
IMF - IT Consultant

Information Risk Manager/IT Security Consultant (TGS)-1200069

International Monetary Fund (IMF)

Washington DC

If you are an external candidate,
please visit www.imf.org/jobs to view the list of current vacancies and to apply to them.


Job Description
A challenging Information Security role that will give you the opportunity to deliver value, gain a sense of achievement, and be a part of a successful Information Security Team.

You will be working within a diverse and forward-thinking Organization and Technology Function that prides itself on customer service and is focused on meeting its objectives. The role will require people, process, and technology skills that are second to none. The successful applicant will be a part of a growing and influential team looking to deliver the best results with the best people.


Duties and Responsibilities:

Under the general supervision of the Chief Information Security Officer, the role will require the candidate to provide information risk management and IT security expertise. The expertise will take the form of risk analysis, consultancy, guidance, policies, standards, best practice, incident response, and process improvements.

The candidate will be required to work with project teams, service providers, and business units internal and external to the IT function. The candidate is expected to bring pragmatic risk management experience allowing the Fund to meet its present and emergent business needs while remaining in compliance with the Fund's security policies and standards and within its risk appetite.

This individual is expected to advise and influence technology and business personnel regarding the value and methods of safeguarding information, applications, systems, infrastructure, and activities, to help ensure that technologies function optimally and work practices are optimized so that information risks are managed.


Specific responsibilities include:

• Delivers information security risk assessments (Certification and Accreditation) of projects, new technologies, external service providers, and IT changes. Guides staff and managers on the appropriate risk mitigation strategies.
• Effectively communicates requirements and trains staff and managers in IT divisions to identify and manage risks throughout the project lifecycle.
• Communicates and reports on risk metrics to IT management and governance groups.
• Conducts quality assurance reviews of security requirements and audit recommendations for the implementation of identified solutions.
• Manages the engagement process of external risk assessment providers and acts as a liaison with internal IT project teams and business units.
• Supports the Fund's ISO 27001 certification by promoting self-compliance to policies and standards by IT staff and managers. Keeps abreast of international information security codes of practice such as ISO 27001/27002, information security and privacy regulations, and how these measures could affect information assets owned by, or administered on behalf of, the IMF.
• Assists with the development of the Fund's enterprise security architecture and standards at the business, information, infrastructure, and application level. Provides subject matter expertise on enterprise security architecture and influences selection of tools and technologies to support the Fund's security architecture standards.
• As an advocate of information security, works closely and proactively with IT project team leaders, service providers, and business units to provide security-related technical solutions. Identifies opportunities to improve business practices or IT security-related processes.
• Analyzes, recommends and implements process improvements within the context of information security.
• Works closely with IT project teams to develop implementation plans for new security-related products and services.
• Coordinates the preparation and presentation of user technical support and training materials to ensure the efficient, effective and secure use of information and communications technology.
• Coordinates and supports the work of security governance.
• Prioritizes, monitors, and assesses compliance and audit recommendation results to ensure they are comprehensive, robust, and of high quality.


Qualifications
Experience should include:

Minimum of 7 years working in the field of Information Security (Information Risk management and IT security) within regulated industries
Developing Information Risk management and IT security Policies and Standards within large scale geographically distributed organizations and diverse cultural user population
Experience of Information Risk Management at organizations with regulatory compliance requirements
Demonstrated IT Security expertise in infrastructure areas, network, applications, and database system technologies including personal computers and mobile devices
Assisted and taken part in delivering Enterprise Security Architecture principles, service management concepts and experience with use of quality assurance tools and techniques
Delivered improvements in Application Security processes, and vulnerability minimization techniques
General infrastructure Vulnerability Management
Experience of External Service Provider risk management
Incident response processes
Application of project management and systems development methodologies, and managing IT administrative and capital development project budgets
Delivery of Security awareness initiatives



Skills:

Familiarity with a broad range of technologies supplemented by in-depth knowledge in specific areas of relevance
Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals
Analytical skills that enable synthesis of inputs from many sources, and allow for strategic thinking and tactical implementation
Interpersonal skills that create openness and trust among colleagues
Facilitation and conflict management skills that enable effective working relationships
Spoken and written communications that are compelling, convincing and reassuring, and skills to articulate complex technical ideas to non-technical stakeholders
Pragmatic security expert with an inherent ability to balance security demands with business reality
Excellent relationship management skills
Ability to multi-task
Ability to think laterally and to have input to / propose detailed, complex solutions to technical issues.


Technical knowledge:

Assisting in the delivery of an IT (infrastructure and applications) Security Strategy and Architecture
Developing and presenting IT security awareness training
Delivery of Information Security Risk and architecture assessments, including consulting on threat modeling, appropriate tiering of N-tier applications, placement, and infrastructure controls to protect application components. Able to consult on and review the implementation of authentication (SSO, LDAP, AD), authorization (fine-grained and coarse-grained), and cryptography (PKI, SSL, Kerberos, crypto algorithms) mechanisms within applications.
Experience with Identity and Access Management suite integration, Web services (SAML, WS-Federation and WS-Security), and SOA security
Defining the policies, standards, and guidelines for Information Security activities, including Application and Infrastructure Security Vulnerability Management, and ensuring Application Security is integrated into the SDLC
Ability to consult on and deliver standards and guidelines on the hardening of application and infrastructure components, and on the tools and techniques to ensure the security of application and infrastructure components such as Linux/Windows servers, Web servers (IIS, Apache, Tomcat), app servers, databases (Oracle and MS SQL), endpoints (Mac, Windows, Apple iOS, BlackBerry etc.), ArcSight, and Web Application Firewalls.
Managing and reviewing the output of Application and Infrastructure Security assessments conducted by external security services firms. Defining processes and procedures for using external security service providers, including scoping, management of services, remediation tracking, and exception management
Ability to perform and consult on white-box and black-box application security assessments. Familiarity with code to the level of being able to conduct source code analysis for applications developed in C#, .NET, and Java. Experience using manual penetration assessment techniques as well as commercial/open-source secure application development tools/products such as Fortify, WebInspect, Core Impact, and AppScan (including the ability to identify false positives in the output of automated tools)
Knowledge of OWASP, WASC, SANS, CVE, and CVSS (threat and vulnerability classification).


General Security:

ISO 27001: knowledge, implementation, and management
Risk management concepts and principles, including assessment, prioritization, delivery of treatment plans, tracking, reporting, and metrics (accreditation and certification)
Knowledge of information security and privacy related regulatory compliance requirements.
Embedding security into processes such as SDLC, Project Lifecycle, etc.
Security policy and standards creation
Security training & awareness
Basic project management and consultancy skills
CERT - Incident Response
Infrastructure security (perimeter, network, application, operating system, mobile device)
Knowledge of security solutions, latest threats, and countermeasures
Knowledge of information risk/security frameworks


Certifications:

CISSP (minimum)
CISA
GIAC, GSSP-NET, GWAPT, GPEN
CISM
ISO Lead Auditor


Education:

Advanced degree in Information Security and a minimum of 7 years' experience in regulated industries working as an information risk manager or as an IT security specialist; or
Bachelor's degree in Information Security and a minimum of 10 years' experience in regulated industries working as an information risk manager or IT security specialist; or
Advanced university degree in computer science, engineering, mathematics, business or a related field of study plus a minimum of 12 years of relevant experience in regulated industries working as an information risk manager or IT security specialist.
