Governance, Risk & Compliance Director in Austin, TX
Description
Join the Texas Health and Human Services Commission (HHSC) and be part of a team committed to creating a positive impact in the lives of fellow Texans. At HHSC, your contributions matter, and we support you at each stage of your life and work journey. Our comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement and more. Explore more details on the Benefits of Working at HHS webpage.
Functional Title: Governance, Risk & Compliance Director
Job Title: Director III
Agency: Health & Human Services Comm
Department: CHIEF INFO SECURITY OFFICE
Posting Number: 13442
Closing Date: 05/04/2026
Posting Audience: Internal and External
Occupational Category: Computer and Mathematical
Salary Group: TEXAS-B-28
Salary Range: $7,716.66 - $13,051.00
Pay Frequency: Monthly
Shift: Day
Additional Shift: Days (First)
Telework:
Travel:
Regular/Temporary: Regular
Full Time/Part Time: Full time
FLSA Exempt/Non-Exempt: Exempt
Facility Location:
Job Location City: AUSTIN
Job Location Address: 4601 W GUADALUPE ST
Other Locations:
MOS Codes: 8003,8040,8041,8042,10C0,111X,112X,113X,114X,20C0,30C0,40C0,611X,612X,631X,641X,648X,90G0,91C0,91W0,97E0,SEI15
Brief Job Description:
This position is open to permanent residents or US citizens only.
The GRC Director serves as the senior leader for Governance, Risk, and Compliance functions within the HHSC Office of the Chief Information Security Officer. This position directs enterprise cybersecurity governance frameworks, risk management programs, and compliance oversight to ensure HHSC information systems and services meet federal and state cybersecurity requirements, including NIST 800-53 Rev. 5, MARS-E 2.0, HIPAA, Texas DIR standards, and HHSC security policies.
The role provides executive oversight of Authorization to Operate (ATO) governance, System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), Risk-Based Decisions (RBDs), Vendor Risk Management, Insider Risk Management, security awareness compliance, and audit readiness. The GRC Director ensures cybersecurity risks impacting confidentiality, integrity, and availability are consistently identified, documented, mitigated, or formally accepted in a defensible manner.
Essential Job Functions (EJFs):
Enterprise Governance, Risk & Compliance Leadership
- Direct HHSC's enterprise cybersecurity governance, risk, and compliance programs.
- Establish risk management frameworks, tolerance thresholds, escalation procedures, and reporting mechanisms.
- Provide executive-level risk posture reporting and compliance dashboards.
- Ensure alignment of cybersecurity governance with HHSC strategic objectives and regulatory obligations.
Authorization to Operate (ATO) Governance
- Lead and oversee ATO and ATO renewal processes for HHSC systems and applications.
- Coordinate with system owners, ISSOs, assessors, auditors, and Authorizing Officials.
- Validate ATO artifacts including SSPs, SARs, POA&Ms, and RBDs.
- Facilitate executive risk acceptance and authorization decisions.
POA&M and SAR Oversight
- Direct lifecycle management of POA&Ms for remediation of security findings.
- Review and validate SARs, compensating controls, and residual risk statements.
- Monitor remediation progress and escalate overdue or systemic risk items.
System Security Plan (SSP) Oversight
- Oversee development and maintenance of SSPs aligned with NIST and MARS-E.
- Ensure SSPs accurately reflect system boundaries, implemented controls, and operating environments.
- Provide authoritative guidance on control documentation standards.
Vendor and Third-Party Risk Management
- Direct cybersecurity risk management for vendors and third-party service providers.
- Review vendor security artifacts including TxRAMP packages, SOC reports, security questionnaires, and contract clauses.
- Provide cybersecurity risk input into procurement, contract negotiations, and renewals.
- Ensure vendor risks are mitigated or formally accepted.
Insider Risk Management
- Lead insider risk governance in collaboration with IAM, SOC, HR, Legal, and Privacy.
- Assess risks related to privileged access, user behavior, and data handling.
- Ensure insider risk decisions and investigations are properly documented.
Risk-Based Decision (RBD) Management
- Oversee development, review, and lifecycle tracking of RBD documentation.
- Ensure risk acceptance decisions are documented, approved, and periodically reassessed.
- Provide audit-defensible evidence of executive risk decisions.
Incident Preparedness and Tabletop Exercises
- Direct cybersecurity tabletop exercises and scenario-based simulations.
- Coordinate participation across technical, legal, privacy, and executive teams.
- Track lessons learned and corrective actions.
Security Awareness and Compliance Training
- Oversee security awareness and role-based training compliance.
- Monitor completion metrics and audit reporting.
- Promote agency-wide cybersecurity culture.
Audit and Regulatory Engagement
- Serve as senior liaison to internal audit, external auditors, DIR, CMS, and oversight entities.
- Direct preparation of compliance evidence and audit responses.
- Ensure GRC documentation is audit-ready and defensible.
