Security Analyst

Sorry, this job was removed at 7:35 a.m. (EST) on Saturday, May 15, 2021

*Due to COVID-19 we are working 100% remotely, this includes the hiring process. When it is safe to do so, we will return to a hybrid of onsite and remote work for some positions.


Why This Role Is Important To Arcadia


The Arcadia.io Security Analyst will work as a member of the Information Security team, focused on ensuring the security of Arcadia’s cloud-based Population Health Analytics portfolio through technical security control implementation. This role will be based in Burlington, MA (remote is also available) and will partner with teams throughout the company to ensure that technical security requirements are consistently implemented.


What Success Looks Like

In 3 months

Performing the following with the supervision of the Security Manager:

- All tasks related to vulnerability and configuration management (review scans, as well as assess and document results)

- Conducting vulnerability risk assessments for risk adjustment requests

- Completing timebound security tasks (aligned with HITRUST) and producing reports


In 6 months

- Participating in Security Incident Investigations

- Owning tasks associated with the Security Analyst Role


In 12 months

- Completing customer and vendor security assessments

- Reviewing security documentation on an annual basis for currency

What You'll Be Doing

  • Supporting the Operations, Engineering, Production Support, and Technical Implementation teams by providing the necessary security expertise required to ensure that applications and infrastructure are implemented in accordance with company objectives for risk acceptance
  • Ensuring that the organization's infrastructure and applications meet Arcadia’s technical security objectives (as outlined in Policies and Procedures) and are designed, implemented and executed effectively, efficiently and economically
  • Performing, reviewing, evaluating, assessing, documenting and communicating the results of regular vulnerability and configuration scans
  • Interfacing with external partners, including the Managed Detection and Response vendor, as first contact for identified alerts and issues
  • Reviewing (at pre-defined intervals) access rights, ports/protocols/services, audit monitoring, interconnections, firewall and router configurations, asset inventory, position risk designations, and blacklisting/whitelisting
  • Recommending, documenting and monitoring the implementation of any prescribed corrective actions resulting from assigned security assessments and reviews
  • Designing and implementing annual testing and training on Security Incident Response and Business Continuity/Disaster Recovery
  • Providing technical and forensic support during investigations into any suspected security incidents in accordance with company security incident handling, reporting and management procedures
  • Completing security assessments and annual audits for customers/prospective customers as well as providing artifacts (snapshots, etc.) to support such requests
  • Completing security assessments and annual audits for 3rd party vendors/partners including gathering artifacts (snapshots, etc.) and performing risk analyses and making go-forward recommendations
  • Supporting annual compliance audits (HITRUST, ISO and SOC 2)
  • Producing as required, any security metrics reports for the Information Security Officer (ISO), VP Information Security & Compliance and any other stakeholders or security steering committees prescribed
  • Responding to requests for consultation or other inquiries from staff and providing security advice as required
  • Supporting any requests for information by any external authoritative agencies as required (e.g., assessors, auditors, investigators, etc.)
  • Providing any requested input for the ongoing maturation and development of the information security, risk, compliance and governance strategies necessary to support the business planning process
  • Maintain currency and expertise with emerging trends in security, risk, compliance and governance standards and technologies (both internal and external)
  • Work with our offensive security team to document and report vulnerabilities discovered from our internal penetration testing program to product stakeholders. 
  • Track and drive remediation efforts for discovered vulnerabilities in web applications and network ensuring they are patched according to the timeframes specified.
  • Work with engineering teams to configure and perform automated scans that integrate security into our development process. Review, evaluate, document, and communicate the results to stakeholders. 
  • Work with security and engineering to ensure relevant tasks in the SDLC Security Plan are completed and required artifacts are completed and maintained.

What You’ll Bring

  • College Degree (from an IT Security /computer related field) or equivalent experience with at least 3 years of professional experience including security in the cloud
  • Good working knowledge of security, governance, risk, compliance and privacy concepts and practices
  • Demonstrated experience in network security monitoring/analysis, event escalation, cyber threat analysis, and vulnerability analysis
  • Specific experience in monitoring, evaluating, and interpreting vulnerabilities, CVEs, remedies, mitigation measures, techniques for escalation, social engineering tactics, phishing techniques, and performing vulnerability assessments
  • Familiarity with:
    • Windows, MacOS, and Linux
    • Basic knowledge of networking fundamentals (OSI model, etc.)
    • Fundamentals of information security including concepts related to confidentiality, integrity and availability as well as technical competency with computer BIOS, disk encryption, antivirus, vulnerability scanning, configuration scanning, and open source firewalls
  • Ability to write formal assessment reports and to present to varying stakeholders.

Would Love for You to Have

  • Professional Certification(s) in information security, governance, risk and/or compliance (e.g., CISSP, CEH, GSEC, CISM, CISA, CCSP, CompTIA Security+, etc.)
  • AWS Cloud Practitioner Certification
  • Working knowledge of firewalls and common AWS management, monitoring and configuration services
  • Professional Certification(s) in information security, governance, risk and/or compliance (e.g., CISSP, CEH, GSEC, CISM, CISA, CCSP, CompTIA Security+, OSCP, etc.)
  • Experience performing application security assessments or penetration tests.

