
Information Security Portfolio Manager (ISPM)

Join the Texas Health and Human Services Commission (HHSC) and be part of a team committed to creating a positive impact in the lives of fellow Texans. At HHSC, your contributions matter, and we support you at each stage of your life and work journey. Our comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement and more. Explore more details on the Benefits of Working at HHS webpage.


Functional Title: Information Security Portfolio Manager (ISPM)
Job Title: Cybersecurity Analyst III
Agency: Health & Human Services Comm
Department: CHIEF INFO SECURITY OFFICE
Posting Number: 15262
Closing Date: 05/23/2026
Posting Audience: Internal and External
Occupational Category: Computer and Mathematical
Salary Range: $7,015.16 - $10,416.00
Pay Frequency: Monthly
Salary Group: TEXAS-B-27
Shift: Day
Additional Shift: Days (First)
Telework:
Travel:
Regular/Temporary: Regular
Full Time/Part Time: Full time
FLSA Exempt/Non-Exempt: Exempt
Facility Location:
Job Location City: AUSTIN
Job Location Address: 701 W 51ST ST
Other Locations:
MOS Codes: 0605,0630,0631,0639,0670,0679,0681,1702,1705,1710,1720,1721,1799,2611,2659,8055,8858,14N,14NX,170A,170B,17A,17B,17C,17C0,17DX,17S,17SX,17X,181X,182X,183X,184X,1B4X1,1D7X1,1N4X1,255A,255N,255S,25B,25D,26A,26B,26Z,514A,5C0X1D,5C0X1N,5C0X1R,5C0X1S,5IX,681X,682X,683X,781X,782X,783X,784X,CTI,CTM,CTR,CWT,CYB10,CYB11,CYB12,CYB13,CYB14,IS,ISM,ISS,IT,ITS


Brief Job Description:

This position is open to U.S. Citizens and permanent residents.


This is an onsite position based in Austin, TX. The selected candidate must be willing to work onsite from an HHS office located in Austin, Texas.


The Information Security Portfolio Manager (ISPM) provides dedicated cybersecurity governance, risk management, and compliance oversight across assigned HHSC information system portfolios. The position ensures continuous execution of the Risk Management Framework (RMF), security authorization activities, vulnerability management, procurement of security reviews, audit readiness, and incident response coordination. The ISPM works closely with Information Owners, Information Custodians, technical teams, and executive governance bodies to ensure cybersecurity risks, security events, and compliance obligations are proactively managed throughout the system lifecycle, from initiation through retirement.


Essential Job Functions (EJFs):

Essential Job Functions represent the core duties of the position and serve as the basis for performance evaluation.


(30%) EJF 1 – Risk Management Framework (RMF) Execution

  • Guides Information Owners and Information Custodians through RMF lifecycle activities including system security categorization, security planning, and risk assessments.
  • Ensures vulnerability scans are requested, completed, and remediation actions are tracked to closure.
  • Oversees development and maintenance of security documentation including System Security Plans (SSPs), Confidentiality-Integrity-Availability (CIA) assessments, risk assessments, Plans of Action & Milestones (POA&Ms), and risk exception requests.
  • Monitors annual risk assessment completion in accordance with TAC 202 and HHSC Information Security Policy requirements.
  • Communicates major system or architectural changes to the Risk Team for determination of additional security assessment requirements.


(25%) EJF 2 – Security Assessment and Authorization Oversight

  • Coordinates security control assessments, penetration testing activities, and vulnerability management in collaboration with the Cybersecurity Operations Center (CSOC) and Risk Team.
  • Provides compliance oversight of the Authorization to Operate (ATO) process.
  • Develops ATO packages for CISO and Authorizing Official review and approval.
  • Supports DIR risk letter responses, external audit engagements, and regulatory inquiries.


(20%) EJF 3 – Architecture and Technical Design Review

  • Reviews system architecture, design, and technical intake submissions to identify security risks and compliance gaps.
  • Provides corrective guidance to ensure security requirements are incorporated prior to enterprise approval.
  • Participates in Architecture Review Board (ARB) meetings to represent cybersecurity governance and risk considerations.


