Texas Health and Human Services
Governance, Risk & Compliance Director
Texas Health and Human Services Commission (HHSC) is committed to creating a positive impact in the lives of fellow Texans. The GRC Director serves as the senior leader for Governance, Risk, and Compliance functions, directing enterprise cybersecurity governance frameworks, risk management programs, and compliance oversight to ensure adherence to federal and state cybersecurity requirements.
Health Care
Responsibilities
Direct HHSC’s enterprise cybersecurity governance, risk, and compliance programs
Establish risk management frameworks, tolerance thresholds, escalation procedures, and reporting mechanisms
Provide executive-level risk posture reporting and compliance dashboards
Ensure alignment of cybersecurity governance with HHSC strategic objectives and regulatory obligations
Lead and oversee ATO and ATO renewal processes for HHSC systems and applications
Coordinate with system owners, ISSOs, assessors, auditors, and Authorizing Officials
Validate ATO artifacts including SSPs, SARs, POA&Ms, and RBDs
Facilitate executive risk acceptance and authorization decisions
Direct lifecycle management of POA&Ms for remediation of security findings
Review and validate SARs, compensating controls, and residual risk statements
Monitor remediation progress and escalate overdue or systemic risk items
Oversee development and maintenance of SSPs aligned with NIST and MARS-E
Ensure SSPs accurately reflect system boundaries, implemented controls, and operating environments
Provide authoritative guidance on control documentation standards
Direct cybersecurity risk management for vendors and third-party service providers
Review vendor security artifacts including TxRAMP packages, SOC reports, security questionnaires, and contract clauses
Provide cybersecurity risk input into procurement, contract negotiations, and renewals
Ensure vendor risks are mitigated or formally accepted
Lead insider risk governance in collaboration with IAM, SOC, HR, Legal, and Privacy
Assess risks related to privileged access, user behavior, and data handling
Ensure insider risk decisions and investigations are properly documented
Oversee development, review, and lifecycle tracking of RBD documentation
Ensure risk acceptance decisions are documented, approved, and periodically reassessed
Provide audit-defensible evidence of executive risk decisions
Direct cybersecurity tabletop exercises and scenario-based simulations
Coordinate participation across technical, legal, privacy, and executive teams
Track lessons learned and corrective actions
Oversee security awareness and role-based training compliance
Monitor completion metrics and audit reporting
Promote agency-wide cybersecurity culture
Serve as senior liaison to internal audit, external auditors, DIR, CMS, and oversight entities
Direct preparation of compliance evidence and audit responses
Ensure GRC documentation is audit-ready and defensible
Lead development, maintenance, and enforcement of HHSC cybersecurity policies, standards, and procedures
Ensure agency security policies remain aligned with evolving federal, state, DIR, and regulatory requirements
Coordinate policy exception requests and ensure approved exceptions are documented through Risk-Based Decisions (RBDs)
Oversee continuous security control monitoring strategies in coordination with SOC, Infrastructure, and Application teams
Ensure security metrics, risk indicators, and compliance status are reported to CISO leadership on a recurring basis
Identify emerging threats and systemic risk trends and recommend mitigation strategies
Partner with Data Governance and Privacy Offices to ensure data classification, protection, and privacy controls are integrated into risk decisions
Ensure privacy risks (PII/PHI) are considered in SSPs, SARs, vendor risk reviews, and RBDs
Coordinate cybersecurity risk input into Business Impact Analyses (BIA), Disaster Recovery (DR), and Business Continuity (BCP) planning
Validate recovery strategies and backup controls align with system risk and availability requirements
Provide risk-based input into cybersecurity funding requests, exceptional items (EI), and technology investment proposals
Support workforce planning and capability development for GRC functions
Provide strategic direction and oversight to GRC managers, analysts, and support staff
Assign work, review performance, and ensure staff development
Coordinate cross-functional teams and working groups
Perform other job-related duties as assigned by the Chief Information Security Officer (CISO), Deputy CISO, or agency executive leadership to support mission requirements, emerging regulatory mandates, or agency priorities
Qualification
Required
Expert knowledge of NIST 800-53 Rev. 5, MARS-E 2.0, HIPAA Security Rule, and Texas DIR cybersecurity standards
Advanced knowledge of Governance, Risk, and Compliance (GRC) frameworks
Proven leadership skills in ATO governance, POA&M and SAR oversight, vendor risk, insider risk, and RBD processes
Highly skilled with GRC tools such as Archer or equivalent platforms
Ability to communicate cybersecurity risk to executive and non-technical stakeholders
Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions
Graduation from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, or a related field is strongly preferred
Seven (7) years of progressively responsible experience in cybersecurity governance, risk, or compliance
Seven (7) years of progressively responsible experience in security authorization (Authorization to Operate or ATO) processes
Seven (7) years of progressively responsible experience in Plan of Action and Milestones (POA&M) management
Professional certifications: CISSP, CISM, CRISC, CISA, CGRC or GRCP
Preferred
Ten (10) or more years of cybersecurity GRC leadership experience
Experience in state or federal government or healthcare environments
Leadership experience in vendor risk and insider risk programs
Experience briefing executives and supporting high-visibility audits
Benefits
100% paid employee health insurance for full-time eligible employees
Defined benefit pension plan
Generous time off benefits
Numerous opportunities for career advancement
Company
Texas Health and Human Services
Texas Health and Human Services is an agency that focuses on improving health, safety and well-being.