Career Opportunity

Information Security Analyst – Cybersecurity Division – Human Services Agency (1053) (132466)

Recruitment: RTF0132465-01112651

Published: July 13, 2023

Apply using SmartRecruiters, the City and County of San Francisco's application portal.

About:

This is a Position-Based Test conducted in accordance with CSC Rule 111A.

• Application Opening – July 13, 2023
• Application Deadline – July 26, 2023
• Compensation: $120,536 - $151,658 1053-IS Business Analyst-Senior | City and County of San Francisco (sf.gov)
• List ID: PBT-1053-132466; RTF0132465-01112651

At the San Francisco Human Services Agency, we believe in a San Francisco where everyone has the opportunity and support to achieve their full potential.  We are comprised of the Department of Benefits and Family Support, and the Department of Disability and Aging Services, and are united by our commitment to deliver essential services that support and protect people, families, and communities.

From financial, nutritional and employment support to child and adult protective services, health care coverage, affordable childcare, and in-home services for older adults and persons with disabilities, our team lends support for all in need. 

Our Commitment to Racial Equity

As we work towards our vision of an inclusive San Francisco, we embrace our responsibility to root out systemic racism by creating services and a workforce which reflect the lived experiences and strengths of the people we serve. We are committed to fostering a work environment where our differences are celebrated and everyone has what they need to thrive--no matter their race, age, ability, gender, sexual orientation, ethnicity, or country of origin. Click here to learn more about what this commitment looks like in action.

Role description

The City and County of San Francisco (City) is hiring a Cybersecurity Risk Analyst. The analyst will support a critical function of the City's Cybersecurity Division that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a Technology Risk & Resilience program.

ESSENTIAL TASK AND DUTIES

According to Civil Service Commission Rule 109, the duties specified below are representative of the range of duties assigned to this job class and are not intended to be an inclusive list.

1. Performs cyber risk assessments against City cybersecurity requirements
2. Conducts Vendor Risk Assessments to assess security posture of vendors
3. Supports the cyber awareness training and education program, including phishing simulations
4. Tracks and monitors risk mitigation plans’ and develop reports in accordance with GRC metrics
5. Coordinates with technology and business groups to assess, implement, and monitor IT-related security risks/hazards
6. Performs review of policies and supporting procedures/processes
7. Conducts technical research to aid in threat assessment and risk mitigation activities, as well as changes in the industry as it relates to security
8. Helps develop and monitor cybersecurity controls and support City departments in control maintenance

How to qualify

1. Education: An associate degree in computer science or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in computer science or a closely-related field].

AND

2. Experience: Three (3) years in the information systems field, including system analysis, business process design, development and implementation of business application solutions or IT project management.

License and Certification:

Substitution:

Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in computer science or a closely related field.

SUPPLEMENTAL INFORMATION

Essential duties require the following physical skills and work requirements: Some positions may require sufficient strength and coordination for lifting, pushing, pulling and/or carrying the weight of computer equipment. May require hand/eye coordination for semi-skilled movements, such as taking apart casings, installing parts and reconnecting computers and for performing data entry. May involve extensive VDT exposure.

Desirable Qualifications:

The stated desirable qualifications may be considered at the end of the selection process when candidates are referred for hiring.

• Three (3) to five (5)  years working in a cyber GRC type role
• Risk Analytics experience within IT
• Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, Fed RAMP, etc.)
• Familiar with security standards (i.e. HIPAA, PCI-DSS, etc.)
• Familiar with vendor risk management assessments (i.e. SOC2, CAIQ, etc)
• Comfortable having a technical discussion
• Proficient in Excel or similar
• Ability to define and communicate risk in business-relevant language
• Excellent verbal and written communication skills
• Ability to communicate IT risk concepts to non-technical people
• Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR)
• Familiar with Auditing cybersecurity and technical policies and controls
• Familiar with GRC platforms (i.e. Service-Now, LogicGate, OneTrust, etc)
• Preferred a security certification (i.e. Security+, CISA, CISM, CRISC, etc)
• Familiar with Privacy concepts

Applicants must meet the minimum qualification requirement by the final filing date unless otherwise noted. Applicants who meet the minimum qualifications are not guaranteed to advance through all of the steps in the selection process.

