0933 Chief Information Security Officer

Recruitment #PBT-0933-089248


San Francisco Department of Public Health

This is a position based test (PBT) conducted in accordance with Civil Service Rule 111A.

We encourage applicants to submit their applications as soon as possible. This position may close at any time but no sooner than 5:00 p.m. on Friday, September 21, 2018.

Job Description: Information technology plays a vital and ever-expanding role at the San Francisco Department of Public Health. The San Francisco Department of Public Health's information technology environment is a highly diverse and complex set of components that requires strong leadership. We are seeking a strong, knowledgeable leader to provide vision, strategy, broad-based planning, and hands-on responsibility as the Chief Information Security Officer (CISO). The CISO reports directly to the Chief Information Officer (CIO) and also reports on a dotted-line basis to the DPH Compliance and Privacy Affairs Chief Integrity Officer. The DPH CISO also supports and consults with the City CISO on city-wide cybersecurity efforts and participates in the Citywide Cybersecurity Forum. The CISO is a member of the DPH IT leadership team and serves a key role in leadership.

The CISO is an advocate for DPH's total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of DPH within the cybersecurity framework established by the City Cybersecurity Policy.  The CISO leads the development and implementation of a departmental security program that leverages collaboration, facilitates information security governance, advises DPH senior leadership on security direction and resource investments to capitalize on Citywide cybersecurity investments, and designs appropriate policies to manage information security risk in alignment with the Citywide Cybersecurity requirements.  The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the organization level.

Important and Essential Duties:

  • Use a risk-based approach to provide leadership, direction and prioritization in assessing and evaluating information security risks across the organization with a high level of integrity and discretion, advising and consulting with executives on identified risks and ensuring the execution of agreed upon mitigation/remediation steps.
  • Oversee the ongoing strategic development of the information security project portfolio, departmental incident response and security policy frameworks in alignment with Citywide Cybersecurity policies, security compliance activities, departmental threat and vulnerability management, departmental information security training and awareness program, including specialized triaging in areas of high criticality in close partnership with IT Security Operations and Citywide Cybersecurity Team.
  • Direct and allocate resources that achieve a robust security strategy by identifying and advocating for investments, capitalizing on Citywide cybersecurity investments, aggressively managing capital and operating budgets, and providing thorough Return on Investment (ROI) analysis and IT budget recommendations.
  • Collaborate with DPH’s Office of Compliance and Privacy Affairs to assess data security risks as it relates to agreements, projects and initiatives and develop tools and interventions to mitigate risks; develop key performance criteria and metrics; perform audits and monitor security compliance activities.
  • Create alignment and support for the DPH security program goals, initiatives and strategies, effectively balancing the needs of internal and external stakeholders and informing leadership at all levels on efforts and trends impacting the overall effectiveness of the information security programs.
  • Promote understanding of regulatory requirements across the organization, leading and/or collaborating with cross functional teams and senior business leaders to ensure execution of required testing and auditing activities by internal and external parties leading to the successful certification and/or compliance of the organization on an on-going basis.
  • Develop departmental cybersecurity requirements in alignment with the Citywide cybersecurity requirements and with regulatory requirements to ensure enterprise and product compliance with industry standards including HIPAA, HITRUST, ISO 27001, NIST, PCI-DSS and other security standards.
  • Partner with the Citywide Cybersecurity team to monitor external and emerging threats and take the appropriate course of action and communication.
  • Oversee business continuity and disaster recovery policy management to support departmental compliance with Citywide Disaster Recovery policy, training, testing and coordination with agencies and staff for disaster planning and preparation.
  • Develop and coordinate plans for DPH incident response within the City cybersecurity incident response framework to ensure that business critical services can be maintained.
  • Participate in and support the protection of data assets on premises, in coordination with third parties, and in the cloud.
  • Ensure project management includes processes to manage security risks.
  • Manage contract and vendor negotiations ensuring ongoing contract security standards and close coordination with legal and risk management.
  • Develop, implement and maintain departmental policies (on a routine cadence) to support Citywide Cybersecurity policies and departmental procedures in order to ensure effective security program operations.
  • Actively represent DPH in security-related matters with the Citywide CISO and in the Citywide Cybersecurity Forum, and with City partners, internal and external customers, and industry groups; be visible and enhance the organization's external standing in the information security space.
  • Provide regular reporting on the current status of the information security program to risk teams and senior DPH leaders to support ongoing security strategy and management.
  • Stay current with industry trends and the latest information security practices and standards to ensure solutions incorporate effective use of technology.

