Cybersecurity Risk Analyst - Department of Technology (1052)

  • Full-time
  • Work Hours: Regular
  • Job Code and Title: 1052-IS Business Analyst
  • Fill Type: Permanent Exempt

Company Description

This position is NOT supporting 100% remote work, and the employee for this position will need to live in the Bay Area.

IMPORTANT: Your application MUST include responses to the supplemental questionnaire found here

Applicants must complete the supplemental questionnaire prior to starting the online application process. Applicants will not be reviewed without a completed supplemental questionnaire.

The Department of Technology (DT) is the centralized technology services provider within San Francisco City and County government, delivering technology infrastructure and services to more than 28,000 employees and over 800,000 citizens.  The department has an annual operating budget of over $130M and contains over 240 employees.  Core service areas include: Technology Architecture & Security, Technology Service Delivery & Management, Client Services & Project Management Office, Public Safety Systems & Wiring, Technology Administration, Policy & Governance, and Public Communications.

Our award-winning cybersecurity team has been recognized for setting the standard for excellence across the City. We are a service-oriented and dynamic group whose members are responsible for their own success and firmly committed to our mission.

In alignment with our vision of serving as a model for a secure government, ensuring data confidentiality and integrity, as well as service availability, we have embarked on a mission to further mature the City’s cybersecurity program. Through the governance, risk, and compliance pillar of cybersecurity, we will strengthen the cyber program by further developing administrative controls, enhancing our risk management program, evolving vendor assessments, meeting compliance through adherence to regulatory frameworks, and cross-functionally working with senior management to align business and security goals.

Job Description

The City and County of San Francisco (City) is hiring a Cybersecurity Risk Analyst. The analyst will support a critical function of the City's Cybersecurity Division that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks throughout the Citywide enterprise. They will gain firsthand experience supporting and maturing a Technology Risk & Resilience program.

Essential Job Duties and Functions: 

  • Performs cyber risk assessments against City cybersecurity requirements.
  • Conducts Vendor Risk Assessments to assess security posture of vendors.
  • Supports the cyber awareness training and education program, including phishing simulations.
  • Tracks and monitors risk mitigation plans and develops reports in accordance with GRC metrics.
  • Coordinates with technology and business groups to assess, implement, and monitor IT-related security risks/hazards.
  • Performs review of policies and supporting procedures/processes.
  • Conducts technical research to aid in threat assessment and risk mitigation activities, as well as changes in the industry as they relate to security.
  • Helps develop and monitor cybersecurity controls and supports City departments in control maintenance.

Work Location
Incumbent will conduct the majority of work at the Department of Technology, 1 South Van Ness Ave 2nd Floor, San Francisco, CA, 94103.  However, there may be situations where the incumbent will be required to work at other sites throughout the City of San Francisco as necessary.

Nature of Work
Incumbent must be willing to work a 40-hour week as determined by the department. Telecommuting options are available upon appointing officer’s approval.

Qualifications

Education:
An associate degree in computer science or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in computer science or a closely-related field].

Experience:
One (1) year in the information systems field, including technical support, content management, administration of network applications or system analysis.

Substitution:
Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in computer science or a closely related field.

Desirable Qualifications:
The stated desirable qualifications may be considered at the end of the selection process when candidates are referred for hiring.

  • 3-5 years working in a cyber GRC-type role.
  • Risk analytics experience within IT.
  • Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc.).
  • Familiar with security standards (e.g., HIPAA, PCI-DSS).
  • Familiar with vendor risk management assessments (e.g., SOC2, CAIQ).
  • Comfortable having a technical discussion.
  • Proficient in Excel or similar.
  • Ability to define and communicate risk in business-relevant language.
  • Excellent verbal and written communication skills.
  • Ability to communicate IT risk concepts to non-technical people.
  • Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR).
  • Familiar with auditing cybersecurity and technical policies and controls.
  • Familiar with GRC platforms (e.g., SNOW, LogicGate, OneTrust).
  • A security certification is preferred (e.g., Security+, CISA, CISM, CRISC).
  • Skills in SharePoint and reporting services are preferred.
  • Familiar with privacy concepts.

One year of full-time employment is equivalent to 2000 hours. (2000 hours of qualifying work experience is based on a 40-hour work week.) Any overtime hours that you work above forty (40) hours per week are not included in the calculation to determine full-time employment.

Notes: 

1. Medical Testing: Prior to appointment, eligible candidates must successfully pass the TB testing process. 

2. Security Clearances & Background Investigations: Successful candidates in this classification who become eligible for appointment may be required to go through a background investigation to determine the candidate’s suitability for employment in this classification. Factors considered in the investigation may include employment history, use of illegal/controlled substances. Reasons for rejection based on this investigation may include, but are not limited to: applicable convictions, repeated or serious violations of the law, inability to accept supervision, inability to follow rules and regulations, falsification of application materials and/or other relevant factors. Failure to obtain and maintain security clearance may be basis for termination.

3. Verification: Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found here.

Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline. Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.
Resumes will not be accepted in lieu of a completed City and County of San Francisco application.
Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.

Additional Information

Appointment Type: Permanent Exempt (PEX) - Full Time. This position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointment officer.

Compensation: $96,512.00 - $121,420.00 annually ($46.4000-$58.3750 hourly)

How to Apply:

  • IMPORTANT: Your application MUST include responses to the supplemental questionnaire found here
  • Applicants are encouraged to apply immediately as this recruitment is anticipated to close on Friday, July 1, 2022.
  • Your application MUST include a resume. To upload, please attach using the "additional attachments" function.
  • You may contact Connie Poon via email at [email protected] with questions regarding this opportunity.

  • Applicants are encouraged to apply immediately as this recruitment may close at any time.

Applicants may be contacted by email about this recruitment and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org, @famsf.org, @ccsf.edu, @smartalerts.info, and @smartrecruiters.com).

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.

Late or incomplete submissions will not be considered. Mailed, hand delivered or faxed documents/applications will not be accepted.

Exam Analyst Information: If you have any questions regarding this recruitment or application process, please contact Connie Poon by email at [email protected]

Right to Work:

All persons entering the City and County of San Francisco workforce are required to provide verification of authorization to work in the United States. Please be informed that the Department of Technology will not sponsor visa applications/transfer.


Helpful Information

CONDITION OF EMPLOYMENT:  All City and County of San Francisco employees are required to be fully vaccinated against COVID-19 as a condition of employment. Someone is fully vaccinated when 14 days have passed since they received the final dose of a two-shot vaccine or a dose of a one-shot vaccine. Any new hire must present proof of full vaccination status to be appointed. Any new hire who will be routinely assigned or occasionally enter High-Risk Settings, must provide proof of having received a COVID-19 booster vaccine by March 1, 2022, or once eligible.

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.