(10%) EJF 4 – Procurement and Contract Security Review

  • Reviews Requests for Offer (RFOs), procurement documentation, contract renewals, and vendor engagement materials to ensure privacy, security, SPI, and RAMP requirements are incorporated based on data classification and deployment models.
  • Provides security feedback on solicitation and contract language on behalf of the CISO Office.


(5%) EJF 5 – Governance and Stakeholder Engagement

  • Serves as a cybersecurity liaison in executive management committees, data governance councils, metadata governance forums, and other enterprise decision-making bodies.
  • Conducts recurring outreach with Information Custodians to monitor RMF compliance status, including missing or expired categorizations, risk assessments, POA&Ms, and risk-based decisions.
  • Communicates security-related changes, impacts, and requirements to portfolio stakeholders.


(5%) EJF 6 – Incident Response Coordination

  • Serves as a portfolio point of contact for cybersecurity incidents and security events.
  • Coordinates incident response engagement between CSOC, Risk Team, system owners, and executive stakeholders.
  • Ensures appropriate documentation, tracking, and post-incident reporting activities are completed.


(5%) EJF 7 – Compliance and Audit Readiness

  • Ensures compliance with TAC 202, HHSC Information Security Policy, and NIST RMF requirements.
  • Maintains evidence artifacts for audits and regulatory reviews.
  • Supports audit inquiries, evidence requests, and remediation tracking.


Knowledge, Skills and Abilities (KSAs):

Technical and Professional Knowledge

  • Risk Management Framework (NIST RMF) implementation
  • Security Authorization and ATO processes
  • Vulnerability management and remediation tracking
  • Security assessments and penetration testing coordination
  • Incident response processes and escalation protocols
  • Security architecture and design review
  • Procurement and contract security controls
  • Governance, risk, and compliance methodologies
  • TAC 202, NIST 800-53, MARS-E, and HHSC security policy
  • GRC and ITSM platforms (Archer, ServiceNow, Helix, or equivalent)


Analytical and Organizational Skills

  • Risk identification and risk-based decision support
  • Ability to interpret regulatory and technical security requirements
  • Documentation management and audit evidence preparation
  • Process improvement and governance maturity development


Communication and Leadership Skills

  • Ability to communicate technical risk in business terms
  • Facilitation of governance forums and working sessions
  • Stakeholder engagement across technical and executive levels
  • Clear written and verbal communication


Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions.


Registrations, Licensure Requirements or Certifications:

  • Professional certifications such as CISM, CISSP, CISA, CRISC, or equivalent.
  • ISO 27001 Lead Implementer or Lead Auditor certification.
  • Project Management Professional (PMP) or equivalent.


Initial Screening Criteria:

Minimum Qualifications

  • Bachelor’s degree in Information Security, Information Technology, or a related field, or equivalent experience on a year-for-year basis.
  • Minimum of five (5) years of experience in cybersecurity governance, risk management, or compliance.
  • Experience implementing RMF and security authorization processes.
  • Experience working with enterprise GRC and IT service management tools.


Preferred Qualifications

  • Experience in public sector or healthcare security governance environments.


Additional Information:

Candidates for this position will be subject to a pre-employment security review to determine employment eligibility.


This is an onsite position, with 5 days in office required.


Any employment offer is contingent upon available budgeted funds. The offered salary will be determined in accordance with budgetary limits and the requirements of HHSC Human Resources Manual.




Review our Tips for Success when applying for jobs at DFPS, DSHS and HHSC.


Active Duty, Military, Reservists, Guardsmen, and Veterans:

Military occupation(s) that relate to the initial selection criteria and registration or licensure requirements for this position may include, but are not limited to, those listed in this posting. All active-duty military, reservists, guardsmen, and veterans are encouraged to apply if qualified to fill this position. For more information, please see the Texas State Auditor’s Job Descriptions, Military Crosswalk and Military Crosswalk Guide at Texas State Auditor's Office - Job Descriptions.


ADA Accommodations:

In compliance with the Americans with Disabilities Act (ADA), HHSC and DSHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.


Pre-Employment Checks and Work Eligibility:

Depending on the program area and position requirements, applicants selected for hire may be required to pass background and other due diligence checks.


HHSC uses E-Verify. You must bring your I-9 documentation with you on your first day of work.

Telework Disclaimer:

This position may be eligible for telework. Please note, all HHS positions are subject to state and agency telework policies in addition to the discretion of the direct supervisor and business needs.
