committee on information technology · users of ccsf information systems with access to critical...

Committee on Information Technology, Regular Meeting, November 21, 2019, 1 Dr. Carlton B. Goodlett Place, City Hall, Room 305, San Francisco, CA 94102


Page 1: Committee on Information Technology · Users of CCSF information systems with access to critical systems shall participate in cybersecurity awareness training, including: 1. All users

Committee on Information Technology

Regular Meeting

November 21, 2019


1 Dr. Carlton B. Goodlett Place, City Hall, Room 305, San Francisco, CA 94102


Agenda

• Call to Order by Chair
• Roll Call
• Approval of Meeting Minutes from October 17, 2019
• Chair Update
• CIO Update
• Digital Services Strategy Update
• Policy Update: Citywide Cybersecurity Policy
• Policy Update: Cybersecurity Awareness & Training Standard
• Public Comment
• Adjournment


3. Approval of Minutes

Action Item


4. Chair Update


5. CIO Update


Department of Technology Town Hall 11.19.19

Providing Kincade Fire Refugees with Internet Access

Partnerships for

St. Mary’s Church Shelter

Services for 200 people

Department of Emergency Management, Special Event Operations

Department of Technology, Division of Public Safety

Monkeybrains – routers, WAPs and service

ATT – phone charger


Department of Technology Monkeybrains

Connecting Kincade Fire Refugees

Build fiber connection

Pull fiber to the premises

Connect wireless access points

Connect switch

Connect router


bit.ly/dthelps


An Overview of ballot-comparison audit for Ranked-Choice Voting

Election Commission Meeting

November 20th, 2019

Project ShangRLA


Introducing a few firsts

• Implementation of a Risk-Limiting Audit on a Ranked-Choice Voting

• Independent validation of Dominion’s RCV Tabulation

• Open source voting project component piloted and tested

Open Source Voting System Project


What is a Risk-Limiting Audit?

A Risk-Limiting Audit (RLA) offers a statistical guarantee:

“If a full manual tally of the paper ballots would show that the reported election outcome is wrong, an RLA has a known minimum chance, the RLA limit, of leading to a full manual tally” – Philip B. Stark

“As with other elections audit, the goal is to identify not only intentional alterations of ballots and tallies, but also bugs in election machines, such as software errors, scanners with blocked sensors or scanners skipping some ballots.” – Wikipedia


ShangRLA flow overview

[Flow diagram with steps numbered 1 to 8. Labels: Dominion; Tabulates & Convert to RAIRE; CVR (JSON); RAIRE (JSON); RAIRE assertion generator; Assertions (JSON); Assertion visualizer; Manifest (tab); Seed; Elections Dept; RLA Tool; Ballots to audit (CSV); Physical ballots; Manual Vote Recorder Tool; MVR (JSON); Audit results.]


Next Step: Taking ShangRLA from Pilot to Product


Phase I:

• Standardize on languages

• Transition out of Jupyter notebook

• Migrate from files to an RDBMS

• JSON is ill-suited for a system that has a natural entity-relationship model

• Build a test suite above and beyond unit tests

• Document

Phase II:

• Support for Multi-Contest auditing

• Integrate non-VBM Ballot auditing

• Enhance the UI

• ShangRLA is engineered to support various forms of contest beyond RCV


Acknowledgements


CCSF would like to acknowledge the team effort:

RCV Team:

Dr. Michelle Blom: Research Fellow, School of Computing and Information Systems, The University of Melbourne, Australia

Dr. Andrew Conway: CEO, Silicon Econometrics Pty. Ltd., Australia

Peter Stuckey: Professor, Data Science & AI, Monash University, Melbourne, Australia

Vanessa Teague: Associate Professor, School of Computing and Information Systems, The University of Melbourne, Australia

RLA Team:

Dan King: ViewPoint Technology, San Diego

Philip B. Stark: Professor of Statistics, Associate Dean, Division of Mathematical and Physical Sciences, Regional Associate Dean (Interim), College of Chemistry and Division of Mathematical and Physical Sciences, University of Berkeley, CA


San Francisco Digital Services

Digital Services update

Carrie Bishop

November 2019


Hello COIT! It’s been a while…


We launched a new website for the City!


In line with our design principles

1. Represent the diversity of the city

2. Celebrate our unique culture and progressive values

3. Be accessible and inclusive for all people

4. Reflect that the website is easy to use, efficient and reliable

5. Be flexible for the variety of services and content we offer


Website progress

[Status board with columns Done, Doing and To-do. Items: Search; Service start pages; Dept homepages; News; Events; Branding; Homepage; Info pages; Single sign-on for staff; Transaction pages; Topics / navigation; Translation; People info pages; SEO; Analytics; Public meetings; Content editor for staff; Pattern library; Emergency info.]


By the new year

● Human translation implemented

● Ability to put forms online

Beyond

● Meetings, minutes and agendas

● Transactions online (digital permitting)

● Supporting more departments to move across


Thank you to the departments we’ve worked with so far!

● OCEIA

● OTI

● DPH

● County Clerk

● DPA

● Fire

● Entertainment Commission


We will be bringing an accessibility policy to COIT through APRB:

• 5th grade reading level

• Human translation

• Comply with the law and meet international standards


We also moved 80 existing city websites to a new hosting provider.

We continue to support these existing websites.


Permitting – transactions online


We’re helping people get an ADU permit


And apply online


And connecting systems at the back end for a seamless customer experience

[Diagram of connected back-end components: Case management; Power BI; Predictive analytics; Meta-data; Digital forms; Document management; Zone checking; Appt. booking; Payments; Unique identifiers; Enterprise Address System; Identity Access Mgmt; Electronic signatures; Web content; Fee estimator; Status tracking; Notifications; EPR.]


To support all of this work we are growing the team.


Into FY20/21


As we mature our services we must be able to support them. This means:

● Technical support (patches, fixes, updates)

● Customer support (public facing)

● Accessibility support (language translation, compliance)

● Content support (timely public information, legislative changes)


Questions?


7. Citywide Cybersecurity Policy


Background

Original Approval: November 17, 2016

Updated: June 19, 2018

2019 Update:

› Role of Department Information Security Officer

› Update to Requirement Timelines

› Emergency Support Function Unified Cyber Command


Requirements

The COIT Cybersecurity Policy requires all departments to:

1. Appoint a Departmental Information Security Officer (DISO) or Chief Information Security Officer (CISO) depending on Department size.

2. Adopt a cybersecurity framework as a basis to build their cybersecurity program.

3. Support cyber incident response as needed in accordance with Emergency Support Function 18 (ESF-18) Unified Cyber Command.

4. Conduct and update, at least annually, a department cybersecurity risk assessment.

5. Develop and update, at least annually, department cybersecurity requirements to mitigate risk and comply with legal and regulatory cybersecurity requirements.

6. Participate in citywide cybersecurity forum meetings.


8. Cybersecurity Awareness & Training Standard


Background

Original Approval: October 27, 2017

Update:

› Defines role of Human Resources

› Help to improve citywide adoption


Requirements

Users of CCSF information systems with access to critical systems shall participate in cybersecurity awareness training, including:

1. All users are required to take annual cybersecurity awareness training in the form of Computer-Based Training (CBT) or instructor-led workshops.

2. All new users are required to take mandatory cybersecurity awareness training in the form of the CBT or instructor-led workshops.

3. Awareness reinforcement and additional training may be provided through newsletters, posters, phishing campaigns, screensavers, webcasts, workshops and national cybersecurity-related events.


9. Public Comment
