IT Analyst, Security, Risk and Compliance - Application Security (150587) Full-time

at The World Bank Group in Chennai (Published at 07-04-2015)

Innovation and partnership bond the five institutions of the World Bank Group (WBG): the International Bank for Reconstruction and Development (IBRD) and the International Development Association (IDA), which together form the World Bank; the International Finance Corporation (IFC); the Multilateral Investment Guarantee Agency (MIGA); and the International Centre for Settlement of Investment Disputes (ICSID). The World Bank Group is one of the world’s largest sources of funding and knowledge for developing countries. It uses financial resources and extensive experience to help our client countries to reduce poverty, increase economic growth, and improve quality of life. To ensure that countries can access the best global expertise and help generate cutting-edge knowledge, the World Bank Group is constantly seeking to improve the way it works. Key priorities include delivering measurable results, promoting openness and transparency in development, and improving access to development information and data.

Information and Technology Solutions (ITS) enables the WBG to achieve its mission of ending extreme poverty by 2030 and boosting shared prosperity in a sustainable manner by delivering transformative information and technologies to its staff working in over 130 client countries. ITS services range from: establishing the infrastructure to reach and connect staff and development stakeholders; providing the devices and agile technology and information applications to facilitate the science of delivery through decentralized services; creating and maintaining tools to integrate information across the World Bank Group, the clients we serve and the countries where we operate; and delivering the computing power staff need to analyze development challenges and identify solutions. The ITS business model combines dedicated business solutions centers that provide services tailored to specific World Bank Group business needs and shared services that provide infrastructure, applications and platforms for the entire Group. ITS is one of three VPUs that have been brought together as the World Bank Group Integrated Services (WBGIS), to provide enhanced corporate core services and enable the institution to operate as one strategic and coordinated entity.

The Risk and Compliance team engages with the business, IT, and risk stakeholders to ensure a common understanding of risk across ITS and that IT risks to the business are identified, responded to, monitored, reported, and followed up in a continuous, consistent, timely, and effective manner. The team assesses and enforces compliance with policies, procedures, and adopted control and governance programs (e.g. ICFR, ISO standards, ITIL, etc.) related to the use and administration of WBG IT systems and processes. Key functions and services include: IT Operational Risk Management, Compliance, Risk Governance & Policy Management and Independent Verification & Validation (IV&V).

The ITS Information Security and Risk Management (ITSSR) unit, headed by the Chief Information Security Officer (CISO), is responsible for providing leadership in managing the information security and risk functions and activities across the World Bank Group, enabling the achievement of WBG’s business objectives. ITSSR supports and facilitates a risk-aware culture, ensuring that WBG information assets are protected in an effective, efficient, and balanced manner and that IT security and risk management efforts throughout the World Bank Group are coordinated and aligned to the Bank’s business and IT strategy. ITSSR comprises the following functions: Security Operations, Risk Management and Advisory, IT Policy, IT Compliance, PMO, Business Continuity, and Sourcing and Vendor Management.

The ITS Risk Management and Compliance (ITSRC) unit within ITSSR has been tasked with providing technical and architectural information security solutions for the World Bank Group, and is in need of an Information Security professional who is results-oriented, multi-disciplined and experienced in evaluating information security controls in web and mobile applications and complex business applications.

The Information Security Analyst – Chennai Technical Team Lead would be expected to work primarily in the following areas:

  • Interface with ITSRC Security Architecture team members to understand security requirements for WBG information systems (websites, enterprise systems, mobile applications, cloud-based solutions, etc.) seeking security accreditation.
  • Prepare risk-based test plans and perform or lead the security testing on the different layers of those information systems in support of the Certification & Accreditation or Web Vulnerability Management/Database VM efforts. Conduct manual penetration testing or source code review as needed.
  • Understand the trend of application security and work with WB teams to remediate any vulnerabilities identified during periodic scans and from third-party sources (such as CVE).

This position will report to the Application Security Team Lead in Chennai.

Note: If the selected candidate is a current Bank Group staff member with a Regular or Open-Ended appointment, s/he will retain his/her Regular or Open-Ended appointment. All others will be offered a 3 year term appointment.

Duties and Accountabilities:

  • IT professional executing and solving security, risk management, and/or compliance problems under guidance.
  • Performs analysis, testing and/or reviews of information on business processes from a risk management/security/compliance perspective. Prepares standard reports, highlighting any gaps or concerns, and escalates to management as appropriate.
  • Proposes improvements and assists in the implementation of standards, procedures and guidelines.
  • Supports audits, maintaining and routing necessary documentation.
  • Diagnoses risk, security and compliance incidents and issues that may involve extensive analysis, and recommends resolutions to management.
  • Researches opportunities to improve processes and standards, and identifies best practices from the industry to promote across the organization.
  • Assists with the development of project proposals, ensuring that project plans are in compliance with applicable regulations and policies.
  • Provides technical guidance and mentorship to team members, as appropriate.
  • Supports the development and execution of security/compliance/risk awareness programs across the WBG.

