City and County of San Francisco
Governance, Risk, and Compliance (GRC) Analyst (1042) - Department of Technology
City and County of San Francisco, San Francisco, California, United States, 94199
Governance, Risk, and Compliance (GRC) Analyst (1042) - Department of Technology
Why Work for the Department of Technology (DT)?
DT is the centralized technology services provider in the City and County of San Francisco (CCSF). We deliver technology infrastructure and services to approximately 33,000 employees! With an annual operating budget of over $140M and approximately 300 employees, DT provides a host of services that range from Public Safety radio and wiring and Network services to Enterprise Support and the Cloud. Benefits of Working for CCSF:
In addition to challenging and rewarding work, the City provides a generous suite of benefits to its employees. Competitive pay,
as well as pension and robust retirement options. Generous paid time off,
family leave, and more! Hybrid Work
with a minimum of 20% of time spent in our office in San Francisco, California for all IT related roles. Diverse
work environment in a diverse city. Career development and growth — move between departments, learn on the job, or take subsidized/reimbursed classes! Job Description The City and County of San Francisco (City) is excited to be hiring a Governance, Risk, and Compliance (GRC) security analyst. The analyst will support a critical function of the Office of Cybersecurity that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a GRC program. Major functions in this role include (and are not limited to): -Perform cyber risk assessments against City cybersecurity requirements. -Conduct Vendor Risk Assessments to assess security posture of vendors. -Support the cyber awareness training and education program, including phishing simulations. -Track and monitor risk mitigation plans. -Develop routine reports in accordance with GRC metrics. -Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards. -Conduct technical research to aid in threat assessment or risk mitigation activities. -Perform assessments of adherence to standards. -Perform review of policies and supporting procedures/processes. -Stay on top of changes in the industry as it relates to security. Appointment Type:
This Permanent Exempt (PEX), Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointment officer. The anticipated duration of this project position is thirty-six (36) months and will not result in an eligible list or permanent civil service hiring. Work Location:
If hired, incumbent must be a resident of or relocate to the State of California within 4 weeks as a condition of employment. This position supports remote work. The incumbent may be permitted to work a hybrid schedule with their supervisor’s approval, after which they must work at least two days in the office every two weeks. Qualifications
Minimum Qualifications: An associate degree in computer science, computer engineering, information systems, or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in one of the fields above or a closely-related field]. Experience: One (1) year of experience analyzing, installing, configuring, enhancing, and/or maintaining the components of an enterprise network. Desirable Qualifications: -1-2 years working in a cyber GRC type role. -Risk Analytics experience within IT. -Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc). -Familiar with security standards (i.e. HIPAA, PCI-DSS, etc). -Familiar with vendor risk management assessments (i.e. SOC2, CAIQ, etc). -Comfortable having a technical discussion. -Proficient in Excel or similar. -Ability to define and communicate risk in business-relevant language. -Excellent verbal and written communication skills. -Ability to communicate IT risk concepts to non-technical people. -Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR). -Familiar with GRC platforms (i.e. SNOW, LogicGate, OneTrust, etc). -Possess security certifications (i.e. Security+, CISA, CISM, CRISC, etc). -Preferred skills in SharePoint and reporting services. -Familiar with Privacy concepts. Verification:
Applicants may be required to submit verification of qualifying education and experience at any point in the application and/or departmental selection process. Written verification (proof) of qualifying experience must verify that the applicant meets the minimum qualifications stated on the announcement. Additional Information:
Compensation: $65.365 - $82.2125 (hourly)/$135,954 - $171,002 (annually). How to Apply: Applicants are encouraged to apply immediately as this recruitment may close at any time, but not before Friday, January 17th, 2025.
Your application MUST include a resume. To upload, please attach using the "additional attachments" function.
You may contact Lawlun Leung via email at
lawlun.leung@sfgov.org
with questions regarding this opportunity. Late or incomplete submissions will not be considered. Mailed, hand delivered or faxed documents/applications will not be accepted. Additional Information Regarding Employment with the City and County of San Francisco:
All your information will be kept confidential according to EEO guidelines. The City and County of San Francisco encourages women, minorities and persons with disabilities to apply.
