The City and County of San Francisco is dedicated to building a strong cybersecurity program to support, maintain, and secure its information and systems. The Cybersecurity Awareness and Training Standard is an implementing standard of the Citywide Cybersecurity Policy.


This document establishes the City and County of San Francisco (CCSF) Cybersecurity Awareness and Training Standard. The standard will help CCSF mitigate cybersecurity risks by training users, documenting the training, and communicating with them about cybersecurity best practices.

The goals of the Cybersecurity Awareness and Training Standard include:

  1. Improving user awareness of the need to protect technology, information, and systems.
  2. Ensuring users clearly understand their responsibilities for protecting information and systems.
  3. Ensuring users are knowledgeable about CCSF cybersecurity policies, standards, guidelines, procedures and practices.
  4. Developing user knowledge and skills so they can perform their jobs securely.
  5. Ensuring that CCSF complies with federal, state and local government regulations and other requirements.

This standard applies to all CCSF information systems users with access to critical systems. These users may include: officers, elected officials, employees (including permanent civil service, exempt, temporary, full and part time, and provisional), consultants, vendors, interns, volunteers, or any other individual working on behalf of the City and County of San Francisco. These individuals are referred to collectively as “users” for purposes of this standard.


Users of CCSF information systems with access to critical systems shall participate in cybersecurity awareness training, including:

  1. All users are required to take annual cybersecurity awareness training in the form of Computer- Based-Training (CBT) or instructor led workshops.
  2. All new users are required to take mandatory cybersecurity awareness training in the form of the CBT or instructor led workshops.
  3. Awareness reinforcement and additional training may be provided through newsletters, posters, phishing campaigns, screensavers, webcasts, workshops and national cybersecurity related events.

Records of training completion are required to be retained by and accessible to the Departmental Information Security Officer (DISO) and departmental human resources (HR) staff. Records shall be retained for a minimum of 2 years from last date of completion, or longer depending on departmental requirements.