The City and County of San Francisco (City) is dedicated to building a strong cybersecurity program to support, maintain, and secure critical infrastructure and data systems. The following policy is intended to maintain and enhance key elements of a citywide cybersecurity program.


The COIT Cybersecurity Policy lays the foundation for the City’s Cybersecurity Program as a whole and articulates executive-level support for the effort. Cybersecurity operations across the City are in different stages of deployment. The Cybersecurity Policy supports the City’s Cybersecurity Program established to:

  • protect our connected critical infrastructure
  • protect the sensitive information placed in our trust
  • manage risk
  • continuously improve our ability to detect cybersecurity events
  • contain and eradicate compromises, restoring information resources to a secure and operational status
  • ensure risk treatment is sufficient and in alignment with the criticality of the information resource
  • facilitate awareness of risk to our operations within the context of cybersecurity

The requirements identified in this policy apply to all information resources operated by or for the City and County of San Francisco and its departments and commissions. Elected officials, employees, consultants, and vendors working on behalf of the City and County of San Francisco are required to comply with this policy.


The COIT Cybersecurity Policy requires all departments to:

  1. Appoint a Departmental Information Security Officer (DISO) to coordinate cybersecurity efforts. Larger departments may appoint a Chief Information Security Officer (CISO) to recognize the increased scope of responsibility.
  2. Adopt a cybersecurity framework as a basis to build their cybersecurity program. The City recommends adopting the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a methodology to secure information resources.
  3. Support cyber incident response as needed in accordance with Emergency Support Function 18 (ESF-18) Unified Cyber Command.
  4. Conduct and update, at least annually, a department cybersecurity risk assessment. Departments with dedicated Risk Management staff may elect to integrate cybersecurity risk management into the department’s Risk Management program.
  5. Develop and update, at least annually, department cybersecurity requirements to mitigate risk and comply with legal and regulatory cybersecurity requirements. Departments will develop and adopt cybersecurity requirements that should be equivalent to or greater than the citywide security requirements.
  6. Participate in citywide cybersecurity forum meetings.