Governance, Risk, and Compliance (GRC) Analyst (1042) - Department of Technology

Governance, Risk, and Compliance (GRC) Analyst (1042) - Department of Technology Apply through the City and County of San Francisco SmartRecruiters portal. Application deadline: 11:59 PM PST, Wednesday, October 29, 2025. About Department of Technology The Department of Technology (DT) is the centralized technology services provider for the City and County of San Francisco, supporting public safety, municipal broadband, cybersecurity, cloud solutions, and more. Benefits of Working for CCSF Competitive pay, benefits, and retirement options Career growth opportunities through training, internal mobility, and subsidized education Diverse work environment in a diverse city Hybrid work schedule Responsibilities Perform cyber risk assessments against City cybersecurity requirements. Conduct vendor risk assessments to evaluate security posture of vendors. Support the cyber awareness training and education program, including phishing simulations. Track and monitor risk mitigation plans. Develop routine reports in accordance with GRC metrics. Coordinate with technology and business groups to assess, implement, and monitor IT‑related security risks/hazards. Conduct technical research to aid in threat assessment or risk mitigation activities. Perform assessments of adherence to standards. Review policies and supporting procedures/processes. Stay up‑to‑date on industry changes related to security. Appointment Type Permanent Exempt (PEX), Full Time. This position is excluded by the Charter from the competitive civil service examination process and will serve at the discretion of the appointment officer. The anticipated duration is 36 months and will not result in an eligible list or permanent civil service hiring. Work Location Primary location: Department of Technology, 1 S Van Ness Ave, San Francisco, CA 94103. Occasional travel to other City sites may be required. Nature of Work Hybrid work schedule may be offered. Traveling within San Francisco may be required. How to Qualify Minimum Qualifications Associate degree in computer science, computer engineering, information systems, or a closely related field from an accredited college or university, OR equivalent in credit units. One (1) year of experience analyzing, installing, configuring, enhancing, and/or maintaining enterprise network components. Substitution: Each year of relevant experience may substitute for one year of academic training, up to a maximum of two (2) years. Completion of the 1010 Information Systems Trainee Program may substitute for the required degree. Desirable Qualifications 1–2 years working in a cyber GRC role. Experience with risk analytics within IT. Familiarity with cybersecurity frameworks (NIST CSF/RMF, NIST 800‑53, FedRAMP, etc.). Familiarity with security standards (e.g., HIPAA, PCI‑DSS, etc.). Familiarity with vendor risk management assessments (e.g., SOC 2, CAIQ, etc.). Comfortable discussing technical topics. Proficiency in Excel or similar. Ability to define and communicate risk in business‑relevant language. Excellent verbal and written communication skills. Experience communicating IT risk concepts to non‑technical people. Knowledge of quantitative risk management, including the Factor Analysis of Information Risk (FAIR). Familiarity with GRC platforms (e.g., SNOW, LogicGate, OneTrust, etc.). Security certifications (e.g., Security+, CISA, CISM, CRISC, etc.). Preferred skills in SharePoint and reporting services. Knowledge of privacy concepts. Verification Applicants may be required to submit verification of qualifying education and experience. Written verification must be on official letterhead, signed by the employer. Selection Procedures Evaluation of applications will consider minimum requirements and assess knowledge, skills, and abilities. Additional screening may be used. Interviews and written or performance exercises may be part of the process. Compensation $66.6750 – $83.8625 (hourly) | $138,684 – $174,434 (annually) EEO Statement The City and County of San Francisco encourages women, minorities, and persons with disabilities to apply. Applicants will be considered regardless of sex, race, age, religion, color, national origin, ancestry, physical or mental disability, medical condition, HIV/AIDS status, genetic information, marital status, sexual orientation, gender identity, gender expression, military and veteran status, or any other protected class. Additional Information Regarding Employment All information will be kept confidential according to EEO guidelines. #J-18808-Ljbffr City and County of San Francisco