Thinking of a Career in Emergency Management?
- BY Nicole Pelette
Established in 1944, the WBG is one of the world’s largest sources of funding and knowledge for development solutions. In fiscal year 2018, the WBG committed $67 billion in loans, grants, equity investments and guarantees to its members and private businesses, of which $24 billion was concessional finance to its poorest members. It is governed by 188-member countries and delivers services out of 120 offices with nearly 15,000 staff located globally.
The WBG consists of five specialized institutions: the International Bank for Reconstruction and Development (IBRD), the International Development Association (IDA), the International Finance Corporation (IFC), the Multilateral Investment Guarantee Agency (MIGA), and the International Centre for the Settlement of Investment Disputes (ICSID). The World Bank is organized into six client-facing Regional Vice-Presidencies, several corporate functions and thirteen Global Practices to bring best-in-class knowledge and solutions to regional and country clients.
Information and Technology Solutions (ITS) enables the WBG to achieve its mission of ending extreme poverty by 2030 and boosting shared prosperity in a sustainable manner by delivering transformative information and technologies to its staff working in over 130 client countries. ITS services range from: establishing the infrastructure to reach and connect staff and development stakeholders; providing the devices and agile technology and information applications to facilitate the science of delivery through decentralized services; creating and maintaining tools to integrate information across the World Bank Group, the clients we serve and the countries where we operate; and delivering the computing power staff need to analyze development challenges and identify solutions. The ITS business model combines dedicated business solutions centers that provide services tailored to specific World Bank Group business needs and shared services that provide infrastructure, applications and platforms for the entire Group. ITS is one of three VPUs that have been brought together as the World Bank Group Integrated Services (WBGIS), to provide enhanced corporate core services and enable the institution to operate as one strategic and coordinated entity.
The ITS Information Security and Risk Management (ITSSR) unit, headed by the Chief Information Security Officer (CISO), is responsible for providing leadership in managing the information security and risk functions and activities across the World Bank Group, enabling the achievement of WBG's business objectives. ITSSR supports and facilitates a risk aware culture, ensuring that WBG information assets are protected in an effective, efficient, and balanced manner and IT security and risk management efforts throughout the World Bank Group are coordinated and aligned to the Bank's business and IT strategy. ITSSR comprises of the following functions: Security Operations, Risk Management and Advisory, IT Policy, IT Compliance, PMO, Business Continuity, and Sourcing and Vendor Management.
The ITS Risk and Compliance (ITSRC) unit within ITSSR has been tasked with providing technical and architectural information security solutions for The World Bank Group and needs an Information Security professional who is results oriented, multi-disciplined and experienced in evaluating information security controls in web and mobile applications and complex business applications.
The IT Analyst, Security, Risk and Compliance, would be expected to work primarily in the following areas:
Interface with ITSRC Security Architecture team members to understand security requirements for WBG information systems (websites, enterprise systems, mobile applications, cloud-based solutions, etc.) seeking security accreditation;Prepare risk-based test plans and perform the security testing (tool-based testing, manual penetration testing, source code review, etc.) on the different layers of those information systems in support of the Certification & Accreditation.
The selected candidate will report to the Team Lead of the Certification and Accreditation function.
Duties and Accountabilities
The IT Analyst, Security, Risk and Compliance will have responsibilities for specific individual tasks and for working as an integral part of the team in executing ITSRC's work program. The primary responsibilities will include, but are not limited to, a combination of the following:
Review the security architecture evaluation of WBG new systems and create security test plans based on existing and planned controls and recommendations.Perform security analysis of the different layers of the systems (application, operating systems and database layers) by performing source code review, manual testing and automated system vulnerability assessment scans using various web, application, operating systems, source code and database vulnerability scanners.Integrate and implement security testing activities in DevOps methodology, using scripting languages and integrate them with CICD pipelines and servers.Perform security testing for cloud-based solutions.Perform application security testing on both native and web based mobile applications on different mobile platforms.Review testing result reports and work with the application development community to remediate issues following a risk-based approach.Perform manual vulnerability assessment and penetration testing of applications, produce reports and walk development team through issues.Maintain detailed documentation of test procedures and findings in ITSRC ticketing system.Help develop and maintain ITSRC application security testing processes and procedures to incorporate new technologies and testing methodologies, including the development of automated testing scripts with focus on automation, integration and visualization.Track relevant security metrics and key performance indicators, analyze test results and vulnerability trends, and prepare status reports.Stay abreast of newer trends in tools and technologies used for application security and acquire security testing skills for various cloud services.
Master's degree with 2 years relevant experience or bachelor’s degree with a minimum of 4 years relevant experience.Preferred 2+ years of experience working in information security or working in software development or operations in cloud technology, with demonstrated hands-on experience in application security.Proven level of understanding of the security architecture and security requirements of enterprise applications and platforms, and hands-on experience in preparing risk-based test plans and performing the security testing on the different layers of those information systems.In-depth knowledge of common security vulnerabilities of OWASP Top 10 (e.g. SQL injection, cross-site scripting) and common exploit techniques (e.g. character encoding, privilege escalation, directory traversal).Demonstrated hands-on experience with web application security manual testing, source code review, and running web application testing tools (e.g., TrustWave Hailstorm, HP Web Inspect), identifying vulnerabilities as per SANS 25 or OWASP Top 10 specifications and validating test results, analyzing vulnerabilities and helping develop platform specific remediation plans.Demonstrated hands-on experience with automating security testing activities in DevOps methodology, using scripting languages (e.g. Power Shell, Python), using application life cycle management products (e.g. MS TFS, Azure DevOps) and common automation and orchestration tools (e.g. Chef, Jenkins).Experience with AWS, Azure, and ADAL SDKs for Python, and Selenium scripting is an added plus.Understanding of cloud technology (e.g. AWS, MS Azure, MS Office 365, Adobe Cloud, ServiceNow), web application technologies (e.g. Java, .NET, Drupal) and operation/configuration of common web servers (e.g. IIS, Apache) is an added plus.Experience with mobile application security testing on different mobile platforms (iOS and Android) is an added plus.Industry certifications highly preferred including, but not limited to, Certified Ethical Hacker (CEH), AWS Solutions Architect Associate, Azure Solutions Architect Associate, CSA Certificate of Cloud Security Knowledge (CCSK), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), and Information Systems Security Management Professional (ISSMP).Ability to work well under pressure and meet tight deadlines. Demonstrate a high level of motivation, confidence, integrity and responsibility.Ability to be organized, responsive and to be able to effectively multi-task with a focus on driving results.Demonstrate excellent interpersonal skills; including the ability to work independently, effectively in a team/task force as a team member or leader, and with senior staff and managers in the unit and elsewhere in the WBG.