Cloud acquisition and management policy

The City and County of San Francisco encourages the use of cloud services when cost efficiencies are available, risk mitigation strategies are in place, and the services support the City’s data sharing strategy through interoperable systems.
Purpose and scope

The purpose of the Cloud Acquisition & Management Policy is to ensure City departments incorporate the appropriate requirements, processes, and risk mitigation strategies in the use and procurement of cloud services. This policy encompasses the City’s use of all cloud services, which includes but is not limited to: storage, software-as-a-service (SaaS), and platform-as-a-service (PaaS) products.

The requirements identified in this policy apply to all information resources operated by or for the City and County of San Francisco and its departments and commissions. Elected officials, employees, consultants, and vendors working on behalf of the City and County of San Francisco are required to comply with this policy.

Policy statement

Before the purchase or use of cloud services, the Cloud Acquisition & Management Policy requires all departments to incorporate the following procedures:

Acquisition Requirements - Conduct a formal evaluation and document the following:

  • The department CIO or IT Manager must explicitly express approval before the use of any cloud service. City employees may not provision cloud products without approval from the department CIO or IT Manager and must follow the Office of Contract Administration’s procurement policies.
  • Departments shall use existing contracts to maximize the City’s purchasing power where appropriate.

Data Standards & Risk Mitigation

For all cloud services, departments shall:

  • Conduct a risk assessment of data privacy risks associated with the service. Products that contain level 3-5 data should have an added level of review and comply with the department’s cybersecurity requirements and identity and access management rules. To classify data, departments should refer to the COIT Data Classification Standard.
  • Verify the City retains ownership and rights to City Data, including derivative works made from City Data and the licensing applied to the data.
  • Define data retention standards for all data stored with cloud services.
  • Consider the interoperability of a cloud service with the City’s data and systems. Departments should prioritize products that use application programming interface (API) standards that support the City’s data sharing goals.

In all instances, departments should consult with the Department of Technology on the appropriate technology strategies.
Approved March 21, 2019

Documents

COIT Cloud Acquisition and Management Policy - download full policy document