Cybersecurity Analyst II

TX-HHSC-DSHS-DFPS, Austin, TX (Remote)

About The Position

As a Cybersecurity Analyst II at the Texas Department of Family and Protective Services (DFPS) you will have at least one to two (1-2) years of related experience and be responsible for supporting the agency’s Governance, Risk, and Compliance (GRC) program by monitoring and assessing applicable cybersecurity, privacy, and regulatory requirements to mitigate potential risks and ensure adherence to industry standards. The Cybersecurity Analyst II will help perform risk assessments, support audits, and develop and maintain security policies and procedures. The Cybersecurity Analyst II will collaborate with departments, stakeholders, and external partners to maintain a comprehensive GRC program that supports the agency’s strategic objectives. This role applies professional knowledge of cybersecurity frameworks and compliance requirements to perform moderately complex assignments with increasing independence.

Requirements

  • Graduation from an accredited four-year college or university with major coursework in cybersecurity, information technology, computer engineering, computer information systems, computer science, management information systems, or a related field is generally preferred. Work experience may be substituted for education on a year-for-year basis.
  • 1-2 years’ experience in governance, risk management, and compliance roles, preferably in a regulated industry or highly complex environment.
  • Experience with State of Texas information security requirements, including Texas Administrative Code §202 and Texas Government Code 2054, is strongly preferred.
  • Knowledge of security controls in industry-standard frameworks including, but not limited to, the Federal Information Security Management Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), the National Institute of Standards and Technology (NIST) 800 Series Special Publications, the NIST Cybersecurity Framework, the FBI Criminal Justice Information Services (CJIS) Security Policy, or other security standards and regulations.
  • Proficiency in using GRC software and other relevant tools.
  • Ability to prepare technical issue papers and research reports and to effectively deliver oral presentations and written reports to IT and non-IT management.
  • Excellent analytical and problem-solving skills, with the ability to identify and evaluate potential risks and develop effective mitigation strategies.
  • Exceptional attention to detail and a thorough understanding of internal control systems.
  • Experience in developing and delivering compliance training programs.
  • Experience creating and managing policy, processes, and procedure documents.
  • Enjoys identifying and building efficiencies within the team; strong consensus-building, multitasking, interpersonal, and analytical skills.
  • Experience auditing various cloud architectures and deployment models such as Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), etc.
  • Excellent written and verbal communication skills with the ability to adapt messaging to executive, technical, and non-technical audiences.
  • If not already certified, must obtain within one year of employment a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), GIAC Critical Controls Certification (GCCC), (ISC)² Certified in Governance, Risk and Compliance (CGRC) or similar certification.

Responsibilities

  • Assist the Director of Security GRC and GRC Lead in developing, reviewing, and maintaining an enterprise-wide governance, risk management, and compliance program, aligning it with the agency’s goals and objectives.
  • Ensure policies, procedures, and controls comply with legal and regulatory requirements, industry standards, and best practices.
  • Conduct and document risk assessments of information systems, vendors, and business processes to identify vulnerabilities, assess the impact of risks, and recommend mitigation strategies.
  • Track and report on identified risks and mitigation strategies.
  • Support the organization’s risk register and help business units develop remediation plans.
  • Monitor compliance with internal policies and state regulatory requirements.
  • Support internal and external audit activities, including evidence collection and gap remediation.
  • Assist with regulatory reporting and compliance attestations.
  • Contribute to the development and delivery of role-based security awareness and compliance training.
  • Review security questionnaires, contracts, and vendor engagements to ensure third-party compliance with cybersecurity requirements.
  • Provide compliance support to SSCC/CBC partners.
  • Collaborate with key stakeholders, such as legal, finance, IT, and operations teams, to provide guidance on compliance-related matters and promote a culture of risk awareness and ethical behavior.
  • Stay informed on relevant laws, regulations, industry standards, and emerging governance, risk, and compliance trends, and communicate any changes or updates to the GRC Lead, Director and/or CISO.
  • Assist in conducting periodic audits and internal reviews to identify control weaknesses and recommend corrective actions.
  • Foster a culture of ethics, integrity, and accountability within the agency.
  • Supports the Cybersecurity Awareness Training Program by updating content, tracking completion metrics, and coordinating campaigns.
  • Maintains the accuracy and relevance of internal and external cybersecurity communications, including website content and shared dashboards.
  • Ensures the team's shared inbox and communication channels are monitored and responsive, enhancing stakeholder engagement and service delivery.
  • Provides day-to-day operational support of the GRC platform, including access control, user account management, and issue resolution.
  • Troubleshoots platform issues and works with internal IT or vendor support teams to ensure consistent system performance.
  • Assists in the configuration and enhancement of GRC workflows to streamline assessments, reporting, and risk tracking.
  • Organizes compliance evidence artifacts to satisfy internal, state, and federal reporting requirements.
  • Coordinates the upkeep of a centralized evidence repository to support recurring assessments and audit preparedness.
  • Collaborates with audit teams to ensure timely responses to findings, recommendations, and control testing activities.
  • Assists in assessing existing IT architecture and solutions for alignment with standards such as NIST 800-53, NIST CSF, and CJIS.
  • Contributes to the ongoing development and testing of Disaster Recovery (DR) and Business Continuity (BC) plans.
  • Participates in cross-functional architecture reviews to ensure security considerations are embedded in system design and implementation.
  • Assists in conducting risk assessments of third-party vendors and reviewing technology contracts for security and compliance considerations.
  • Collaborates with senior team members to ensure contractual terms align with cybersecurity policies and regulatory requirements.
  • Supports engagement efforts with business and IT stakeholders by gathering requirements and assisting with the coordination of risk management activities.
  • Conducts basic research on emerging cybersecurity risks to support team planning and help identify potential impacts to the Department of Family and Protective Services' third-party ecosystem.
  • Ensures division website content is accurate, up to date, and effectively communicated; ensures the division email box is monitored and maintained.
  • Functions as a cybersecurity generalist to support and backfill work across the team.
  • Provides GRC system operational support, including troubleshooting issues, access control management, account management, and general technical support.
  • Advises customers and internal stakeholders on security configuration and best practice issues.

Benefits

  • 100% paid health insurance for you, and 50% paid for eligible family members—saving you hundreds every month in out-of-pocket medical costs
  • Retirement plans with lifetime monthly payments after five years of state service, plus options to save even more with 401(k) and 457 plans
  • Paid vacation, holidays, and sick leave so you can recharge and take care of life outside work (that’s time off you’re actually paid for)
  • Optional dental, vision, and life insurance—at rates much lower than most private plans
  • Flexible spending accounts for added tax savings on health and dependent care
  • Employee discounts on things like gym memberships, electronics, and entertainment