#J-18808-Ljbffr
Why Work for the Department of Technology (DT)?
DT is the centralized technology services provider in the City and County of San Francisco (CCSF). We deliver technology infrastructure and services to approximately 33,000 employees! With an annual operating budget of over $140M and approximately 300 employees, DT provides a host of services that range from Public Safety radio and wiring and Network services to Enterprise Support and the Cloud. Benefits of Working for CCSF:
In addition to challenging and rewarding work, the City provides a generous suite of benefits to its employees. Competitive pay,
as well as pension and robust retirement options. Generous paid time off,
family leave, and more! Hybrid Work
with a minimum of 20% of time spent in our office in San Francisco, California for all IT related roles. Diverse
work environment in a diverse city. Career development and growth — move between departments, learn on the job, or take subsidized/reimbursed classes! Job Description The City and County of San Francisco (City) is excited to be hiring a Governance, Risk, and Compliance (GRC) security analyst. The analyst will support a critical function of the Office of Cybersecurity that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a GRC program. Major functions in this role include (and are not limited to): -Perform cyber risk assessments against City cybersecurity requirements. -Conduct Vendor Risk Assessments to assess security posture of vendors. -Support the cyber awareness training and education program, including phishing simulations. -Track and monitor risk mitigation plans. -Develop routine reports in accordance with GRC metrics. -Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards. -Conduct technical research to aid in threat assessment or risk mitigation activities. -Perform assessments of adherence to standards. -Perform review of policies and supporting procedures/processes. -Stay on top of changes in the industry as it relates to security. Appointment Type:
This Permanent Exempt (PEX), Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointment officer. The anticipated duration of this project position is thirty-six (36) months and will not result in an eligible list or permanent civil service hiring. Work Location:
If hired, incumbent must be a resident of or relocate to the State of California within 4 weeks as a condition of employment. This position supports remote work. The incumbent may be permitted to work a hybrid schedule with their supervisor’s approval, after which they must work at least two days in the office every two weeks. Qualifications
Minimum Qualifications: An associate degree in computer science, computer engineering, information systems, or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in one of the fields above or a closely-related field]. Experience: One (1) year of experience analyzing, installing, configuring, enhancing, and/or maintaining the components of an enterprise network. Desirable Qualifications: -1-2 years working in a cyber GRC type role. -Risk Analytics experience within IT. -Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc). -Familiar with security standards (i.e. HIPAA, PCI-DSS, etc). -Familiar with vendor risk management assessments (i.e. SOC2, CAIQ, etc). -Comfortable having a technical discussion. -Proficient in Excel or similar. -Ability to define and communicate risk in business-relevant language. -Excellent verbal and written communication skills. -Ability to communicate IT risk concepts to non-technical people. -Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR). -Familiar with GRC platforms (i.e. SNOW, LogicGate, OneTrust, etc). -Possess security certifications (i.e. Security+, CISA, CISM, CRISC, etc). -Preferred skills in SharePoint and reporting services. -Familiar with Privacy concepts. Verification:
Applicants may be required to submit verification of qualifying education and experience at any point in the application and/or departmental selection process. Written verification (proof) of qualifying experience must verify that the applicant meets the minimum qualifications stated on the announcement. Additional Information:
Compensation: $65.365 - $82.2125 (hourly)/$135,954 - $171,002 (annually). How to Apply: Applicants are encouraged to apply immediately as this recruitment may close at any time, but not before Friday, January 17th, 2025.
Your application MUST include a resume. To upload, please attach using the "additional attachments" function.
You may contact Lawlun Leung via email at
lawlun.leung@sfgov.org
with questions regarding this opportunity. Late or incomplete submissions will not be considered. Mailed, hand delivered or faxed documents/applications will not be accepted. Additional Information Regarding Employment with the City and County of San Francisco:
All your information will be kept confidential according to EEO guidelines. The City and County of San Francisco encourages women, minorities and persons with disabilities to apply.
#J-18808-Ljbffr