9978 Cybersecurity Governance, Risk & Compliance Expert

Technology Expert II

Recruitment #PEX-9978-092169


Applicants are encouraged to apply immediately as this recruitment may close at any time but not earlier than June 28, 2019. 

This announcement has been reissued to adjust minimum qualifications.  Applicants who have applied before June 18, 2019 need not reapply and will be included in the applicant pool.

The Department of Technology is the centralized technology services provider within San Francisco City & County government, delivering technology infrastructure and services to approximately 33,000 employees and 800,000 residents. The department has an annual operating budget of over $130M and contains over 220 employees. Core service areas include: Infrastructure and Operations, Technology Security, Service Delivery & Management, Enterprise Applications, Project Management Office, Public Safety Systems & Wiring, Technology Administration, Policy & Governance and IT Public Communications.

The Cybersecurity division, located in the Department of Technology, serves City departments by securing sensitive data and technology assets, assessing and managing security risk, and thwarting attempted cyberattacks. The team is also tasked with actively monitoring systems, creating cybersecurity policies that empower departments and commissions and promoting cybersecurity best practices within the City departments.

The Cybersecurity Governance, Risk and Compliance Expert has significant responsibility for the City and County of San Francisco Cybersecurity Program. The responsibilities include cybersecurity strategy, cybersecurity governance, security risk management, security compliance, third-party security assessments, Payment Card Industry compliance, and regulatory attestations. This position leads program management for the Cybersecurity Team and is responsible for cross-organization resource and budget planning. The position requires representing the Chief Information Security Officer (CISO) and liaising with City departments on behalf of the City’s Cybersecurity Program. The position may also supervise staff.

Essential Job Duties and Functions:

  • Serve as a primary security risk liaison for City Departments, including executive stakeholders. Liaise with business and technology leaders to ensure visibility to and understanding of security risks. Develop strong relationships with key stakeholders to ensure risk management oversight is understood and managed appropriately.
  • Oversee Information Security Governance, including preparing reports and materials for the City Information Security Governance Committee.
  • Provide recurring risk reports to the CISO, Business Stakeholders and IT leadership teams.
  • Develop and report relevant utilization and efficacy metrics for security teams including dashboards, reports and KPIs.
  • Formally document and maintain the security risk strategy, risk assessment process and annual risk treatment efforts for the City.
  • Oversee and facilitate the development of risk assessments and mitigation strategies for the City Departments.
  • Lead Information Security program budget planning.
  • Support the Information Security policy life-cycle.
  • Create and maintain risk, threat and controls library based on NIST 800-53, ISO 27002 and other standards and regulations, and provide guidance to City departments.
  • Maintain the Information Security Risk Register and GRC tools.
  • Manage action plans in response to information security risk assessments, track status, and report to security leadership.
  • Interact with internal audit, third party auditors, and appropriate regulatory bodies and participate in all internal and external audit projects.
  • Perform related job duties as assigned.

Job Type:

The Permanent Exempt - Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointing officer. This exempt position may last up to sixty (60) months and will not result in an eligible list or permanent civil service hiring.

The expected hiring range for this position is $129,506 to $165,256.

Nature of Work:
Incumbent must be willing to work a 40-hour per week schedule and may be required to work additional hours when necessary as determined by the department.  The individual hired for this "essential" function/position is expected to answer calls/e-mails via a department-provided mobile device within a reasonable time frame.

Work Location:
Incumbent will conduct a majority of their work at: 1 South Van Ness. However, there may be situations where the incumbent will be required to work at other sites throughout the City of San Francisco as necessary.


Minimum Qualifications


A Bachelor's Degree in Computer Science, Information Systems or other closely related field; AND

Five (5) years of combined experience in Information Assurance and Risk Management
Supervisory Experience: 
Three (3) years of experience directly supervising professionals

Highly Desirable Qualifications:

  • Three (3) years or more of cybersecurity leadership experience, delivering large and complex cybersecurity projects.
  • Understanding of NIST 800-30x, HIPAA, PCI and other relevant regulatory requirements as they relate to information security.
  • Experience with formal information security risk assessment methodologies, including FAIR, ISO 31000, and NIST 800-39.
  • Experience with developing and implementing various security control standards (e.g., NIST CSF, PCI DSS, NIST 800.30) at large complex organizations.
  • Experience translating emerging IT and business trends into meaningful risk reduction opportunities.
  • Ability to manage budgets, monitor program progress and adjust resources and priorities accordingly.
  • Experience with common audit methodologies.
  • Experience working with GRC products.
  • Successful candidates will have the ability to work autonomously and be able to bridge the gap between technical knowledge and stakeholder engagement in order to influence strategy and information security management.
  • Experience working both independently and in a team oriented, collaborative environment.
  • Recognize complex problems, analyze situations and provide suggested/implemented resolution(s).
  • Ability to interact professionally with a diverse group including executives, managers and subject matter experts.
  • Ability to apply critical thinking to process improvement and measurement on behalf of the Security Team.
  • Flexibility to conform to shifting priorities through analytical and problem-solving capabilities.
  • Exhibit excellent written and oral communications skills and professionalism.
  • Experience as a project manager in a multi-departmental organization.

