Job Title: Information Security Analyst
Job Family: Information Management and Technology
Location: Chennai, India
Appointment: Local Hire
Closing Date: 19-Dec-2011
Language Requirements: English [Essential]
Background / General description
The World Bank Group (WBG) Office of Information Security (OIS) provides information security services to the World Bank Group (WBG). OIS’s mission is to protect the WBG’s information assets in a manner that supports the WBG’s mission to have a world free of poverty. The office develops strategy, standards and processes to protect the confidentiality, integrity and availability of WBG information assets in a manner that is aligned with their values and risk appetite. OIS maintains an information security program in a way that respects the rights and privacy of those it serves and addresses the needs of the WBG’s business units. OIS is responsible for managing security strategy, operations and compliance activities for the WBG’s four member institutions (IBRD, IDA, MIGA & IFC). In addition, OIS manages security across remote sites in over 180 countries across the globe. The iSOC Chennai lead oversees and provides vision and leadership for the development and execution of our information security strategy, ensuring that business operations and client assets are not compromised. OIS is in search of an Application Security Analyst, reporting to the iSOC Chennai lead, who would maintain business continuity and expand the Certification & Accreditation and web vulnerability management functions by developing an offshore practice to a maturity level defined by World Bank HQ. OIS wants to hire an Application Security Professional who can handle the team and also provide technical and architectural information security solutions for The World Bank Group. The individual should be multi-disciplined and comfortable in operating and maintaining secured solutions for platforms running mission critical business applications in a homogeneous environment, at the enterprise level.
Note: If the selected candidate is a current Bank Group staff member with a Regular or Open-Ended appointment, s/he will retain his/her Regular or Open-Ended appointment. All others will be offered a 4 year renewable term appointment.
Duties and Accountabilities
• Security analysis of WBG systems (application, operating system and database layers) by performing automated system vulnerability assessment scans using various web, application, operating system and database vulnerability scanners (Cenzic Hailstorm / HP WebInspect / NGSSquirrel, Nessus), analyzing reports and assisting IT staff with remediation efforts.
• Perform security code audits for high risk based applications.
• Review scanner reports and work with the application development community to remediate issues following a risk based approach.
• Work with DBA, network operations and application development teams to discuss vulnerabilities, recommend remediation activities and monitor their progress.
• Maintain detailed documentation of test procedures and findings in OIS ticketing system.
• Perform manual vulnerability assessment and penetration testing of applications, produce reports and walk the development team through the issues.
• Analyze existing and proposed processes and products and produce technical accreditation reports.
• Interface with scanning vendors and the development teams to prepare C&A requests, oversee vendor scanning, interpret results and discuss remediation recommendations with development teams.
• Develop standard operating procedures and process maps for the functioning of Web Application Security in Chennai.
• Develop an escalation matrix for escalating issues to the HQ team.
• Assist the IR team in performing ad hoc / on-demand investigations of web-related incidents.
• Assist iSOC team lead in developing and maintaining ISMS procedures (related to iSOC) for complying with global ISMS policy defined by the organization.
• Assist iSOC Team Lead in knowledge transfer from HQ-OIS group and accordingly mentor the resources in iSOC Chennai.
• Maintain technical proficiency in information security concepts and related technologies through on the job training, performing individual research and attending training courses as necessary.
Administrative:
• Liaise with contracting vendors for recruitment of resources and ensure a lower turnover rate.
• Prepare a project management plan and ensure that the dashboard is updated on a regular basis.
• Along with the iSOC Team Lead, develop KRAs and KPIs for application security resources in Chennai.
• Demonstrate experience in making sound, high impact business decisions supported by sound analysis and information security strategy.
• Assist the iSOC Team Lead in developing periodic status reports and monthly metrics for global reporting purposes.
Selection Criteria
• At least 7 years’ experience in Information Security, of which a minimum of 3 years in application security assessments and a minimum of 2 years in team management.
• Ability to work well under pressure and to meet tight deadlines
• Demonstrates a high level of motivation, confidence, integrity and responsibility
• Ability to be organized, responsive and to be able to effectively multi-task with a focus on driving results
• Demonstrated knowledge of running web application testing tools (e.g., Cenzic Hailstorm / HP WebInspect), identifying vulnerabilities as per the SANS Top 25 or OWASP Top 10 classifications, and helping develop platform-specific remediation plans.
• Proven level of understanding of web application technologies (Java, .NET, Drupal) and database management systems and related security concepts
• Proven level of understanding of HTML, JavaScript, PHP, Java, C++ and C# is a plus.
• In-depth knowledge of common website vulnerabilities such as SQL injection, cross-site scripting, remote/local file inclusion, etc.; in-depth knowledge of common website exploit techniques such as character encoding, privilege escalation, directory traversal, etc.
• Proven level of understanding of Windows and UNIX operating systems and the operation/configuration of common web servers such as IIS and Apache is a plus.
• Demonstrated excellent interpersonal skills, including the ability to work independently, effectively in a team/task force as a team member or leader, and with senior staff and managers.
• Ability to collaborate with business stakeholders to identify requirements and drive compliance with approved standards
Preferred Skillsets / Requirements
• Experience with testing ERP solutions (e.g., SAP and PeopleSoft)
• Experience with security vulnerability evaluation of proposed implementations of COTS solutions, including collaboration tools such as Documentum, SharePoint, etc.
• Demonstrable skills in identifying and mitigating security weaknesses, and incorporating security into enterprise software development lifecycles
Academic Qualification:
• Academic/professional training to at least a Bachelor’s Degree or its international equivalent, preferably in Computer Science, or Computer Engineering.
• Possession of industry certifications highly preferred, including, but not limited to, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Global Information Assurance Certification (GIAC), Certified Secure Software Lifecycle Professional (CSSLP), and Information Systems Security Management Professional (ISSMP).