(a) Establishment of Position. There is hereby created the position of Chief Information Security Officer (CISO) for the City and County of San Francisco. The CISO shall:
(1) Be appointed by the Chief Information Officer following consultation with the City Administrator.
(2) Serve as a permanent member of COIT with the authority and responsibility to develop information security recommendations and implement COIT information security standards, policies, and procedures for all City Departments.
(3) Head the Office of Cyber Security.
(b) Purpose and Duties. The CISO’s duties shall include, but are not limited to, the following:
(1) Develop and maintain a centralized cyber security detection, response, and recovery program, tools and operational capability for preventing and responding to compromises of City information resources for City Departments.
(2) Develop and maintain training, tools, and operational capability to minimize cyber security vulnerabilities of City information resources for City Departments.
(3) Provide a citywide information security standard to reduce the risk of compromise to the City’s information resources, including but not limited to receiving and responding to security incidents from City Departments, and mitigating the risks to City information resources.
(4) Conduct risk-based assessment of new vendor technologies or technology-related services during the procurement process.
(5) Support City Departments’ cyber emergency exercises and conduct periodic citywide cyber security emergency exercises with City Departments.
(6) Test cyber security preparedness of City Departments on a regular basis.
(7) Work with City Departments through the designated Departmental Information Security Officers to reduce the City’s risk of cyber security incidents.
(8) Develop and update citywide cyber security requirements to mitigate the City’s risk profile, and comply with legal and regulatory cyber security requirements.
(9) Support City Departments’ implementation of the City’s information security standards.
(10) Provide the Mayor and City Administrator with an annual report of reported incidents and each City Department’s compliance with the established City information security standard.
(Added by Ord. 49-22, File No. 211294, App. 3/31/2022, Eff. 5/1/2022)