Findings.
Purpose of Chapter.
Definitions.
Office of Cyber Security.
City Chief Information Security Officer.
City Departments.
On June 4, 2021, Mayor London Breed issued Executive Directive No. 21-02, announcing that protecting the City’s technology and information is vital to the proper functioning of the City and the ability of City departments and personnel to serve residents. In order to further the protection of City assets, the prevention, detection, and remediation of cyber-related incidents is a top priority of the City and essential to the security of San Francisco government and its residents. In the directive, the Mayor directed the City’s Chief Information Officer and the City Administrator to recommend changes to the Administrative Code to formalize and strengthen the City’s cyber security functions and programs.
(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)
(a) The purpose of this Chapter 22I is to strengthen and coordinate the City’s security of information resources. The creation of the Office of Cyber Security will improve the City’s information security by doing the following:
(1) ensure coordination of City Departments’ response to cyber security threats;
(2) identify primary responsibility for the City’s response during emergencies caused by cyber security attacks;
(3) share best information security practices, procedures, and requirements with City Departments;
(4) provide review of proposed technology purchases by City Departments to address cyber security risks during procurement; and
(5) avoid uncoordinated and duplicative information or system security purchases by City Departments when such technology can be more effectively purchased as part of a coordinated City effort for maximum cost effectiveness and use.
(b) In enacting and implementing this Chapter 22I, the City is assuming an undertaking only to promote the general welfare. It is not assuming, nor is it imposing on its officers and employees, an obligation for breach of which it is liable in money damages to any person who claims that such breach proximately caused injury.
(c) Municipal Transportation Agency. Consistent with Charter Section 8A.101(d), the Municipal Transportation Agency shall comply with the provisions of this Chapter 22I and shall be solely responsible for its administration and enforcement with respect to matters within the Municipal Transportation Agency’s jurisdiction. The Municipal Transportation Agency Board of Directors shall provide the City Administrator with an annual report of reported incidents and its compliance with the established City information security standard.
(d) Public Utilities Commission. Consistent with Charter Section 8B.121(a), the Public Utilities Commission shall comply with the provisions of this Chapter 22I and shall be solely responsible for its administration and enforcement with respect to matters within the Public Utilities Commission’s jurisdiction. The Public Utilities Commission shall provide the City Administrator with an annual report of reported incidents and its compliance with the established City information security standard.
(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)
For purposes of this Chapter 22I, the following definitions shall apply:
“City” means the City and County of San Francisco and all of its units or components of government.
“Chief Information Officer” means the Chief Information Officer for the City appointed pursuant to Administrative Code Section 22A.4.
“City Department” means any unit or component of City government, including but not limited to named departments, boards and commissions, offices, agencies, and officials.
“Committee on Information Technology” or “COIT” means the committee established in Administrative Code Section 22A.3.
“Information and Communications Technology” or “ICT” means information and communications technology and computer-based equipment and related services designed for the storage, manipulation, and retrieval of data by electronic or mechanical means, or both.
“Information Resources” means Information and Communications Technology operated by or for the City, including equipment, facilities, systems, applications, and cloud services that relate directly to data processing equipment or services which are directly managed by various departmental divisions for Management Information Systems (MIS), including but not limited to, the Controller’s Information Services Division (ISD), the Airport’s MIS Division, the Public Utilities Commission’s Bureau of MIS, and the Department of Public Health’s MIS.
“Information Security Standards” means standard requirements created by the Chief Information Security Officer for the protection and resiliency of the City’s information resources.
(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)
(a) Establishment. The Office of Cyber Security is hereby created within the Department of Technology and shall be headed by the Chief Information Security Officer and staffed by such officers and employees as are authorized pursuant to the budgetary and fiscal provisions of the Charter.
(b) Mission and Purposes. The Office of Cyber Security shall have these missions and purposes:
(1) Advising the Mayor, the Board of Supervisors, the City Administrator, the City Chief Information Officer, and City Departments regarding information security for City Departments.
(2) Advising the Committee on Information Technology (COIT) on compliance with adopted information security standards, policies, and funding plans, and serving as a permanent member of COIT.
(3) Protecting City-connected technology and information resources.
(4) Continuously improving the City’s ability to detect cyber security events, contain and eradicate compromises to security, and restore information resources to a secure and operational status.
(5) Evaluating technology vendors and partners to identify cyber security risks to City operations.
(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)