SIG-Lite and CAIQ-Lite

Buyer is conducting an information security assessment using standardized questionnaires for vendor risk management. The assessment focuses on security controls across multiple domains including application security, incident management, business continuity, access control, and data protection. Buyer requires vendors to demonstrate compliance with security best practices, regulatory requirements, and privacy safeguards. The questionnaires (SIG-Lite and CAIQ-Lite) include specific security requirements for cloud services provided to the City and County of San Francisco.

• 5/24/2025 - Proposal Due Date

• Security attestation reports (SOC2/ISO 27001)
• Regular network and application penetration testing
• Formal information security policies and procedures
• Incident response management program
• Data encryption capabilities for data at rest and in transit

• Complete comprehensive security questionnaire covering application development security practices
• Document secure software development lifecycle policies and procedures
• Demonstrate vulnerability remediation processes for production systems
• Provide evidence of API security and encryption standards
• Document incident response plans and cybersecurity management
• Establish business resilience and disaster recovery protocols
• Implement third-party risk management for subcontractors and vendors
• Maintain information security policies with annual reviews
• Configure multi-factor authentication and access controls
• Demonstrate data privacy compliance across multiple jurisdictions