Verification of Education and Experience:
Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at https://sfdhr.org/how-verify-education-requirements

Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline. Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.

Resumes will not be accepted in lieu of a completed City and County of San Francisco application.

Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores. 

Supplemental Questionnaire Examination (Weight: 100%):

Candidates who meet the Minimum Qualifications will be invited to take the Supplemental Questionnaire Examination; this exam is designed to measure knowledge, skills and/or abilities in job-related areas which may include but not be limited to knowledge of requirements installation procedures, hardware, software and maintenance of systems; electronic data processing methods; interactive or macro-based applications; functional requirements, structured systems or procedures analysis; personal computer applications development tools; system analysis and design; coding, testing and implementing complex programs; script/procedure languages; common operating systems software and relational database systems; network environments.

Candidate scores on this examination may also be applied to other announcements involving other job titles, when directed by the Human Resources Director.

A passing score must be achieved on the Supplemental Questionnaire Examination in order to continue in the selection process.

The above test components are considered standardized and, therefore, test questions and answers are not available for public inspection or review.

After application submission, candidates deemed qualified must complete all subsequent steps to advance in this selection process, which includes the following:

Minimum Qualification Supplemental Questionnaire (MQSQ): Candidates will be required to complete a MQSQ as part of the employment application. This MQSQ is designed to obtain specific information regarding an applicant's experience in relation to the Minimum Qualifications (MQ) for this position. The MQSQ will be used to evaluate if the applicant possesses the required minimum qualifications.”

What else should I know?

Eligible List/Score Report: A confidential eligible list of applicant names that have passed the civil service examination process will be created, and used for certification purposes only. An examination score report will be established, so applicants can view the ranks, final scores and number of eligible candidates. Applicant information, including names of applicants on the eligible list, shall not be made public unless required by law. However, an eligible list shall be made available for public inspection, upon request, once the eligible list is exhausted or expired and referrals resolved. The eligible list/score report resulting from this civil service examination process is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission.

The duration of the eligible list resulting from this examination process will be of six (6) months and may be extended with the approval of the Human Resources Director.

Terms of Announcement and Appeal Rights:

Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by the posting the correction on the Department of Human Resources website at https://careers.smartrecruiters.com/CityAndCountyOfSanFrancisco1/.

The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule. Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director. Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.

Additional Information Regarding Employment with the City and County of San Francisco:

• Information About The Hiring Process
• Conviction History
• Employee Benefits Overview  
• Equal Employment Opportunity 
• Disaster Service Worker
• ADA Accommodation
• Veterans Preference
• Right to Work
• Copies of Application Documents
• Diversity Statement

How to Apply

Applications for City and County of San Francisco jobs are only accepted through an online process.

Visit https://careers.smartrecruiters.com/CityAndCountyOfSanFrancisco1/ and begin the application process.

• Select the “I’m Interested” button and follow instructions on the screen

Applicants may be contacted by email about this recruitment and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org, @famsf.org, @ccsf.edu, @smartalerts.info, and @smartrecruiters.com).

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received. 

Exam Analyst Information: If you have any questions regarding this recruitment or application process, please contact the exam analyst Josephus Cassell by telephone (415) 439-3410 or by email at josephus.cassell@sfgov.org. 

All your information will be kept confidential according to EEO guidelines.

CONDITION OF EMPLOYMENT:  All City and County of San Francisco employees are required to be fully vaccinated against COVID-19 as a condition of employment. Someone is fully vaccinated when 14 days have passed since they received the final dose of a two-shot vaccine or a dose of a one-shot vaccine. Any new hire must present proof of full vaccination status to be appointed. Any new hire who will be routinely assigned or occasionally enter High-Risk Settings, must provide proof of having received a COVID-19 booster vaccine by March 1, 2022, or once eligible.

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.