9976 Cybersecurity Risk and Compliance Manager

Recruitment #PEX-9976-087954



ABOUT US: The Department of Technology is the centralized technology services provider within San Francisco City & County government, delivering technology infrastructure and services to approximately 28,000 employees and 800,000 citizens.  The department has an annual operating budget of over $97M and contains over 220 employees.  Core service areas include: Technology Architecture & Security, Technology Service Delivery & Management, Client Services & Project Management Office, Public Safety Systems & Wiring, Technology Administration, Policy & Governance, and Public Communications.

ABOUT THE TEAM: The cybersecurity division, located in the Department of Technology, serves City departments by securing sensitive data and technology assets, assessing and managing security risk, and thwarting attempted cyberattacks. The team is also tasked with actively monitoring systems, creating cybersecurity policies that empower departments and commissions and promoting cybersecurity best practices within the City departments.

POSITION SUMMARY: The Cybersecurity Risk and Compliance Manager is accountable for the development and maintenance of the City’s Information Security Risk and Compliance Management Program. The position liaises with City departments on behalf of the City’s Information Security Program. The Cybersecurity Risk and Compliance Manager will be responsible for evaluating security risks and recommending security strategies and mitigations.


· Serve as the primary security risk liaison for City Departments, including executive stakeholders. Liaise with business and technology leaders to ensure visibility into and understanding of security risks. Develop strong relationships with key stakeholders to ensure risk management oversight is understood and managed appropriately.

· Formally document and maintain the security risk strategy, risk assessment process and annual risk treatment efforts for the City.

· Assist with and facilitate the development of risk assessments and mitigation strategies for the City Departments.

· Oversee information security risk assessments while working directly with security technologists to evaluate risks for new and existing technologies.

· Facilitate self-assessments and third-party information security risk assessments of key City technologies, operational processes, controls and vendors.

· Develop and maintain the information security risk management framework and methodology based on NIST standards.

· Create and maintain a risk, threat and controls library based on NIST 800-53, ISO 27002 and other standards.

· Manage action plans in response to information security risk assessments, track status and report to security leadership.

· Provide guidance and support related to the design and implementation of internal and external control requirements (e.g., NIST CSF, PCI, HIPAA).

· Design relevant risk metrics to enable security leadership to make risk-based decisions, and assist with the development and management of policies, standards, guidelines and training.

· Provide recurring risk reports to the CISO, business stakeholders and IT leadership teams.

· Maintain the Information Security Risk Register.

· Promote a risk-aware culture and ensure efficient and effective risk and security management practices by adhering to required standards and processes.

· Participate in planning, scheduling and preliminary analysis for all internal and external audit projects.

· Interact with internal audit, third-party auditors and appropriate regulatory bodies.

· Maintain and promote the use of GRC tools.

· Build and maintain relationships with the City Departments, including understanding their risk landscape.

· Contribute to the development of security policy and standards.


· Understand and work effectively in a complex, matrixed environment.

JOB TYPE: This Permanent Exempt- Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointing officer. This position has an anticipated duration of no more than five (5) years and will not result in an eligible list or permanent civil service hiring.

WORK LOCATION: Incumbent will conduct the majority of work at the Department of Technology, 1 South Van Ness, San Francisco, CA.  However, there may be situations where the incumbent will be required to work at other sites throughout the City of San Francisco as necessary.

NATURE OF WORK: Incumbent must be willing to work a 40-hour week as determined by the department.  Travel within San Francisco may be required.


Working under general administrative direction, the Technology Expert plans, organizes, performs, delivers, directs and/or controls highly complex technology-related work products requiring industry or product expertise in broad areas of information technology.

Minimum Qualifications

These minimum qualifications establish the education, training, experience, special skills and/or license(s) which are required for employment in the classification.  Please note, additional qualifications (i.e., special conditions) may apply to a particular position and will be stated on the exam/job announcement.

Education: An associate degree in computer science or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in computer science or a closely-related field].

Experience: Seven (7) years of IT Systems/Information Assurance experience. Five (5) years of this experience must include specialized IT risk management experience, such as an understanding of NIST 800-30x, HIPAA and PCI requirements as they relate to information security.

Substitution: Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units/ forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in computer science or a closely related field.  


