EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityCERT-InSEBI-CSCRFDPDP-Act

Cloud Auditing, Compliance & Indian Regulatory Frameworks

Internal vs external cloud audits, the concept of continuous auditing, and a practitioner guide to SEBI CSCRF 2024, CERT-In 2022, DPDP Act 2023, and RBI IT Framework — the four Indian regulations that shape every cloud deployment in the financial sector.

Ashish Revar3 July 202613 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

SEBI CSCRF 2024 Circular

SEBI CSCRF 2024 circular with full requirements for cybersecurity governance in capital markets.

paper
SEBI CSCRF 2024 Circular

SEBI CSCRF 2024 circular with full requirements for cybersecurity governance in capital markets.

paper
CERT-In Directions 2022 — Full Text

Complete CERT-In binding directions on cybersecurity practices, incident reporting, and log retention.

paper
CERT-In Directions 2022 — Full Text

Complete CERT-In binding directions on cybersecurity practices, incident reporting, and log retention.

paper
RBI IT Framework for Banks 2015

RBI circular on IT framework for banks covering cybersecurity, data localisation, and audit requirements.

paper
RBI IT Framework for Banks 2015

RBI circular on IT framework for banks covering cybersecurity, data localisation, and audit requirements.

paper
AWS Config Managed Rules Reference

Complete list of AWS Config managed rules for continuous compliance monitoring.

blog
AWS Config Managed Rules Reference

Complete list of AWS Config managed rules for continuous compliance monitoring.

blog
More articlesTest your knowledge

Auditing in the Cloud: A Different Discipline

Traditional auditing involves auditors visiting data centres, reviewing physical access logs, and inspecting hardware. Cloud auditing is fundamentally different: auditors work through APIs, dashboards, and logs. Physical access to provider infrastructure is impossible by design.

Internal vs. External Audit

DimensionInternal AuditExternal Audit
Conducted byIn-house security team or GRC teamThird-party auditor (Big 4, specialist firm)
FrequencyContinuous or quarterlyAnnual or as required by regulation
ScopeDetermined by internal risk assessmentDetermined by regulatory requirement or contract
OutputInternal report and remediation trackingFormal audit opinion or certification
Cloud toolsAWS Security Hub, Azure Secure Score, ProwlerProvider compliance reports (SOC 2, ISO 27001) + customer environment review

Continuous Auditing

Traditional annual audits leave gaps of 364 days. Continuous auditing uses automated tools to assess compliance posture in real time:

  • AWS Config Rules: Evaluated whenever a resource changes; rules can auto-remediate violations
  • AWS Security Hub: Aggregates findings from GuardDuty, Inspector, Macie, and Config into a unified compliance score against CIS, PCI-DSS, NIST
  • Azure Policy: Assigns, evaluates, and enforces organisational standards continuously
  • GCP Security Command Center: Provides continuous asset inventory and vulnerability findings

Indian Regulatory Frameworks

Four Indian frameworks directly impact cloud security architecture for financial and regulated sector organisations.

CERT-In Directions 2022

The Indian Computer Emergency Response Team issued binding directions in April 2022:

RequirementImplementation
6-hour breach reportingDetect and report any cyber incident within 6 hours of awareness. Requires mature monitoring — GuardDuty findings must route to on-call within minutes.
5-year log retentionAll ICT system logs retained for 180 days immediately accessible + remaining 5 years in secure storage. S3 Lifecycle + Object Lock is the standard implementation.
NTP synchronisationAll ICT systems synchronised to NTP servers in India (NIC, NPL). EC2 instances use AWS Time Sync Service by default; verify it points to Indian NTP servers.
VPN/cloud service provider dataCloud service providers must retain subscriber information and usage logs for 5 years.

SEBI CSCRF 2024

The Securities and Exchange Board of India Cybersecurity and Cyber Resilience Framework (SEBI CSCRF), effective January 2025, applies to all SEBI-regulated entities:

DomainKey Requirement
GovernanceBoard-approved cybersecurity policy; CISO appointment mandatory
IdentifyAsset inventory including cloud resources; risk assessment annually
ProtectMFA for privileged access; encryption of sensitive data in transit and at rest
Detect24x7 Security Operations Centre for Category I and II entities; SIEM deployment
RespondIncident response plan; 6-hour reporting to SEBI for critical incidents
RecoverRTO: 4 hours (Category I); RPO: 30 minutes for critical systems
Third-party riskDue diligence for cloud service providers; contractual security obligations

DPDP Act 2023

The Digital Personal Data Protection Act 2023 is India regulatory framework for personal data:

ProvisionCloud Security Implication
Lawful processingData processed only with consent or legitimate use; document legal basis in DPA
Data minimisationCollect only what is necessary; design cloud storage with field-level necessity checks
Purpose limitationData used only for declared purpose; enforce through IAM and data lake access controls
Right to erasureData deleted upon request; cryptographic erasure is the cloud-compatible implementation
Breach notificationReport data breaches to Data Protection Board; 72 hours (timeline under finalisation)
Data Fiduciary obligationsOrganisations handling personal data are Data Fiduciaries; accountability for cloud storage configuration
Cross-border transferGovernment may restrict transfer to certain countries; monitor approved/blacklisted country list

RBI IT Framework for Banks

The Reserve Bank of India IT Framework requires:

  • All payment system data (card numbers, transaction records) to be stored exclusively in India
  • Annual IT audits by CERT-In-empanelled auditors
  • Business Continuity Plan with RTO and RPO objectives
  • Penetration testing before major system changes

Log Retention Requirements

FrameworkMinimum RetentionAccessibility Requirement
CERT-In 20225 years180 days immediately accessible
SEBI CSCRF5 yearsOnline for 1 year
PCI-DSS v412 months3 months immediately available
ISO 27001Defined by organisationAs per internal policy
GDPR (where applicable)No longer than necessaryN/A

Key Takeaway

Indian regulatory frameworks are converging on consistent requirements: 6-hour incident reporting, 5-year log retention, mandatory encryption, and continuous monitoring. Cloud architectures built with these requirements in mind from day one are significantly cheaper to maintain than those that retrofit compliance after deployment.