Compensation and Benefits:

The normal annual salary range is $139,620.00 - $178,230.00/year. Appointment above the maximum of the normal range may be considered based on documented and substantiated recruitment and retention issues or exceptional skills. A special approval process is necessary for appointment above the normal salary range.

In addition to a competitive salary, the City and County of San Francisco offers flexible benefit plans with pre-tax elections which include: medical and dental insurance; retirement plan; deferred compensation plan; Social Security; long-term disability plan; life insurance; management training program; eleven (11) paid holidays annually; five (5) floating holidays; depending on years of service, ten (10), fifteen (15), or twenty (20) vacation days annually; and may earn up to 100 hours paid administrative leave annually.


Minimum Qualifications


Bachelor's in business, computer engineering, computer science or any related field.


A minimum of eight (8) years in information technology security, including:

  • Five (5) years of Healthcare IT security experience.
  • Three (3) years of experience supervising Healthcare IT security professionals.

Substitution: Additional experience as described above may substitute for the required degree on a year-for-year basis. One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units.

A graduate degree in business, engineering, or any related field may substitute for one (1) year of the required non-supervisory experience.

Desirable Qualifications: The following desirable qualifications may be used to identify job finalists at the end of the selection process when candidates are referred for hiring.

  • Project management experience.
  • Financial and budget management experience.
  • Executive leadership training or Graduate degree.
  • Professional security management certification is desirable (CISSP, CISM, CISA).
  • Experience with vendor management.
  • AXELOS ITIL (Information Technology Infrastructure Library) Certification.


Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at http://sfdhr.org/index.aspx?page=456.

Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

How To Apply

Applications for City and County of San Francisco jobs are only accepted through an online process. Visit www.jobaps.com/sf to register an account (if you have not already done so) and begin the application process.

  • Select the desired job announcement
  • Select “Apply” and read and acknowledge the information
  • Select either “I am a New User” if you have not previously registered, or “I have Registered Previously”
  • Follow instructions on the screen

Computers are available for the public (from 8:00 a.m. to 5:00 p.m. Monday through Friday) to file online applications in the lobby of the Dept. of Human Resources at 1 South Van Ness Avenue, 4th Floor, San Francisco.

Applicants may be contacted by email about this announcement and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date.  Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter.  To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org).

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file.  Applicants should retain this confirmation email for their records.  Failure to receive this email means that the online application was not submitted or received.

All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline.  Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.

Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.

If you have any questions regarding this recruitment or application process, please contact the exam analyst, Thomas Duda, by telephone at 415-554-2916, or by email at thomas.duda@sfdph.org.

Selection Procedures

Management Test Battery: (Weight: 50%)

Qualified candidates will be invited to participate in a computer-based examination designed to measure competencies in job-related areas which may include but not be limited to: Problem Solving; Leadership; Decision Making; Interpersonal skill; Human Resources Management; Team Building; Communication; Conflict Management and Process Improvement. For more information about this Management Test (and a suggested reading list) please visit: http://www.sfdhr.org/index.aspx?page=343.

Please note: this examination is only held in San Francisco. A passing score must be achieved on the Management Test Battery to continue in the selection process.

This is a standardized examination and, therefore, test questions and answers are not available for public inspection or review.

Scores attained on the Management Test Battery will be valid and 'banked' for three years, starting from the date of the examination. This means that, during this three-year time period, you will not be required to take the Management Test Battery. The Management Test Battery may be used for many other classes; therefore your test score may be applied to one or more of these classes if you choose to apply to future recruitments. If the selection process for the future announcement is held within one year of the date of this examination and it includes the Management Test Battery, your score will be automatically applied to that announcement. However, after one year, you have the option to either (a) apply your test score to the other announcement or (b) re-take the Management Test Battery. Re-testing is permitted no sooner than one year from the date of the examination and only in association with your eligibility for another announcement for which the Management Test Battery is used. Please note that, should you re-test, your re-test score would become your official score since it is the most recent.

Supplemental Questionnaire: (Weight: 50%)

Candidates who successfully complete the Management Test Battery will receive a supplemental questionnaire that will be evaluated in relation to the knowledge, skills, and abilities required for the Chief Information Security Officer position.

