Tech Risk Governance

1 week ago


Jakarta, Jakarta, Indonesia MilikiRumah Full time

Company Description:

MilikiRumah's mission is to empower the underbanked population by building their credit profile and increasing homeownership opportunities through financial literacy and discipline. We are a team of veterans with expertise in real estate, proptech, and finance.

Role Description:

We are seeking a highly experienced and meticulous Tech Risk Governance & Security Officer to build our compliance function from the ground up. The ideal candidate will be a strategic thinker with hands-on experience in developing and implementing Information Security Management Systems (ISMS), achieving ISO 27001 certification, and navigating the complex regulatory landscape of Indonesia, particularly regulations set by OJK, Bank Indonesia, and Kominfo. Your primary mission will be to ensure our company's policies, technologies, and processes meet the highest standards of security and data privacy, thereby making us a trusted and qualified technology partner for Indonesia's largest financial institutions and state-owned enterprises.

Qualifications:

  • Bachelor's degree in Information Technology, Computer Science, Information Systems, or a related field.
  • Minimum of 3+ years of proven experience in an IT audit, IT risk management, information security, or IT compliance role.
  • Demonstrable, hands-on experience leading or playing a key role in an end-to-end ISO 27001 implementation and certification project.
  • In-depth knowledge of Indonesian regulations (UU PDP, OJK, BI regulations for IT).
  • Strong understanding of IT governance and risk management frameworks such as COBIT and NIST.
  • Excellent project management skills with the ability to manage complex projects with multiple stakeholders.
  • Exceptional communication skills in both Bahasa Indonesia and English (written and verbal).

Bonus Points:

  • Direct experience working with or for Indonesian State-Owned Enterprises (BUMN), major national banks, or financial institutions, specifically in a technology procurement or compliance context.
  • Professional certifications such as CISA, CISM, CRISC, CISSP, or ISO 27001 Lead Implementer/Lead Auditor.
  • Experience with cloud security best practices (AWS, GCP, Azure).
  • Familiarity with the security challenges unique to SaaS platforms and AI/ML model development.

Key Responsibilities:

1. ISO 27001 Certification & ISMS Development:

  • Lead the entire lifecycle of the ISO 27001:2022 certification process, from gap analysis and scope definition to implementation, internal audits, and successful external certification.
  • Develop, implement, and maintain a comprehensive Information Security Management System (ISMS) aligned with ISO 27001 standards.
  • Author and manage all required documentation, including information security policies, procedures, standards, and guidelines.

2. Regulatory & Legal Compliance:

  • Serve as the subject matter expert on Indonesian data protection and IT regulations, including but not limited to:
      - Indonesia's Personal Data Protection Law (UU PDP - No. 27 of 2022).
      - Otoritas Jasa Keuangan (OJK) regulations on IT Risk Management for Financial Institutions (POJK).
      - Bank Indonesia (BI) regulations concerning technology providers in the financial system.
      - Relevant regulations from the Ministry of Communication and Information Technology (Kominfo).
  • Proactively monitor for changes in the regulatory landscape and ensure the company's continuous compliance.
  • Work closely with the legal and product teams to embed data privacy and security controls into our SaaS platform and AI/ML solutions (Privacy by Design).

3. IT Risk Management:

  • Establish and manage a formal IT risk assessment framework to systematically identify, analyze, evaluate, and treat information security risks across the organization.
  • Maintain a comprehensive IT risk register and track the status of mitigation plans.
  • Conduct vulnerability assessments and coordinate penetration testing activities with third-party vendors.

4. Audits & Client Due Diligence:

  • Act as the primary point of contact for all external and internal IT audits.
  • Prepare for and manage security and compliance assessments from prospective clients, especially from BUMNs and banks.
  • Confidently and accurately complete complex vendor security questionnaires and due diligence requests.

5. Stakeholder Management & Training:

  • Collaborate with Engineering, DevOps, and Data Science teams to implement necessary security controls and best practices within the SDLC and MLOps lifecycle.
  • Report on the company's GRC posture, risk levels, and compliance status to senior management.
  • Develop and deliver information security and data privacy awareness training programs for all employees.
