Job Description
This position strategically plans and successfully executes HHSC's Information Security Assurance roadmap. This is a key position within HHSC Information Security that manages regulatory and compliance deliverables for a specific governance portfolio, assists with general risk assessment activities, and serves as the SME on IT Security Assurance related topics. Plays a critical role in the development and support of the HHSC Information Security Assurance Program and in developing strategy for compliance with information security regulatory requirements. Oversees the establishment, implementation, adherence to and documentation of HHSC information security policies, procedures, and processes to protect computer systems, infrastructure, and data from unauthorized access. This position is the highest level under the manager, with authority to develop strategies for compliance, security policies and procedures within 2 sections (assurance and operations) of the HHSC Information Security Assurance Program, and presents these strategies to the Commissioner. Employs generally accepted risk analysis and risk management methodologies to administer risk assessments on behalf of their specific governance portfolios and assists with general risk assessment and assurance functions in order to determine specific needs for security policies and procedures, and to evaluate the potential effectiveness and appropriateness of security solutions. Reviews new and modified regulatory requirements pertaining to information security to determine if new policies and procedures are needed and monitors related "best practices" and emerging security technologies for potential application. Participates in internal and external compliance and regulatory audits and implements recommended security enhancements.
Guides agency users in adhering to the agency and HHS Security Policy, Guidelines and Standards, Texas Administrative Code (TAC 202), Health Insurance Portability and Accountability Act (HIPAA), and other state and federal rules and regulations. Provides information security expertise and support, in partnership with HHS agency Information Security Officers and staff, in addressing security vulnerabilities. Consults on high visibility/high risk IT projects and provides guidance to team members and information security staff on security and compliance matters. Oversees the development and delivery of appropriate information security awareness training to all members of the workforce, including employees, contractors, temporary employees, and other third parties. Initiates, facilitates and promotes activities to foster information security awareness within the organization.
Essential Job Functions
Attends work on a regular and predictable schedule in accordance with agency leave policy and performs other duties as assigned.
(30%) Leads in the design and deployment of the Information Security Assurance Program activities: Acts as the information security assurance program subject matter expert (SME). Manages and matures the HHSC Information Security Assurance Program to ensure effectiveness and compliance with the HHS Information Security Program and other compliance requirements. This includes projects and initiatives to design and verify implementation of various information security controls. Supports the information security leadership team in strategic planning and development. Leads a team of security analysts to ensure security and compliance advisement and assurance for a diverse array of environments and frameworks. Develops and documents agency security policies and procedures. Assists with the successful implementation of security policies and procedures. Recognizes gaps in IT security policies by staying abreast of changes in regulations, the industry, and technology. Identifies areas where current system security policies/procedures require change or new ones need to be developed. Provides recommendations to management and creates/revises policies and/or guides Security Analysts in making the changes. Provides security design, consultancy, and assessment services; and introduces improvements in security standards and security implementation and designs. Assists in the IT Security Assurance planning and budgeting process.
(25%) Leads internal security and compliance assessments for assurance purposes: Delivers and continuously matures the Information Security risk assessment service for HHSC. Performs direct analysis and assessment of established security policy criteria to ensure the success criteria of data security controls and processes are met. Conducts analysis of security requirements and controls to identify security risk and provides recommendations of industry best practices, trends, and technology products to eliminate or minimize risks. Works closely with software/system/security architects, IT leads and other information security staff to ensure adequate security solutions are in place for IT systems and platforms to sufficiently mitigate identified risks and meet business objectives. Leads security special investigations, internal audits, research studies, forecasts, and modeling exercises to provide direction and guidance. This includes the identification and analysis of possible data loss or malicious breach using security tools and processes. Provides direct assessment of existing security controls throughout the enterprise environment to assess continuous improvement of management practices. Performs proactive research to plan for new security risks that may present themselves within the Health and Human Services environment and to assist in planning for future security initiatives as they arise. Drives audit and compliance activities and provides oversight of security controls for the agency, ensuring regulatory security requirements are met. Administers threat and vulnerability assessments and advises on security requirements and controls following assessment of the business impact of a security breach. Manages remediation of security findings from internal or external assessments.
