IT Analyst, Security, Risk and Compliance - Tenders Global


Job #: req25121
Organization: World Bank
Sector: Information Technology
Grade: GE
Term Duration: 3 years 0 months
Recruitment Type: Local Recruitment
Location: Chennai, India
Required Language(s): English
Preferred Language(s):
Closing Date: 12/7/2023 (MM/DD/YYYY) at 11:59pm UTC

Description

Do you want to build a career that is truly worthwhile? Working at the World Bank Group provides a unique opportunity for you to help our clients solve their greatest development challenges. The World Bank Group is one of the largest sources of funding and knowledge for developing countries; a unique global partnership of five institutions dedicated to ending extreme poverty, increasing shared prosperity and promoting sustainable development. With 189 member countries and more than 120 offices worldwide, we work with public and private sector partners, investing in groundbreaking projects and using data, research, and technology to develop solutions to the most urgent global challenges. For more information, visit www.worldbank.org

ITS Vice Presidency Context:

Information and Technology Solutions (ITS) enables the WBG to achieve its mission of ending extreme poverty and promoting shared prosperity in a sustainable way by delivering transformative information and technologies to its staff working in over 150 locations.

Our vision is to transform how the Bank Group accomplishes its mission through information and technology. In this fast-paced, ever-changing world, the formulation and implementation of the ITS strategy is an ongoing, iterative process of learning and adaptation developed through extensive consultations with business partners throughout the World Bank Group.

ITS shapes its strategy in response to changing business priorities and leverages new technologies to achieve three high-level business outcomes: business enablement, by providing Bank Group units with innovative digital tools and technologies to transform how they deliver value for their clients; empowerment & effectiveness, by ensuring that all Bank Group staff are connected, able to find information, and productive to accelerate the delivery of development solutions globally; and resilience, by equipping the Bank Group to provide risk-based cybersecurity and robust data protection for a global network and a growing cloud platform.

Implementation of the strategy is guided by three core principles. The first is to deliver solutions for business partners that are customer-centric, innovative, and transformative. The second is to provide the Bank Group with value for money with selective and standard technologies. The third principle is to excel at the basics by providing a high performing, robust, and resilient IT environment for the organization.

The ITS Information Security and Risk Management (ITSSR) unit, headed by the Chief Information Security Officer (CISO), is responsible for providing leadership in managing the information security and risk functions and activities across the World Bank, enabling the achievement of WB’s business objectives. ITSSR supports and facilitates a risk aware culture, ensuring that WB information assets are protected in an effective, efficient, and balanced manner and IT security and risk management efforts throughout the World Bank are coordinated and aligned to the World Bank’s business and IT strategy.

The ITS Risk & Security Advisory unit (ITSRC) within ITSSR is responsible for providing leadership in managing IT and third-party information risks across WB. ITSRC is responsible for the institutional processes which enable and support technology risk assessments, including oversight and management of WB’s IT risk management framework; third party information and technology risk management practices; enterprise security architecture (ESA) reference model; and security review and accreditation of business solutions. It advises about risk and security controls related to business engagements involving WB information and systems, and ensures that information risks are identified, assessed, and managed in line with the overall institutional risk management approach and within established risk appetites and tolerances.

ITSRC is seeking an IT Analyst (Security, Risk & Compliance) to join its Third-party Information and Technology Risk Management (TPRM) function. The IT Analyst will be expected to have expertise and commensurate experience to work effectively in the following broad third-party risk management areas.

Risk assessment, case management and advisory: Support third party risk assessments and clearances, including coordinating across WB risk functions and risk partners (technical and non-technical), ITS line of business teams, and WB business units to ensure that these are completed effectively and in a timely manner. Act as a point of coordination for stakeholders (particularly ITS line of business units) to ensure appropriate case handling and address any issues, escalating as necessary to ensure timely resolution. Field requests from business units and risk partners regarding third party information risks and provide guidance and clarifications as appropriate. Mature client relationship and excellent spoken/written communication skills are a plus.

Data monitoring, analysis & reporting: ITSRC collects as well as creates large amounts of operational third-party risk data that has the potential to be aggregated, correlated and analyzed. This position will include data collection/monitoring, analysis and reporting responsibilities, and will require strong data analysis skills and familiarity with visualization and analytical tools such as Microsoft Excel (and preferably Power BI and/or Tableau). The IT Analyst will identify available internal and external information sources and establish relationships between disparate datasets to identify industry trends, find data-driven opportunities for process efficiencies and visualize additional measures for monitoring third party risk. A key task will be to interact with a broad group of internal stakeholders to collect third party risk data. Another key responsibility will be to collaborate with other team members to support establishing supply chain risk data monitoring capabilities.

Risk process oversight & governance: Support the effectiveness and efficiency of the institutional third party information and technology risk management process, including facilitating process integration with WB risk partners; publishing/maintaining appropriate guidance for WB business units, risk partners, and IT line of business teams; facilitating and supporting third party risk governance (and managing related stakeholders); monitoring and ensuring overall process compliance; and aligning with evolving industry best practices through continuous improvement. Requires an understanding of industry best practices in information and technology risk management and strong stakeholder management skills.

The selected candidate will report to the Team Lead for Third Party Risk Management within ITSRC.

Duties and Accountabilities

The IT Analyst will have responsibilities for both managing substantive tasks on their own and executing ITSRC’s third-party risk management work program as an integral part of the TPRM team. S/he would also be expected to work closely with other teams in ITSSR as well as with WB risk partners to understand their respective processes.

