Career Opportunity
Chief Information Security Officer – Information Technology (IT) - San Francisco Human Services Agency (0933) (139987)
Recruitment: RTF0139986-01125483
Published: September 30, 2023
Apply using SmartRecruiters, the City and County of San Francisco's application portal.
Job class: 0933-Manager V
Starting salary range: $176,878.00 - $225,758.00 (Range A)
Role type: Permanent Civil Service
Hours: Full-time
Exam type: Position Based Test
Rule: Rule of the List
List type: Combined Promotive and Entrance
About:
This is a Position-Based Test conducted in accordance with CSC Rule 111A.
- Application Opening – October 2, 2023
- Application Deadline – October 16, 2023
- Compensation: $167,908.00 - $214,344.00 Yearly https://careers.sf.gov/classifications/?classCode=0933&setId=COMMN
- List ID: PBT-0933-139987; RTF0139986-01125483
At the San Francisco Human Services Agency, we believe in a San Francisco where everyone has the opportunity and support to achieve their full potential. We are comprised of the Department of Benefits and Family Support and the Department of Disability and Aging Services (DAS), and are united by our commitment to deliver essential services that support and protect people, families, and communities.
From financial, nutritional and employment support to child and adult protective services, health care coverage, affordable childcare, and in-home services for older adults and persons with disabilities, our team lends support for all in need.
Our Commitment to Racial Equity
As we work towards our vision of an inclusive San Francisco, we embrace our responsibility to root out systemic racism by creating services and a workforce which reflect the lived experiences and strengths of the people we serve. We are committed to fostering a work environment where our differences are celebrated and everyone has what they need to thrive--no matter their race, age, ability, gender, sexual orientation, ethnicity, or country of origin.
Role description
Under the direction of the Information Technology Director, the Chief Information Security Officer (CISO) will manage HSA’s information, cyber, and technology security, including overseeing governance, risk, and compliance for the Agency. With a team of IT professionals reporting to the incumbent, the CISO will focus on the Agency’s IT security while setting compliance policies and developing standards and procedures.
ESSENTIAL DUTIES AND FUNCTIONS
According to Civil Service Commission Rule 109, the duties specified below are representative of the range of duties assigned to this job class and are not intended to be an inclusive list; may include additional duties as assigned.
- Coordinate the development of SFHSA’s information security policies, standards, and procedures. Work with key IT offices, data custodians and governance groups in the development of such policies. Ensure that Agency policies support compliance with external requirements. Oversee the dissemination of policies, standards, and procedures to the Agency.
- Serve as the Agency compliance officer with respect to SFHSA, City and County, state, and federal information security policies and regulations, and contractual agreements with external entities. Work with the Agency privacy officer on compliance issues as necessary. Prepare and submit required reports to external agencies. Work with the City Committee on Information Technology (COIT) and other entities on citywide policies, including the 19B Surveillance Ordinance.
- Review purchases and procurement to protect SFHSA from supply chain vulnerabilities. Engage approximately 100 vendors in the City’s Cybersecurity Risk Assessment process during new purchases and annual renewals. Review technology-related contracts for information security terms and compliance.
- Perform oversight of internal information system risk and business impact assessments. Coordinate and respond to external requests for assessments and audits related to information systems and security, including assessments by partners and oversight entities in the city, state, and federal governments. Ensure that SFHSA completes security assessments sufficient and appropriate for compliance with regulatory requirements. Develop corrective action plans, and coordinate, track, and report on mitigation efforts.
- Coordinate the development and delivery of a training and awareness program on information security matters for employees, other authorized users, and customers, in cooperation with the City Cybersecurity Office and SFHSA Learning & Organizational Development unit.
- Serve as the Agency’s Chief Information Security Officer and act as the Agency’s designee representing SFHSA on information security matters; serve as the Agency contact point for external auditors and agencies, survey requests, etc. on security matters. Represent the Agency on Citywide engagements related to information security and information technology governance.
- Oversee the administration of the Agency’s information security technologies including: identity & access management (IAM) and directory services, antimalware, disk encryption, firewalls, intrusion detection, asset tracking & recovery, VPN, and DLP (data loss prevention).
- Monitor and provide guidance on vulnerability management. Work with infrastructure and software teams to ensure adherence to configuration baselines and patch management processes and keep SFHSA’s computing environment patched and hardened. Identify critical risks for out-of-band mitigation. Participate in change management processes to identify and avoid security and compliance risks.
