Part 13.7

Compliance Checklist

"Your Complete Cybersecurity Compliance Guide"

Comprehensive compliance checklist covering CERT-In 2022 directions, sector-specific requirements, and Maharashtra implementation guidelines.

7.1

CERT-In 2022 Compliance Checklist

Technical Requirements

☐

NTP Synchronization: All ICT systems synchronized with NIC/NPL NTP servers (time.nic.in or time.nplindia.org)

☐

Log Retention (180 days): All system, network, and application logs retained for 180 days rolling

☐

Log Storage Location: Logs stored within Indian jurisdiction; accessible to CERT-In on request

☐

SIEM/Log Management: Centralized log management system implemented for correlation and analysis

☐

Monitoring Capability: 24x7 monitoring capability (in-house SOC or MSSP)

Administrative Requirements

☐

Point of Contact (POC): Designated POC registered with CERT-In; available 24x7

☐

Alternate POC: Backup contact person designated for POC unavailability

☐

Incident Response Plan: Documented IRP with playbooks for different incident types

☐

Reporting Procedure: Internal procedure for 6-hour incident reporting established

☐

Training: Staff trained on incident identification and escalation procedures

VPN/Cloud Provider Additional Requirements

☐

KYC Implementation: Customer KYC process implemented (name, address, contact, IP, purpose)

☐

5-Year Record Retention: Subscriber records retained for 5 years after cancellation

☐

IP Address Records: All IP addresses assigned to subscribers documented

☐

Ownership Details: Ownership pattern of subscribing entities recorded

7.2

Sector-Specific Checklists

Banking/NBFC (RBI Framework)

☐

Board-Approved Policy: IT Security Policy and Cyber Security Policy approved by Board

☐

CISO Appointment: Chief Information Security Officer appointed (senior level)

☐

SOC Establishment: Security Operations Center operational

☐

VAPT: Vulnerability Assessment and Penetration Testing conducted quarterly

☐

RBI Reporting: Incident reporting to RBI within 2-6 hours (in addition to CERT-In)

☐

Payment Data Localization: Payment data stored exclusively in India

Capital Markets (SEBI)

☐

Cyber Security Policy: SEBI-compliant policy implemented

☐

Annual IT Audit: Conducted by CERT-In empaneled auditor

☐

SEBI Reporting: Incident reporting to SEBI within 6 hours

☐

BCP/DR: Business Continuity and Disaster Recovery plans tested

Insurance (IRDAI)

☐

Information Security Policy: Board-approved IS policy

☐

IRDAI Reporting: Incident reporting to IRDAI as per circular

☐

Data Security: Policyholder data protection measures implemented

7.3

DPDPA 2023 Integration

DPDPA Compliance (Upcoming)

☐

Consent Mechanism: Valid consent collection for personal data processing

☐

Privacy Notice: Clear, accessible privacy notice in 22 official languages

☐

Data Principal Rights: Mechanisms for access, correction, erasure requests

☐

Grievance Officer: Designated Grievance Officer for data complaints

☐

Breach Notification: Process for notifying DPB of personal data breaches

☐

Children's Data: Parental consent mechanism for under-18 data

7.4

Legal and Contractual Compliance

Legal Requirements

☐

Cyber Insurance: Adequate cyber insurance coverage obtained

☐

Third-Party Contracts: Vendor contracts include security and compliance clauses

☐

Cloud Agreements: Data location, security, and audit clauses in cloud contracts

☐

Employee Agreements: Confidentiality and acceptable use policies signed

☐

Legal Retainer: Cyber law firm on retainer for incident support

7.5

Maharashtra Implementation Guide

Maharashtra-Specific Considerations

Maharashtra Cyber Coordination:

- Register with Maharashtra Cyber for local incident coordination

- Know nearest Cyber Police Station contact

- Dual reporting: CERT-In (mandatory) + Maharashtra Cyber (criminal incidents)

Local Resources:

- Maharashtra Cyber: www.maharashtracyber.gov.in

- Mumbai Cyber Crime: BKC office

- Pune Cyber Crime: Shivajinagar

IT/ITES Hub Considerations (Mumbai/Pune):

- Client contract compliance requirements

- Multi-jurisdictional compliance (India + client country)

- STPI/SEZ regulatory considerations

Compliance Area	Frequency	Responsible	Documentation
Log Review	Daily	SOC Team	Daily Report
NTP Sync Check	Weekly	IT Team	Sync Status Report
POC Contact Update	On Change	CISO/Compliance	CERT-In Registration
VAPT	Quarterly	Security Team	VAPT Report
Policy Review	Annual	Board/Management	Updated Policies
IRP Drill	Semi-Annual	SOC/All Teams	Drill Report
Compliance Audit	Annual	External Auditor	Audit Report

Key Points - Part 13.7

CERT-In Technical - NTP sync, 180-day logs, Indian jurisdiction storage, SIEM/SOC
CERT-In Administrative - POC designation, IRP documentation, staff training, 6-hour reporting
VPN/Cloud Providers - Additional KYC and 5-year retention requirements
Banking (RBI) - Board policy, CISO, SOC, VAPT, payment data localization
Capital Markets (SEBI) - Annual IT audit, SEBI reporting, BCP/DR testing
DPDPA Integration - Consent, privacy notice, data principal rights, breach notification
Legal/Contracts - Cyber insurance, vendor security clauses, employee agreements
Maharashtra - Register with Maharashtra Cyber; dual reporting for criminal incidents
Regular Reviews - Daily log review, weekly NTP check, quarterly VAPT, annual audit
Documentation - Maintain evidence of compliance for regulatory inspection