
As the Chief Information Security Officer for the Treasury of the World Bank, Jim Nelms oversees the security infrastructure, including computer and network systems, business systems, web-based applications, e-commerce and online trading systems. So it’s fair to say he’s a busy man. The World Bank is headquartered in Washington DC, where about 5,000 of its 16,000 employees are based (the rest are distributed across 90 different countries worldwide). The IT threat faced by the World Bank is similar to that faced by most commercial global banks, although it carries an additional risk because many of its activities are politically sensitive. This manifests itself as additional representational political risk, which is a threat to its stability in cyberspace.
So how does the World Bank deal with these kinds of threats, as opposed to how commercial banks might deal with them? “About five years ago, we adopted a much stronger prevention model,” says Nelms. “Most commercial banks use a balance model between intrusion detection and evasive action: the countermeasures to trap and learn more about the perpetrators. We do some of that, but our primary focus is on the prevention model.” Working in a global environment today, especially on internet-based applications, it is vital to know your markets. Some countries lack cyber crime laws under which perpetrators of fraud can be pursued, and from some it is impossible to obtain financial or criminal information at all. This is why the World Bank concentrates on a stronger prevention model: it cannot count on detecting an intruder and then pursuing them after the fact.
About a year ago, the World Bank began the task of aligning its IT architecture with the business. Nelms, who has been with the World Bank for 11 years, describes the effort, now some ten months in, as a “work in progress”. The bank’s IT has been aligned with the four business units it supports; the financial complex, with its five business lines, is treated slightly differently from the other business units. “We also align the information security architecture with these, using a graduated approach depending upon the classification of information and the sensitivities as a bank operational and representational financial risk,” says Nelms. The operation is progressing well, and has led to the concept of Business Process Team Leaders: individuals who sit within the business unit itself but are IT and security risk professionals supporting the needs of the business.
The World Bank has also undertaken an 18-month Identity and Access Management project to institutionalise good practice across the enterprise. “Identity and Access Management is still a decomposed piece,” says Nelms. The bank has adopted a stronger model for authentication and for authorisation and provisioning, which is complete and in production in the financial complex. Nelms is now rolling this model out to the bank’s other centres and to the wider bank population in phases. “It’s a difficult balance between ease of use and the cultural changes for users as much as it is technology,” he states; but the project is on track, and another 12 months of implementation is expected before all areas are synchronised with the common identity and access management methodology.
So what are some of the challenges facing the industry? Nelms suggests that a big development will be the convergence of information security and risk management. He says the complexity of financial instruments has increased to the point that they can no longer be processed or managed manually; technology is needed. According to Nelms, there are two projects he is currently excited about, both related to the bank strengthening its prevention model. “The first is related to our web posture. The bank has close to 10 million pages online for the operations side of the bank, and we’re in the business of assimilating information. We want that information to remain accurate and available to users. We have a platform, and content management we are bringing in: it’s a huge undertaking because of the magnitude of the operation.” Over the next few months, a major project will be underway to standardise the World Bank’s entire web presence.
The second project Nelms speaks of addresses increasingly sophisticated threats to the bank’s security. The bank is moving to a more granular network segregation model, isolating different areas of the bank from one another in a discretely granular posture, so that in the event of a virus or security breach the damage is confined to a smaller area within the bank. Both these projects speak to the increasing need to contain problems locally.
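To make the containment argument concrete, here is a small added example (not the bank’s code or topology, which the article does not describe) that compares how far a worm exploiting one service can pivot across a flat network versus one with an explicit segment allow-list. Hosts, segment names, ports and the policy are all constructed for illustration.

```python
"""Blast-radius comparison: flat network vs. segmented network.

Everything below (hosts, segments, ports, allow-list) is a constructed,
hypothetical example; it is not the World Bank's topology or policy.
"""
from collections import deque

# Constructed inventory: host -> network segment.
HOSTS = {
    "ws-01": "user-lan", "ws-02": "user-lan", "print-01": "user-lan",
    "web-01": "dmz", "web-02": "dmz",
    "app-01": "app-tier",
    "db-01": "finance-db",
}

# Flat network: no enforcement between segments, every host can reach every port.
FLAT_POLICY = None

# Segmented network: allow-list of (source segment, destination segment, TCP port).
# Anything not listed is denied. Traffic inside a single segment is not filtered,
# which is exactly why the granularity of the segments matters.
SEGMENTED_POLICY = {
    ("user-lan", "dmz", 443),         # users reach the web front end only
    ("dmz", "app-tier", 8443),        # web tier calls the application tier
    ("app-tier", "finance-db", 5432), # only the app tier may reach the database
}


def flow_allowed(policy, src_seg, dst_seg, port):
    """True if a connection from src_seg to dst_seg on port is permitted."""
    if src_seg == dst_seg:
        return True          # intra-segment traffic: segmentation alone does not stop it
    if policy is None:
        return True          # flat network: no boundaries enforced
    return (src_seg, dst_seg, port) in policy


def reachable_hosts(hosts, policy, compromised, port):
    """Hosts an attacker or worm can pivot to from `compromised` over `port`.

    Breadth-first search: every newly compromised host becomes a new source,
    so the result is the transitive blast radius for that one service.
    """
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for host, seg in hosts.items():
            if host not in seen and flow_allowed(policy, hosts[cur], seg, port):
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(hosts, policy, compromised, port):
    """Fraction of the estate reachable from the compromised host over that port."""
    return len(reachable_hosts(hosts, policy, compromised, port)) / len(hosts)


if __name__ == "__main__":
    # Scenario: a worm on a user workstation spreading over SMB (445).
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = reachable_hosts(HOSTS, policy, "ws-01", 445)
        print(f"{name:9s} ws-01 compromise reaches {len(hit)}/{len(HOSTS)} hosts: {sorted(hit)}")
    # Scenario: the web tier is breached and the attacker pivots over the app port.
    hit = reachable_hosts(HOSTS, SEGMENTED_POLICY, "web-01", 8443)
    print(f"segmented web-01 compromise over 8443 reaches: {sorted(hit)}")
```

In the flat case the worm reaches every host; in the segmented case it stays inside `user-lan`, and a breach of the web tier can reach the application tier but not the database, because the database port is only open from `app-tier`. The model deliberately assumes no filtering inside a segment, which is the argument for making segments smaller.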
The greening of IT is a huge issue that has reached all sectors of the technology industry, including the World Bank, which has gone through a major reorganisation led by the bank’s Information Security Council. Although there are no active green computing projects at time of press, the bank has been restructured with business members and business process owners in place, and green computing is on the agenda for next quarter’s decision making on the project. There is a lot to look forward to in ensuring the World Bank keeps pace with its commercial neighbours; luckily for them, their CISO is on the job.