  • Understanding of NIST 800-30x, HIPAA and PCI requirements as they relate to information security
  • Experience with implementing various security control standards (e.g., NIST CSF, PCI DSS, NIST 800-30) at large, complex organizations.
  • Experience with common audit methodologies. 
  • Experience working with GRC products. 
  • Successful candidates will have the ability to work autonomously and be able to bridge the gap between technical knowledge and stakeholder engagement in order to influence strategy and information security management
  • Experience working both independently and in a team-oriented, collaborative environment
  • Recognize complex problems, analyze situations and provide suggested/implemented resolution(s)
  • Ability to interact professionally with a diverse group including executives, managers and subject matter experts
  • Ability to apply critical thinking to process improvement and measurement on behalf of the Security Team
  • Flexibility to conform to shifting priorities through analytical and problem-solving capabilities
  • Exhibit excellent written and oral communications skills and professionalism
  • Experience as a project manager in a multi-departmental organization  


1. MEDICAL TESTING: Prior to appointment, eligible candidates must successfully pass the TB testing process.

2. SECURITY CLEARANCES AND BACKGROUND INVESTIGATIONS: Successful candidates who become eligible for appointment to positions in this classification may be required to go through a background investigation to determine the candidate’s suitability for employment in this classification. Factors considered in the investigation may include employment history and use of illegal/controlled substances. Reasons for rejection based on this investigation may include, but are not limited to: applicable convictions, repeated or serious violations of the law, inability to accept supervision, inability to follow rules and regulations, falsification of application materials and/or other relevant factors. Failure to obtain and maintain a security clearance may be the basis for termination.

How To Apply

Applications for City and County of San Francisco jobs are only accepted through an online process. Visit www.jobaps.com/sf to register an account (if you have not already done so) and begin the application process.

  • Select the desired job announcement
  • Select “Apply” and read and acknowledge the information
  • Select either “I am a New User” if you have not previously registered, or “I have Registered Previously”
  • Follow instructions on the screen

Computers are available for the public (from 8:00 a.m. to 5:00 p.m. Monday through Friday) to file online applications in the lobby of the Dept. of Human Resources at 1 South Van Ness Avenue, 4th Floor, San Francisco.

Applicants may be contacted by email about this announcement and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date.  Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter.  To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org, @famsf.org, @ccsf.edu).

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file.  Applicants should retain this confirmation email for their records.  Failure to receive this email means that the online application was not submitted or received.

All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline.  Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.

Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.

If you have any questions regarding this recruitment or application process, please contact the exam analyst, Raquel Knighten, by telephone at 628-652-5045, or by email at Raquel.knighten@sfdpw.org.

Resumes may be attached to the application; however, resumes will not be accepted in lieu of a completed City and County of San Francisco application.

Note: Falsifying one's education, training or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco. 

Selection Plan

Applications will be screened for relevant qualifying experience. Additional screening mechanisms may be implemented in order to determine candidates’ qualifications. Only those applicants who most closely meet the needs of the Agency will be invited to participate in the selection process. Applicants meeting the minimum qualifications are not guaranteed advancement to the interview.

Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at

The application procedure is in compliance with the Americans with Disabilities Act. If you need assistance to participate in this recruitment, contact Raquel Knighten at (628) 652-5045, or in writing at Raquel.Knighten@sfdpw.org. Notification in advance will enable the department and County to evaluate arrangements to reasonably accommodate your need.

Conviction History

As a finalist for a job, you will be fingerprinted, and your fingerprints will be sent to the California Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). The resulting report of your conviction history (if any) will be used to determine whether the nature of your conviction (or arrest, in limited circumstances) conflicts with the specific duties and responsibilities of the job for which you are a finalist. If a conflict exists, you will be asked to present any evidence of rehabilitation that may mitigate the conflict, except when federal or state regulations bar employment in specific circumstances, such as:

  • Candidates for positions with the Unified School District and the Community College District may be disqualified from consideration should their conviction history not meet the standards established under the California Education Code.
  • Candidates for positions with the Recreation and Park Department may be disqualified from consideration should their conviction history not meet the standards established under California Public Resources Code 5164.

Having a conviction history does not automatically preclude you from a job with the City.

If you are selected as a finalist, the hiring department will contact you to schedule a fingerprinting appointment.


Terms of Announcement:

Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by posting the correction on the Department of Human Resources website at www.jobaps.com/sf.


Applicants with disabilities who meet the minimum eligibility requirements for this job announcement can find information on requesting a reasonable ADA Accommodation at: 

General Information concerning City and County of San Francisco Employment Policies and Procedures:
Important Employment Information for the City and County of San Francisco can be obtained at http://sfdhr.org/information-about-hiring-process or hard copy at 1 South Van Ness Avenue, 4th Floor.

Copies of Application Documents:
Applicants should keep copies of all documents submitted, as these will not be returned.

Right to Work:
All persons entering the City and County of San Francisco workforce are required to provide verification of authorization to work in the United States.

Issued:  July 20, 2018
Micki Callahan
Human Resources Director
Department of Human Resources
Recruitment ID Number: PEX-9976-087954
Department of Technology/ RK / 628-652-5045


All employees hired on or after January 10, 2009 will be required (pursuant to San Francisco Charter Section A8.432) to contribute 2% of pre-tax compensation to fund retiree healthcare. In addition, most employees are required to make a member contribution towards retirement, ranging from 7.5%-13.25% of compensation. For more information on these provisions, please contact the personnel office of the hiring agency.


