Information Security Portfolio Manager (ISPM)

Join the Texas Health and Human Services Commission (HHSC) and be part of a team committed to creating a positive impact in the lives of fellow Texans. At HHSC, your contributions matter, and we support you at each stage of your life and work journey. Our comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement and more. Explore more details on the Benefits of Working at HHS webpage.


Functional Title:
Information Security Portfolio Manager (ISPM)
Job Title: Cybersecurity Analyst III
Agency: Health & Human Services Comm
Department: CISO - DSHS 4.2.5
Posting Number: 16818
Closing Date: 06/07/2026
Posting Audience: Internal and External
Occupational Category: Computer and Mathematical
Salary Range: $7,015.16 - $10,416.66
Pay Frequency: Monthly
Salary Group: TEXAS-B-27
Shift: Day
Additional Shift: Days (First)
Telework:
Travel:
Regular/Temporary: Regular
Full Time/Part Time: Full time
FLSA Exempt/Non-Exempt: Exempt
Facility Location:
Job Location City: AUSTIN
Job Location Address: 701 W 51ST ST
Other Locations:
MOS Codes: 0605,0630,0631,0639,0670,0679,0681,1702,1705,1710,1720,1721,1799,2611,2659,8055,8858,14N,14NX,170A,170B,17A,17B,17C,17C0,17DX,17S,17SX,17X,181X,182X,183X,184X,1B4X1,1D7X1,1N4X1,255A,255N,255S,25B,25D,26A,26B,26Z,514A,5C0X1D,5C0X1N,5C0X1R,5C0X1S,5IX,681X,682X,683X,781X,782X,783X,784X,CTI,CTM,CTR,CWT,CYB10,CYB11,CYB12,CYB13,CYB14,IS,ISM,ISS,IT,ITS


Brief Job Description:

This position is open to U.S. Citizens and permanent residents.


This is an onsite position based in Austin, TX. The selected candidate must be willing to work onsite from an HHS office located in Austin, Texas.


The Information Security Portfolio Manager (ISPM) provides dedicated cybersecurity governance, risk management, and compliance oversight across assigned HHSC information system portfolios.


The position ensures continuous execution of the Risk Management Framework (RMF), security authorization activities, and vulnerability oversight. The role acts as an information security office liaison to Information Owners, Information Custodians, technical teams, privacy, procurement, legal, and executive leadership to ensure security and regulatory requirements are embedded throughout the system lifecycle. It manages and advances the HHSC Information Security Program to ensure effective, secure, and resilient operations. It provides strategic support to the information security leadership team, serves as liaison for projects, and contributes to long‑term planning and continuous improvement of cybersecurity initiatives.


The role provides planning and facilitation of cross‑functional meetings and governance forums, and develops clear, executive‑level briefings and presentations that translate technical risk into business impact to support informed decision‑making.


Essential Job Functions (EJFs):

Essential Job Functions represent the core duties of the position and serve as the basis for performance evaluation.


(30%) EJF 1 – Risk Management Framework (RMF) Execution

  • Guides Information Owners and Information Custodians through RMF lifecycle activities including system security categorization, security planning, and risk assessments.
  • Provides security guidance to Information Owners and Information Custodians to develop and maintain security documentation including System Security Plans (SSPs), risk assessments, Plans of Action & Milestones (POA&Ms), and risk exception requests.
  • Monitors risk assessment completion in accordance with TAC 202 and HHSC Information Security Policy requirements.
  • Evaluates major system or architectural changes for determination of additional security, privacy or regulatory requirements.


(30%) EJF 2 – Security Assessment and Authorization Oversight

  • Coordinates or guides security control assessments, secure architecture reviews, and security consulting for vulnerability management efforts.
  • Provides oversight of the Authorization to Operate (ATO) process. May develop ATO packages for CISO and Authorizing Official review and approval. Provides executive briefing to portfolio leadership.
  • Participates in executive committee meetings and provides risk posture and security gap analysis. Engages in DIR risk letter responses, audit engagements, and regulatory inquiries. Ensures portfolio adherence to internal policies, as well as external regulations and legal mandates such as TAC 202 and NIST.
  • Leads teams in handling both legacy and emerging technologies to manage business risk and enforce security controls that safeguard information systems.
  • Requires broad technical knowledge, the ability to research legal and regulatory requirements, legislative awareness, and the skill to ensure data and privacy safeguards.


(20%) EJF 3 – Architecture and Technical Review

  • Provides initial security technical reviews, consultancy, and assessment services for system architecture and technical intake submissions.
  • Engages IT and cybersecurity technical SMEs across cloud, AI, CI/CD, SDLC, and legacy environments to drive secure and compliant architectural decisions.
  • Researches and analyzes cybersecurity threat indicators and system weaknesses to support prevention and correction, and recommends threat mitigation strategies to harden ecosystems.