- Take part in Agency and Citywide business continuity, disaster response and recovery planning. Develop and maintain IT cybersecurity incident response, business continuity and disaster recovery plans, in coordination with program-specific and general agency BC/DR planners and City Cybersecurity Office. Work with SFHSA’s Disaster Coordinator to facilitate cybersecurity incident and disaster response exercises.
- Keep abreast of the latest security legislation, regulations, advisories, alerts, and vulnerabilities pertaining to SFHSA and its mission.
How to qualify
- Education: Bachelor of Computer Science Degree or related field (i.e., Management Information Systems, Computer Information Systems);
AND
- Experience: Seven (7) years of verifiable professional-level Information Technology Cybersecurity experience, three (3) of which must include supervising professionals in the field.
Substitution for Education: Additional experience as described above may be substituted for the required degree on a year-for-year basis. One year (2000 hours) of additional qualifying experience will be considered equivalent to 30 semester units/45 quarter units.
**Applicants must meet the Minimum Qualifications requirements by the final filing date unless otherwise noted.**
Note: Applicants who meet the minimum qualifications are not guaranteed to advance through all of the steps in the selection process.
VERIFICATION OF EXPERIENCE AND/OR EDUCATION:
Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at https://sfdhr.org/how-verify-education-requirements
Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.
All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline. Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications.
Resumes will not be accepted in lieu of a completed City and County of San Francisco application.
Applications completed improperly may be cause for ineligibility, disqualification or may lead to lower scores.
Selection Procedures:
Supplemental Questionnaire Examination (Weight: 100%):
Candidates who meet the Minimum Qualifications will be invited to complete the Supplemental Questionnaire Examination; this exam is designed to measure knowledge, skills and/or abilities in job-related areas which may include but not be limited to: Knowledge of IT Cybersecurity topics, Knowledge of IT Governance, Risk, and Compliance matters, Management Skills, Human Relations Skills, Time Management, Critical Thinking, and other related skills.
Candidate scores on this examination may also be applied to other announcements involving other job titles, when directed by the Human Resources Director.
A passing score must be achieved on the Supplemental Questionnaire Examination in order to continue in the selection process.
The above test components are considered standardized and, therefore, test questions and answers are not available for public inspection or review.
After application submission, candidates deemed qualified must complete all subsequent steps to advance in this selection process, which includes the following:
Minimum Qualification Supplemental Questionnaire (MQSQ): Candidates will be required to complete a MQSQ as part of the employment application. This MQSQ is designed to obtain specific information regarding an applicant's experience in relation to the Minimum Qualifications (MQ) for this position. The MQSQ will be used to evaluate if the applicant possesses the required minimum qualifications.
What else should I know?
Eligible List/Score Report: A confidential eligible list of applicant names that have passed the civil service examination process will be created and used for certification purposes only. An examination score report will be established, so applicants can view the ranks, final scores and number of eligible candidates. Applicant information, including names of applicants on the eligible list, shall not be made public unless required by law. However, an eligible list shall be made available for public inspection, upon request, once the eligible list is exhausted or expired and referrals resolved. The eligible list/score report resulting from this civil service examination process is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission.
The duration of the eligible list resulting from this examination process will be 6 months, and may be extended with the approval of the Human Resources Director.
To find Departments which use this classification, please see https://sfdhr.org/sites/default/files/documents/Forms-Documents/Position-Counts-by-Job-Codes-and-Department-FY-2021-22.pdf
Terms of Announcement and Appeal Rights:
Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by posting the correction on the Department of Human Resources website at https://careers.smartrecruiters.com/CityAndCountyOfSanFrancisco1/.
The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule. Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director. Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.
Additional Information Regarding Employment with the City and County of San Francisco
- Information About The Hiring Process
- Conviction History
- Employee Benefits Overview
- Equal Employment Opportunity
- Disaster Service Worker
- ADA Accommodation
- Veterans Preference
- Right to Work
- Copies of Application Documents
- Diversity Statement
How to Apply
Applications for City and County of San Francisco jobs are only accepted through an online process. Visit https://careers.smartrecruiters.com/CityAndCountyOfSanFrancisco1/ and begin the application process.
- Select the “I’m Interested” button and follow instructions on the screen
Applicants may be contacted by email about this recruitment and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org, @famsf.org, @ccsf.edu, @smartalerts.info, and @smartrecruiters.com).
Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.
If you have any questions regarding this recruitment or application process, please contact the exam analyst, Ivy Yeung, by telephone at (415) 557-6205 or by email at ivy.yeung@sfgov.org.
All your information will be kept confidential according to EEO guidelines.
The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.