Policy and Standards Governance
- Lead development, maintenance, and enforcement of HHSC cybersecurity policies, standards, and procedures.
- Ensure agency security policies remain aligned with evolving federal, state, DIR, and regulatory requirements.
- Coordinate policy exception requests and ensure approved exceptions are documented through Risk-Based Decisions (RBDs).
Continuous Monitoring and Risk Reporting
- Oversee continuous security control monitoring strategies in coordination with SOC, Infrastructure, and Application teams.
- Ensure security metrics, risk indicators, and compliance status are reported to CISO leadership on a recurring basis.
- Identify emerging threats and systemic risk trends and recommend mitigation strategies.
Data Governance and Privacy Risk Coordination
- Partner with Data Governance and Privacy Offices to ensure data classification, protection, and privacy controls are integrated into risk decisions.
- Ensure privacy risks (PII/PHI) are considered in SSPs, SARs, vendor risk reviews, and RBDs.
Business Continuity and Disaster Recovery Risk Oversight
- Coordinate cybersecurity risk input into Business Impact Analyses (BIA), Disaster Recovery (DR), and Business Continuity (BCP) planning.
- Validate recovery strategies and backup controls align with system risk and availability requirements.
Strategic Planning and Budget Support
- Provide risk-based input into cybersecurity funding requests, exceptional items (EI), and technology investment proposals.
- Support workforce planning and capability development for GRC functions.
Supervisory Responsibilities
- Provide strategic direction and oversight to GRC managers, analysts, and support staff.
- Assign work, review performance, and ensure staff development.
- Coordinate cross-functional teams and working groups.
Other Agency-Directed Duties
- Perform other job-related duties as assigned by the Chief Information Security Officer (CISO), Deputy CISO, or agency executive leadership to support mission requirements, emerging regulatory mandates, or agency priorities.
Knowledge, Skills and Abilities (KSAs):
- Expert knowledge of NIST 800-53 Rev. 5, MARS-E 2.0, HIPAA Security Rule, and Texas DIR cybersecurity standards.
- Advanced knowledge of Governance, Risk, and Compliance (GRC) frameworks.
- Proven leadership skills in ATO governance, POA&M and SAR oversight, vendor risk, insider risk, and RBD processes.
- Highly skilled with GRC tools such as Archer or equivalent platforms.
- Ability to communicate cybersecurity risk to executive and non-technical stakeholders.
- Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions.
Registrations, Licensure Requirements or Certifications:
Professional certifications: CISSP, CISM, CRISC, CISA, CGRC or GRCP
Initial Screening Criteria:
Graduation from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, or a related field is strongly preferred. Education and experience may be substituted for one another on a year for year basis.
Seven (7) years of progressively responsible experience in:
- Cybersecurity governance, risk, or compliance
- Security authorization (Authorization to Operate or ATO) processes
- Plan of Action and Milestones (POA&M) management
Preferred Qualifications
- Ten (10) or more years of cybersecurity GRC leadership experience.
- Experience in state or federal government or healthcare environments.
- Leadership experience in vendor risk and insider risk programs.
- Experience briefing executives and supporting high-visibility audits.
Additional Information:
Candidates for this position will be subject to a pre-employment security review to determine employment eligibility.
• This is an onsite position with work hours Monday through Friday, 8am to 5pm.
• Occasional after-hours participation for audits, incident exercises, or authorization milestones may be required.
Other Requirements
• Must maintain confidentiality of sensitive information.
• Must comply with HHSC cybersecurity and ethics policies.
• May be required to pass background and security screening.
Any employment offer is contingent upon available budgeted funds. The offered salary will be determined in accordance with budgetary limits and the requirements of HHSC Human Resources Manual.
Review our Tips for Success when applying for jobs at DFPS, DSHS and HHSC.
Active Duty, Military, Reservists, Guardsmen, and Veterans:
Military occupation(s) that relate to the initial selection criteria and registration or licensure requirements for this position may include, but are not limited to, those listed in this posting. All active-duty military, reservists, guardsmen, and veterans are encouraged to apply if qualified to fill this position. For more information, please see the Texas State Auditor's Job Descriptions, Military Crosswalk and Military Crosswalk Guide at Texas State Auditor's Office - Job Descriptions.
ADA Accommodations:
In compliance with the Americans with Disabilities Act (ADA), HHSC and DSHS agencies will provide reasonable accommodation during the hiring and selection process for qualified individuals with a disability. If you need assistance completing the on-line application, contact the HHS Employee Service Center at 1-888-894-4747. If you are contacted for an interview and need accommodation to participate in the interview process, please notify the person scheduling the interview.
Pre-Employment Checks and Work Eligibility:
Depending on the program area and position requirements, applicants selected for hire may be required to pass background and other due diligence checks.
HHSC uses E-Verify. You must bring your I-9 documentation with you on your first day of work.
Telework Disclaimer:
This position may be eligible for telework. Please note, all HHS positions are subject to state and agency telework policies in addition to the discretion of the direct supervisor and business needs.