
IT Security Standards Guidelines

This document outlines the information security standards and guidelines for the City. It details 22 sections covering topics such as acceptable use policies, hardware and software inventory control, vulnerability and patch management, data protection, identity and access management, security awareness training, and incident response. The document establishes responsibilities and procedures to help the City securely manage its information technology systems and protect sensitive data.

Uploaded by

Jorge Martinez

Information Technology Policy

Revision: 6

Information Security Standards and Guidelines


Effective Date: 11/30/2023

Contents
1. Purpose
2. Scope
3. Responsibilities
4. Document and Policy Approval Process
5. Security Exceptions
5.1. Exceptions to Security Policies
6. Users Acceptable Use
6.1. General Use and Ownership
6.2. Unacceptable Use
7. Hardware Inventory and Control
7.1. City-Owned Devices
7.2. Personal Devices
8. Software Inventory and Control
8.1. Gold Images and Templates
8.2. Citywide Applications
8.3. Departmentwide Applications
8.4. Unsupported Applications
8.5. Vendor-supported Applications
9. Physical Security
9.1. Physical Data Protection
9.2. Physical Access
10. Vulnerability Management
10.1. Patch Management
10.2. Vulnerability Scanning
10.3. Vulnerability Assessment
11. Configuration Management
11.1. Governance
11.2. Change Management
11.3. Configuration Modifications
12. Log Management and Monitoring
12.1. Security Information and Event Management
13. Malware Defenses
13.1. Endpoint Protection
14. Network Management
14.1. External Connections to City Network
14.2. Remote Access
14.3. Domain Name System
14.4. Network Equipment
14.5. DMZ
14.6. Firewall Rules
15. Media Disposal
15.1. Document Shredding
15.2. Computer Destruction
16. Data Protection
16.1. Data Classification
16.2. Data Storage and Transfer
16.3. Data Access
17. Identity Access Management
17.1. Principle of Least Privilege
17.2. User Accounts and Access
17.3. Applications and Services
18. Service Accounts
19. Key Management
20. Security Awareness and Training
20.1. Cyber Security Training
21. Application Software Security
21.1. Software Development Lifecycle
21.2. Software Updates
22. Cloud Providers and Services
22.1. Cloud Service Solutions
23. Incident Response and Management
23.1. Reporting Policies
23.2. User Responsibilities
23.3. Incident Management
23.4. Incident Response Plan
24. Compliance
24.1. Legal Requirements
24.2. Compliance Policies
25. References
25.1. External Resources
25.2. Internal Resources
Appendices
Appendix A – Security Objectives
Appendix B – Contacts

Document History

Version | Date | Author | Changes
3.0.0 | 2/4/19 | Kyle/Ryan | Rework of Policy
3.0.1 | 2/4/19 | Kyle | Added - 14.2.5
3.0.2 | 5/14/19 | Kyle/Ryan/Becca | Changed password length from 8 to 12. Added 14.2.1.2, 16.1.1.8, 17.2.7, 23.1.4
3.0.3 | 6/27/19 | Jon | Added 16.2.8
3.1.0 | 1/15/20 | Jon/Kyle | Added 21.2, 21.2.1-6
3.1.1 | 7/20/20 | Jonathan Mui | Added 15.2.1.1, Added 25
3.1.2 | 12/14/20 | Jonathan Mui | Corrected Section 20.1
3.1.3 | 1/27/21 | Jonathan Mui | Added to Section 17
3.1.4 | 10/5/21 | Luan Tran | Updated Contacts in Appendix B
3.1.5 | 10/17/22 | Brendan Daly | Updates to Sections 10, 11, 14. Updated hyperlinks. Added External Reference. Updated Contacts in Appendix B
3.1.6 | 11/21/23 | Brendan Daly/Joe Schiffman | Added Sections 7.2, 7.3, 18. General language updates

Document Approval

Version | Approver Name | Title | Approver Signature | Date
3.1.6 | Joe Schiffman | Cybersecurity Manager | | 11/30/23
3.1.6 | Brendan Daly | Chief Information Security Officer | | 11/30/23
3.1.6 | Jonathan Behnke | Chief Information Officer | | 12/01/23

1. Purpose
1.1. The purpose of this document, in conjunction with other referenced security
policies, regulations and documentation, is to provide security, confidentiality,
integrity and accountability within the City of San Diego.
2. Scope
2.1. The City of San Diego Information Security Policy document encompasses all data,
devices and information systems that exist in or interact with any environment or
resources owned, operated or utilized by the City of San Diego.
2.2. City employees, third-party contractors or other entities utilizing internal City
resources or services, hereby referred to as “users”, shall read, understand and
carry out the policies outlined in this document.
3. Responsibilities
3.1. The City of San Diego Cyber Security Team shall review and update this document
on at least an annual basis.
3.2. The City of San Diego Cyber Security Team reserves the right to change, modify or
otherwise adjust this document at any time to satisfy modern technologies,
manage new threats, adhere to industry regulations or better comply with best
practices.
3.3. The City of San Diego Cyber Security Team reserves the right to shut down,
remove or disable systems, services, applications, accounts or devices that pose a
security risk to the City of San Diego, its employees, its partners or its residents.
3.4. The City of San Diego Cyber Security Team reserves the right to monitor all
systems, services, applications, accounts, data and devices used for City business,
or connected to City systems, services, applications, accounts, data or devices.
3.5. The City of San Diego Cyber Security Team reserves the right to obtain and retain
root access to any City system at any time in the interest of auditing, incident
response or secure implementation.
3.6. Modifications or additions to City information systems that affect security
controls must be explicitly approved by the City of San Diego Cyber Security Team
prior to being implemented.
3.7. New or modified information technology contracts between the City and third
parties must be explicitly reviewed and approved by the City of San Diego
Cybersecurity Team.
3.8. Third party contracts pertaining to information technology software and/or
services are expected to contain adequate security controls, service definitions and
service delivery levels.
3.9. Department Directors, Information Systems Analysts and Information Security
Liaisons are responsible for assisting the City of San Diego Cybersecurity Team in
carrying out the policies outlined in this document.
3.10. Supervisors are responsible for notifying their department’s Information Systems
Analysts of staff changes such as new hires, transfers or departures within one
day of awareness.
3.11. Information Systems Analysts are responsible for notifying the Department of
Information Technology of staff changes within one day of awareness.

3.12. Department policies, performance plans, and work standards, as applicable,
must include requirements for compliance with information security policies and
standards.
3.13. Questions regarding terms, policies or details of this document may be directed to
the City of San Diego Cybersecurity Team.
4. Document and Policy Approval Process
4.1. The following steps outline the general process to be taken by the City of San Diego
Cybersecurity Team when updating this document:
4.1.1. New or changing technologies, threats, industry regulations or best practices
are identified.
4.1.2. Research is conducted to target effective response strategies.
4.1.3. New policy, process or is decided upon and written into this document.
4.1.4. Deputy CISO reviews and approves new policy.
4.1.5. CISO reviews and approves new policy.
4.1.6. CIO reviews and approves new policy.
4.1.7. Policy update is communicated to relevant stakeholders.
4.1.8. Updated document is uploaded to IT Cybersecurity Site.
5. Security Exceptions
5.1. Exceptions to Security Policies
5.1.1. Departments must employ all security controls as outlined in this document
unless specific, documented exceptions are explicitly granted by the City of San
Diego Cybersecurity Team.
5.1.2. Policy violations that haven’t been formally documented as an exception will be
treated as security incidents.
6. Users Acceptable Use
6.1. General Use and Ownership
6.1.1. City of San Diego business data stored on devices, whether owned or leased by
the City of San Diego, an employee or a third party, remains the sole property
of the City of San Diego.
6.1.2. Users are responsible for reporting potential security incidents per Incident
Response and Management – User Responsibilities.
6.1.3. Users may access, use or share City of San Diego sensitive information only to
the extent it is authorized by Federal, State and Local laws and regulations, City
policy and only as necessary to fulfill assigned job duties.
6.1.4. Users that are not City employees must sign an NDA and be sponsored by a
Deputy Director (or above) with the City prior to use of City systems.
6.1.5. Users are responsible for exercising good judgment regarding the
reasonableness of personal use outside of the unacceptable use statement.
6.1.6. Users are responsible for securing their devices when not in use.
6.1.7. Workstations are to be locked behind a password when not in use.
6.1.8. Service Owners are responsible for the security of their systems unless
otherwise designated in the Service Design Package.
6.1.9. The City of San Diego Cybersecurity Team reserves the right to audit or perform
penetration testing on networks and systems at any time.

6.1.10. Information Technology systems must be reviewed and approved by the City of
San Diego Cybersecurity Team prior to development, implementation or use.
6.1.11. Service delivery reports and other records from third-party providers of
outsourced IT services must be reviewed by the City of San Diego Cyber Security
Team at least annually to ensure compliance with contract requirements
related to information security.
6.2. Unacceptable Use
6.2.1. Users may not use City information technology resources for non-job-related
functions.
6.2.2. Mechanisms that circumvent the authorized access control mechanisms found
in operating systems, access control packages, or network devices are not
permitted and shall not be used.
6.2.3. The City of San Diego Cybersecurity Team may not conduct cyber investigations
unrelated to potential security incidents without the express knowledge and
approval of the Human Resources Department.
7. Hardware Inventory and Control
7.1. City-Owned Devices
7.1.1. An inventory of City-owned hardware must be maintained and updated
regularly by the Department of Information Technology.
7.1.2. Departments must maintain the accuracy and currency of all hardware assets
within their business control. This includes IoT devices and any devices that
support their department or facility.
7.1.3. Non-information/data assets within the city’s information systems
environment (computer equipment, peripheral devices, etc.) shall be owned by
the Department of Information Technology.
7.1.4. Unknown and non-inventoried devices can be removed from the network at any
time.
7.2. Managed Systems
7.2.1. Managed systems are City owned systems such as personal computers, laptops,
mobile devices, virtual machines and infrastructure components that are
managed by the City or a contracted IT Managed Service Provider (MSP).
7.2.2. Managed systems must have the City’s standard set of endpoint and security
management agents installed and operational.
7.2.3. Managed systems not operating the City’s standard set of endpoint and
security management agents can be removed from the network at any time.

7.3. Trusted Systems


7.3.1. Trusted systems are non-City owned systems such as personal computers,
laptops, mobile devices, virtual machines and infrastructure components that
the City Cybersecurity Team has approved for limited, trusted access to City
systems.
7.3.2. Written approval from the City Cybersecurity Team must be obtained prior to a
trusted system connection to any City system.
7.3.3. Trusted systems must have the City’s standard set of security management and
endpoint protection agents installed and operational.

7.3.4. Trusted systems not fully operating the City’s standard set of security
management and endpoint protection agents may have City system access
removed at any time.
7.3.5. The City Cybersecurity Team reserves the right to remove trusted system access
at any time.

7.4. Personal Devices
7.4.1. Individuals must not use their personally owned systems in any City facility.
7.4.2. Personal devices are not permitted to be attached to any City network.
7.4.3. Personal devices accessing non-network City resources must be in compliance
with all standards outlined in this document.
7.4.4. Mobile Device Management (MDM) – iOS and Android
7.4.4.1. Personal iOS and Android devices used to access City data must follow the
Mobile Device Management: Policy Document.
7.4.5. A device must be either Enrolled or Registered in the City’s MDM solution in
order to access city data.
8. Software Inventory and Control
8.1. Gold Images and Templates
8.1.1. Gold images and templates are defined as master images or base images used
for initial system installation or for system re-installations. The use of golden
images can save time and ensure security and consistency by eliminating the
need for repetitive configuration changes and performance tweaks. Gold
Images must be reviewed and updated on at least a quarterly basis.
8.1.2. Gold images and templates must be scanned, reviewed and approved by the
City of San Diego Cybersecurity Team prior to production deployment.
8.1.3. Gold images and templates must include the City of San Diego Cybersecurity
standard suite of endpoint protection, detection and response agents.
8.1.4. Gold images and templates are required to be used.
8.2. Citywide Applications
8.2.1. Citywide applications must retain full and proper documentation regarding
policies, procedures and security points of contact.
8.2.1.1. This documentation must be reviewed and updated at least annually by the
document owner or department.
8.3. Departmentwide Applications
8.3.1. Departmentwide applications must be supported by a designated service owner
and security contact within their department.
8.3.2. Departmentwide applications must retain full and proper documentation
regarding policies, procedures and security points of contact.
8.3.2.1. This documentation must be reviewed and updated at least annually by the
document owner or department.
8.4. Unsupported Applications
8.4.1. Applications not supported by the Department of Information Technology or
the department of the user must be explicitly approved for use by the City of
San Diego Cybersecurity Team.
8.4.1.1. Unsupported applications discovered are subject to immediate removal.
8.5. Vendor-supported Applications

8.5.1. Applications supported by third parties, and the associated third-party vendor,
must be explicitly approved by the City of San Diego Cybersecurity Team.
9. Physical Security
9.1. Physical Data Protection
9.1.1. Physical copies of Protected data must not be visible in plain sight.
9.1.2. Removable media such as diskettes, zip drives, tapes, CDs, DVDs, USB or
memory cards containing Protected data must be secured at all times.
9.1.3. Workstations must be locked when not in use.
9.2. Physical Access
9.2.1. Systems with access to City networks must be physically secured via room
locks, facility controls or being physically controlled by the user of the
system(s) at all times.
9.2.2. Facilities housing Protected data must have physical barriers such as walls or
fences controlled with entry gates, access card entry doors, cipher locks,
security guards or manned reception desks.
9.2.3. Rooms housing Protected data must be restricted to authorized persons only.
9.2.4. Access to areas housing Protected data must be traceable.
9.2.5. Smoke/fire alarm and suppression systems are required for all data centers,
server rooms and telecommunication closets.
9.2.6. Environmental controls such as temperature, humidity, and ventilation
control measures must be in place for all data centers and server rooms.
9.2.7. Physical and electronic keys (such as RSA or YubiKey) must be tracked and
issued to authorized users and not be shared with other users.
10. Vulnerability Management
10.1. Patch Management
10.1.1. Systems must be patched on at least a monthly basis.
10.2. Vulnerability Scanning
10.2.1. Workstation scans must be performed on at least an annual basis.
10.2.2. Server scans must be performed on at least a monthly basis.
10.2.3. New or modified servers must be scanned, and security vulnerabilities
remediated before being connected to the network.
10.2.4. Vulnerabilities discovered on existing systems must be remediated within
30 days of discovery.
10.2.5. Discovered vulnerabilities shall be assigned a risk ranking such as Critical,
High, Medium, and Low.
10.2.5.1. Critical and High rated vulnerabilities must be patched/remediated within
24 hours.
10.2.5.2. The Cybersecurity Team may adjust the remediation timeframe for any
vulnerability regardless of the initial vulnerability rating.
10.2.6. All applications, services and systems must be scanned, and security
vulnerabilities remediated, prior to product deployment and/or external
exposure.
10.3. Vulnerability Assessment
10.3.1. Vulnerability assessments must be performed on at least an annual basis.
10.3.2. Vulnerability assessments on production systems must include a
communication plan with said system owners.

10.3.3. Vulnerability assessments may only be managed by the City of San Diego
Cybersecurity Team.
10.3.4. The City of San Diego Cybersecurity Team reserves the right to perform
vulnerability assessments at any time without notice to end users.
11. Configuration Management
11.1. Governance
11.1.1. New or significant changes to systems must go through the Department of
Information Technology governance process and be approved by the City of
San Diego Cybersecurity Team. This includes the following:
11.1.1.1. New service or product including new module implementation.
11.1.1.2. New system feature implementation.
11.1.1.3. Application upgrades greater than n-1.
11.1.2. Changes that may impact security of City systems need to be approved by the
City of San Diego Cybersecurity Team prior to being made.
11.2. Change Management
11.2.1. Changes to enterprise-wide systems must go through the City’s Change
Management process.
11.2.2. Changes that result in significant security risks, as designated by the City of
San Diego Cybersecurity Team, must be rolled back immediately or otherwise
mitigated.
11.2.3. Changes intended to remediate significant security risks, as designated by the
City of San Diego Cybersecurity Team, must be made “Urgent” or
“Emergency” changes.
11.3. Configuration Modifications
11.3.1. Configuration modifications that do not qualify for change management must
be documented and include communications to stakeholders.
11.3.2. Configuration modifications that result in significant security risk, as
designated by the City of San Diego Cybersecurity Team, must be rolled back
immediately.
12. Log Management and Monitoring
12.1. Security Information and Event Management
12.1.1. Systems storing or transferring Protected data must have logs that permit
traceability.
12.1.1.1. Said logs must have a retention policy of at least 90 days.
12.1.2. Security, audit, and activity logs must be sent to the City’s Security
Information Event Management (SIEM) tool.
13. Malware Defenses
13.1. Endpoint Protection
13.1.1. City-owned workstations, mobile devices and servers must have City-standard
Anti-Virus and Endpoint Detection and Response agents installed and
running.
13.1.1.1. City-standard Anti-Virus and Endpoint Detection and Response agents
are determined by the City of San Diego Cybersecurity Team.
13.1.2. If a device does not have endpoint protection such as Anti-Virus or Advanced
Endpoint Protection, it may be removed from the City’s network.

14. Network Management


14.1. External Connections to City Network
14.1.1. External connections and any modifications to the City’s network must be
explicitly approved by the City of San Diego Cybersecurity Team prior to being
activated.
14.2. Remote Access
14.2.1. Remote access to the City’s network, including Cloud and Software as a Service
(SaaS) must be explicitly approved by the City of San Diego Cybersecurity Team
prior to use.
14.2.1.1. Client VPN connections are required for remote access.
14.2.1.2. VPN for non-City employees requires City sponsorship from an
appointing authority or higher.
14.2.1.3. Site-to-site VPN connections with the City’s network are not permitted.
14.2.2. Remote access authentication and access logs must be monitored.
14.2.3. Individual remote access sessions must not exceed 24 hours.
14.2.4. Users are not permitted to access the City’s network, systems or service from
outside of the USA without formal approval from the City of San Diego
Cybersecurity Team.
14.2.5. The City of San Diego Cybersecurity Team reserves the right to revoke remote
access at any time.
14.3. Domain Name System
14.3.1. Changes to the City’s external DNS records must be approved by the City of San
Diego Cybersecurity Team.
14.3.2. New internal or external DNS zones must be approved by the City of San Diego
Cybersecurity Team.
14.3.3. DNS records inoperative for 30 or more days must be removed promptly.
14.3.4. All devices on the network need to be registered in DNS. The only exception
is domain-joined client systems.
14.4. Network Equipment
14.4.1. Network equipment on the City’s network must be approved by the City of San
Diego Cybersecurity Team and installed and configured by the City of San Diego
Network Team.
14.4.2. Different parts of the City defined by unique functions and/or data must be
logically segmented.
14.5. DMZ
14.5.1. Any new systems or services as well as all changes to the City’s DMZ
environment must be explicitly approved by the City of San Diego Cybersecurity
Team, in advance of being implemented.
14.5.2. External services connecting to internal web services, APIs, and web applications
shall use reverse proxies.
14.5.3. Reverse Proxy Standards
14.5.3.1. Must use modern and current encryption methodologies.
14.5.3.2. All URLs shall be case-insensitive; this shall not be achieved via redirect.
14.5.3.3. Each subdomain must have a separate SSL certificate for that subdomain
and must not use the wildcard sandiego.gov certificate (i.e., *.sandiego.gov
is not allowed; use {subdomain}.sandiego.gov).
14.5.3.4. Proxies shall be Linux and Apache based.


14.5.3.5. Remote administrator and user connections to the proxy via SSH or other
remote access protocols shall not be accessible from outside of SANNET.
14.5.3.6. Only port 443 with HTTPS shall be allowed to connect to a proxy from
outside of SANNET.
14.6. Firewall Rules
14.6.1. Firewall rule changes must be explicitly approved by the City of San Diego
Cybersecurity Team prior to implementation and follow the City’s Change
Management process.
15. Media Disposal
15.1. Document Shredding
15.1.1. The disposal of all business-related paper documents which contain Protected
data must involve cross-cut or ‘confetti’ shredding.
15.2. Computer Destruction
15.2.1. Computers or external storage devices no longer needed must have their
storage drives erased or overwritten using secure data destruction technologies
(either physical or via software “wiping”).
15.2.1.1. If a software wipe is utilized, a minimum of 3 passes
through the software is required.
16. Data Protection
16.1. Data Classification
16.1.1. Confidential - The loss of confidentiality, integrity, or availability could be
expected to have a severe or catastrophic adverse effect on organizational
operations, organizational assets, or individuals. A severe or catastrophic
adverse effect means that, for example, the loss of confidentiality, integrity, or
availability might cause a severe degradation in or loss of mission capability to
an extent and duration that the organization is not able to perform one or more
of its primary functions, result in major damage to organizational assets, result
in major financial loss, or result in severe or catastrophic harm to individuals
involving loss of life or serious life-threatening injuries. Examples include but
are not limited to:
16.1.1.1. Health Insurance Portability and Accountability Act (HIPAA) data
16.1.1.2. Protected Health Information (PHI)
16.1.1.3. California Law Enforcement Telecommunication System (CLETS)
16.1.1.4. Attorney-client data
16.1.1.5. Payment Card Industry (PCI)
16.1.1.6. Personally Identifiable Information (PII)
16.1.1.7. City IT system data
16.1.1.8. Per California Assembly Bill No. 375, now known as the California
Consumer Privacy Act, vendors must be pursuing compliance or be
compliant with this bill.
16.1.2. Private - The loss of confidentiality, integrity, or availability could be expected
to have a serious adverse effect on organizational operations, organizational
assets, or individuals. A serious adverse effect means that, for example, the
loss of confidentiality, integrity, or availability might cause a significant
degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness
of the functions is significantly reduced, result in significant damage to
organizational assets, result in significant financial loss, or result in
significant harm to individuals that does not involve loss of life or serious life-
threatening injuries. Examples include but are not limited to:
16.1.2.1. Financial Reports
16.1.2.2. Audit Reports
16.1.2.3. Configuration files
16.1.3. Sensitive (FOUO) - The loss of confidentiality, integrity, or availability could
be expected to have a limited adverse effect on organizational operations,
organizational assets, or individuals. A limited adverse effect means that, for
example, the loss of confidentiality, integrity, or availability might cause a
degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness of
the functions is noticeably reduced, result in minor damage to organizational
assets, result in minor financial loss, or result in minor harm to individuals.
Examples include but are not limited to:
16.1.3.1. Sensitive Emails
16.1.3.2. Draft Documents
16.1.3.3. Contract Evaluations
16.1.4. Protected – Sensitive, Private or Confidential data as defined above.
16.1.5. Public – The loss of confidentiality, integrity, or availability could be expected
to have a minimal effect on organizational operations, organizational assets,
or individuals only to the degree that data might have been exposed in a
manner not initially intended. This includes the following:
16.1.5.1. Data that has been explicitly approved for public release by an appropriate
authority
16.2. Data Storage and Transfer
16.2.1. Data classified as Protected must be clearly marked as such.
16.2.2. Different types and classifications of data must be logically segregated.
16.2.3. Data must be automatically backed up on a continual basis.
16.2.3.1. Backups must be tested on at least a biannual basis.
16.2.4. Data stored or transmitted by the City of San Diego or on the behalf of the City
must be encrypted at rest and in transit.
16.2.4.1. Data must be encrypted utilizing an approved cipher at 256 bits or higher.
16.2.5. The location of any data at rest must be shared with the City of San Diego
Cybersecurity Team.
16.2.6. Data leaving the City of San Diego’s intranet must be approved by the City of
San Diego Cybersecurity Team prior to being shared or exposed.
16.2.7. All applications, systems, and services with the capability to share with 3rd
parties must be reviewed and approved by the City of San Diego Cybersecurity
Team.
16.2.8. All new or modified data storage must be configured to allow the City’s data
classification and auditing tools.
16.2.8.1. A ticket must be submitted for the security team to configure the
storage so that the necessary tools are compatible.
16.2.8.2. Until approval from the City of San Diego Cybersecurity Team, the
storage cannot be used in a production environment.


16.2.9. Any data that is classified as Protected, per section 16.1, must be encrypted in
transit and at rest.
16.3. Data Access
16.3.1. Access to data must be limited to those who have job requirements facilitating
the need to view it.
16.3.2. Access to data classified as Protected must have access logging.
16.3.3. Changes to data access in which the data is classified as Protected must have
audit logs.
16.3.4. Sensitive data is not to leave the City environment without prior written
approval by the City of San Diego Cybersecurity Team.
17. Identity Access Management
17.1. Principle of Least Privilege
17.1.1. Users must be assigned ‘Least Privilege access’ to all data storage,
applications, systems and systems access as required by their assigned work
responsibilities.
17.1.2. Individuals responsible for performing system or user account administration
functions shall not have the authority to approve system or user account
changes.
17.1.3. Access to systems containing Protected data must be audited on at least an
annual basis.
17.2. User Accounts and Access
17.2.1. The San Diego Cybersecurity Team will be responsible for Identity Access
Management, user accounts and access.
17.2.2. Users must have a unique ID for authentication.
17.2.3. User account passwords must meet the following complexity requirements:
17.2.3.1. Passwords must be at least 12 characters
17.2.3.2. Passwords must contain characters from at least 3 of the following
categories:
17.2.3.2.1. Upper-case alpha letters (A-Z)
17.2.3.2.2. Lower-case alpha letters (a-z)
17.2.3.2.3. Base-10 (Arabic) numerals (0-9)
17.2.3.2.4. The following symbols: ~,!,@,#,$,%,^,&,*,(,),-,_
17.2.3.3. Users cannot repeat their last 24 passwords
17.2.3.4. Passwords cannot contain 3 or more of the same characters in a single
sequence.
17.2.4. User account passwords must expire every 90 days.
17.2.5. Non-City employee user accounts and access must be approved by the City of
San Diego Cybersecurity Team.
17.2.6. User account access must be revoked immediately when a user no longer
requires said access.
17.2.7. Account and access provisioning and deprovisioning procedures for City
systems must be documented.
17.2.8. San Diego Cybersecurity Team requires access to any City system upon
request.
17.2.9. Accounts with elevated access must have their permission set reviewed and
validated at least annually.
17.2.10. All accounts with elevated access require an account owner or designee.
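
The password rules in 17.2.3 expressed as an automated check, as an added example that is not part of the City's document. The function names, the PBKDF2-based history store and the reading of 17.2.3.4 as three identical consecutive characters are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12              # 17.2.3.1
MIN_CATEGORIES = 3           # 17.2.3.2
HISTORY_DEPTH = 24           # 17.2.3.3
SYMBOLS = "~!@#$%^&*()-_"    # 17.2.3.2.4
PBKDF2_ITERATIONS = 100_000  # illustrative value, not taken from the policy

# Assumption: "3 or more of the same characters in a single sequence"
# (17.2.3.4) means one character repeated three or more times in a row.
REPEAT_RUN = re.compile(r"(.)\1\1")


def hash_password(password, salt=None):
    """Return (salt, digest) for the history store (storage format is assumed)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def categories_used(password):
    """Count how many of the four categories listed under 17.2.3.2 appear."""
    return sum((
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SYMBOLS for c in password),
    ))


def in_history(password, history):
    """True if password matches one of the newest HISTORY_DEPTH entries.

    history is a list of (salt, digest) pairs ordered oldest to newest.
    """
    reused = False
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison, and no early exit on a match.
        reused |= hmac.compare_digest(candidate, digest)
    return reused


def violations(password, history=()):
    """Return the clause numbers the candidate password fails, in order."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("17.2.3.1")
    if categories_used(password) < MIN_CATEGORIES:
        failed.append("17.2.3.2")
    if in_history(password, list(history)):
        failed.append("17.2.3.3")
    if REPEAT_RUN.search(password):
        failed.append("17.2.3.4")
    return failed


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("Short1!", "correcthorsebattery", "Baaad-Password1", "Harbor-Pier-2023"):
        print(sample, violations(sample) or "compliant")
```

Characters outside the four listed categories (spaces, accented letters, other punctuation) count toward length but not toward the category total.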


18. Password Management


18.1. Administrators or users with elevated job functions must utilize the City’s
Privileged Access Management (PAM) system for accessing elevated credentials.
18.1.1. Other elevated job functions are users that manage any financial or sensitive
data.
18.2. Social Media accounts in use for the City must use complex passwords per section
17.2.3 and multifactor authentication (MFA)

19. Applications and Services


19.1.1. Authentication credentials must be encrypted in transit using modern
encryption methodologies.
19.1.2. Audit logs must be maintained and made available to the City of San Diego
Cybersecurity Team.
19.1.3. Administrative logins and actions must be monitored, logged and sent to the City’s
SIEM.
19.1.4. Access must be regularly audited on at least an annual basis by the application
owner.
19.1.5. User Access to applications shall follow the model of least privileged access
19.1.5.1. Users shall not have access that is higher than their responsibilities
require.
19.1.5.2. Users shall not have access to data not required by work responsibilities.
19.1.5.3. When users change job roles, function or responsibilities their user
access must be reviewed and changed to their new responsibilities.
19.1.5.4. Departments are responsible for notifying the City of San Diego
Cybersecurity Team and other stakeholders of changes to users’
responsibilities, roles or functions within 24 hours.
19.1.6. Applications or Services are not permitted to connect directly to the Active
Directory LDAP from outside of City’s Internal Network.
19.1.7. Simple authentication shall not be used with City applications or Services.
19.1.8. Authentication to web applications and Services must go through the City’s
Single Sign-on solution using Security Assertion Markup Language version 2.0
(SAML 2.0) or higher.
19.1.9. Services or Applications that are available outside of the City Internal Network
that contain Protected data must have at least 2-factor authentication setup.
19.1.10. Applications or Services that have Administrative activities that are accessible
from outside of the City’s internal network must require admin users to use
2-factor authentication.
20. Service Accounts
20.1. Service accounts must have a documented owner and description.
20.1.1. The owner will be responsible for managing the account and will serve as the
primary point of contact for the account.
20.1.2. The description should state what the account will be used for.
20.2. Service accounts may only have a single application or service use.
20.3. Service accounts must not have the ability to perform interactive logins.
20.3.1. Service accounts must not have normal user login abilities enabled.
20.4. Service account passwords must expire every 180 days.


20.5. Service accounts cannot have domain administrator permissions.


20.6. Service accounts must only be shared with users who are responsible for the
account.
20.7. Service accounts must be audited on at least an annual basis.

21. Key Management


21.1. Cryptographic keys (hereafter referred to as “key” or “keys”) and key access must be
audited on at least an annual basis.
21.2. City access keys must be centrally managed and maintained by the City of San Diego
Cyber Security Team.
21.3. Key access must be logged and monitored.
21.4. Keys must have an expiration date that is no greater than 2 years from the creation
date.
22. Security Awareness and Training
22.1. Cyber Security Training
22.1.1. Cyber Security training must be completed by all employees on an annual
basis.
22.1.2. All employees must review and acknowledge Administrative Regulation 90.63
on an annual basis.
23. Application Software Security
23.1. Software Development Lifecycle
23.1.1. Production systems must have at least one mirrored non-production system.
23.1.2. Non-production and production environments must be logically separated.
23.1.3. Only system administrators may move software from non-production to
production.
23.2. Software Updates
23.2.1. Software must be no more than 1 version behind the current security patch
level.
23.2.2. Software patches labeled critical by the software vendor must be applied
within 24 hours of release.
23.2.3. Applications must be built on a supported platform that receives regular
security updates.
23.2.4. Software must be developed with modules, packages, APIs, SDKs, and/or
libraries that receive regular security updates.
23.2.5. Software modules, packages, APIs, SDKs, and/or libraries must be updated
within 30 days of a security update release.
23.2.6. Software must be able to run on no more than 1 major version behind the
latest host operating system release version, web browser, firmware or
workstation operating System.
24. Cloud Providers and Services
24.1. Cloud Service Solutions
24.1.1. Cloud tenants must be securely architected using industry standards.
24.1.2. Cloud solutions must rest on the City’s standard tenant.
24.1.3. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as
a Service (SaaS) solutions must be proposed through the City’s IT Governance
process and approved by the City of San Diego Cybersecurity Team during
planning and prior to being implemented.
24.1.3.1. Proposals must include documentation which shall be created and
maintained by the proposing entity. At minimum, documentation should
include the following information:
24.1.3.1.1. Network Diagrams
24.1.3.1.2. Access Lists
24.1.3.1.3. Firewall Rules
24.1.3.1.4. IAM Information
24.1.3.1.5. Data Classification Usage
24.1.3.1.6. Overall Security Plan
24.1.3.2. Modifications to documentation presented at time of proposal must be
recorded and approved by the City of San Diego Cybersecurity Team
during planning and prior to being implemented.
24.1.4. The City of San Diego Cybersecurity Team shall receive and retain root
administrative access to any cloud hosting services.
24.1.5. The City of San Diego Cybersecurity Team shall receive and retain full read
access to real-time logs of any PaaS or SaaS systems.
25. Incident Response and Management
25.1. Reporting Policies
25.1.1. User reports must be discreet and will be classified as Confidential data.
25.1.2. Users must comply and cooperate with the City of San Diego Cybersecurity
Team during an incident relevant to their system(s).
25.1.3. Any attempt to interfere with, prevent, obstruct or dissuade an employee or
other user in their efforts to report potential security-related concerns is
strictly prohibited.
25.1.4. Any attempt to destroy incident related materials is strictly prohibited.
25.2. User Responsibilities
25.2.1. Supervisors must report subordinates believed to be potential security risks to
their Information Security Liaison and the City of San Diego Cybersecurity
Team in a timely manner.
25.2.2. Users must report theft, loss or unauthorized disclosure of City of San Diego
Protected data to their Information Security Liaison and the City of San Diego
Cyber Security Team in a timely manner.
25.2.3. Users must report unauthorized access to physical areas housing Protected
data to their Information Security Liaison and the City of San Diego Cyber
Security Team in a timely manner.
25.2.4. Users must report identified system flaws, misconfigurations or vulnerabilities
to their Information Security Liaison and the City of San Diego Cybersecurity
Team immediately.
25.2.5. Users must report anomalous or suspicious activities to their Information
Security Liaison and the City of San Diego Cybersecurity Team immediately.
25.2.6. Users must report lost or stolen devices to their Information Security Liaison
and the City of San Diego Cyber Security Team immediately.
25.2.7. Users must send suspicious emails as an attachment to
anti-spam@sandiego.gov.


25.2.8. Users found to be involved in or associated with incidents must retake the
Cybersecurity Training.
25.3. Incident Management
25.3.1. Incident information is classified as Confidential data and must be handled and
protected as such.
25.3.1.1. Incident information is distributed at the sole discretion of the City of San
Diego Cyber Security Team.
25.3.2. Incident priority levels are determined and modified at the sole discretion of
the City of San Diego Cybersecurity Team.
25.3.3. Incident management standard operating procedures must be reviewed on at
least an annual basis.
25.4. Incident Response Plan
25.4.1. The Incident Response Plan shall be maintained by the City of San Diego
Cybersecurity Team.
25.4.2. The Incident Response Plan shall be reviewed on at least an annual basis.
25.4.3. The Incident Response Plan shall be tested as follows:
25.4.3.1. Incident Response Team will engage in a tabletop exercise that would
simulate the appropriate response to a theoretical Cybersecurity
Incident on at least an annual basis.
25.4.3.2. Designated staff will participate in any testing of the Incident Response
Plan at the discretion of the City of San Diego Cybersecurity Team.
25.4.4. Further detail can be found in the Incident Response Plan document.
26. Compliance
26.1. Legal Requirements
26.1.1. The City shall conduct or cause to be conducted, at least annually, a formal
compliance audit of the information security controls for those information
and communications systems which are governed by state or federal laws or
regulations.
26.1.2. City records and other information assets shall be protected from loss,
destruction, tampering or falsification by following the City Clerk’s policies
and procedures, and applicable statutes, by implementing information
security controls and measures commensurate with the security classification
of such information.
26.1.3. By using City information systems, Individuals acknowledge that any
information they store on City systems will be released to law enforcement
when appropriate or when subpoenaed.

26.2. Compliance Policies


26.2.1. Policies relevant to specific compliance regulations shall be created and
maintained in separate documents by the City of San Diego Cyber Security
Team.
27. Segregation of Duties
27.1. The City of San Diego’s Cyber Security Team will abide by a segregation of
duties document stored here


27.1.1. This document will be reviewed and approved by the CISO and CIO on an
annual basis
28. References
28.1. External Resources
28.1.1. https://www.cisecurity.org/controls/
28.1.2. https://www.sans.org/security-resources/policies
28.1.3. https://nvd.nist.gov/vuln-metrics/cvss
28.1.4. https://csrc.nist.gov/glossary
28.2. Internal Resources
28.2.1. https://citynet.sandiego.gov/it/services/it-security
28.2.2. https://www.sandiego.gov/humanresources/resources/ar


Appendices
Appendix A – Security Objectives
| Objective | Definition | Effect |
| --- | --- | --- |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information. |
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. | The unauthorized modification or destruction of information. |
| Availability | Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system. |


Appendix B - Contacts
Cyber Security Team

| Role | Name | Email | Primary Phone |
| --- | --- | --- | --- |
| Chief Information Security Officer | Brendan Daly | bmdaly@sandiego.gov | (619) 980-9473 |
| Deputy CISO | Jim Luther | jfluther@sandiego.gov | (858) 208-0033 |
| Cyber Security Manager | Joe Schiffman | JSchiffman@sandiego.gov | (619)-534-3314 |
| Cyber Security Engineer | Luan Tran | tranl@sandiego.gov | (858) 401-6185 |
| PCI Security Compliance | Ian Brazill | IBrazill@sandiego.gov | (619) 533-4812 |
| Cyber Operations Manager | John Bortscheller | jnbort@sandiego.gov | (619) 533-4807 |
| User Account Administrator | Kamal Scott | kscott@sandiego.gov | (619) 533-4886 |
| Information Systems Analyst | Anthony Chadwick | achadwick@sandiego.gov | (619) 884-4150 |
