Governance, Risk, and Compliance

Company Description

Specific information regarding this recruitment process is listed below:

• Application Opening - Wednesday, October 15, 2025.
• Application Deadline - Interested candidates are encouraged to apply as soon as possible, as this job announcement will close at any time, but not earlier than 11:59PM PST, Wednesday, October 29, 2025.

About Department of Technology

Are you ready to make an impact in one of the most innovative cities? The Department of Technology (DT) is looking for passionate IT professionals to help shape the future of technology in San Francisco As the centralized technology services provider for the City and County of San Francisco (CCSF), DT delivers critical infrastructure and services to over 33,000 employees—supporting public safety, municipal broadband, cybersecurity, cloud solutions, and more With a $140M+ annual budget and a team of 300+ experts, DT is leading the charge in digital transformation. DT provides services through our core areas of IT Excellence:

• IT Project Management Office
• Enterprise Application Services
• Cloud Center of Excellence
• IT Operations and Support including the Service Desk and NOC
• City Infrastructure including the Network, Telcom and Data Centers
• Office of Cybersecurity including Cyber Defense, Identity Management and Disaster Recovery
• Public Safety Systems and Municipal Broadband Fiber
• SFGovTV Broadcasting Services
• IT Finance and Administration Services
• Emerging Technologies

Why Join Us? Innovative & Impactful Work At DT, you won't just work on IT—you'll power a city. Your expertise will directly impact the residents of San Francisco, from closing the digital divide to ensuring secure, efficient city operations.

Benefits of Working for CCSF: In addition to challenging and rewarding work, the City provides a generous suite of benefits to its employees.

• Competitive pay, benefits, and retirement options
• Career growth opportunities through training, internal mobility, and subsidized education
• Diverse work environment in a diverse city
• The Department has a hybrid work schedule

Join the team that's shaping the future of technology in San Francisco. Apply today and be part of a dynamic, innovative, and mission-driven ITteam

Job Description

The City and County of San Francisco (City) is excited to be hiring a Governance, Risk, and Compliance (GRC) security analyst. The analyst will support a critical function of the Office of Cybersecurity that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a GRC program.

Major functions in this role include (and are not limited to):

• Perform cyber risk assessments against City cybersecurity requirements.
• Conduct Vendor Risk Assessments to assess security posture of vendors.
• Support the cyber awareness training and education program, including phishing simulations.
• Track and monitor risk mitigation plans.
• Develop routine reports in accordance with GRC metrics
• Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards
• Conduct technical research to aid in threat assessment or risk mitigation activities
• Perform assessments of adherence to standards
• Perform review of policies and supporting procedures/processes.
• Stay on top of changes in the industry as it relates to security.

Appointment Type:

This Permanent Exempt (PEX), Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointment officer. The anticipated duration of this project position is thirty-six (36) months and will not result in an eligible list or permanent civil service hiring.

Work Location

Incumbent will conduct the majority of work at the Department of Technology, (1 S Van Ness, Ave San Francisco, CA 94103). However, there may be situations where the incumbent will be required to work at other sites throughout the City of San Francisco as necessary.

Nature of Work

The Department may offer a hybrid work schedule. Traveling within San Francisco may be required.

Qualifications

Minimum Qualifications

Education: An associate degree in computer science, computer engineering, information systems, or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in one of the fields above or a closely-related field].

Experience: One (1) year of experience analyzing, installing, configuring, enhancing, and/or maintaining the components of an enterprise network.

Substitution: Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units/r forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in one of the fields above or a closely related field.

Completion of the 1010 Information Systems Trainee Program may be substituted for the required degree.

Desirable Qualifications

• 1-2 years working in a cyber GRC type role.
• Risk Analytics experience within IT
• Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc).
• Familiar with security standards (i.e. HIPAA, PCI-DSS, etc).
• Familiar with vendor risk management assessments (i.e. SOC2, CAIQ, etc).
• Comfortable having a technical discussion.
• Proficient in Excel or similar.
• Ability to define and communicate risk in business-relevant language
• Excellent verbal and written communication skills

-Ability to communicate IT risk concepts to non-technical people -Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR).

• Familiar with GRC platforms (i.e. SNOW, LogicGate, OneTrust, etc).
• Possess security certifications (i.e. Security+, CISA, CISM, CRISC, etc).
• Preferred skills in SharePoint and reporting services
• Familiar with Privacy concepts.

Verification: Applicants may be required to submit verification of qualifying education and experience at any point in the application and/or departmental selection process. Written verification (proof) of qualifying experience must verify that the applicant meets the minimum qualifications stated on the announcement. Written verification must be submitted on employer's official letterhead, specifying name of employee, dates of employment, types of employment (part-time/full-time), job title(s), description of duties performed, and the verification must be signed by the employer. City employees will receive credit for the duties of the class to which they are appointed. Credit for experience obtained outside of the employee's class will be allowed only if recorded in accordance with the provisions of the Civil Service Commission Rules. Experience claimed in self-employment must be supported by documents verifying income, earnings, business license and experience comparable to the minimum qualifications of the position. Copies of income tax papers or other documents listing occupations and total earnings must be submitted. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at

Note: Falsifying one's education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

Applicants must meet the minimum qualification requirement by the final application deadline unless otherwise noted.

What Else Should I Know

Selection Procedures

The selection process will include evaluation of applications in relation to minimum requirements and assessment of candidates' job-related knowledge, skills and abilities. Depending on the number of applicants, the Department may establish and implement additional screening mechanisms to evaluate candidate qualifications. This typically includes an oral interview and/or a written or performance exercise.

If this becomes necessary, only those applicants whose qualifications most closely meet the Department needs will be invited to continue in the selection process. Applicants meeting the minimum requirements are not guaranteed advancement in the selection process.

To find Departments which use this classification, please see:

Additional Information

Additional Information Regarding Employment with the City and County of San Francisco:

• Information About the Hiring Process
• Conviction History
• Employee Benefits Overview
• Equal Employment Opportunity
• Disaster Service Worker
• ADA Accommodation
• Right to Work
• Copies of Application Documents
• Diversity Statement

Compensation: $ $ hourly)/$138,684 - $174,434 (annually)

How to Apply:

Applications for City and County of San Francisco jobs are only accepted through an online process. Visit and begin the application process.

• Select the "Apply Now" button and follow instructions on the screen

For best practices on the application process, please visit Apply for Jobs in the City and County of San Francisco Best Practices Guide. Applicants may be contacted by email about this announcement and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses , , , , , , , , , , , , , , and ).

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.

All your information will be kept confidential according to EEO guidelines.

HR Analyst Information: If you have any questions regarding this recruitment or application process, please contact the assigned Human Resources Analyst, Melanie Bautista at

Condition of Employment:

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.