(10%) EJF 5 – Governance and Stakeholder Engagement

  • Serves as a cybersecurity liaison in executive management committees, data governance councils, metadata governance forums, and other enterprise decision-making bodies.
  • Conducts recurring outreach with Information Custodians to monitor RMF compliance status, including missing or expired categorizations, risk assessments, POA&Ms, and risk-based decisions.
  • Communicates security-related changes, impacts, and requirements to portfolio stakeholders.


(10%) Performs or leads other duties as assigned.


Knowledge, Skills and Abilities (KSAs):

Technical and Professional Knowledge

  • Working knowledge of security frameworks (TAC 202, NIST 800‑53 Rev 5, ISO 27001, CIS Controls, ARC-AMPE).
  • Understanding of cloud security concepts (AWS, Azure, GCP).
  • Understanding of AI Language Learning Models (LLM), the Open Web Application Security Project (OWASP), threat analysis, and system security posture for cloud, API, legacy, and microservice ecosystems.
  • Knowledge of enterprise risk management principles and NIST RMF implementation.
  • Knowledge of security authorization and ATO governance processes.
  • Strong Communication Skills – Exceptional written and verbal communication skills to effectively convey security policies, risks, and compliance requirements to both technical and non-technical stakeholders, including CMS auditors and regulatory bodies.
  • Advanced Problem-Solving Abilities – Ability to quickly analyze complex security risks and develop effective mitigation strategies within healthcare IT environments while ensuring compliance with CMS security requirements.
  • Risk Mitigation & Control Implementation – Ability to assess security risks, evaluate compensating controls, and implement risk mitigation strategies to protect regulated data for systems.
  • Knowledge of security architecture, system design review principles, and enterprise security standards.
  • Proficient in GRC tools for tracking and managing compliance, conducting risk assessments and reporting (Archer GRC, ServiceNow, Helix, or equivalent).


Analytical and Organizational Skills

  • Risk identification and risk-based decision support
  • Ability to interpret regulatory and technical security requirements
  • Documentation management and audit evidence preparation
  • Process improvement and governance maturity development

Communication and Leadership Skills

  • Ability to communicate technical risk in business terms
  • Facilitation of governance forums and working sessions
  • Stakeholder engagement across technical and executive levels
  • Clear written and verbal communication
  • Ability to maintain confidentiality of security and integrity of critical infrastructure systems by ensuring compliance with laws and regulations.


Registrations, Licensure Requirements or Certifications:

  • Professional certifications such as CISM, CISSP, CISA, CRISC, or equivalent.
  • ISO 27001 Lead Implementer or Lead Auditor certification.
  • Project Management Professional (PMP) or equivalent.


Initial Screening Criteria:

Minimum Qualifications
  • Bachelor’s degree in Information Security, Information Technology, or a related field, or equivalent experience on a year-for-year basis.
  • Minimum of five (5) years of experience in cybersecurity governance, risk management, or compliance.
  • Experience implementing RMF and security authorization processes.
  • Experience working with enterprise GRC and IT service management tools.

Preferred Qualifications
  • Experience in public sector or healthcare security governance environments.


Additional Information:

  • Candidates for this position will be subject to a pre-employment security review to determine employment eligibility.
  • This is an onsite position, with 5 days in office required.
  • Any employment offer is contingent upon available budgeted funds. The offered salary will be determined in accordance with budgetary limits and the requirements of HHSC Human Resources Manual.



Review our Tips for Success when applying for jobs at DFPS, DSHS and HHSC.


Active Duty, Military, Reservists, Guardsmen, and Veterans:

Military occupation(s) that relate to the initial selection criteria and registration or licensure requirements for this position may include, but are not limited to, those listed in this posting. All active-duty military, reservists, guardsmen, and veterans are encouraged to apply if qualified to fill this position. For more information, please see the Texas State Auditor’s Job Descriptions, Military Crosswalk and Military Crosswalk Guide at Texas State Auditor's Office - Job Descriptions.


ADA Accommodations:

In compliance with the Americans with Disabilities Act (ADA), HHSC and DSHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.


Pre-Employment Checks and Work Eligibility:

Depending on the program area and position requirements, applicants selected for hire may be required to pass background and other due diligence checks.


HHSC uses E-Verify. You must bring your I-9 documentation with you on your first day of work. Download the I-9 Form

Telework Disclaimer:

This position may be eligible for telework. Please note, all HHS positions are subject to state and agency telework policies in addition to the discretion of the direct supervisor and business needs.
