IT Security & GRC (Lead/Manager)

Company Description

Cermati is a financial technology (fintech) startup based in Indonesia. Cermati simplifies the process of finding and applying for financial products by bringing everything online so people can shop around for financial products online and apply online without having to physically visit a bank.

Our team hails from Silicon Valley tech companies such as Google, Microsoft, LinkedIn, and Sofi, as well as Indonesian startups such as Doku and Touchten. We have graduates from well-known universities such as Universitas Indonesia, ITB, Stanford, University of Washington, Cornell, and many others. We are building a company with the same culture of openness, transparency, drive, and meritocracy as Silicon Valley companies. Join us in our cause to build a world-class fintech company in Indonesia.

• Develop and maintain IT policies, standards, and procedures according to applicable internal and external requirements, including the applicable regulations in Indonesia (POJK, PBI).
• Coordinate with the Compliance team to perform gap assessments and recommend appropriate measures to mitigate risks.
• Ensure that every initiative, development, and collaboration complies with the standards and regulations (internal and external).
• Develop and implement the RBAC and least privilege access management.
• Assess the effectiveness of IT controls, policies, and procedures in place to safeguard information assets, ensure data integrity, and maintain system availability.
• Coordinate with related IT work units to follow up on data requests and the implementation of audit recommendations (internal audit, external audit, and regulator).
• Continuously update and implement the internal control framework, policies, and procedures to strengthen the organization's IT governance according to IT General Control, IT Application Control, ISO 27001, PCI DSS, and other industry best practices.
• Socialize and regularly raise awareness to ensure IT policy, procedures, guidelines, and standards are implemented in day-to-day operations.

• A minimum of 3 years of experience in Information Security, IT Governance, Risk, and Compliance (IT GRC), or IT Auditor in banking or the financial services industry.
• Experience in developing and maintaining IT and/or information security policies and procedures.
• Demonstrate good communication and writing skills.
• Proven experience in implementing and/or auditing ISO 27001 and PCI-DSS standards.
• Good understanding of the applicable regulatory requirements (such as OJK, BI, and Kemkominfo) and how they impact IT policies.
• One or more of the following or equivalent certifications preferred: CISA, CRISC, CISSP.