What You'll Get

  • You will work with a team of experts in building and maintaining a highly validated security and privacy program for the leader in Population Health and Healthcare data analytics including experience with certifications such as HITRUST, ISO 27001, and SOC 2.
  • Be a part of a team and organization that has built security and privacy into the fabric and culture of the organization.
  • You will learn how to secure highly-regulated sensitive data in a cloud environment and how to build and maintain a fully validated and industry leading security program.
  • Your responsibilities will grow with you as a critical member of our team.
  • Competitive compensation/benefits package.
  • Become an expert in all elements of securing clinical and claims healthcare data in the cloud

About Arcadia

Arcadia.io helps innovative healthcare systems and health plans around the country transform healthcare to reduce cost while improving patient health. We do this by aggregating massive amounts of clinical and claims data, applying algorithms to identify opportunities to provide better patient care, and making those opportunities actionable by physicians at the point of care in near-real time. We are passionate about helping our customers drive meaningful outcomes. We are growing fast and have emerged as the market leader in the highly competitive population health management software and value-based care services markets, and we have been recognized by industry analysts KLAS, IDC, Forrester and Chilmark for our leadership. For a better sense of our brand and products, please explore our website, our online resources, and our interactive Data Gallery.


This position is responsible for following all Security policies and procedures in order to protect all PHI under Arcadia's custodianship as well as Arcadia Intellectual Properties. For any security-specific roles, the responsibilities would be further defined by the hiring manager.


Technology we use

  • Languages: Java, Javascript, Python, Ruby, Scala, Sql
  • Libraries: jQuery, jQuery UI, React, Redux
  • Frameworks: Hadoop, Node.js, Ruby on Rails, Spark, TensorFlow
  • Databases: PostgreSQL, Hadoop, SQL
  • Analytics: Google Analytics
  • Design: Illustrator, Photoshop, Pixelmator
  • Management: Asana, Confluence, JIRA
  • CMS: Wordpress
  • CRM: HubSpot, Salesforce
  • Email: Hubspot
  • Lead Gen: Hubspot

Location

Our new corporate headquarters is located in Downtown Boston, a short walk from South Station. Easily accessible by public transit (MBTA, commuter rail, South Station Bus Terminal) and a short 30 minute Uber from Logan airport. A close walk to nearby coffee shops, restaurants, bars, and sights.

An Insider's view of Arcadia

What's something quirky about your company?

Arcadia's Got Talent (AGT) is an annual talent show that I won last year. The best part about AGT was that it encouraged me to work on something I am passionate about outside of work. All of the entries were amazing & I think it's really awesome that the company does things to bring people together and celebrate our passions outside of the office.

Gary

Engineering Manager

What does your typical day look like?

Every day is a little bit different, which I really love and helps keep me engaged! Most days I have a combination of phone screens and meetings with my hiring managers or team. I also help manage a lot of our brand partnerships that have projects throughout the year and play a part in helping construct Arcadia's company culture as we scale.

Julie

Talent Acquisition Manager

How do you make yourself accessible to the rest of the team?

It's as easy as making time. I meet with my team members for one-on-ones to understand where their stressors are. Sometimes it's personal and I support with flexibility, time, or PeopleOps; other times it's professional, and these I tactically work with the team to coach or intervene.

Geo

Director, Engineering

How does the company support your career growth?

Arcadia is incredibly generous when it comes to career growth. I receive regular mentorship from my manager and leadership team. I also have a continuing education stipend that I use to take courses and attend conferences to further my skillset. My career path is mapped out and regularly adjusted with my professional interests and personal growth.

Mike

Senior Manager, Content

What are Arcadia Perks + Benefits

Arcadia Benefits Overview

Flexible working options, hybrid teams, and unlimited vacations are only a few of the incredible benefits you'll get at Arcadia. As a leader in HealthIT and data, we're making a mark on the standards of work-life balance. Take a look at some of the incredible perks of being an Arcadian.

Culture

  • Volunteer in local community
  • Partners with nonprofits
  • Open door policy
  • OKR operational model
  • Pair programming
  • Employee resource groups
  • Employee-led culture committees
  • Employee awards
  • Flexible work schedule
  • Remote work program

Diversity

  • Highly diverse management team
  • Diversity manifesto
  • Hiring practices that promote diversity

Health Insurance + Wellness

  • Flexible Spending Account (FSA)
  • Disability insurance
  • Dental insurance
  • Vision insurance
  • Health insurance
  • Life insurance
  • Pet insurance
  • Wellness programs
  • Team workouts: We offer biweekly Yoga and guided cardio workout sessions as well as have a Fitness and Fun video library with prior classes for reference.
  • Mental health benefits: We have an EAP (Employee Assistance Program) in place and ongoing webinars focusing on mental health, coping with COVID, and emotional well-being.

Financial & Retirement

  • 401(K)
  • 401(K) matching
  • Performance bonus

Child Care & Parental Leave

  • Generous parental leave
  • Family medical leave
  • Company sponsored family events

Vacation + Time Off

  • Unlimited vacation policy
  • Generous PTO
  • Paid holidays
  • Paid sick days
  • Flexible time off
  • Bereavement leave benefits

Office Perks

  • Company-sponsored outings
  • Free snacks and drinks
  • Some meals provided
  • Company-sponsored happy hours
  • Onsite office parking
  • Pet friendly
  • Fitness stipend
  • Home-office stipend for remote employees: We work with all of our employees to ensure they have a functional and comfortable home office with a focus on ergonomics.

Professional Development

  • Job training & conferences
  • Tuition reimbursement
  • Lunch and learns
  • Promote from within
  • Continuing education available during work hours
  • Online course subscriptions available
  • Customized development tracks
  • Paid industry certifications

Additional Perks + Benefits

At Arcadia we create programs and opportunities that allow connection with one another and bridge the work from home gap. We host themed events, contests with prizes, and provide resources for shared personal and professional interests.
