RBI CSCRF · SEBI CSCRF · DPDPA · CERT-In

Compliance Migration Services for Indian Enterprises

Migrate from non-compliant infrastructure to a fully auditable security stack. We close gaps for RBI CSCRF, SEBI CSCRF, DPDPA, and CERT-In — using technology you already own or need to acquire.


India's Regulatory Cybersecurity Landscape

RBI CSCRF

Reserve Bank of India

  • Applies to all RBI-regulated entities
  • Mandatory SOC operations
  • Periodic VAPT required
  • Incident reporting obligations
  • Board-level cyber risk oversight

SEBI CSCRF

Securities & Exchange Board of India

  • Market infrastructure institutions
  • Trading system integrity controls
  • Investor data protection
  • Cyber resilience testing (BAS)
  • Third-party risk management

DPDPA

Digital Personal Data Protection Act

  • Consent management for personal data
  • Data minimisation and purpose limitation
  • Data principal rights (access, erasure)
  • Data Protection Officer appointment
  • Penalties up to Rs 250 crore

CERT-In

Indian Computer Emergency Response Team

  • 6-hour incident reporting
  • 180-day log retention
  • NTP synchronisation mandatory
  • VPN subscriber data retention
  • Applies to all organisations in India

Our Gap Assessment Methodology

1. Control Mapping

We map every control requirement from applicable frameworks (RBI, SEBI, DPDPA, CERT-In) to your current technology stack, policies, and procedures. This produces a control-by-control gap matrix.

2. Technical Validation

Vulnerability assessment and configuration review of your infrastructure to validate whether implemented controls are actually effective. We run 1,000+ VA checks and 256 BAS attack simulations to test real-world control efficacy.

3. Remediation Roadmap

Prioritised remediation plan with effort estimates, technology recommendations, and timeline. Critical gaps first, then high and medium. Each remediation item is linked to specific compliance requirements.

Technology to Compliance Mapping

One technology stack, multiple compliance frameworks satisfied

Technology: Compliance Control (framework columns: RBI, SEBI, DPDPA, CERT-In)

  • FortiGate NGFW: Access control, network segmentation, IPS
  • CrowdStrike Falcon: Endpoint detection & response (EDR)
  • M365 Purview: Data classification, DLP, retention
  • Microsoft Sentinel: SIEM, log retention, SOC operations
  • Entra ID + MFA: Identity management, privileged access
  • Ogma VA + BAS + TI: Vulnerability management, resilience testing, threat intel

Data Classification & Labelling

Classification Levels

We implement a 4-tier classification scheme aligned with Indian regulatory requirements.

  • Restricted — PII, financial data, authentication credentials
  • Confidential — internal reports, customer lists, contracts
  • Internal — policies, procedures, organisational data
  • Public — marketing materials, published content

DLP Policy Implementation

Microsoft Purview DLP policies enforce data handling rules based on classification labels.

  • Auto-detect PII patterns (Aadhaar, PAN, GSTIN, bank accounts)
  • Block external sharing of Restricted/Confidential data
  • Encrypt emails containing classified information
  • Prevent upload of classified files to unapproved cloud services
  • Audit trail of all data access and movement

Log Retention & SIEM Configuration

180-Day Retention

CERT-In mandates 180-day log retention for all ICT systems. We configure tiered storage — hot (30 days), warm (60 days), cold (90 days) — to optimise cost.

Log Sources

Firewall, IDS/IPS, endpoint, server OS, database audit, application, DNS, DHCP, VPN, email gateway, proxy, cloud workload, and identity provider logs.

Detection Rules

Pre-built detection rules for common attack patterns — brute force, lateral movement, data exfiltration, privilege escalation. MITRE ATT&CK mapped analytics.

Incident Response

Automated playbooks for incident triage, enrichment, and CERT-In notification. 6-hour SLA from detection to report submission via predefined templates.

Audit Preparation & Evidence Collection

Evidence We Prepare

  • Asset inventory and classification reports
  • Access control matrix and quarterly review logs
  • Vulnerability assessment reports with remediation proof
  • BAS test results showing control effectiveness
  • Incident response procedure documentation
  • Log retention configuration and SIEM evidence
  • Data flow maps and DLP policy documentation
  • Employee security awareness training records

Mock Audit Process

  • Simulate auditor questions for each control domain
  • Review evidence completeness and accuracy
  • Identify documentation gaps before real audit
  • Test staff readiness for auditor interviews
  • Validate technical controls with live demonstrations
  • Generate mock audit findings and fix them
  • Produce audit-ready report package
  • Assign control owners and evidence custodians

Our Compliance Migration Process

1. Scope & Framework Mapping

Identify which frameworks apply. Map all control requirements. Define compliance scope boundaries.

2. Gap Assessment (VA + BAS)

Technical and procedural gap analysis. VA scans, BAS simulations, policy review, access control audit.

