IS Cybersecurity Business Analyst

Company Description
Department: DT/Cybersecurity

Job class: 1052 IS Business Analyst

Salary range: [$111, $140,738.00] annually

Hours: Full-time.

Role type: Permanent Exempt (PEX), Full Time position is excluded by the Charter from the competitive civil service examination process and shall serve at the discretion of the appointment officer. The anticipated duration of this project position is thirty-six (36) months and will not result in an eligible list or permanent civil service hiring. Project-based positions cannot be ongoing or exceed 36 months.

About

• Application Opening: Monday, November 10, 2025
• Application Deadline: This job will close no sooner than Monday, November 24, :59 PM).

Department Description
Are you ready to make an impact in one of the most innovative cities? The Department of Technology (DT) is looking for passionate IT professionals to help shape the future of technology in San Francisco As the centralized technology services provider for the City and County of San Francisco (CCSF), DT delivers critical infrastructure and services to over 33,000 employees—supporting public safety, municipal broadband, cybersecurity, cloud solutions, and more With a $140M+ annual budget and a team of 300+ experts, DT is leading the charge in digital transformation. DT provides services through our core areas of IT Excellence:

• IT Project Management Office
• Enterprise Application Services
• Cloud Center of Excellence
• IT Operations and Support including the Service Desk and NOC
• City Infrastructure including the Network, Telcom and Data Centers
• Office of Cybersecurity including Cyber Defense, Identity Management and Disaster Recovery
• Public Safety Systems and Municipal Broadband Fiber
• SFGovTV Broadcasting Services
• IT Finance and Administration Services
• Emerging Technologies

Why Join Us? Innovative & Impactful Work At DT, you won't just work on IT—you'll power a city. Your expertise will directly impact the residents of San Francisco, from closing the digital divide to ensuring secure, efficient city operations.

Benefits of Working for CCSF: In addition to challenging and rewarding work, the City provides a generous suite of benefits to its employees.

• Competitive pay, benefits, and retirement options
• Career growth opportunities through training, internal mobility, and subsidized education
• Diverse work environment in a diverse city

Join the team that's shaping the future of technology in San Francisco. Apply today and be part of a dynamic, innovative, and mission-driven IT team

We are committed to ensuring that the City's services are inclusive, efficient, equitable, and culturally competent for San Franciscans of all races, ethnic backgrounds, religions, and sexual orientations. This commitment requires comprehensive review and thorough analysis of existing practices and policies to remove barriers to real inclusion. We are also committed to ensuring that we have a safe, equitable, and inclusive workplace for individuals of all races. This includes creating opportunities for hiring, promotion, training, and development, for all employees, including but not limited to Black, Indigenous, and people of color (BIPOC).

Telecommute option: The department offers a hybrid work schedule.

Job Description
The City and County of San Francisco (City) are excited to be hiring a Governance, Risk, and Compliance (GRC) security analyst. The analyst will support a critical function of the Office of Cybersecurity that will be directly responsible for reducing risks posed to the City. The analyst will be tasked with the important role of identifying, assessing, controlling, and monitoring risks through the Citywide enterprise. They will gain firsthand experience supporting and maturing a GRC program.

• Perform cyber risk assessments against City cybersecurity requirements.
• Conduct Vendor Risk Assessments to assess security posture of vendors.
• Support the cyber awareness training and education program, including phishing simulations.
• Track and monitor risk mitigation plans.
• Develop routine reports in accordance with GRC metrics
• Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards
• Conduct technical research to aid in threat assessment or risk mitigation activities
• Perform assessments of adherence to standards
• Perform review of policies and supporting procedures/processes.
• Stay on top of changes in the industry as it relates to security.

Qualifications
Education
:

An associate degree in business administration, public administration, information systems, economics, finance, computer science or a closely related field from an accredited college or university OR its equivalent in terms of total course credits/units [i.e., at least sixty (60) semester or ninety (90) quarter credits/units with a minimum of twenty (20) semester or thirty (30) quarter credits/units in one of the fields above or a closely-related field].

Experience
One (1) year in the information systems field, including technical support, content management, administration of network applications or system analysis.

Substitution
Additional experience as described above may be substituted for the required degree on a year-for-year basis (up to a maximum of two (2) years). One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units with a minimum of 10 semester / 15 quarter units in one of the fields above or a closely related field.

Completion of the 1010 Information Systems Trainee Program may be substituted for the required degree.

Desirable Qualifications

• Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR).
• Familiar with GRC platforms (i.e. SNOW, LogicGate, OneTrust, etc).
• Possess security certifications (i.e. Security+, CISA, CISM, CRISC, etc).
• Preferred skills in SharePoint and reporting services
• Familiar with Privacy concepts.

Note
: Applicants must meet the minimum qualification requirement by the final filing date unless otherwise noted.

One-year full-time employment is considered equivalent to 2000 hours (2000 hours of qualifying work experience is based on a 40hour work week). Any overtime hours that you work above forty (40) hours per week are not included in the calculation to determine full-time employment.

Additional Information

• Information About the Hiring Process
• Conviction History
• Employee Benefits Overview
• Equal Employment Opportunity
• Disaster Service Worker
• ADA Accommodation
• Veterans Preference
• Right to Work
• Copies of Application Documents
• Diversity Statement

Applicants will receive a confirmation email from that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.

Applicants may be contacted by email about this recruitment and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses , , , , , , , , , , , , , , and ).

Exam Analyst Information: If you have any questions regarding this recruitment or application process, please contact the analyst at

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.