Information Security Portfolio Manager (ISPM)

TX-HHSC-DSHS-DFPS
Austin, TX (Onsite)

About The Position

This position is open to U.S. Citizens and permanent residents. This is an onsite position based in Austin, TX. The selected candidate must be willing to work onsite from an HHS office located in Austin, Texas. The Information Security Portfolio Manager (ISPM) provides dedicated cybersecurity governance, risk management, and compliance oversight across assigned HHSC information system portfolios. The position ensures continuous execution of the Risk Management Framework (RMF), security authorization activities, vulnerability management, procurement of security reviews, audit readiness, and incident response coordination. The ISPM works closely with Information Owners, Information Custodians, technical teams, and executive governance bodies to ensure cybersecurity risks, security events, and compliance obligations are proactively managed throughout the system lifecycle, from initiation through retirement.

Requirements

  • Bachelor’s degree in Information Security, Information Technology, or a related field, or equivalent experience on a year-for-year basis.
  • Minimum of five (5) years of experience in cybersecurity governance, risk management, or compliance.
  • Experience implementing RMF and security authorization processes.
  • Experience working with enterprise GRC and IT service management tools.
  • Risk Management Framework (NIST RMF) implementation
  • Security Authorization and ATO processes
  • Vulnerability management and remediation tracking
  • Security assessments and penetration testing coordination
  • Incident response processes and escalation protocols
  • Security architecture and design review
  • Procurement and contract security controls
  • Governance, risk, and compliance methodologies
  • TAC 202, NIST 800-53, MARS-E, and HHSC security policy
  • GRC and ITSM platforms (Archer, ServiceNow, Helix, or equivalent)
  • Risk identification and risk-based decision support
  • Ability to interpret regulatory and technical security requirements
  • Documentation management and audit evidence preparation
  • Process improvement and governance maturity development
  • Ability to communicate technical risk in business terms
  • Facilitation of governance forums and working sessions
  • Stakeholder engagement across technical and executive levels
  • Clear written and verbal communication
  • Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions

Nice To Haves

  • Experience in public sector or healthcare security governance environments.
  • Professional certifications such as CISM, CISSP, CISA, CRISC, or equivalent.
  • ISO 27001 Lead Implementer or Lead Auditor certification.
  • Project Management Professional (PMP) or equivalent.

Responsibilities

  • Guides Information Owners and Information Custodians through RMF lifecycle activities including system security categorization, security planning, and risk assessments.
  • Ensures vulnerability scans are requested, completed, and remediation actions are tracked to closure.
  • Oversees development and maintenance of security documentation including System Security Plans (SSPs), Confidentiality-Integrity-Availability (CIA) assessments, risk assessments, Plans of Action & Milestones (POA&Ms), and risk exception requests.
  • Monitors annual risk assessment completion in accordance with TAC 202 and HHSC Information Security Policy requirements.
  • Communicates major system or architectural changes to the Risk Team for determination of additional security assessment requirements.
  • Coordinates security control assessments, penetration testing activities, and vulnerability management in collaboration with the Cybersecurity Operations Center (CSOC) and Risk Team.
  • Provides compliance oversight of the Authorization to Operate (ATO) process.
  • Develops ATO packages for CISO and Authorizing Official review and approval.
  • Supports DIR risk letter responses, external audit engagements, and regulatory inquiries.
  • Reviews system architecture, design, and technical intake submissions to identify security risks and compliance gaps.
  • Provides corrective guidance to ensure security requirements are incorporated prior to enterprise approval.
  • Participates in Architecture Review Board (ARB) meetings to represent cybersecurity governance and risk considerations.
  • Reviews Requests for Offer (RFOs), procurement documentation, contract renewals, and vendor engagement materials to ensure privacy, security, SPI, and RAMP requirements are incorporated based on data classification and deployment models.
  • Provides security feedback on solicitation and contract language on behalf of the CISO Office.
  • Serves as a cybersecurity liaison in executive management committees, data governance councils, metadata governance forums, and other enterprise decision-making bodies.
  • Conducts recurring outreach with Information Custodians to monitor RMF compliance status, including missing or expired categorizations, risk assessments, POA&Ms, and risk-based decisions.
  • Communicates security-related changes, impacts, and requirements to portfolio stakeholders.
  • Serves as a portfolio point of contact for cybersecurity incidents and security events.
  • Coordinates incident response engagement between CSOC, Risk Team, system owners, and executive stakeholders.
  • Ensures appropriate documentation, tracking, and post-incident reporting activities are completed.
  • Ensures compliance with TAC 202, HHSC Information Security Policy, and NIST RMF requirements.
  • Maintains evidence of artifacts for audits and regulatory reviews.
  • Supports audit inquiries, evidence requests, and remediation tracking.

Benefits

  • The comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement, and more.