Chapter 22I — OFFICE OF CYBER SECURITY AND DUTIES OF THE CHIEF INFORMATION SECURITY…

San Francisco Administrative Code · edición 2025 · actualizado 2026-07-08 · San Francisco

Esta sección aún no está traducida y se muestra en inglés.

Sec. 22I.1. Findings.

Sec. 22I.2. Purpose of Chapter.

Sec. 22I.3. Definitions.

Sec. 22I.4. Office of Cyber Security.

Sec. 22I.5. City Chief Information Security Officer.

Sec. 22I.6. City Departments.

SEC. 22I.1. FINDINGS.

Esta sección aún no está traducida y se muestra en inglés.

On June 4, 2021, Mayor London Breed issued Executive Directive No. 21-02, announcing that protecting the City’s technology and information is vital to the proper functioning of the City and the ability of City departments and personnel to serve residents. In order to further the protection of City assets, the prevention, detection, and remediation of cyber-related incidents is a top priority of the City and essential to the security of San Francisco government and its residents. In the directive, the Mayor directed the City’s Chief Information Officer and the City Administrator to recommend changes to the Administrative Code to formalize and strengthen the City’s cyber security functions and programs.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

SEC. 22I.2. PURPOSE OF CHAPTER.

Esta sección aún no está traducida y se muestra en inglés.

(a) The purpose of this Chapter 22I is to strengthen and coordinate the City’s security of information resources. The creation of the Office of Cyber Security will improve the City’s information security by doing the following:

(1) ensure coordination of City Departments’ response to cyber security threats;

(2) identify primary responsibility for the City’s response during emergencies caused by cyber security attacks;

(3) share best information security practices, procedures, and requirements with City Departments;

(4) provide review of proposed technology purchases by City Departments to address cyber security risks during procurement; and

(5) avoid uncoordinated and duplicative information or system security purchases by City Departments when such technology can be more effectively purchased as part of a coordinated City effort for maximum cost effectiveness and use.

(b) In enacting and implementing this Chapter 22I, the City is assuming an undertaking only to promote the general welfare. It is not assuming, nor is it imposing on its officers and employees, an obligation for breach of which it is liable in money damages to any person who claims that such breach proximately caused injury.

(c) Municipal Transportation Agency. Consistent with Charter Section 8A.101(d), the Municipal Transportation Agency shall comply with the provisions of this Chapter 22I and shall be solely responsible for its administration and enforcement with respect to matters within the Municipal Transportation Agency’s jurisdiction. The Municipal Transportation Agency Board of Directors shall provide the City Administrator with an annual report of reported incidents and its compliance with the established City information security standard.

(d) Public Utilities Commission. Consistent with Charter Section 8B.121(a), the Public Utilities Commission shall comply with the provisions of this Chapter 22I and shall be solely responsible for its administration and enforcement with respect to matters within the Public Utilities Commission’s jurisdiction. The Public Utilities Commission shall provide the City Administrator with an annual report of reported incidents and its compliance with the established City information security standard.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

SESC. 22I.3. DEFINITIONS.

For purposes of this Chapter 22I, the following definitions shall apply:

“City” means the City and County of San Francisco and all of its units or components of government.

“Chief Information Officer” means the Chief Information Officer for the City appointed pursuant to Administrative Code Section 22A.4.

“City Department” means any unit or component of City government, including but not limited to named departments, boards and commissions, offices, agencies, and officials.

“Committee on Information Technology” or “COIT” means the committee established in Administrative Code Section 22A.3.

“Information and Communications Technology” or “ICT” means information and communications technology and computer-based equipment and related services designed for the storage, manipulation, and retrieval of data by electronic or mechanical means, or both.

“Information Resources” means Information and Communications Technology operated by or for the City, including equipment, facilities, systems, applications, and cloud services that relate directly to data processing equipment or services which are directly managed by various departmental divisions for Management Information Systems (MIS), including but not limited to, the Controller’s Information Services Division (ISD), the Airport’s MIS Division, the Public Utilities Commission’s Bureau of MIS, and the Department of Public Health’s MIS.

“Information Security Standards” means standard requirements created by the Chief Information Security Officer for the protection and resiliency of the City’s information resources.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

SEC. 22I.4. OFFICE OF CYBER SECURITY.

Esta sección aún no está traducida y se muestra en inglés.

