The IT Department “is the centralized technology services provider” for San Francisco government, delivering infrastructure and services to more than 28,000 employees and over 800,000 citizens, according to the job posting. The department has an annual operating budget of over $130 million and contains more than 240 employees. Key service areas include Technology Architecture and Security, Technology Service Delivery and Management, Client Services and Project Management Office, Public Safety Systems and Wiring, Technology Administration, Policy and Governance, and Public Communications.
“In alignment with our vision of serving as a model for a secure government, ensuring data confidentiality and integrity, as well as service availability, we have embarked on a mission to further mature the city’s cybersecurity program,” the job posting says. “Through the governance, risk, and compliance pillar of cybersecurity, we will strengthen the cyber program by further developing administrative controls, enhancing our risk management program, evolving vendor assessments, meeting compliance through adherence to regulatory frameworks, and cross-functionally working with senior management to align business and security goals.”
Desirable qualifications include:
- Three to five years working in a cyber GRC-type role
- Risk analytics experience within IT
- Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc.) and security standards (i.e., HIPAA, PCI-DSS, etc.)
- Familiar with vendor risk management assessments (i.e., SOC2, CAIQ, etc.)
- Ability to define and communicate risk in business-relevant language
- Ability to communicate IT risk concepts to non-technical people
- Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR)
- Familiar with auditing cybersecurity and technical policies and controls
- Familiar with GRC platforms (i.e., SNOW, LogicGate, OneTrust, etc.)
- Security certification preferred (i.e., Security+, CISA, CISM, CRISC, etc.)
The core responsibilities of the position include:
- Perform cyber risk assessments against city cybersecurity requirements.
- Conduct Vendor Risk Assessments to assess security posture of vendors.
- Support the cyber awareness training and education program, including phishing simulations.
- Track and monitor risk mitigation plans and develop reports in accordance with GRC metrics.
- Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards.
- Perform review of policies and supporting procedures/processes.
The position has an annual salary range of $96,512 to $121,420. The application deadline is July 1.
