Senior IT GRC and Data Privacy Analyst

Amartha

Daerah Khusus Ibukota Jakarta

On-site

IDR 200.000.000 - 300.000.000

Full time

Today

Job summary

A leading financial technology firm in Indonesia seeks a Senior IT GRC and Data Privacy Analyst to ensure compliance with regulatory standards and enhance data protection. The role involves developing GRC frameworks, conducting risk assessments, and collaborating with cross-functional teams to embed security best practices. Ideal candidates will have a minimum of 5 years of experience in similar roles and strong communication skills in both Bahasa Indonesia and English.

Qualifications

  • Minimum 5 years of experience in IT Governance, Risk & Compliance, or Information Security.
  • Strong understanding of regulatory standards like ISO 27001, NIST, and UU PDP.
  • Hands-on experience in developing GRC frameworks and data privacy programs.
  • Solid knowledge of data protection principles and incident management.
  • Excellent communication skills in Bahasa Indonesia and English.

Responsibilities

  • Develop and maintain Amartha's GRC framework in alignment with regulations.
  • Conduct regular risk assessments and design mitigation plans.
  • Ensure adherence to data protection laws and manage incident responses.
  • Assess and monitor third-party vendors' security and privacy practices.
  • Support audit readiness and educate stakeholders on compliance.

Skills

IT Governance
Risk Management
Compliance Monitoring
Data Privacy
Analytical Skills
Stakeholder Management

Tools

Active Directory
LDAP
OAuth
SAML
Provisioning tools

Job description

About Amartha

At Amartha, we empower micro‑businesses across Indonesia, enabling growth and equal prosperity. We've supported over 2.7 million entrepreneurs—mostly women—by disbursing IDR 22.8 trillion in funding. As we step into 2025, Amartha is evolving into a technology‑driven financial ecosystem, expanding our reach in lending, funding, and payments. Through innovation and digital solutions, we aim to enhance accessibility, streamline processes, and create a seamless user experience.

About the Role

As a Senior IT GRC and Data Privacy Analyst at Amartha, you will play a key role in safeguarding our systems, data, and operations. You will lead the implementation of governance, risk, and compliance (GRC) frameworks while ensuring adherence to data privacy regulations such as ISO 27001, POJK, PSrE, and UU PDP. This role is crucial in strengthening Amartha’s security posture by embedding compliance and privacy best practices into every aspect of our technology and business processes.

About the Team

The Information Security team at Amartha is a highly analytical and collaborative group focused on driving security and privacy by design across the organization. We work closely with engineering, product, and operations teams to embed secure practices throughout the product lifecycle. Our mission is to be a trusted enabler of growth by ensuring resilience, compliance, and responsible data stewardship across Amartha's ecosystem.

What You Will Do

Governance, Risk, and Compliance (GRC)

  • Develop, implement, and maintain Amartha's GRC framework in alignment with regulatory standards and industry best practices
  • Conduct regular risk assessments to identify threats and vulnerabilities
  • Design and implement risk mitigation plans, and track resolution of identified issues
  • Monitor compliance with internal security policies and external regulations

Data Privacy & Protection

  • Ensure adherence to relevant data protection laws and regulations (e.g., UU PDP, GDPR, ISO 27701)
  • Conduct Data Protection Impact Assessments (DPIAs) for new products, initiatives, and vendors
  • Develop and maintain data privacy policies and procedures
  • Manage incident response for data breaches, including investigation, containment, and reporting

Vendor Risk & Compliance

  • Assess and monitor the security and privacy practices of third-party vendors
  • Support contract reviews to ensure vendors meet Amartha's compliance and data handling requirements
  • Partner with Procurement and Legal in vendor due diligence and onboarding

Regulatory & Policy Compliance

  • Stay current with evolving regulatory landscapes (e.g., POJK, PSrE, ISO 27001)
  • Support audit readiness and provide documentation for both internal and external audits
  • Educate and advise stakeholders across the company on compliance responsibilities

Identity & Access Management (IAM)

  • Develop and maintain IAM policies, processes, and technical controls
  • Administer user access management, including provisioning, de‑provisioning, and role reviews
  • Conduct periodic IAM audits and access certification campaigns
  • Work with infrastructure and engineering teams to implement access controls and enforce least‑privilege principles

Requirements

  • Minimum 5 years of experience in IT Governance, Risk & Compliance, or Information Security, preferably in financial services, fintech, or regulated industries
  • Strong understanding of regulatory standards and frameworks such as ISO 27001, NIST, POJK, PSrE, and UU PDP (or GDPR)
  • Hands‑on experience in developing and implementing GRC frameworks, data privacy programs, and compliance monitoring
  • Solid knowledge of data protection principles, incident management, and Data Protection Impact Assessments (DPIAs)
  • Familiarity with IAM technologies and concepts (e.g., Active Directory, LDAP, OAuth, SAML, provisioning tools)
  • Professional certifications are a plus (e.g., CRISC, CISM, CISA, CIPP, ISO 27001 Lead Implementer)
  • Excellent communication skills in both Bahasa Indonesia and English, with the ability to convey complex issues to technical and non‑technical audiences
  • Strong analytical, problem‑solving, and stakeholder management skills
  • Comfortable working in a fast‑paced, agile environment with cross‑functional collaboration