required to be open; separation of open and closed information required; statistics and records over 70 years old open," subsections (a)(12) and (45), which state:
(a) Except to the extent disclosure is otherwise required by law, a public agency shall not be required to disclose:
...
(12) Records of emergency or security information or procedures of a public agency, or plans, drawings, specifications or related information for any building or facility which is used for purposes requiring security measures in or around the building or facility or which is used for the generation or transmission of power, water, fuels or communications, if disclosure would jeopardize security of the public agency, building or facility.
...
(45) Records, other than criminal investigation records, the disclosure of which would pose a substantial likelihood of revealing security measures that protect: (A) Systems, facilities or equipment used in the production, transmission or distribution of energy, water or communications services; (B) transportation and sewer or wastewater treatment systems, facilities or equipment; or (C) private property or persons, if the records are submitted to the agency. For purposes of this paragraph, security means measures that protect against criminal acts intended to intimidate or coerce the civilian population, influence government policy by intimidation or coercion or to affect the operation of government by disruption of public services, mass destruction, assassination or kidnapping. Security measures include, but are not limited to, intelligence information, tactical plans, resource deployment and vulnerability assessments.
Furthermore, the Kansas Legislative Post Audit Committee also has recommended, as a standard, the withholding of such information pursuant to K.S.A. 45-221(a)(45).
For the reasons stated above, we respectfully decline to disclose the information requested.
Please feel free to contact me with any questions.
Sincerely,
[cid:image001.png@01D1F70B.8F43EF30]
Theresa Freed
Director of Communications
Kansas Department for Children and Families
785-296-0537
Todd Fertig
Public Information Officer
Kansas Department for Children and Families
785-368-6613
-
image001
Files
pages