Skip to content

Career Opportunity

Cybersecurity Risk Analyst (1052) – Cybersecurity Division - Department of Technology (Eligible List ID #144022)

Recruitment: RTF0144020-01125126

Published: May 21, 2024


Gina Lapez -

Apply using SmartRecruiters, the City and County of San Francisco's application portal Learn More

Department: Technology
Job class: 1052-IS Business Analyst
Salary range: $106,470.00 - $133,926.00
Role type: Permanent Civil Service What does this mean?
Hours: Full-time
Exam type: Position Based Test
Rule: Rule of 7 What does this mean?
List type: Combined Promotive and Entrance


This is a Position-Based Test conducted in accordance with CSC Rule 111A.

Specific information regarding this recruitment process is listed below:

  • Application Opening:  Tuesday, May 21, 2024
  • Application Deadline: Tuesday, May  28, 2024 (11:59 PM, PST)

The Department of Technology (DT) is the centralized technology services provider within San Francisco City and County government, delivering technology infrastructure and services to more than 28,000 employees and over 800,000 citizens.  The department has an annual operating budget of over $130M and contains over 240 employees.  Core service areas include: Technology Architecture & Security, Technology Service Delivery & Management, Client Services & Project Management Office, Public Safety Systems & Wiring, Technology Administration, Policy & Governance, and Public Communications.

Our award-winning cybersecurity team has been recognized for setting the standard for excellence among the City. We are a service-oriented and dynamic group, who are both responsible for their own success but are firmly committed to our mission.

In alignment with our vision of serving as a model for a secure government, ensuring data confidentiality and integrity, as well as service availability, we have embarked on a mission to further mature the City’s cybersecurity program. Through the governance, risk, and compliance pillar of cybersecurity, we will strengthen the cyber program by further developing administrative controls, enhancing our risk management program, evolving vendor assessments, meeting compliance through adherence to regulatory frameworks, and cross-functionally working with senior management to align business and security goals.     

Work Location: Incumbent will conduct the majority of work at the Department of Technology, 1 South Van Ness Ave 2nd Floor, San Francisco, CA, 94103.  However, there may be situations where the incumbent will be required to work at other sites throughout the City of San Francisco as necessary.

Nature of Work: Incumbent must be willing to work a 40-hour week as determined by the department. Telecommuting options are available upon appointing officer’s approval.

Role description

The City and County of San Francisco (City) is hiring a Cybersecurity Risk Analyst. The analyst will support a critical function of the City's Cybersecurity Division that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a Technology Risk & Resilience program.

Examples of Important and Essential Duties:

  1. Analyze data processing needs, which include a performance of policies and supporting procedures/processes. 
  2. Evaluate vendor products by conducting vendor risk assessments to assess the security posture of vendors. 
  3. Conduct user training and support the cyber awareness training and education program, including phishing simulations. 
  4. Facilitate communication between clients and vendors regarding system maintenance issues; coordinate with technology and business groups to assess, implement, and monitor IT-related security risks and hazards.
  5. Perform non-routine adds, moves, and changes as needed; perform cyber risk assessments against city cybersecurity requirements; and perform assessments of adherence to standards.
  6. Create, documents and compile manuals related to procedures.
  7. Participate and represent the department in computer users meetings or meetings of related committees to track and monitor risk mitigation plans. 
  8. Research and evaluate technology through industry meetings, seminars, and vendor contacts in conducting technical research to aid in threat assessment or risk mitigation activities.
  9. Identify opportunities for improvements through automation and stay on top of changes in the industry as it relates to security. 
  10. Create and generate reports and statistics to meet user and program requirements in accordance with GRC metrics.
  11. Inter-face with other departments, jurisdictions and users on regulations and reporting requests.
  12. Performs related duties as assigned.

How to qualify

Minimum Qualifications

An associate degree in business administration, public administration, information systems, economics, finance, computer science or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in one of the fields above or a closely-related field].

One (1) year in the information systems field, including technical support, content management, administration of network applications or system analysis.

Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in one of the fields above or a closely related field.

