Cybersecurity Analyst III

TX-HHSC-DSHS-DFPS
Austin, TX
Onsite

About The Position

This position is open to U.S. Citizens and permanent residents. This onsite role requires the selected candidate to work from an HHS office in Austin, Texas.

The Cybersecurity Analyst III performs senior-level security work with emphasis on cloud security, web application protection, and governance, risk, and compliance (GRC). The role supports on-premises and cloud environments by evaluating, implementing, and monitoring security controls to protect agency systems and data. The position helps develop and maintain the HHSC Information Security Program and ensures the implementation and documentation of policies, procedures, and controls that meet regulatory and compliance requirements.

Using established risk management methodologies, the Analyst conducts security and risk assessments, identifies policy or control needs, and evaluates the effectiveness of security solutions across assigned governance areas. The role reviews regulatory changes, monitors industry best practices and emerging technologies, participates in compliance and regulatory audits, and supports the implementation of security improvements.

The Analyst also provides expert guidance on HHS Security Policy, TAC 202, HIPAA, and other applicable regulations; partners with Information Security Officers and technical teams to address vulnerabilities; advises on high-risk IT projects; and supports staff on security and compliance matters.

Requirements

  • Information security risk assessment and security assessment methodologies, processes, and audit practices.
  • Security program policies, standards, controls, and procedural requirements.
  • Networking, operating systems, applications, databases, and related technologies, including wireless and mobile environments.
  • Incident response concepts, practices, and procedures.
  • Secure Software/System Development Lifecycle (S‑SDLC) methodologies.
  • Regulatory and compliance requirements, including HIPAA/HITECH, PCI, SOX, TAC 202, IRS Publication 1075, Texas Business and Commerce Code, and Texas Health and Safety Code.
  • Security and risk management frameworks such as NIST, SANS, HITRUST, ISO, and COBIT.
  • Written and verbal communication.
  • Analyzing and solving complex problems and quickly understanding technical concepts.
  • Developing, implementing, and maintaining information security policies, standards, and controls.
  • Performing risk assessments, security assessments, and audits.
  • Evaluating risks and identifying mitigation strategies, including defining compensating controls.
  • Interpret and apply regulatory, policy, and security framework requirements.
  • Communicate technical information to both technical and non-technical audiences.
  • Work collaboratively with diverse teams and guide others in information security practices.
  • Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions.
  • Graduation from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, or a related field is strongly preferred. Education and experience may be substituted for one another on a year-for-year basis.
  • At least 8 - 12 years of experience in information technology, security risk, compliance management, assessment, auditing, research, and consulting.
  • Experience in researching, authoring, or supporting the development of information security policies and standards.
  • Experience developing security and risk performance metrics and reporting dashboards for executive, business, and technical audiences.

Nice To Haves

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Systems Manager (CISM)
  • Global Information Assurance Certification (GIAC)
  • Project Management Professional (PMP)

Responsibilities

  • Provides security and risk management services by performing risk identification, assessment, and remediation, as well as regulatory and internal compliance monitoring; uses established standards and processes to adequately protect Health and Human Services (HHS) personnel, facilities, cloud infrastructure, information, and business operations. (30%)
  • Conduct system security assessments and evaluate products, services, and technical issues to determine security impacts and required mitigation actions. Performs risk-based needs assessments of automated systems to identify information security requirements; evaluates agency systems including infrastructure, processes, and procedures with a specific focus on cloud security posture management (CSPM) and web application vulnerabilities to discover compliance needs and gaps. (30%)
  • Lead and facilitate security initiatives, including planning, coordinating, and executing assigned security projects and tasks. Prepares documentation, reporting packages, and audit responses for internal reviews, external audits, and leadership inquiries. (20%)
  • Advises management and users regarding enterprise security program functions, including cloud security best practices and secure application development standards; provides targeted training to agency customers within assigned specific security domains. (10%)
  • Provide leadership and mentorship to other security analysts, offering guidance in performing assessments, implementing controls, and carrying out security functions. (10%)

Benefits

  • 100% paid employee health insurance for full-time eligible employees
  • a defined benefit pension plan
  • generous time off benefits
  • numerous opportunities for career advancement