Cybersecurity Analyst III

4 months ago


Austin, United States Texas Department of Aging & Disability Services Full time
Job Description:
Performs advanced (senior-level) cybersecurity analysis work. Provides guidance in strategic and tactical cybersecurity operations planning and implementation for the Health and Human Services Commission (HHSC) Information Security Office and the Enterprise Information Security Office. Oversees the IT cybersecurity operations, delivery, engineering, and architecture for the enterprise. Protects cybersecurity assets and delivers cybersecurity incident detection, incident response, threat assessment, cyber intelligence, software security, and vulnerability assessment services. Oversees the Cybersecurity Operations Center (CSOC) which consists of people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of cybersecurity threats. Works under limited supervision, with considerable latitude for the use of initiative and independent judgment. May assign and/or supervise the work of others.

Essential Job Functions:
Attends work on a regular and predictable schedule in accordance with agency leave policy and performs other duties as assigned.

1. (30%) Monitors and analyzes cybersecurity alerts from cybersecurity tools, network devices, and information systems. Evaluates network and system security configuration for best practices and risk-based access controls. Performs direct analysis and configuration of security tools and operational systems to ensure successful integration within the enterprise environments. Assesses established security policy criteria against actual operational functions to ensure success criteria of data security controls and processes. Develops repeatable reporting metrics and data presentations from numerous security toolsets to include, but not limited to, Security Incident Event Monitoring (SIEM) logs, Packet Capture Analysis, Web Proxy Security Management Appliance (SMA) and Network Performance Monitoring Systems that detail network data usage, access, and statistic reporting capabilities. Develops useful reporting, integration, alerting and automation of informational feeds related to/from these tools to enhance the situational awareness and provide auditable performance metrics for the CSOC. Conducts breach readiness assessments. Designs, tests and practices breach management response. Conducts threat modeling and develops best practices and procedures to proactively identify threat vectors and anomalies in large volumes of data.

2. (20%) Provides direction and guidance in strategic and tactical cybersecurity operations planning and implementation for 1) the HHSC Information Security Office and 2) the Enterprise Information Security Office. Monitors and maintains cybersecurity infrastructure and policies and procedures to protect information systems from unauthorized use. Develops incident response and discovery workflows to speed breach detection timeframes. Oversees breach management processes and policies, information controls, secure communications, information rights, data classification and post-breach remediation and security. Enhances and improves the CSOC Program while providing technical expertise to cybersecurity staff. Provides subject matter expert guidance for cybersecurity operations initiatives and their integration into enterprise IT programs and services. Leads the establishment and implementation of the CSOC strategic plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. Serves as the technical liaison between the cybersecurity operations function, the other Information Technology departments and agency business units. Engages key business and IT stakeholders as needed. Reviews regulatory requirements and provides industry standards and familiarity with technical best practices to staff as appropriate. Represents the agency at business meetings, hearings, trials, legislative sessions, conferences, and seminars or on boards, panels, and committees. Leads and participates in cybersecurity special investigations, internal audits, research studies, forecasts, and modeling exercises to provide direction and guidance. Identifies and analyzes possible data loss or malicious breach using cybersecurity tools and processes. Provides direct assessment of existing cybersecurity controls throughout the enterprise environment to assess continuous improvement of management practices. 
Performs proactive research approaches to plan for new cybersecurity risks that may present themselves within the Health and Human Services environment to assist in the planning for future cybersecurity initiatives as they arise. Provides security guidance to IT Operations initiatives to provide cybersecurity posture acceptance for new and existing IT technologies. Provides guidance and instruction to management. Researches and analyzes cybersecurity and privacy legislation, regulations, advisories, alerts and vulnerabilities. Prioritizes and responds to cybersecurity incidents. Streamlines incident investigation and breach response procedures via industry standards and best practices. Assists in recommending and managing implementation of corrective actions. Assists in advising management and users regarding best practices and security procedures. Provides cybersecurity impact considerations for IT operations initiatives and services.

3. (20%) Monitors the IT cybersecurity operations, delivery, engineering, and architecture for the enterprise. Protects cybersecurity assets and delivers cybersecurity incident detection, incident response, threat assessment, cyber intelligence, software security, and vulnerability assessment services. Performs vulnerability scans of networks and applications to assess effectiveness and identify weaknesses. Determines department needs, implements policies and procedures, and tracks compliance through the enterprise. Consults with end users to discuss issues such as computer data access needs, security violations, and security related requirements of programming changes. Reviews, develops, and delivers cybersecurity awareness training and promotes security awareness to ensure system security. Responds and provides guidance to data breaches and viruses. Collaborates with end users and others to resolve data breaches and viruses. Projects activities with users across the enterprise to monitor the transfer and modification of data files to incorporate new security software and virus protection systems. Identifies and corrects functional areas leading to data loss risk with incorporation of security toolsets and processes, and introduces additional access controls that change individual access capabilities to sensitive data services. Performs forensic analysis of information systems and portable devices and forensic recovery of data using assessment tools. Researches and implements new security risk and mitigation strategies, tools, techniques, and solutions for the prevention, detection, containment, and correction of data security breaches.