(a) Establishment. The Office of Cyber Security is hereby created within the Department of Technology and shall be headed by the Chief Information Security Officer and staffed by such officers and employees as are authorized pursuant to the budgetary and fiscal provisions of the Charter.

(b) Mission and Purposes. The Office of Cyber Security shall have these missions and purposes:

(1) Advising the Mayor, the Board of Supervisors, the City Administrator, the City Chief Information Officer, and City Departments regarding information security for City Departments.

(2) Advising the Committee on Information Technology (COIT) on compliance with adopted information security standards, policies, and funding plans, and serving as a permanent member of COIT.

(3) Protecting City-connected technology and information resources.

(4) Continuously improving the City’s ability to detect cyber security events, contain and eradicate compromises to security, and restore information resources to a secure and operational status.

(5) Evaluating technology vendors and partners to identify cyber security risks to City operations.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

SEC. 22I.5. CITY CHIEF INFORMATION SECURITY OFFICER.

Esta sección aún no está traducida y se muestra en inglés.

(a) Establishment of Position. There is hereby created the position of Chief Information Security Officer (CISO) for the City and County of San Francisco. The CISO shall:

(1) Be appointed by the Chief Information Officer following consultation with the City Administrator.

(2) Serve as a permanent member of COIT with the authority and responsibility to develop information security recommendations and implement COIT information security standards, policies, and procedures for all City Departments.

(3) Head the Office of Cyber Security.

(b) Purpose and Duties. The CISO’s duties shall include, but are not limited to the following:

(1) Develop and maintain a centralized cyber security detection, response, and recovery program, tools and operational capability for preventing and responding to compromises of City information resources for City Departments.

(2) Develop and maintain training, tools, and operational capability to minimize cyber security vulnerabilities of City information resources for City Departments.

(3) Provide a citywide information security standard to reduce the risk of compromise to the City’s information resources, including but not limited to receiving and responding to security incidents from City Departments, and mitigating the risks to City information resources.

(4) Conduct risk-based assessment of new vendor technologies or technology-related services during the procurement process.

(5) Support City Departments’ cyber emergency exercises and conduct periodic citywide cyber security emergency exercises with City Departments.

(6) Test cyber security preparedness of City Departments on a regular basis.

(7) Work with City Departments through the designated Departmental Information Security Officers to reduce the City’s risk to cyber security incidents.

(8) Develop and update citywide cyber security requirements to mitigate the City’s risk profile, and comply with legal and regulatory cyber security requirements.

(9) Support City Departments’ implementation of the City’s information security standards.

(10) Provide the Mayor and City Administrator with an annual report of reported incidents and each City Department’s compliance with the established City information security standard.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

SEC. 22I.6. CITY DEPARTMENTS.

Esta sección aún no está traducida y se muestra en inglés.

(a) City Departments. Each City Department, (“Department”) shall:

(1) Appoint a Departmental Information Security Officer (DISO) to coordinate cyber security efforts with the CISO.

(2) Adopt the City’s information security standard for reducing the risk of compromise to the City’s information resources as a basis of their Department’s cyber security program.

(3) Consult with the Office of Cyber Security to evaluate cyber security risk prior to initiating new information technology projects, implementing major changes to information systems, or selecting vendors of technologies or vendors providing technology-related services.

(4) Support cyber incident response in accordance with the then-existing San Francisco Unified Cyber Command Plan.

(5) Conduct and update a Department cyber security risk assessment based on standards established by the Office of Cyber Security.

(6) Test and update the Department’s cyber security emergency response plan based on standards established by the Office of Cyber Security.

(7) Maintain Department cyber security requirements that are equivalent to or greater than the citywide information security standards and provide non-standard Department requirements to the Office of Information Security.

(8) Participate in citywide cyber security forum meetings organized by the Office of Cyber Security.

(b) Given the broad definition of “City Department” under Section 22I.3, and the wide range of sizes of City Departments, the requirement in subsection (a), above, that each City Department appoint a DISO shall not be understood to preclude the same person from serving as DISO for more than one City Department, nor preclude the DISO for a City Department from having other responsibilities.

(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)

GoCodebook ofrece acceso público limitado, búsqueda, citas, explicación multilingüe e interpretación práctica de normas de construcción legalmente adoptadas. No sustituye a las publicaciones oficiales del ICC ni de los códigos de California.