These may include, but are not limited to, the following:

  • Ability to apply project management principles, methods, and tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring and inspecting costs, work, and contractor performance.
  • Ability to devise, implement, and maintain information security management framework.
  • Ability to engage and influence a broad range of internal stakeholders (e.g. HR, IT, Legal, Compliance, senior management, etc.).
  • Ability to prepare, justify, administer, and monitor the budget for program areas to ensure cost-effective support of programs and policies.
  • Ability to respond to and contain information security incidents.
  • Knowledge of information security technology, including NIST, HITRUST, COBIT, ISO 27001 or a similar cybersecurity framework.
  • Knowledge of relevant laws, regulations, and standards relating to healthcare information security, including HIPAA, PCI-DSS, PII, HITECH, etc.
  • Knowledge of the principles and methods for evaluating program performance using financial and nonfinancial measures, including identification of evaluation factors, metrics, and outcomes.

Certification Rule: The certification rule used for the eligible list resulting from this selection procedure will be Rule of the List. The hiring department may employ additional selection procedures prior to making a final hiring decision.

Eligible List: http://sfdhr.org/getting-job#eligiblelists

The eligible list resulting from this examination is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission.

The duration of the eligible list resulting from this examination process will be 12 months, and may be extended with the approval of the Human Resources Director.

Upon approval of the Human Resources Director (see Civil Service Rule 111A.26.5), the eligible list resulting from this announcement may be used by other departments that also use this classification or a similar classification.


Conviction History

As a finalist for a job, you will be fingerprinted, and your fingerprints will be sent to the California Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). The resulting report of your conviction history (if any) will be used to determine whether the nature of your conviction (or arrest, in limited circumstances) conflicts with the specific duties and responsibilities of the job for which you are a finalist. If a conflict exists, you will be asked to present any evidence of rehabilitation that may mitigate the conflict, except when federal or state regulations bar employment in specific circumstances, such as:

  • Candidates for positions with the Unified School District and the Community College District may be disqualified from consideration should their conviction history not meet the standards established under the California Education Code.
  • Candidates for positions with the Recreation and Park Department may be disqualified from consideration should their conviction history not meet the standards established under California Public Resources Code 5164.

Having a conviction history does not automatically preclude you from a job with the City.

If you are selected as a finalist, the hiring department will contact you to schedule a fingerprinting appointment.

Disaster Service Workers

All City and County of San Francisco employees are designated Disaster Service Workers through state and local law (California Government Code Section 3100-3109). Employment with the City requires the affirmation of a loyalty oath to this effect. Employees are required to complete all Disaster Service Worker-related training as assigned, and to return to work as ordered in the event of an emergency.


Note on Electronic Health Record (EHR): The Department of Public Health (DPH) is implementing a unified Electronic Health Record (EHR) system and DPH employees must demonstrate competency in the use of the system that is appropriate for their classification as a condition of employment.

Note on Personal Protective Equipment (PPE): Some positions in the Department of Public Health will require the use of personal protective equipment (PPE), including but not limited to gloves, gowns, eye and face protection, and face-fitting respirators. The requirement for the use of PPE may come on short or no notice. Facial hair or any condition that interferes with a face-fitting respirator’s seal (i.e. comes between the sealing surfaces of the respirator and the wearer’s bare skin) is not permitted when face-fitting respirators are worn, including during initial or periodic respirator fit-testing.

Employees who choose not to shave and do not have either Americans with Disabilities Act (ADA) or Equal Employment Opportunity (EEO) accommodations do not have the right to alternate work assignments or the option of using a loose-fitting Powered Air Purifying Respirator (PAPR) in place of a face-fitting respirator.

Medical Examination/Drug Testing:
Prior to appointment, at the Department's expense, applicants may be required to take a tuberculosis (TB) screening test, a medical examination and/or drug test.

Terms of Announcement:

Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by posting the correction on the Department of Human Resources website at www.jobaps.com/sf.

The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule.  Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director.  Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.

General Information concerning City and County of San Francisco Employment Policies and Procedures can be found at:  http://www.sfdhr.org/index.aspx?page=20

Copies of Application Documents: http://sfdhr.org/getting-job#copies

Right to Work: http://sfdhr.org/getting-job#identification

Information on requesting a reasonable ADA Accommodation: http://www.sfdhr.org/index.aspx?page=20#applicantswithdisabilities

Information regarding requests for Veterans Preference can be found at:

Information regarding Seniority Credit can be found at:

Exam Type:  CPE
Issued:  August 31, 2018
Micki Callahan
Human Resources Director
Department of Human Resources
Recruitment ID Number: PBT-0933-089248



All employees hired on or after January 10, 2009 will be required (pursuant to San Francisco Charter Section A8.432) to contribute 2% of pre-tax compensation to fund retiree healthcare. In addition, most employees are required to make a member contribution towards retirement, ranging from 7.5%-13.25% of compensation. For more information on these provisions, please contact the personnel office of the hiring agency.