GRC & Risk Management
gro@irdai.gov.in
Active CERT-In Incident
/aegis/comply/certin/incident/{id}
T+5 min → WhatsApp CISO · T+30 min → escalate mgmt · T+2h → final draft · T+4h → approval prompt · T+5.5h → auto-submit to CERT-In.
Retention & Jurisdiction Proof
/aegis/comply/certin/retention…
Open Incidents
Open a New Incident · 6-hour clock starts immediately
Annexure-II Draft
Live DPDP Scanners
POST /aegis/comply/actions/execute,
action_type=draft_dpdp_breach_report)
is real and grounded in the DPDP Act with an LLM. The URL-scanner rule sets need pilot validation against a real Data Fiduciary's consent UX before we ship them.
Data Inventory · Record of Processing (DPDP §5)
/aegis/comply/dpdp/inventory…
Data Subject Access Requests (DSAR)
Personal Data Breach Report · DPDP §8(6)
SDF Checklist (Significant Data Fiduciary)
/aegis/comply/dpdp/sdf…
Data-Flow Diagram (Mermaid)
Draft Incident Report
POST /aegis/comply/actions/execute)
prove the pattern. The RBI-specific report format requires validation against a live RBI-regulated entity's CISO workflow before we ship it.
NBFC Controls
Quarterly Report Draft
POST /aegis/comply/actions/execute)
prove the pattern. The CSCRF report format (VAPT / CCI / audit findings) needs validation with a real stockbroker / AMC / KRA before shipping.
Countdown Clock
Incident Draft
POST /aegis/comply/actions/execute)
prove the pattern. The 48-hour clock above is real and persists the deadline — only the IRDAI-shaped drafter is pending pilot validation.
All data is live from the backend. Empty states mean the endpoint is unavailable — no fabricated numbers.
Compliance Calendar — all India regulators
Evidence Vault — immutable ledger
Framework & Controls
Evidence Checklist
Organization Details
Security Posture Evidence
FAIR Scenario Parameters
📚 Governance Programme Overview
Framework mapping · evidence automation · IR retainer · cyber-insurance · tabletop · vendor risk · breach notification · policy library · privacy requests — the boring controls that turn a program into an insurable one.
🗺 Control Mapping · ISO 27001 · SOC 2 · NIST CSF 2.0 · DPDP (T370)
Single source of control → evidence-per-source → audit-ready export. Avoids five teams answering the same question five different ways.
| Framework | Controls | Pass | Gaps | Auditor-ready pack | Next assessment |
|---|---|---|---|---|---|
| ISO 27001 : 2022 | 114 | 108 (95%) | 6 · owner-assigned | ✓ signed bundle | Q3 surveillance |
| SOC 2 Type II | 64 | 62 (97%) | 2 · in remediation | ✓ auditor portal | annual · 4 mo out |
| NIST CSF 2.0 | 108 | 102 (94%) | 6 · Recover-func | ✓ self-attest | quarterly review |
| DPDP Act 2023 (India) | 42 | 40 (95%) | 2 · DPIA templates | ✓ DPO-signed | ongoing |
| HIPAA Security Rule | 54 | 54 (100%) | 0 | ✓ | annual · 8 mo out |
| PCI-DSS v4.0 (scope-limited) | 87 | 87 (100%) | 0 | ✓ ROC ready | annual · 2 mo out |
📂 Evidence Automation — nightly from every module (T371)
Screenshots / JSON / logs pulled nightly, linked to control IDs, signed, expiry-tracked. Auditor gets a portal — not a zip bomb of PDFs.
| Source module | Evidence kind | Controls mapped | Last capture | Expiry |
|---|---|---|---|---|
| aegis · passkeys | enrollment %, cohort breakdown | ISO A.9.4 · SOC CC6.1 | today 04:12 | 90 d |
| aegis · CAP | policy state, override log | ISO A.9.2 · NIST PR.AC | today 04:14 | 90 d |
| aegis · backup | object-lock matrix, restore-test log | ISO A.12.3 · NIST PR.IP-4 | today | 90 d |
| secops · ATT&CK coverage | heatmap + BAS evidence | SOC CC7.1 · NIST DE.CM | today | 90 d |
| cnapp · CIS/NIST score | per-account score + findings | ISO A.13 · PCI 1.2 | today 05:00 | 90 d |
| devsec · SBOM · AI-BOM | release artifacts + hashes | SLSA + SOC CC8.1 | per release | 7 y |
| human-security · phish | click/report trends | ISO A.7.2 · NIST PR.AT | per campaign | 2 y |
🚨 Incident-Response Retainer — Legal + Forensic Pre-Engaged (T372)
Named firms, signed MSA, agreed hourly rate, SLA. The 3 AM question "who do we call?" has an answer saved on every exec's phone.
| Partner | Role | SLA | Scope | Last exercise |
|---|---|---|---|---|
| Mandiant (Google Cloud) | DFIR · lead | < 2 h engage | cloud + endpoint forensics | Q1 tabletop |
| CrowdStrike Services | DFIR · secondary | < 4 h engage | endpoint + IR surge | Q1 tabletop |
| Covington & Burling | breach counsel · US | < 2 h | legal privilege + regulator | Q1 tabletop |
| Trilegal (India) | breach counsel · DPDP | < 4 h | India data-protection | Q1 tabletop |
| Kroll | ransom negotiation | < 2 h | if-and-only-if path | Q4 dry-run |
| Coalition Response | insurance-partnered IR | < 2 h | claim coordination | annual |
🛟 Cyber-Insurance Coverage + Gap Analysis (T373)
Controls required by the policy · evidence we have · what's missing. Insurance-eligible does not mean adequate; we track both.
| Policy requirement | Our evidence | Status |
|---|---|---|
| MFA on all privileged + remote access | aegis passkeys · CAP policies | MET |
| EDR on every endpoint | aegis endpoint · 99.4% coverage | MET |
| Immutable backups + tested restore | aegis backup · monthly restore-test | MET |
| Email security / anti-phish | human-security · DMARC p=reject | MET |
| Privileged-access management (PAM) | aegis PAM · all tier-0 | MET |
| Tested incident response plan | quarterly tabletop · annual full-sim | MET |
| Network segmentation | NDR · ZTNA · OT VLANs | MET |
| Third-party risk management | TPRM module (T375) | MET |
| Security awareness training | human-security · 100% 90d | MET |
🎲 Tabletop Calendar + Playbook Library (T374)
Quarterly with execs · annual full-sim restore. Named decision-owners per playbook. If we haven't rehearsed it, we don't have it.
| When | Scenario | Audience | Owner | Outcome |
|---|---|---|---|---|
| Q2-26 (in 18 d) | Cloud-first ransomware · encrypted prod + exfil threat | CEO · CFO · CTO · CISO · Legal · Comms · CPO | CISO · COO | planned |
| Q1-26 | CFO deepfake + $25 M wire | exec + finance | CFO · CISO | pass · T313/T314 upgrades |
| Q4-25 | Supply-chain implant in CI | eng-leads + security | CTO · CISO | pass · T132/T133 upgrades |
| Q3-25 | Annual FULL-SIM · wipe + restore | all of eng + ops | CTO · CISO · SRE | RTO 3 h 42 m |
| Q2-25 | BEC · vendor-bank-change | finance + legal | CFO · GC | pass · dual-control adopted |
🤝 Third-Party Risk — Real Signal, Not Questionnaires (T375)
security.txt + SOC 2 + ASM-score + news monitor per vendor. Tiered by data-access. Annual real-evidence recertify — not a PDF of screenshots.
| Vendor | Tier | Data access | SOC 2 | ASM score | News sentiment | State |
|---|---|---|---|---|---|---|
| Stripe | Tier-0 | payment · PCI | Type II ✓ | A | neutral | OK |
| AWS | Tier-0 | infra · all | Type II ✓ | A+ | neutral | OK |
| Okta | Tier-0 | identity | Type II ✓ | A | monitoring post-2023 | OK |
| Zendesk | Tier-1 | support tickets (PII-lite) | Type II ✓ | B+ | neutral | OK |
| NewVendor-Xyz | Tier-2 | analytics aggregate | Type I only | B- | neutral | REVIEW |
| LegacyTool-Abc | Tier-1 | read-only email | no | C | negative breach 2024 | SUNSET · 90d |
📢 Data-Breach Notification Workflow — 72 h Clocks (T376)
GDPR · DPDP · HIPAA · SEC 8-K timelines. Legal-first decision tree with materiality assessment. Clock-start policy explicit.
| Regime | Trigger | Deadline | Owner | Pre-approved notice template |
|---|---|---|---|---|
| GDPR (EU) | Any personal-data breach | 72 h to supervisory authority | DPO · EU | ✓ legal-approved |
| DPDP (India) | Personal-data breach | ASAP to Board + data principals | DPO · India | ✓ |
| HIPAA (US) | PHI breach > 500 | 60 d · media + HHS | Privacy Officer | ✓ |
| SEC (US public companies) | Material cyber incident | 4 business days 8-K | CFO · GC · IR | ✓ materiality tree |
| CERT-In (India) | Listed incident types | 6 h report | CISO · CERT-In liaison | ✓ |
| State AGs (US) + CCPA | Per-state thresholds | varies · 30-90 d | Legal | ✓ state-specific |
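The clock logic behind this table and the staged CERT-In timeline at the top of the page (T+5 min WhatsApp CISO through T+5.5 h auto-submit), as an added example that is not the dashboard's own code. It assumes a "business day" for the SEC 8-K row skips weekends only (no holiday calendar), and the sample clock-start timestamp is constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example, not the dashboard's own code. Deadlines are the ones in
# the table above; the staged CERT-In ladder is the T+ timeline from the
# incident view. Assumption: a "business day" skips weekends only.
REGIMES = {  # regime -> (amount, unit) counted from clock start
    "CERT-In": (6, "hours"),
    "GDPR": (72, "hours"),
    "HIPAA": (60, "days"),
    "SEC 8-K": (4, "business_days"),
}
CERTIN_LADDER = [  # escalation steps inside the 6-hour CERT-In clock
    (timedelta(minutes=5), "WhatsApp CISO"),
    (timedelta(minutes=30), "escalate to management"),
    (timedelta(hours=2), "final draft"),
    (timedelta(hours=4), "approval prompt"),
    (timedelta(hours=5, minutes=30), "auto-submit to CERT-In"),
]
# Constructed sample start: late Friday UTC, so the SEC count spans a weekend.
SAMPLE_START = datetime(2026, 4, 3, 23, 10, tzinfo=timezone.utc)


def add_business_days(start: datetime, n: int) -> datetime:
    """Step forward n weekdays, keeping the time of day."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Mon=0 .. Fri=4
            n -= 1
    return current


def deadline(regime: str, clock_start: datetime) -> datetime:
    """Absolute regulatory deadline for one regime."""
    amount, unit = REGIMES[regime]
    if unit == "hours":
        return clock_start + timedelta(hours=amount)
    if unit == "days":
        return clock_start + timedelta(days=amount)
    return add_business_days(clock_start, amount)


def certin_schedule(clock_start: datetime) -> list:
    """Absolute wall-clock time for each CERT-In escalation step."""
    return [(clock_start + offset, step) for offset, step in CERTIN_LADDER]


def status(regime: str, clock_start: datetime, now: datetime) -> str:
    """Countdown text as a dashboard tile would show it."""
    remaining = deadline(regime, clock_start) - now
    if remaining <= timedelta(0):
        return "OVERDUE by %s" % (-remaining)
    return "%s left" % remaining
```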
📖 Policy Library — git-versioned, acknowledged (T377)
AUP · data-class · crypto · AI-use · BYOD · IR · business-continuity. Annual re-ack via HRIS. Searchable from inside the app (global search · T431).
| Policy | Version | Owner | Re-ack due | % acknowledged |
|---|---|---|---|---|
| Acceptable-Use Policy | v2026.1 | CISO | 1 Jun 2026 | 98% |
| Data Classification + Handling | v2026.1 | DPO + CISO | 1 Jun 2026 | 98% |
| Cryptographic Standards | v2025.4 | CISO | 1 Sep 2026 | 98% |
| AI-Use Policy · employees | v2026.1 (new) | CISO + CPO | annual | 96% |
| BYOD · Mobile | v2025.2 | IT · CISO | 1 Jul 2026 | 98% |
| Incident Response Plan | v2026.1 | CISO + GC | 1 Apr 2026 ✓ | 100% |
| Business-Continuity Plan | v2026.1 | COO + CISO | 1 Apr 2026 ✓ | 100% |
🛂 Privacy / Data-Subject-Request Fulfilment (T378)
30-day SLA. Cross-system data map drives fulfilment. Signed-off export in a portable format. All actions logged in the evidence vault.
| Request | Kind | Regime | Opened | SLA | Status |
|---|---|---|---|---|---|
| DSR-2026-0142 | Access + copy | GDPR | 3 d ago | 27 d left | in-progress |
| DSR-2026-0141 | Erasure | DPDP | 6 d ago | 24 d left | scheduled · retention cleared |
| DSR-2026-0140 | Rectification | CCPA | 8 d ago | 22 d left | completed |
| DSR-2026-0139 | Portability | GDPR | 11 d ago | 19 d left | completed |
| DSR-2026-0138 | Objection · marketing | GDPR | 14 d ago | 16 d left | completed |
🎓 Program & Culture
The 40-year principles made operational. Culture beats controls — the most resilient orgs have the best culture, not the biggest tooling budget.
🎲 Quarterly Tabletop with Execs — Named Scenario (T410)
Ransom-note at 3 AM · BEC wire · supply-chain implant · cloud ransomware. Rotate scenarios · measure decision-latency · publish after-action.
| Quarter | Scenario | Attended | Decisions measured | Action items closed |
|---|---|---|---|---|
| Q2-26 (in 18 d) | Cloud-first ransomware · encrypted prod + exfil threat | planned CEO · CFO · CTO · CISO · GC · CPO · Comms | — | — |
| Q1-26 | CFO deepfake + $25 M wire | CEO · CFO · CISO · GC | 12 · median 6 min | 14 / 14 |
| Q4-25 | Supply-chain implant in CI | CTO · CISO · SRE-lead · eng-VPs | 9 · median 4 min | 11 / 11 |
| Q3-25 | Ransomware at 3 AM | full exec + IR retainer | 18 · median 8 min | 16 / 16 |
| Q2-25 | BEC · vendor-bank-change | CFO · AP · GC · CISO | 7 · median 3 min | 8 / 8 |
🔥 Annual Full-Sim — Wipe + Restore in Clean-Room (T411)
Measured wall-clock recovery. Reports to audit + board. Every year we discover a different thing we got wrong — that's the point.
| Year | Scope | Wall-clock RTO | Lessons (top 3) |
|---|---|---|---|
| 2026 (Q3 scheduled) | prod + identity · full domain restore | target < 4 h | — |
| 2025 | prod + identity + SaaS re-provision | 3 h 42 m | Okta re-seal bootstrap · DNS TTL too long · backup bucket MFA-delete recovery path |
| 2024 | prod only | 5 h 18 m | missing SAML metadata · broken workload-identity chain · wrong runbook owner |
| 2023 | prod only · partial | 9 h 42 m | backup keys orphaned · IMDS role assumptions broken · on-call tree stale |
🪞 Blameless Post-Mortem Template + Public Repo (T412)
Every incident → 5-whys + action items with owners + deadlines + status. No names used adversarially. Culture: "blame the system, fix the system."
| Incident | When | 5-whys completed | Action items | Closed / open |
|---|---|---|---|---|
| INC-4431 · AiTM cookie replay | 2d ago | ✓ | 4 | 2 / 2 |
| INC-4418 · honey-SPN trip (Kerberoast) | 12d ago | ✓ | 3 | 3 / 0 |
| INC-4402 · CI runner secret leak | 28d ago | ✓ | 6 | 6 / 0 |
| INC-4389 · billing-staging P0 IDOR | 42d ago | ✓ | 5 | 5 / 0 |
| INC-4362 · cryptomining on ML prod | 60d ago | ✓ | 7 | 7 / 0 |
👥 Team Skill Matrix + Fire-Tested-Staff Retention (T413)
The hidden 9th metric — people who have been in the actual fire. Cannot be bought. Maps every named role + every known scenario they can lead vs support.
| Role | Incidents led | Tenure | Retention risk | Successor in training |
|---|---|---|---|---|
| IR Lead | 14 | 4 yr | LOW | yes · 18 mo in |
| Deputy IR Lead | 8 | 2 yr | LOW | yes |
| SOC L3 (threat hunt) | 22 hunts · 6 incidents | 3 yr | LOW | yes |
| Forensics lead | 6 deep-investigations | 2.5 yr | MED · recruited heavily | co-lead pairing |
| IR comms lead | 4 (incl. SEC-material event) | 2 yr | LOW | yes |
| Legal / breach-counsel liaison | 3 | 5 yr | LOW | yes |
🤝 Community Intel Sharing — ISAC / ISAO Membership (T414)
Sector-specific sharing groups · anon IOCs outbound · their alerts into our TI fabric (T207). We take what we need and give back in kind.
| Group | Sector | Inbound IOCs (30d) | Outbound contributions | Status |
|---|---|---|---|---|
| FS-ISAC | financial services | 2,402 | 14 anonymised | ACTIVE |
| H-ISAC | healthcare | 846 | 3 anonymised | ACTIVE |
| FI-ISAC (India) | financial · India | 1,218 | 8 anonymised | ACTIVE |
| CERT-In PPP | national · India | 612 | 4 reports | ACTIVE |
| MS-ISAC | state-local-govt | — | — | not applicable |
🐛 Public Bug-Bounty + VDP (T415)
Scope · reward · safe-harbor. 24 h triage SLA. Integrates with the secops triage copilot (T260). Paid researchers find what the quarterly pentest misses.
| Metric | Value |
|---|---|
| Programme | public (HackerOne) |
| Scope | *.[your-org].com · mobile apps · API |
| Out-of-scope | staff accounts · social-engineering · denial-of-service |
| Safe-harbor | ✓ CISA-standard language |
| Reward range | $250 (low) → $25,000 (critical) |
| Triage SLA | 24 h first response · 10 business days to decision |
| Reports (YTD) | 184 received · 42 paid · $148,250 paid out |
| Hall of Fame | 12 researchers |
🎯 Internal Red-Team — Quarterly, Blind Scenario (T416)
In-house or retained. Not a "product audit" — actual adversary simulation. Blind (the blue team doesn't know the scenario), with ROE, timeboxed, reported to the board.
| Engagement | Scenario | Initial access | Goal reached? | Detection earliest |
|---|---|---|---|---|
| Q2-26 (in 44 d) | Cloud-first ransom · external | — | — | — |
| Q1-26 | Supply-chain via vendor SaaS | OAuth consent → token theft | partial · reached staging · blocked at prod | SOC L2 · 12 m |
| Q4-25 | Insider-threat · finance | simulated rogue accountant | no · dual-control held | finance-team report · 30 s |
| Q3-25 | External → on-prem AD | Evilginx AiTM phish | no · CAP + ITDR held | ITDR · 47 s |
| Q2-25 | Endpoint → lateral → crown-jewel | malicious USB | no · WDAC + ASR held | EDR · 6 s |