The Information Security Analyst will have responsibilities for specific individual tasks and for working as an integral part of the team in executing OIS’s work program. The primary responsibilities will include, but are not limited to, a combination of the following:

  • Review the security architecture evaluation of WBG new systems and create security test plans based on existing and planned controls and recommendations.
  • Perform security analysis of the different layers of the systems (application, operating systems and database layers) by performing manual testing and automated system vulnerability assessment scans using various web, application, operating systems, source code and database vulnerability scanners.
  • Review scanner result reports and work with the application development community to remediate issues following a risk-based approach.
  • Perform manual vulnerability assessment and penetration testing of applications, produce reports and walk development team through issues.
  • Perform source code reviews to identify security vulnerabilities in source code (static analysis) when needed.
  • Perform mobile application security testing (both native and web based mobile applications) on different mobile platforms (iOS and Android).
  • Help develop and maintain OIS application security testing processes and procedures to incorporate new technologies and testing methodologies.
  • Stay abreast of newer trends in tools and technologies used for application security.

Selection Criteria:

Minimum Education/Experience:

Master’s degree with 2 years of relevant experience, or Bachelor’s degree with a minimum of 4 years of relevant experience.

Required Competencies:

  • Client Understanding and Advising – Looks at issues from the client’s perspective and takes action beyond normal expectations to ensure client satisfaction.
  • Learning Orientation – Stays abreast of new trends and developments in own specialty area and the broader industry, and exposes self to increasingly more challenging projects and opportunities to learn.
  • Broad Business Thinking – Maintains an in-depth understanding of the long-term implications of decisions both for the department and the client’s business. Ensures that decisions are supported by relevant stakeholders as well as sound performance data.
  • Compliance with Standards – Monitors and maintains records on requests for information and assistance.
  • Information Systems / Technologies / Product / Services Knowledge – Resolves escalated problems of technical support.
  • Knowledge of Emerging Technology – Tests new technology to evaluate capability compared to specifications.
  • Negotiation – Investigates areas of disagreement.
  • Risk Management – Reduces risk by solving day-to-day problems as they arise and takes action to prevent problems from recurring.
  • Lead and Innovate – Brings new and different insights.
  • Deliver Results for Clients – Contributes to delivery of results for clients on complex issues.
  • Collaborate Within Teams and Across Boundaries – Collaborates within the team and across boundaries.
  • Create, Apply and Share Knowledge – Actively contributes to and readily applies WBG’s body of knowledge for internal and/or external client solutions.
  • Make Smart Decisions – Leverages available data and makes timely decisions.

Other Selection Criteria:

  • Proven level of understanding of the security architecture and security requirements of complex WBG information systems, COTS products and platforms (e.g. Documentum, SharePoint, Jive, DayCQ), and hands-on experience preparing risk-based test plans and performing or leading the security testing on the different layers of those information systems.
  • In-depth knowledge of common security vulnerabilities (such as SQL injection, cross-site scripting, remote/local file inclusion, etc.) and common exploit techniques (such as character encoding, privilege escalation, directory traversal, etc.).
  • Hands-on experience with web application security manual testing and source code review.
  • Hands-on experience with database security scanners and database monitoring solutions is a plus.
  • Demonstrated hands-on experience running web application testing tools (e.g., Cenzic Hailstorm, HP WebInspect), identifying vulnerabilities as per the SANS 25 or OWASP Top 10 specifications, performing manual testing, validating test results, analyzing vulnerabilities and helping develop platform-specific remediation plans.
  • Proven knowledge of mobile application security testing on different mobile platforms (iOS and Android).
  • Experience with security vulnerability evaluation of ERP solutions (e.g., SAP and PeopleSoft) and cloud-based solutions is an added plus.
  • Previous software development experience (using .NET or Java) is preferred.
  • Industry certifications highly preferred, including but not limited to Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), and Information Systems Security Management Professional (ISSMP).
  • Demonstrated knowledge and experience of the Bank’s and its Unit’s systems and business processes, policies and procedures, as well as relevant software application systems, hardware configuration and network architecture, to implement information security as a process.
  • Ability to work well under pressure and to meet tight deadlines. Demonstrates a high level of motivation, confidence, integrity and responsibility.
  • Ability to be organized and responsive, and to multi-task effectively with a focus on driving results.
  • Demonstrates excellent interpersonal skills, including the ability to work independently, effectively in a team/task force as a team member or leader, and with senior staff and managers in the unit and elsewhere in the WBG.
  • Ability to interact with and lead off-shore team members and to collaborate with business stakeholders to identify requirements and drive compliance with approved standards.

The World Bank Group is committed to achieving diversity in terms of gender, nationality, culture and educational background. Individuals with disabilities are equally encouraged to apply. All applications will be treated in the strictest confidence.
