Cybersecurity Analyst II
AUSTIN, TX
Join the Texas Health and Human Services Commission (HHSC) and be part of a team committed to creating a positive impact in the lives of fellow Texans. At HHSC, your contributions matter, and we support you at each stage of your life and work journey. Our comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement and more. Explore more details on the Benefits of Working at HHS webpage.
Functional Title: Cybersecurity Analyst II
Job Title: Cybersecurity Analyst II
Agency: Health & Human Services Comm
Department: CHIEF INFO SECURITY OFFICE
Posting Number: 6150
Closing Date: 09/07/2025
Posting Audience: Internal and External
Occupational Category: Computer and Mathematical
Salary Group: TEXAS-B-25
Salary Range: $5,797.66 - $9,508.25
Shift: Day
Additional Shift: Days (First)
Telework:
Travel: Up to 40%
Regular/Temporary: Regular
Full Time/Part Time: Full time
FLSA Exempt/Non-Exempt: Nonexempt
Facility Location:
Job Location City: AUSTIN
Job Location Address: 701 W 51ST ST
Other Locations:
MOS Codes: 0605,0630,0631,0639,0670,0679,0681,1702,1705,1710,1720,1721,1799,2611,2653,2659,8055,8858,14N,14NX,170A,170B,17A,17B,17C,17C0,17DX,17S,17SX,17X,181X,182X,183X,184X,1B4X1,1D7X1,1N4X1,255A,255N,255S,25B,25D,26A,26B,26Z,3D0X2,3D0X3,3D1X1,3D1X2,514A,5C0X1D,5C0X1N,5C0X1R,5C0X1S,5IX,681X,682X,683X,781X,782X,783X,784X,CT,CTI,CTM,CTN,CTR,CYB10,CYB11,CYB12,CYB13,CYB14,IS,ISM,ISS,IT,ITS
Brief Job Description:
This position is open to permanent residents or US citizens only.
The Cybersecurity Analyst II is assigned a range of tasks, including researching, evaluating, and recommending security controls and procedures for the appropriate protection and reduction of risk for information resources. You will assess business objectives and advise business partners on the security and compliance requirements as well as the risks within various business initiatives. The position develops, recommends, and evaluates the implementation of plans designed to safeguard information systems and information resources against accidental or unauthorized modification, destruction, or disclosure for agency-administered systems as well as third-party-administered systems.
Develops, monitors, evaluates, and maintains system security plans and corrective action plans to ensure the protection of information systems and information resources from unauthorized users. Participates on a team that is responsible for analyzing, implementing, and maintaining security controls for sensitive data handling systems and infrastructure to enforce agency information security policies and procedures. Assists in coordinating, deploying, and managing IT security risk assessment activities of small to mid-size computing environments to identify points of vulnerability and/or non-compliance with established Information Assurance (IA) standards and regulations. Recommends mitigation strategies. Uses risk assessment evaluation tools to develop spreadsheets, diagrams, metrics, and other reports for managing the compliance and certification process. Works in sensitive situations and with sensitive information and keeps confidences.
Essential Job Functions (EJFs):
Attends work on a regular and predictable schedule in accordance with agency leave policy and performs other duties as assigned.
1. Successfully manage and operate the HHS Training and Awareness Program. (30%)
- Provides Security Awareness Training to help ensure employees have a solid understanding of the agency's security policies, procedures, and best practices.
- Defines, prepares, delivers, and facilitates an ongoing awareness campaign utilizing a wide variety of mediums and delivery mechanisms to effectively and constantly educate the organization on security related information, threats, and technology risks.
- Conducts and coordinates information security training and awareness initiatives for users such as the annual Cyber-Security Awareness Fair.
- Ensure necessary state requirements for annual awareness training are met.
- Maintains an in-depth knowledge of industry threats, threat trends, regulatory requirements, security technologies, vendors, and products to deliver periodic notifications of potential threats to the agency.
- Research and propose security awareness and training process improvements to senior staff.
2. Helps mature the Information Security Program (25%)
- Acts as a subject matter expert (SME) for the information security assurance program. Consults on projects to ensure IT staff and non-IT parties understand and follow security policies and standards.
- Review and supply feedback on the Information Security Plan including risk management, assurance practices, and security services (e.g., cybersecurity threat intelligence).
- Champions security awareness by helping with educational programs, ongoing training, and other communication (e.g., CISO SharePoint and website). Reviews and proposes suggestions for existing and upcoming policies, standards, procedures, and other applicable security documentation. Plans, develops, and assists in the coordination and communication of new policies and procedures, including implementation of security guidance and practices.
- Assist in the creation and maintenance of criteria and materials for analyst improvement.
- Supports security and compliance controls through the agency's Governance, Risk and Compliance (GRC) tool. Ensures that IT Security's GRC platform aligns with the enterprise GRC strategy.
- Perform and review vulnerability scanning, assist in remediation efforts, provide technical guidance, and recommend security enhancements to management, as needed.
- Performs needs assessment of controls and programs related to security awareness and training to identify and assess compliance such as role-based training.