Completion of the 1010 Information Systems Trainee Program may be substituted for the required degree.

Special Conditions:

  • One (1) year of IT customer support experience.
  • One (1) year of IT security experience in performing cyber risk assessments.

Desirable Qualifications:

The stated desirable qualifications may be used to identify job finalists at the end of the selection process when candidates are referred for hiring.

  • 3-5 years working in a cyber GRC type role.
  • Risk Analytics experience within IT.
  • Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc).
  • Familiar with security standards (i.e. HIPAA, PCI-DSS, etc).
  • Familiar with vendor risk management assessments (i.e. SOC2, CAIQ, etc).


  • One-year full-time employment is considered equivalent to 2000 hours (2000 hours of qualifying work experience is based on 40 hours work week). Any overtime hours that you work above forty (40) hours per week are not included in the calculation to determine full-time employment.
  • The above minimum qualifications reflect special conditions associated with the position(s) to be filled. They may differ from the standard minimum qualifications associated with this class code.
  • Applicants must meet minimum qualification requirements by the final filing date unless otherwise noted.

Please make sure it is clear in your application exactly how you meet the minimum qualifications.

Every application is reviewed to ensure that you meet the minimum qualifications as listed in the job ad. Please review our articles on Employment Application and Minimum Qualifications and Verification of Experience and/or Education for considerations taken when reviewing applications.

Note: Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores. Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco. Resumes will not be accepted in lieu of a completed City and County of San Francisco application.

What else should I know?

Selection Procedure/Examination Requirements
After application submission, candidates deemed qualified must complete all subsequent steps to advance in this selection process:

Minimum Qualification Supplemental Questionnaire (MQSQ):
Candidates will be required to complete a MQSQ as part of the employment application at a later time. This MQSQ is designed to obtain specific information regarding an applicant's experience in relation to the minimum qualifications for this position. The MQSQ will be used to evaluate if the applicant possesses the required minimum qualifications.

Supplemental Questionnaire (Weight 100%):
Candidates deemed to meet the minimum qualifications will participate in a supplemental questionnaire evaluation designed to measure their relative knowledge, skills and abilities in job-related areas, which may include, but not be limited to: knowledge of electronic data processing and its applications; business applications development including an understanding of functional requirements, structured systems or procedures analysis; relational database and database analysis; cyber security systems implementation and assessment; oral communication ability to effectively speak and convey information a clear and understandable manner, translate technical information into plain words; written communication ability to communicate effectively in writing, to read and understand professional journals and literature to translate functional requirements into technical specifications clear, concise, well-structured, grammatically correct and appropriate; ability to establish and maintain good working relations with department personnel, staff, vendors, peers, and management; understand and learn a variety of business procedures and processes in order to determine the relationship between the data with reference to established criteria and standards; use logic and analysis to solve computer, systems and cybersecurity problems; advise and provide interpretation to others how to apply policies, procedures and standards to specific situations; exercise judgment, decisiveness and creativity required in situations involving the evaluation of information against measurable criteria. A passing score must be achieved on the supplemental questionnaire in order to be ranked on the eligible list.

Eligible List/Score Report:
A confidential eligible list of applicant names that have passed the civil service examination process will be created and used for certification purposes only. An examination score report will be established, so applicants can view the ranks, final scores and number of eligible candidates. Applicant information, including names of applicants on the eligible list, shall not be made public unless required by law. However, an eligible list shall be made available for public inspection, upon request, once the eligible list is exhausted or expired and referrals resolved. The eligible list/score report resulting from this civil service examination process is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission.

The duration of the eligible list resulting from this examination process will be 6 months and may be extended with the approval of the Human Resources Director.

To find Departments which use this classification, please see:

Terms of Announcement and Appeal Rights:
Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by the posting the correction on the Department of Human Resources website at

The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule. Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director. Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.

What else should I know?

Additional Information Regarding Employment with the City and County of San Francisco:

Applicants will receive a confirmation email from that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records.

Failure to receive this email means that the online application was not submitted or received.

Exam Analyst Information: If you have any questions regarding this recruitment or application process, please contact the exam analyst at

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.