(25%) Supports security and compliance controls through the agency's Governance, Risk and Compliance (GRC) tool. Subject matter expert on GRC concepts to ensure that the IT Security's GRC platform aligns to the enterprise GRC strategy. Manages the design and implementation of IT Security's Risk Management tool (Security Software System). Executes compliance initiatives and customer requirements for multiple services by using IT Security's GRC tool and automating these processes. Oversees initiatives to support the agency's GRC tool such as platform upgrades, data integration with other systems, and solution design reviews.
(15%) Champions the Security Awareness Program: Consults on enterprise projects to ensure IT staff and external parties understand and comply with security policies, standards, etc. Develops and enhances security awareness by providing orientation, educational programs, and on-going training/communication. Coordinates agency communication activities (posters, emails, Connection articles, etc.) to support the Information Security awareness program. Presents information security awareness initiatives to the HHS agencies at the annual Cyber-Security Awareness Fair. Stays current on security industry trends, attack techniques, mitigation techniques, and security technologies by attending conferences, networking with peers, and other educational opportunities.
(5%) Other duties as assigned. (Note: For DSHS positions this includes but is not limited to actively participating and/or serving in a supporting role to meet the agency’s obligations for disaster response and/or recovery or Continuity of Operations (COOP) activation. Such participation may require an alternate shift pattern assignment and/or location.)
Knowledge Skills Abilities
Excellent written and verbal communication skills; interpersonal and collaborative skills; the ability to communicate security and risk-related concepts to technical and nontechnical audiences; persuasive, encouraging, motivating, and inspiring; the ability to listen and understand.
Strong knowledge of cloud security best practices and compliance frameworks.
Experience in risk assessment and mitigation strategies for cloud environments.
Proficiency in automation and scripting for security operations.
Ability to translate complex technical concepts to non-technical stakeholders.
High analytical skills.
Skilled in performing security risk and compliance assessments.
Knowledge of root cause analysis, risk mitigation, analysis of security threats, trends and architecture.
Skilled at recommending, implementing and delivering security solutions based on analysis and business requirements.
Knowledge of the basic tenets of enterprise risk management (threat management, vulnerability management, and risk treatment).
Knowledge of network, system, application and data protection standards, benchmarks, processes, applications, tools, and techniques.
Knowledge of network, system/endpoint, application and data protection issues and security risks.
Ability to monitor the legal and regulatory landscape to proactively address new information security related requirements.
In-depth knowledge of the NIST Special Publications (800 Series) with particular emphasis on SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Must be able to demonstrate extensive knowledge of control structures and application of controls.
Skill in evaluating enterprise networks/systems for assurance of control requirements as specified by the IRS Pub.1075, Tax Information Security Guidelines for Federal, State & Local Agencies. Capable of managing control assertion & corrective action plan processes including the coordination of status updates & report submission.
Knowledge in analyzing, recommending, and developing enterprise-wide security policies, standards, and guidelines within appropriate organizational risk tolerances. Skill in implementing enforcement of security policy within technology solutions.
Ability to develop positive relationships and effectively communicate with management, software/systems/security architects, software/systems/security engineers, quality assurance, auditors, Legal, Privacy, and IT and security operations staff.
Skilled in project management, financial/budget management, scheduling and resource management.
Ability to define, learn, understand, and apply new technologies, methods, and processes.
Adaptable and flexible, with the ability to handle ambiguity and sometimes changing priorities.
Registration Or Licensure Requirements
Must hold at least one of the following certifications:
- Certified Information Systems Security Professional (CISSP)
- Microsoft Cybersecurity Architect (SC-100)
- AWS Certified Solutions Architect
- Prisma Certified Cloud Security Professional
Initial Selection Criteria
5+ years of experience in IT security.
Hands-on experience with cloud platforms (e.g., AWS, Azure, Google Cloud).
Additional Information
MOS Code:
There are no direct military occupation(s) that relate to the responsibilities, and registration or licensure requirements for this position. All active duty, reservists, guardsmen, and veterans are encouraged to apply if they meet the qualifications for this position.
HHS agencies use E-Verify. You must bring your I-9 documentation with you on your first day of work.
In compliance with the Americans with Disabilities Act (ADA), HHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.