Job Description
Performs advanced and/or supervisory (senior level) cybersecurity analysis work. Researches, evaluates, and recommends
security controls and procedures for the appropriate protection and reduction of risk for information resources. Work
involves development of communication templates to include executive leadership, presentation and reporting material
preparation to executive leadership, internal department communications, planning, implementing, and monitoring
security measures for information systems and infrastructure to regulate access to information resources and to prevent
unauthorized modification, destruction, or disclosure of information. Evaluates business objectives and advises business
partners on the security and compliance requirements as well as the risks within various business initiatives. Develops,
recommends, and evaluates the implementation of plans designed to safeguard information systems and information
resources against accidental or unauthorized modification, destruction, or disclosure for agency administered systems as
well as third party administered systems. Develops, monitors, evaluates, and maintains system security plans and
corrective action plans to ensure the protection of information systems and information resources from unauthorized
users. Independently interfaces with executive management throughout the agency and enterprise to assist the CISO in the
delivery of the Information Security Program. Works under limited supervision, with considerable latitude for the use of
initiative and independent judgment.
Essential Job Functions
Attends work on a regular and predictable schedule in accordance with agency leave policy and performs other duties as
assigned.
- (20%) Develops communication templates to include executive leadership:
  - Develops Monthly, Quarterly, and Annual reports and presentation material in preparation for executive
    leadership.
  - This position will also help with internal departmental communications, newsletters, announcements, etc.
- (20%) Provides security and risk management services by identifying, assessing, and remediating risks, as well
as monitoring regulatory and internal compliance. This includes protecting facilities, infrastructure,
information, and business operations within acceptable risk tolerance. Risk management involves assessing and
evaluating risk within information resources, technology, practices, and procedures to ensure efficient and
effective delivery of programs and services while mitigating potential negative outcomes. This includes
conducting technology risk assessments, reviewing technology use in business initiatives, analyzing
vulnerabilities, and monitoring emerging threats and advancing technology. Responsible for developing and
implementing information security policies, responding to security incidents, managing internal and external
audits, and facilitating the resolution of any security-related issues. This includes creating clear and
comprehensive policies, investigating and resolving security incidents, working with auditors during fieldwork,
and providing assistance to internal and external stakeholders.
Performs essential functions such as identifying, assessing, and addressing risks to ensure security and
compliance. This involves safeguarding facilities, infrastructure, information, and business operations within risk
tolerances. Risk management includes evaluating risks in technology, practices, and procedures to support program
delivery while minimizing negative impacts. The analyst conducts technology risk assessments, assesses technology usage
in business projects, identifies vulnerabilities, and monitors emerging threats and advancements in technology.
Responsibilities also include developing and enforcing information security policies, responding to security incidents,
overseeing audits, and resolving security concerns. This encompasses creating thorough policies, investigating, and
resolving security incidents, collaborating with auditors during assessments, and supporting internal and external
stakeholders as needed.
The following are the primary information security risk management functions performed by the Cybersecurity Analyst II
in the Information Security Business and Operations Department:
- Security Policy Development – Develops clear, comprehensive, and well-defined information security policies,
standards and guidelines that regulate access to the agency's systems and the information included in them.
Effective policy protects not only information and systems, but also individual employees and the agency.
- Security Incident Response – Management of events, issues, inquiries, and incidents when detected or reported to
include all phases from investigation through resolution. Responsible for notifying and escalating incidents to
appropriate personnel and coordinating activities to ensure timely isolation and containment, impact analysis,
and any resulting remediation / resolution requirements. Incidents include but may not be limited to privacy
breach, loss, theft, unauthorized access, malware infections, and occurrences of negligence, human error, or
malicious acts.
- Internal, State and Federal Audits – Works with auditors during fieldwork and prepares management responses to
Information Security findings identified in audits. Facilitates the development of Information Security action
plans. Responds to status requests, special projects, and requests for assistance from internal and external
stakeholders.
- (20%) Performs needs assessment to identify requirements of automated systems and evaluates enterprise
information security compliance standards. Reviews the agency's systems including their infrastructure,
processes and procedures to discover security compliance needs (non-compliance) to the following agency control
requirements:
- Texas Administrative Code: Title I, Part 10, Chapter 202, Subchapter B, Rule 202.22 and 202.25, enacted 2004
- Internal Revenue Service Publication 1075, Tax Information Security Guidelines for Federal, State, and Local
Agencies, revised 2010
- Health Insurance Portability and Accountability Act, enacted 1996
- Texas Health & Safety Code, Title 2, Subtitle I, Chapter 181: Medical Records Privacy, enacted 2011
- American Recovery and Reinvestment Act, including Health Information Technology for Economic and Clinical Health
Act, enacted 2009
- CMS Policy for Information Security Program, dated 8/31/2010 (Document Number: CMS-CIO-POL-SEC02-4.0; sections
4.1.1, 4.7, 4.14, 4.16, and 4.17.4)
- Federal Information Security Management Act, enacted 2002
- Family Educational Rights and Privacy Act, enacted 1974
- Texas Government Code, Title 10, Subtitle B, Chapter 2059, Subchapter A, Sec. 2059.056: Responsibility for
External and Internal Security Threats, enacted 2005
- Texas Business and Commerce Code, Title 11, Subtitle B, Chapter 521, Subchapter B, Sec. 521.052: Business Duty
to Protect and Safeguard Personal Identifying Information, enacted 2005
- Texas Health and Human Services Commission: Enterprise Information Security Standards and Guidelines (EISSG),
revised September 2015
- National Institute of Standards and Technology (NIST) Special Publication 800 Series for processes
Documents and maintains agency control requirements in the HHSC Enterprise Information Security Standards and Guidelines
(EISSG), which is a collection of security controls from:
- NIST SP 800-53 version 4 – From the National Institute of Standards and Technology (NIST), which is used by
federal agencies and referred to by CMS and HIPAA
- IRS/FTI Publication 1075
Maintains a controls catalog which defines controls such as:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Program Management
These controls are the safeguards or countermeasures that, when implemented and enforced, will satisfy the information
security compliance requirements defined in the EISSG. Performs assessments to facilitate the classification of data
that is being processed through the agency's automated systems as:
- Restricted: Data subject to specific federal or state regulatory requirements, where it must remain encrypted at
all times and access is controlled and monitored (example – IRS FTI data)
- Confidential: Data subject to federal or state regulatory requirements, where data must be encrypted in transit
and encrypted when stored on mobile devices (example – PI, PII, PHI, LEA)
- Agency Internal: Data that is not subject to specific regulatory requirements, but is considered sensitive
(example – HHSC financial, business records)
- Public: Information intended or required for public release.