3. Participates on a team that ensures sensitive data handling systems are in compliance with security controls that enforce agency policy and procedures. (20%)
- Provides security and risk management services by performing risk identification, assessment, and remediation as well as regulatory and internal compliance monitoring using standards and processes as required to adequately protect HHS personnel, facilities, infrastructure, information, and business operations.
- Researches and proposes compliance process improvements to senior staff.
- Monitors and reports internal and external security threats, researches security threats, and recommends to senior staff the appropriate changes to the security program to prevent sensitive agency data from being compromised.
- Participates in vendor product reviews, evaluations, demonstrations, proofs of concept and implementations.
- Develops clear, comprehensive, and well-defined information security policies, standards and guidelines that regulate access to the agency's systems and the information included in them.
- Effective policy protects not only information and systems, but also individual employees and the agency. Manages events, issues, inquiries, and incidents when detected or reported, including all phases from investigation through resolution.
- Works with auditors during fieldwork and prepares management responses to Information Security findings identified in audits. Facilitates the development of Information Security action plans.
- Responds to status requests, special projects, and requests for assistance from internal and external stakeholders.
4. Provides leadership to other security analysts in the performance of their duties. (20%)
- Provides leadership to other security analysts in the performance of their duties within assigned specific security domains or areas of knowledge.
- Builds relationships and partners with business and IT organizations.
- Develops and maintains effective working relationships with customers, business partners, and other team members.
- Responds to customer security assessments and audits.
- Participates in the incident response process. Assesses the impact on the business caused by theft, destruction, alteration, or denial of access to information.
- Investigates, recommends, and monitors implementation of new security products and services.
- Acts as a central point of contact for internal and external customers on Information Security issues.
- Acts as an escalation point for complex internal and external facing Information Security support functions.
- Participates in Change Control Boards and works with other departments and agencies to ensure security of products and services. Maintains an in-depth knowledge of industry threats, threat trends, regulatory requirements, security technologies, vendors, and products. Proactively shares information that will make colleagues and customers more successful.
5. Performs or leads other duties as assigned. (5%)
Knowledge, Skills and Abilities (KSAs):
- Knowledge and understanding of the NIST Special Publications (800 Series) with particular emphasis on the SP 800-53 Security and Privacy Controls for Federal Information Systems & Organizations. Must be able to demonstrate knowledge of control structures and application of controls.
- Knowledge of the limitations and capabilities of computer systems; of technology across all network layers and computer platforms; of operational support of networks, operating systems, Internet technologies, databases, and security applications; and of information security practices, procedures, and regulations.
- Knowledge in analyzing, recommending, & developing enterprise-wide security policies, standards, & guidelines within appropriate organizational risk tolerances. Skill in implementing enforcement of security policy within technology solutions.
- Knowledge of enterprise security program management using Enterprise Governance Risk & Compliance solutions. Demonstrated experience with the implementation & development of business processes in Enterprise Governance Risk & Compliance solutions.
- Knowledge of effective project management practices & ability to effectively manage multiple priorities within a security function providing services to numerous clients. Has professional presentation skills.
- Skill in the operation of computers and applicable software and in configuring, deploying, and monitoring security infrastructure.
- Skill in evaluating enterprise networks/systems for assurance of control requirements as specified by IRS Pub. 1075, Tax Information Security Guidelines for Federal, State & Local Agencies. Capable of managing control assertion & corrective action plan processes including the coordination of status updates & report submission.
- Skilled information technology professional with advanced experience developing and implementing IT security training and awareness programs, policy, standards, and/or procedures.
- Must have critical thinking and solution development skills.
- Excellent written, verbal communication, and presentation skills.
- Ability to resolve complex security issues in diverse and decentralized environments, to communicate effectively, and to assign and/or supervise the work of others.
Registrations, Licensure Requirements or Certifications:
Prefer one or more of the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), Global Information Assurance Certification (GIAC), or similar security certifications.
Initial Screening Criteria:
At least 3 years’ experience in information security analysis work. Graduation from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, or a related field is generally preferred. Education and experience may be substituted for one another up to 4 years.
Additional Information:
Any employment offer is contingent upon available budgeted funds. The offered salary will be determined in accordance with budgetary limits and the requirements of HHSC Human Resources Manual.
Review our Tips for Success when applying for jobs at DFPS, DSHS and HHSC.
Active Duty, Military, Reservists, Guardsmen, and Veterans:
Military occupation(s) that relate to the initial selection criteria and registration or licensure requirements for this position may include, but are not limited to, those listed in this posting. All active-duty military, reservists, guardsmen, and veterans are encouraged to apply if qualified to fill this position. For more information please see the Texas State Auditor’s Job Descriptions, Military Crosswalk and Military Crosswalk Guide at Texas State Auditor's Office - Job Descriptions.
ADA Accommodations:
In compliance with the Americans with Disabilities Act (ADA), HHSC and DSHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.
Pre-Employment Checks and Work Eligibility:
Depending on the program area and position requirements, applicants selected for hire may be required to pass background and other due diligence checks.
HHSC uses E-Verify. You must bring your I-9 documentation with you on your first day of work.
Telework Disclaimer:
This position may be eligible for telework. Please note, all HHS positions are subject to state and agency telework policies in addition to the discretion of the direct supervisor and business needs.
Nearest Major Market: Austin