3. Remediation Roadmap

Prioritised plan — critical gaps first. Technology procurement, configuration changes, policy updates.

4. Technology Deployment

Deploy and configure security tools — firewall, EDR, SIEM, DLP, IAM. Map each deployment to compliance controls.

5. Data Classification & DLP

Classify data assets, apply labels, configure DLP policies. Map data flows. Implement retention policies.

6. IR Playbooks & SOC

Build incident response procedures, CERT-In notification templates, and SOC runbooks. Automate detection and triage.

7. Mock Audit & Validation

Full mock audit against each framework. Fix remaining gaps. Compile evidence package. Train staff for auditor interviews.

8. Ongoing Compliance Support

Quarterly VA scans, periodic BAS testing, access reviews, policy updates. Continuous compliance monitoring and reporting.

Why Choose Ogma for Compliance Migration

VA + BAS + TI Trifecta

We combine vulnerability assessment, breach & attack simulation, and threat intelligence to validate compliance controls with evidence, not assumptions. 1,000+ VA checks and 256 BAS attack simulations provide auditable proof that your controls work.

Single Vendor for Technology + Services

As an authorised partner for Fortinet, CrowdStrike, HPE, Dell, and Microsoft, we sell the hardware and software you need AND deploy and configure it for compliance. One vendor, one contract, full accountability.

India-Specific Expertise

We specialise in Indian regulatory frameworks — RBI CSCRF, SEBI CSCRF, DPDPA, CERT-In. Not generic ISO 27001 consulting. Specific, actionable controls mapped to Indian compliance requirements.

Ongoing Compliance Operations

Compliance is not a one-time project. We provide ongoing managed services — quarterly VA, periodic BAS, access reviews, SIEM monitoring, and audit support — to maintain continuous compliance.

Frequently Asked Questions

RBI CSCRF (Cyber Security and Cyber Resilience Framework) is a mandatory framework for all regulated entities under the Reserve Bank of India — banks, NBFCs, payment aggregators, and credit information companies. It mandates comprehensive cybersecurity controls including access management, network security, data protection, incident reporting, and SOC operations. Non-compliance can result in regulatory action, penalties, and reputational damage.

SEBI CSCRF (Cyber Security and Cyber Resilience Framework) applies to stock exchanges, depositories, clearing corporations, mutual funds, portfolio managers, and other market infrastructure institutions regulated by SEBI. While the core principles overlap with RBI CSCRF — access control, network security, incident management — SEBI CSCRF has specific requirements around market data protection, trading system integrity, and investor data privacy that differ from banking requirements.

The Digital Personal Data Protection Act (DPDPA) requires enterprises to: obtain explicit consent before processing personal data, limit data collection to what is necessary, implement reasonable security safeguards, enable data principal rights (access, correction, erasure), appoint a Data Protection Officer for significant data fiduciaries, and report data breaches to the Data Protection Board. Non-compliance penalties can reach up to Rs 250 crore.

CERT-In Directions (April 2022) mandate that all organisations report cybersecurity incidents to CERT-In within 6 hours of detection. This includes data breaches, ransomware, DDoS attacks, website defacement, and unauthorised access. To comply, organisations need automated incident detection (SIEM/SOC), predefined incident response procedures, and 180-day log retention. The 6-hour window requires near-real-time detection capability.

Timeline depends on your current maturity level and the regulatory framework. A focused RBI CSCRF gap closure for an organisation with some controls in place typically takes 8-12 weeks. A full compliance migration from minimal controls to multi-framework compliance (RBI + SEBI + DPDPA + CERT-In) can take 16-24 weeks. We prioritise based on audit deadlines and regulatory risk.

No. Most security tools serve multiple frameworks. A FortiGate firewall addresses access control requirements across RBI, SEBI, and CERT-In. CrowdStrike EDR satisfies endpoint protection requirements for all frameworks. Microsoft Purview handles data classification and DLP for DPDPA. We design a unified technology stack that maps to all applicable frameworks — one deployment, multiple compliance outcomes.

Vulnerability Assessment (VA) identifies technical gaps that violate compliance requirements — unpatched systems, misconfigurations, weak access controls. Breach & Attack Simulation (BAS) validates that your security controls actually work against real attack techniques mapped to compliance requirements. Threat Intelligence (TI) provides context on threats targeting your industry, which regulators increasingly expect as part of proactive security posture. Together, they provide evidence for audit readiness.

Yes. We prepare comprehensive audit evidence packages including: asset inventory and classification reports, access control matrix and review logs, vulnerability scan reports with remediation evidence, incident response procedure documentation, log retention and SIEM configuration proof, data flow maps and DLP policy documentation, BAS test results showing control effectiveness, and employee awareness training records. We also conduct mock audits to identify gaps before the actual audit.

Ready to Get Compliance-Ready?

Get a free compliance gap assessment. We map your current state against RBI, SEBI, DPDPA, and CERT-In requirements and deliver a prioritised remediation roadmap — no obligation.