- (20%) Continuity of Operations Planning to assure that the capability exists to continue essential agency
  functions across a wide range of potential emergencies:
  - Continuity of Operations Planning (COOP) – Supports the following Business Continuity Planning functions:
    - Facilitates the establishment of a set of plans for emergency response, backup operations, and post-incident
      recovery for HHSC information systems.
    - Monitors plans to make sure they are maintained and effectively implemented to ensure the availability of
      critical information resources and continuity of operations in emergency situations.
  - Business Continuity Risks – Supports the following Business Continuity Planning functions:
    - Performs periodic business impact analysis to ensure that recovery time objectives are aligned with the business
      continuity plan and disaster recovery capabilities.
    - Ensures that contention issues for recovery and continuity requirements are addressed through the appropriate
      governance board.
    - Provides advisory services to ensure that business continuity plans have proper consideration for technology
      availability and utilization during technology interruptions and declared disasters.
    - Evaluates disaster recovery exercises to ensure processes and recovery capabilities are validated.
  - Back-up and Disaster Recovery – Supports the following Business Continuity Planning functions:
    - Ensures compliance with HHSC business requirements for backing up data and applications. This enables the
      recovery of data and applications in the event of loss or damage (natural disasters, system disk and other
      systems failures, intentional or unintentional human acts, data entry errors, or systems operator errors).
- (10%) Advises management and users regarding enterprise security program functions:
- Provides Security Awareness Training to help ensure employees have a solid understanding of the agency's
security policies, procedures, and best practices. Defines, prepares, delivers, and facilitates an ongoing
awareness campaign utilizing a wide variety of mediums and delivery mechanisms to educate the organization
effectively and constantly on security related information, threats, and technology risks. Conducts and
coordinates information security training and awareness initiatives for users such as the annual Cyber-Security
Awareness Fair.
- Periodically reviews the Information Security Plan with DIR, including risk management, practices, and security
services. Works with the Information Security Officer to prepare for periodic briefings with the Executive
Commissioner to provide him with the overall status of the HHSC Enterprise Information Security Program and
obtain formal approvals of the program as required by Texas Administrative Code (TAC) 202.
- (10%) Provides leadership to other security analysts in the performance of their duties within assigned security
  domains or areas of knowledge. Other duties as assigned.
Knowledge Skills Abilities
Excellent written, presentation, and verbal communication skills.
Knowledge of the limitations and capabilities of computer systems; of technology across all network layers and computer platforms; of operational support of networks, operating systems, Internet technologies, databases, and security applications; and of information security practices, procedures, and regulations.
Skill in the operation of computers and applicable software and in configuring, deploying, and monitoring security infrastructure.
Ability to resolve complex security issues in diverse and decentralized environments, to communicate effectively, and to assign and/or supervise the work of others.
In depth understanding of the NIST Special Publications (800 Series) with particular emphasis on the SP 800-53 Security and Privacy Controls for Federal Information Systems & Organizations. Must be able to demonstrate extensive knowledge of control structures and application of controls.
Skill in evaluating enterprise networks/systems for assurance of control requirements as specified by IRS Pub. 1075, Tax Information Security Guidelines for Federal, State & Local Agencies. Capable of managing control assertion & corrective action plan processes, including the coordination of status updates & report submission.
Knowledge in analyzing, recommending, & developing enterprise-wide security policies, standards, & guidelines within appropriate organizational risk tolerances. Skill in implementing enforcement of security policy within technology solutions.
Knowledge of enterprise security program management using Enterprise Governance Risk & Compliance solutions. Demonstrated experience with the implementation & development of business processes in Enterprise Governance Risk & Compliance solutions.
Registration Or Licensure Requirements
Initial Selection Criteria:
2-4 years of experience in information technology, security risk and compliance management, assessment, auditing,
research and/or consulting. Experience in researching, authoring, or supporting development of information security
policies and standards preferred. Experience developing security and risk performance metrics and reporting dashboards
for executive, business, and technical audiences preferred. 3 or more years of experience creating and editing internal
department communications, newsletters, announcements, reports, and presentations preferred. Graduation from an
accredited four-year college or university with major coursework in information technology security, computer
information systems, computer science, management information systems, or a related field is strongly preferred.
Education and experience may be substituted for one another.
Additional Information
MOS Code:
Note: Military occupation(s) that relate to the initial selection criteria and registration or licensure requirements
for this position may include, but are not limited to: 25B, IT, OS, 0681, 3D0X2. All active duty military, reservists,
guardsmen, and veterans are encouraged to apply if qualified to fill this position. For more information see the Texas
State Auditor's Military Crosswalk at http://www.hr.sao.state.tx.us/Compensation/JobDescriptions.aspx
HHS agencies use E-Verify. You must bring your I-9 documentation with you on your first day of work.
In compliance with the Americans with Disabilities Act (ADA), HHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.