Purpose and Scope
Chapter 22I of the City Administrative Code establishes the City Chief Information Security Officer’s duty to develop and update citywide cybersecurity requirements to mitigate the City’s risk and comply with legal and regulatory cybersecurity requirements. The purpose of these requirements is to establish a policy for both secure and cost-effective management of mobile devices, such as smartphones and tablets, used for City business.
The requirements identified in this document apply to digital information and technology operated by or for the City and County of San Francisco and its departments and commissions. Elected officials, employees, contractors, partners, bidders, and vendors working on behalf of the City and County of San Francisco are required to comply with this policy.
Cybersecurity Officers, Liaisons, Information Technology (IT) Professionals, and Finance/Budget Professionals have a joint responsibility to implement the following technical and fiscal requirements. Departments should subsequently develop departmental policies or processes that should be equivalent to or greater than these Citywide requirements to encompass department-specific practices, promote cost-effectiveness, and reduce potential risks.
Policy Requirements
All City departments must adopt the following minimum requirements:
Issuance and Decommissioning of City-Owned Mobile Devices
- New Device Procurement – Telecommunication carriers often offer beneficial pricing for device models released 12-24 months prior to the latest device model. These earlier models have substantially similar technical capabilities with the latest models, and departments should strongly consider procuring these earlier device models to maximize potential cost benefits and minimize potential equipment charges in the event of early termination of services.
- Issuance Approval – A departmental process and criteria for requesting, reviewing, and approving or rejecting the issuance of City-owned mobile device(s) must be established. See Appendix A for sample approval form.
- Record of Devices – Issuance and approval of City-owned mobile devices must be recorded with appropriate business justification and information regarding the requester, approver, and device.
- Replacement of Lost or Damaged Devices – Departmental approval and issuance processes should track and manage requests for replacement devices.
- Review of Device Inventory – Inventory of City-owned mobile devices must be reviewed quarterly, at a minimum, to affirm that devices are necessary for City business, identify mobile devices with no activity, and to facilitate the suspension of City payments for mobile devices no longer needed for City business.
- Return and Decommissioning – City-owned mobile devices must be returned to the City when no longer in use or not required for City business for re-issuing or decommissioning. City-owned devices must be wiped and re-imaged prior to re-issuing or decommissioning the device.
- Separation from the City – City data on City-owned mobile devices must be deleted upon separation of staff from City employment or contract.
Configuration of City-Owned Mobile Devices
- Device Version and Model – City-owned mobile devices must meet minimum version(s) and type(s) of operating system and minimum device model(s) that support City technical safeguards. Note: minimum device models are not necessarily the newest available model.
- Security Configuration – City-owned mobile devices must be configured with approved safeguards (e.g., approved mobile apps for City data) before being used for City business.
- Updated Operating System – City-owned mobile devices must be updated to the latest patch level of a supported operating system no later than 14 days of the update being issued by the operating system manufacturer.
- Device Lock Required – City-owned mobile devices must require a passcode, at a minimum, to unlock the device.
- Deleting City Data – City data on City-owned mobile devices must be automatically deleted if an incorrect passcode is repeatedly entered, upon detection of tampering with device’s operating system (i.e., jailbreaking), or if the mobile device does not connect with City systems for a designated period of time.
Data and Legal Protection
- City Data and Document Storage – City data and documents must be stored and accessed using approved and protected mobile applications.
- Public Records Laws – City data and documents are subject to public records laws.
- Information Security Records – Information security records, such as data generated by mobile authentication apps or security codes and passwords sent to mobile devices, are generally exempt from public records disclosure under California Public Records Act exemptions.
Physical Security Protection
- Theft or Loss Protection – City-owned mobile devices must be protected from loss due to theft or vandalism and must remain in the possession of a person to whom the device is issued, unless they have been deposited in a secure location such as a locked City office, locked location at home, trunk of a car, or a hotel safe.
- Immediate Reporting Lost Devices – Lost or stolen City-owned mobile devices must be reported immediately. City data must be deleted from these devices and City-owned mobile devices must be disabled.