IT Security & GRC (Lead/Manager)

Cermati is a financial technology (fintech) startup based in Indonesia. Cermati simplifies the process of finding and applying for financial product by bringing everything online so people can shop around for financial products online and can apply online without having to physically visit a bank.

Our team hailed from Silicon Valley Tech companies such as Google, Microsoft, LinkedIn and Sofi as well as Indonesian startups such as Doku and Touchten. We have graduates from well known universities such as Universitas Indonesia, ITB, Stanford, University of Washington, Cornell and many others. We are building a company with the same culture of openness, transparency, drive and meritocracy as Silicon Valley companies. Join us in our cause to build a world class fintech company in Indonesia.

• Develop and maintain IT policies, standards, and procedures according to applicable internal and external requirements, including the applicable regulations in Indonesia (POJK, PBI)
• Coordinate with the Compliance team to perform gap assessment. Recommend appropriate measures to mitigate risks.
• Ensure that every initiative, development, and collaboration complies with the standards and regulations (internal and external)
• Develop and implement the RBAC and least privilege of access management
• Assess the effectiveness of IT controls, policies, and procedures in place to safeguard information assets, ensure data integrity, and maintain system availability
• Coordinate with the related IT work units to follow up on data requests and the implementation of audit recommendations (internal audit, external audit, and regulator)
• Continuously update and implement the internal control framework, policies, and procedures to strengthen the organization's IT governance according to IT General Control, IT Application control, ISO 27001, PCI DSS, and other industry best practices
• Socialization and regular awareness to ensure IT policy, procedures, guidelines, and standards are implemented in the day-to-day operations

• A minimum of 3 years of experience as Information Security, IT Governance, Risk, and Compliance (IT GRC), or IT Auditor in banking or the financial service industry
• Experience in developing and maintaining IT and/or information security policies and procedures
• Demonstrate good communication and writing skills
• Proven experience in implementing and/or auditing ISO 27001 and PCI-DSS standards
• Good understanding of the applicable regulatory requirements (such as OJK, BI, and Kemkominfo) and how they impact IT policies
• One or more of the following or equivalent certifications preferred: CISA, CRISC, CISSP