Recruitment
Required Skills
Identity and Access Management
Risk Management
Compliance
IAM Governance
Access Governance
Privileged Access Management
Control Assessment
Audit Support
Policy Development
Data Analysis
Site: Mass General Brigham Incorporated
Mass General Brigham relies on a wide range of professionals, including doctors, nurses, business people, tech experts, researchers, and systems analysts to advance our mission. As a not-for-profit, we support patient care, research, teaching, and community service, striving to provide exceptional care. We believe that high-performing teams drive groundbreaking medical discoveries and invite all applicants to join us and experience what it means to be part of Mass General Brigham.
Job Summary
The Senior IAM Analyst – Risk & Compliance is responsible for ensuring that Identity and Access Management controls are designed, implemented, and operated in alignment with regulatory, security, and risk management requirements. This role serves as the primary liaison between IAM engineering/operations teams, Information Security operations, internal and external auditors, and application owners.
The role focuses on governance, control effectiveness, policy enforcement, metrics, and audit readiness across the IAM ecosystem, including Identity Governance & Administration (IGA), Access Management, Privileged Access Management (PAM), and directory services.
This position requires strong analytical skills, deep understanding of IAM control frameworks, and the ability to translate regulatory and audit requirements into actionable IAM controls and operational processes.
Qualifications
Essential Functions:
IAM Risk & Control Management
- Own and maintain IAM-related controls mapped to frameworks such as NIST 800-53, NIST CSF, HIPAA Security Rule, and Mass General Brigham security policies
- Partner with IAM Engineering and Operations teams to ensure controls are properly designed, implemented, and operating effectively
- Identify IAM control gaps, assess risk, and drive remediation plans with clear owners and timelines
- Evaluate IAM processes for alignment with least privilege, separation of duties, and zero trust principles
Metrics, Reporting & Continuous Improvement
- Define and report IAM risk and compliance KPIs, such as:
  - Certification completion and exception rates
  - Orphaned and dormant account trends
  - Privileged access violations
  - Access request SLA adherence
- Use data to identify trends, emerging risks, and opportunities for automation or control enhancement
- Contribute to continuous improvement of IAM governance processes and tooling
Audit & Compliance Support
- Act as the primary IAM point of contact for:
  - Internal audits
  - External audits
  - Regulatory inquiries
- Prepare audit evidence, narratives, and walkthroughs for IAM controls including:
  - User lifecycle management
  - Access requests and approvals
  - Access certifications
  - Privileged access management
  - Authentication and authorization controls
- Track audit findings, manage remediation efforts, and validate closure
Access Governance & Certification Oversight
- Provide risk and compliance oversight for access certification campaigns (manager, application owner, privileged access)
- Define and enforce certification standards, review quality thresholds, and escalation criteria
- Analyze certification results to identify systemic risk, role sprawl, or control weaknesses
Policy, Standards & Procedures
- Develop and maintain IAM-related:
  - Policies
  - Standards
  - Procedures
  - Control documentation
- Ensure policies are actionable, enforceable, and aligned with technical implementations
- Support annual policy reviews and exception management processes
Cross-Functional Collaboration
- Collaborate closely with:
  - IAM Engineering and Operations
  - Information Security Operations and Program Governance
  - Privacy and Legal teams
  - Internal Audit
  - Application and Infrastructure owners
- Serve as a trusted advisor on IAM risk topics to technical and non-technical stakeholders
Education:
- Bachelor’s or Associate’s Degree preferred
Licenses and Certification:
- Relevant certifications such as CISSP, CISA, CRISC, or IAM platform certifications (e.g., Saviynt, Okta, CyberArk) – Preferred
Work Experience:
- 5 years of progressively responsible experience in Identity and Access Management, Information Security, or IT Risk & Compliance, preferably in a large, regulated healthcare or academic medical environment
- Demonstrated experience supporting audits, regulatory inquiries, and control remediation efforts related to IAM
Knowledge, Skills, and Abilities:
- Advanced expertise in IAM governance, risk, and compliance, including identity lifecycle controls, access governance, privileged access management, and authentication and authorization models.
- Strong working knowledge of healthcare regulatory and security frameworks, including HIPAA and NIST-based control models, and the ability to map requirements to technical IAM controls.
- Hands-on experience assessing and governing IAM controls within enterprise IAM platforms (e.g., IGA, access management, PAM, directory services).
- Ability to apply risk-based and analytical thinking to identify control gaps, prioritize remediation, and drive measurable improvements.
- Strong written and verbal communication skills, with the ability to clearly articulate IAM risk and compliance concepts to technical teams, auditors, and non-technical stakeholders.
- Proven ability to lead complex initiatives, manage competing priorities, and deliver outcomes in a matrixed enterprise environment.
- Strong judgment and decision-making skills, with demonstrated ability to evaluate trade-offs and recommend solutions that align with MGB’s risk tolerance and
Additional Job Details (if applicable)
- M-F Eastern Business Hours required
- Hybrid onsite flexible working model required; the weekly schedule includes onsite days in office (number of days weekly can vary, must be flexible for business needs)
- 1-2 onsite days per week
- Remote working days require a stable, secure, quiet, compliant workstation
Remote Type
Hybrid
Work Location
399 Revolution Drive
Scheduled Weekly Hours
40
Employee Type
Regular
Work Shift
Day (United States of America)
Pay Range
$93,953.60 - $136,739.20/Annual
Grade
7
At Mass General Brigham, we believe in recognizing and rewarding the unique value each team member brings to our organization. Our approach to determining base pay is comprehensive, and any offer extended will take into account your skills, relevant experience if applicable, education, certifications and other essential factors. The base pay information provided offers an estimate based on the minimum job qualifications; however, it does not encompass all elements contributing to your total compensation package. In addition to competitive base pay, we offer comprehensive benefits, career advancement opportunities, differentials, premiums and bonuses as applicable and recognition programs designed to celebrate your contributions and support your professional growth. We invite you to apply, and our Talent Acquisition team will provide an overview of your potential compensation and benefits package.
EEO Statement:
0100 Mass General Brigham Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. To ensure reasonable accommodation for individuals protected by Section 503 of the Rehabilitation Act of 1973, the Vietnam Veteran’s Readjustment Act of 1974, and Title I of the Americans with Disabilities Act of 1990, applicants who require accommodation in the job application process may contact Human Resources at (857)-282-7642.
Mass General Brigham Competency Framework
At Mass General Brigham, our competency framework defines what effective leadership “looks like” by specifying which behaviors are most critical for successful performance at each job level. The framework comprises ten competencies (half People-Focused, half Performance-Focused), which are defined by observable and measurable skills and behaviors that contribute to workplace effectiveness and career success. These competencies are used to evaluate performance, make hiring decisions, identify development needs, mobilize employees across our system, and establish a strong talent pipeline.