BMC Software

Compensation

Full Description

POSITION SUMMARY: The Senior Application Security Analyst professional will lead the day-to-day execution and continuous improvement of Epic application access in a high-volume hospital environment. This role blends operational excellence (hundreds of access tickets weekly) with senior-level ownership of access models, governance, and audit readiness. This role will also be a key application-side partner in our SailPoint program—helping define the Epic roles/entitlements, approvals, and access review structures that enable scalable onboarding and offboarding automation. Over the next 12–24 months, this team’s scope is expected to broaden from Epic-focused access to enterprise application access governance across the organization. Position: Applications Security Analyst (Epic) III / Senior Department: Information Security Schedule: Full Time ESSENTIAL RESPONSIBILITIES / DUTIES: High-Volume ServiceNow Access Operations Own and execute work in a high-volume ServiceNow queue, consistently handling hundreds of tickets per week for access creation, changes, troubleshooting, terminations/offboarding, and triage. Prioritize and route requests using impact, urgency, patient-care considerations, risk, and defined SLAs; escalate complex/high-risk issues appropriately. Troubleshoot access end-to-end (request intent, user attributes, role mapping, provisioning outcomes, in-application authorization) and document decisions/outcomes clearly for auditability. Epic Application Access & Security Leadership Serve as the senior escalation point for Epic access design/build and complex access issues; ensure access is scalable, supportable, and aligned to policy. Develop and maintain standardized access patterns (RBAC roles/templates, privileged/elevated access controls) aligned to least privilege. Partner with Epic application teams and operational leaders to translate workflows into durable access models and reduce one-off exceptions. Access Governance, Audit Readiness, and Risk Controls Maintain an Epic access catalog (roles/entitlements, risk tiers, prerequisites, approval paths) and keep it current as workflows evolve. Support access reviews/attestations for high-risk roles and privileged access; drive remediation of findings and control gaps. Support investigations related to inappropriate access/privacy concerns and contribute to corrective action plans. IGA / SailPoint Enablement (Application-Side SME) Partner with IAM/IGA stakeholders during SailPoint implementation to ensure Epic is “automation-ready” (clean entitlements, requestable roles, approvals, constraints, and edge-case handling). Help align access with authoritative source systems (HR, operations, credentialing, etc.) by defining needed attributes and lifecycle scenarios (joiner/mover/leaver, LOA, contractors, students). Support testing/UAT and rollout readiness by validating that automated provisioning yields correct in-application authorization and usable audit trails. Mentorship & Operational Excellence Mentor and quality-review work performed by Level II analysts; establish standard work, runbooks, knowledge articles, and queue hygiene practices. Track and improve key operational metrics (turnaround time, rework/defect rate, exception volume, access quality) and drive measurable process improvement. JOB REQUIREMENTS Associates degree OR equivalent education or experience Epic certification(s), Security strongly preferred. 5+ years of experience in Epic security/access, application access governance, or closely related healthcare IT security operations with substantial Epic access responsibility. Strong Epic import/export, Microsoft Excel skills and experience. Demonstrated expertise in RBAC/least privilege, access standardization, and governing elevated access in a complex clinical/operational environment. Proven ability to thrive in a high-volume ticket environment while maintaining quality, consistency, and audit-ready documentation. Strong cross-functional collaboration skills (Epic teams, operations, HR, IAM/IGA, IT) and clear written communication. Preferred Bachelor’s degree; majors in Computer Science, Information Systems, Cybersecurity, Healthcare Informatics, or related fields are preferred. Additional Epic certifications. Strong Data Governance knowledge and experience. Experience implementing or partnering with IGA platforms (SailPoint IdentityIQ/IdentityNow preferred; similar tools acceptable). Experience with access reviews/attestations, segregation-of-duties concepts, and audit support in healthcare. Microsoft Access database experience. This Role Will Sit inside Cybersecurity under the CISO organization with meaningful influence on enterprise access strategy. Help shape the application authorization layer that makes IGA automation successful (Epic first; broader application portfolio next). Have real scale: high operational volume, high-impact clinical workflows, and a multi-year SailPoint program modernizing access lifecycle controls. Compensation Range: $83,000.00- $120,500.00 This range offers an estimate based on the minimum job qualifications. However, our approach to determining base pay is comprehensive, and a broad range of factors is considered when making an offer. This includes education, experience, skills, and certifications/licensures as they directly relate to position requirements; as well as business/organizational needs, internal equity, and market-competitiveness. In addition, BMCHS offers generous total compensation that includes, but is not limited to, benefits (medical, dental, vision, pharmacy), discretionary annual bonuses and merit increases, Flexible Spending Accounts, 403(b) savings matches, paid time off, career advancement opportunities, and resources to support employee and family well-being. NOTE: This range is based on Boston-area data, and is subject to modification based on geographic location. Equal Opportunity Employer/Disabled/Veterans According to the FTC, there has been a rise in employment offer scams. Our current job openings are listed on our website and applications are received only through our website. We do not ask or require downloads of any applications, or “apps” job offers are not extended over text messages or social media platforms. We do not ask individuals to purchase equipment for or prior to employment. Working at Boston Medical Center is more than a job. It’s a chance to make a difference as part of our mission to provide exceptional and equitable care to all. As a nationally-recognized leader in health equity, nursing, initiatives to combat climate change, and many other areas, BMC is dedicated to improving the health of our community in Boston and beyond. BMC’s mission to provide exceptional care without exception extends to our employees, and we have been recognized as a top employer and best place to work. A strong sense of teamwork and support for our staff are the bedrock of BMC, as we know that we can only provide exceptional care to patients when our staff are cared for too. Boston Medical Center is an equal employment/affirmative action employer. We ensure equal employment opportunities for all, without regard to race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity and/or expression or any other non-job-related characteristic. If you need accommodation for any part of the application process because of a medical condition or disability, please send an e-mail to Talentacquisition@bmc.org or call 617-638-8582 to let us know the nature of your request. Boston Medical Center participates in the Electronic Employment Verification Program. As an E-Verify employer, prospective employees of BMC must complete a background check before beginning their employment at the hospital. BMC requires all staff to be vaccinated against COVID-19 and flu, as well as receive a booster dose of the COVID-19 vaccine. According to the FTC, there has been a rise in employment offer scams. Our current job openings are listed on our website and applications are received only through our website. We do not ask or require downloads of any applications, or “apps” job offers are not extended over text messages or social media platforms. We do not ask individuals to purchase equipment for or prior to employment. To avoid becoming a victim of an employment offer scam, please follow these tips from the FTC: FTC Tips