4. (20%) Manages the CSOC processes and technologies to provide awareness through the detection, containment, and remediation of cybersecurity threats. Manages the CSOC to ensure incidents are properly identified, analyzed, communicated, actioned and defended, investigated and reported. Monitors applications to identify a possible cyber-attack or intrusion (event) and determines if it is a real, malicious threat (incident), and if it could have a business impact. Monitors activities, investigations, forensics, web monitoring and site blocking, and other system safeguards. Develops a state-of-the-art situational watch room, combining analysts, management, and executive-level dashboards, giving the agency real-time business security intelligence. Maintains the full functionality needed in the CSOC, including traffic analysis, event correlation/log analysis, and threshold alerts. Maintains security surveillance of network traffic and system events for all critical infrastructure components by combining threat analysis with alerts when any anomalies are detected, correlated, and confirmed. Maintains comprehensive web activity monitoring and selective site blocking based upon customer requirements. Focuses upon the insider threat, and network violation management through the use of effective policy monitoring, reporting and agency enforcement. Maintains and supports the analysis of cybersecurity counter-intelligence and optimizes CSOC investments through CSOC Key Performance Indicator (KPI) monitoring and staff time management tracking.

5. (5%) Provides leadership to other cybersecurity analysts in the performance of their duties. Tactically develops staff for operational tasks. Provides recommendations for tactical improvements. Uses delegated authority to provide operational tasks and assignments. Provides operational tasking with clear direction and information on responsibilities and work performance expectations. Identifies and reports potential development and advancement of operational cases for management. Works with management to identify and obtain tools necessary for operations staff to carry out their responsibilities and to succeed in their work. Monitors and provides feedback as to whether established goals and objectives for the CSOC team are aligned with the goals of the enterprise. Evaluates and recommends procurement of security technologies. Identifies trends and opportunities to improve CSOC processes for the agency and the enterprise. Provides guidance for CSOC work orders and tickets. Anticipates organizational impacts and develops procedures introducing new cybersecurity technologies. Identifies and evaluates new cybersecurity technologies to remediate vulnerabilities and participate in the procurement of technology solutions.

6. (5%) Other duties as assigned. (Note: For DSHS positions this includes but is not limited to actively participating and/or serving in a supporting role to meet the agency’s obligations for disaster response and/or recovery or Continuity of Operations (COOP) activation. Such participation may require an alternate shift pattern assignment and/or location.)

Knowledge Skills Abilities:
• Knowledge in technical proficiency surrounding CSOC tools and their use by the cybersecurity staff.
• Knowledge and understanding of Texas state government and its information systems.
• Knowledge of laws, rules, and regulations relevant to information technology in Texas.
• Knowledge of industry accepted software engineering practices and life cycle methods.
• Knowledge of the limitations and capabilities of computer systems.
• Knowledge of IT infrastructure designs, technologies, products, and services; networking protocols, firewall functionality, host and network intrusion detection systems, operating systems, databases, encryption, load balancing, and other technologies.
• Knowledge of procedures on systems security, inventory, and database management.
• Knowledge across all network layers and computer platforms; of the operational support of networking, operating systems, Internet technologies, databases, and security application support; and of information security practices, procedures, and regulations.
• Skill in analyzing complex data and synthesizing large amounts of information.
• Skill in preparing, interpreting, and presenting complex statistical and information analysis reports.
• Skill in analyzing and evaluating systems and procedures.
• Skill in managing, interpreting, analyzing, evaluating and summarizing data on a statewide basis using appropriate computer technology and analytical methods.
• Skilled and proficient in network analysis protocols to include netflow, logging protocols and methodologies, packet capture and TCP/IP stack operations.
• Skill communicating with varied levels of staff to develop positive effective working relationships.
• Skill in configuring, deploying, and monitoring security infrastructure.
• Skill in effective communication both orally and in writing.
• Skill in security risk assessments (including vulnerability analysis and penetration testing).
• Skill in planning, organizing, assigning, and overseeing the work of others, tracking progress, and taking corrective action to meet deadlines.
• Skill in network intrusion detection.
• Ability to help establish unit goals, objectives, and strategies.
• Ability to identify and recommend mitigations for vulnerabilities, exploits, patches.
• Ability to analyze work related problems, draw evidence-based conclusions, and devise innovative solutions.
• Ability to analyze large data sets and unstructured data for the purpose of identifying trends and anomalies.