Special Requirements:

  • Criminal Justice Information Services (CJIS) Security Clearance may be required. (See Security Clearances and Background Investigations below).
  • Must maintain a valid driver license.

    1. Medical Testing: Prior to appointment, eligible candidates must successfully pass the TB testing process.

    2. Security Clearances & Background Investigations: Successful candidates who become eligible for appointment to positions in this classification may be required to go through a background investigation to determine their suitability for employment in this classification. Factors considered in the investigation may include employment history and use of illegal/controlled substances. Reasons for rejection based on this investigation may include, but are not limited to: applicable convictions, repeated or serious violations of the law, inability to accept supervision, inability to follow rules and regulations, falsification of application materials and/or other relevant factors. Failure to obtain and maintain security clearance may be a basis for termination.


    How To Apply

    Applications for City and County of San Francisco jobs are only accepted through an online process. Visit www.jobaps.com/sf to register an account (if you have not already done so) and begin the application process.

    • Select the desired job announcement
    • Select “Apply” and read and acknowledge the information
    • Select either “I am a New User” if you have not previously registered, or “I have Registered Previously”
    • Follow instructions on the screen

    Computers are available for the public (from 8:00 a.m. to 5:00 p.m. Monday through Friday) to file online applications in the lobby of the Dept. of Human Resources at 1 South Van Ness Avenue, 4th Floor, San Francisco.

    Applicants may be contacted by email about this announcement and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org).

    Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.

    All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline. Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications. Resumes may be attached to the application; however, resumes will not be accepted in lieu of a completed City and County of San Francisco application.

    Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.

    Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

    If you have any questions regarding this recruitment or application process, please contact the exam analyst, Ryan Lim, by telephone at 652-628-5165, or by email at ryan.lim@sfdpw.org (preferable).

    Selection Procedures

    Supplemental Questionnaire (Qualifying):
    Applicants will be prompted to complete a supplemental questionnaire as part of the online employment application. It is essential that applicants provide complete information in identifying their education, experience, training and licensure, consistent with the information provided on their application.


    The Supplemental Questionnaire will be used to evaluate whether applicants meet the minimum qualifications and also assess the applicant's knowledge, skills, and abilities as they relate to this position. Applicants must also complete the official application. The information in the supplemental questionnaire will not be scored and is collected for informational purposes.

    The Department may establish and implement additional screening mechanisms to comparatively evaluate qualifications of candidates. If this becomes necessary, only those applicants whose qualifications most closely meet the needs of the Department will be invited for an interview.

    Note: Applicants who meet the minimum qualifications are not guaranteed to advance through all of the steps in the selection process.

    Verification: Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at http://sfdhr.org/index.aspx?page=456.


    Conviction History

    As a finalist for a job, you will be fingerprinted, and your fingerprints will be sent to the California Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI). The resulting report of your conviction history (if any) will be used to determine whether the nature of your conviction (or arrest, in limited circumstances) conflicts with the specific duties and responsibilities of the job for which you are a finalist. If a conflict exists, you will be asked to present any evidence of rehabilitation that may mitigate the conflict, except when federal or state regulations bar employment in specific circumstances, such as:

    • Candidates for positions with the Unified School District and the Community College District may be disqualified from consideration should their conviction history not meet the standards established under the California Education Code.
    • Candidates for positions with the Recreation and Park Department may be disqualified from consideration should their conviction history not meet the standards established under California Public Resources Code 5164.

    Having a conviction history does not automatically preclude you from a job with the City.

    If you are selected as a finalist, the hiring department will contact you to schedule a fingerprinting appointment.

    Disaster Service Workers

    All City and County of San Francisco employees are designated Disaster Service Workers through state and local law (California Government Code Section 3100-3109). Employment with the City requires the affirmation of a loyalty oath to this effect. Employees are required to complete all Disaster Service Worker-related training as assigned, and to return to work as ordered in the event of an emergency.


    Terms of Announcement:
    Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by posting the correction on the Department of Human Resources website at www.jobaps.com/sf.


    Applicants with disabilities who meet the minimum eligibility requirements for this job announcement can find information on requesting a reasonable ADA Accommodation at: http://sfdhr.org/information-about-hiring-process#applicantswithdisabilities

    General Information concerning City and County of San Francisco Employment Policies and Procedures: Important Employment Information for the City and County of San Francisco can be obtained at http://sfdhr.org/information-about-hiring-process or hard copy at 1 South Van Ness Avenue, 4th Floor.

    Copies of Application Documents:
    Applicants should keep copies of all documents submitted, as these will not be returned.

    Right to Work:
    All persons entering the City and County of San Francisco workforce are required to provide verification of authorization to work in the United States.  Please be informed that the Department of Technology will NOT sponsor visa applications/transfers.

    Issued: January 17, 2019 (amend date: 3/5/2019)
    Micki Callahan
    Human Resources Director
    Department of Human Resources
    Recruitment ID Number: PEX-9978-092169


    All employees hired on or after January 10, 2009 will be required (pursuant to San Francisco Charter Section A8.432) to contribute 2% of pre-tax compensation to fund retiree healthcare. In addition, most employees are required to make a member contribution towards retirement, ranging from 7.5%-13.25% of compensation. For more information on these provisions, please contact the personnel office of the hiring agency.