Their primary responsibilities may include, but are not limited to, a combination of the following:

Apply institutional third party risk management processes to triage incoming third-party risk clearance requests from ITS line of business teams, WB business units, and Corporate Procurement category managers, providing coordination and guidance, as appropriate, and responding promptly to ensure effective compliance with World Bank procedures while enabling clients to meet their business objectives. Communicate and engage with stakeholders to agree on risk clearance steps and timelines. Troubleshoot, address process bottlenecks, and escalate issues as needed to expedite resolution.

Collaborate with Corporate Procurement and other World Bank risk partners to ensure that the third-party risk assessment and clearance process integrates and aligns with the institutional vendor management framework and that data to support third party risk management process metrics are captured systematically and timely to facilitate analysis and reporting.

Collect information regarding future enterprise contract/vendor plans from ITS contract/project managers and ensure updated information is reflected in an IT Contracts online dashboard. Leverage the IT Contracts dashboard to notify contract managers about upcoming contract/vendor actions.

Support the TPRM team in its oversight of the institutional third-party information and technology risk management process (including associated governance) and suggest/implement refinements to improve efficiency. Develop, publish and maintain process guidance, standards, FAQs, etc.

Collaborate with TPRM team members to establish and refine IT supply chain risk data collection/monitoring, analysis and reporting capabilities.

Maintain and refine a quarterly aggregate third-party risk dashboard for ITS management, coordinating with other WB risk functions and aggregating internal and external data sources to provide a full picture of institutional third-party risk.

Maintain and refine a categorized inventory of IT third parties tiered according to risk and value characteristics (vendor classification), to ensure the appropriate level of institutional attention and decision-making is focused on key third party IT engagements.

Respond to industry-wide cybersecurity incidents/trends and individual vendor incidents, assessing vendor impact and conducting follow-ups on remediation, working closely with ITSSR teams and WB incident response teams, as appropriate.

Periodically conduct surveys of substantive WB third parties to gauge impact and/or response related to industry information and technology risk trends and/or systemic events, and report status and risk exposure accordingly.

Maintain and refine a library of prior third-party risk decisions which can be leveraged as precedents to guide future risk decisions.

Engage with stakeholders across WB to monitor, update and report third party residual risks on a quarterly basis.

Assist in preparation of regular periodic status reports on key performance indicators, work program delivery, accomplishments, and other activities of the third-party risk management function.

Selection Criteria

Bachelor’s or Master’s degree with 2 years relevant experience OR equivalent combination of education and experience.

2+ years of demonstrated hands-on experience working in information security and/or IT risk is strongly preferred.

Candidates with CISA, CRISC, CISM, CISSP, or similar certification are strongly preferred.

Experience working in a financial institution in an information security or IT risk setting is strongly preferred.

Good understanding of enterprise third-party information risk management and its related technical, legal, privacy, contractual and operational perspectives. Experience working in or with third-party information risk management teams is a plus.

Experience developing dashboards and monitoring/reporting key risk indicators and quarterly risk and process metrics to management audiences.

Experience and/or familiarity with using artificial intelligence (AI) tools, including generative AI tools (e.g. OpenAI) is preferred.

Excellent data analysis and reporting skills using Microsoft Excel. Working familiarity with Microsoft Power BI and/or Python is a plus.

Sound knowledge of various outsourcing models such as Application Service Provider, Managed Service Provider, Cloud Service Provider (SaaS, PaaS, IaaS) and related technical and contractual risks and mitigations.

Experience conducting IT project and technology risk assessments and monitoring, risk event root cause analysis. Familiarity with IT risk governance frameworks and taxonomies.

Working familiarity with interpreting and evaluating independent third-party attestation reports (e.g., SOC-2) to gauge vendor internal control environments.

Some understanding of contractual and legal terminology as it pertains to IT risks, coupled with the ability and willingness to learn more in this area.

Ability and experience in using GRC systems for tracking and reporting purposes.

Strong understanding of enterprise IT environments, enterprise architecture, software development life cycle, cloud computing, and information security.

Excellent writing and verbal communication skills. Ability to communicate complex information to non-technical senior staff is a plus.

Ability to manage client relationships across businesses, technology groups, levels and disciplines.

Excellent interpersonal skills and ability to work productively as part of a team.

Ability to be organized, responsive and to be able to effectively multi-task with a focus on driving results.

Identifies innovative approaches to resolve issues.

In tune with leading industry practices around vendor, supply chain and sub-contractor risk management.

Experience in planning, executing, and monitoring projects in a multi-cultural environment and across boundaries.

Solid ability to assess requirements, initiate and complete tasks or projects with little or no guidance in a consistent manner and with attention to detail.

Ability to work well under pressure and meet tight deadlines.

Demonstrably high level of motivation, confidence, integrity and responsibility.

World Bank Group Core Competencies

The World Bank Group offers comprehensive benefits, including a retirement plan; medical, life and disability insurance; and paid leave, including parental leave, as well as reasonable accommodations for individuals with disabilities.

We are proud to be an equal opportunity and inclusive employer with a dedicated and committed workforce, and do not discriminate based on gender, gender identity, religion, race, ethnicity, sexual orientation, or disability.

Learn more about working at the World Bank and IFC, including our values and inspiring stories.

