COIT Policy

COIT policies apply to all City departments. Policy supports strategic goals like cybersecurity, disaster preparedness, and environmental sustainability. 

Designing services

Buying technology

  • Cloud Acquisition and Management Policy The City and County of San Francisco encourages the use of cloud services when cost efficiencies are available, risk mitigation strategies are in place, and the services support the City’s data sharing strategy through interoperable systems.
  • Green Technology Purchasing Policy The purpose of this Green Policy is to establish green information technology purchasing requirements that improve the environmental profile of City government operations, and that foster expanded environmental stewardship in the IT industry.
  • Software Evaluation Policy The purpose of the COIT Software Evaluation policy is to ensure that all departments thoroughly and fairly evaluate software alternatives, including open source prior to acquiring new software.

Managing data

  • Data Classification Standard The Data Classification Standard requires departments to categorize and label or mark data per classification levels and review classification of data on a regular basis.
  • Data Management Policy This policy establishes a framework for the management of data as an asset across the City.
  • Metadata Standard The Metadata Standard helps users search, find, and understand published data.
  • Data Custodian and Stewardship Policy The Data Custodian and Stewardship Policy clarifies data ownership and responsibilities for the Department of Technology and City departments.

Protecting privacy

  • Citywide Employee Drone Policy This policy authorizes select departments to use drones. Departments are required to follow a variety of protections that emphasize public safety and the privacy of San Francisco residents.
  • Surveillance Technology Inventories In 2019, San Francisco’s Board of Supervisors passed the Acquisition of Surveillance Technology Ordinance requiring an inventory of all surveillance technologies that are in possession or in use by City departments.

Risk management

  • Citywide Cybersecurity Policy The Cybersecurity Policy is intended to maintain and enhance key elements of a citywide cybersecurity program to support, maintain, and secure critical infrastructure and data systems.
  • Cybersecurity Awareness & Training Standard All users of CCSF information systems shall participate in cybersecurity awareness training.
  • Disaster Preparedness, Response, Recovery, and Resiliency Policy (DPR3) The DPR3 policy requires all City and County of San Francisco departments to develop and implement disaster-related planning for information technology systems and data
  • Citywide Technology Resilience Standard The Citywide Technology Resilience Standard is required for City Disaster Preparedness, Response, Recovery, and Resilience (DPR3) Policy compliance. The Citywide DPR3 Policy requires the City Chief Information Officer (CCIO) and City Chief Information Security Officer (CCISO) to develop achievable Technology  Resilience Standards that ensure the delivery of public services during and after a disaster.

Technology infrastructure

  • Email Policy This policy outlines the standards for use and management of email systems in the City and County San Francisco.
  • Service Set Identifier (SSID) Standard All City-owned and operated public wireless networks located in the City and County of San Francisco must use the City SSID standard.

Using technology

  • Acceptable Use Policy Outline of the acceptable use of all City-owned or leased computer equipment. Inappropriate use of equipment exposes the City to risks including virus attacks, compromise of network systems and services, breach of confidentiality, and legal liability.
  • Software License Compliance Policy The purpose of the Software License Compliance Policy is to establish the policy for software licenses compliance and tracking.
  • Technology Project Management Policy This policy establishes the technology project management policy standard for the City and County San Francisco.
  • Mobile Device Use Policy. The purpose of this policy is to establish the secure and cost-effective management of mobile devices, such as smartphones and tablets, used for City business. 
Last updated September 28, 2023