Cloud Security Posture Management — continuous configuration assessment
Primary statement
CSPM operates as: (1) continuous assessment of cloud configurations against benchmarks (CIS Cloud, vendor security best practices) per RBI CSF PR.26 for Maturity Level 4 banks; (2) shared responsibility model documentation per ISO 27017 CLD.6.3.1 — RACI between CSC (cloud service customer) and CSP (cloud service provider); (3) cloud security configuration baselines + drift detection (CSA CCC-01); (4) Infrastructure-as-Code review in change management (CSA CCC-01); (5) concentration risk management across cloud providers (RBI ITO.6); (6) SEBI cloud framework compliance for capital market entities (SEBI PR.14); (7) configuration management practices per NIST PR.PS-01.
Audit-fatigue payoff
A unified CSPM programme — tooling + benchmarks + drift detection + IaC review + shared responsibility documentation + concentration risk assessment — satisfies cloud-security-posture requirements across all 11 contributing frameworks. The CSPM tool configuration + benchmark coverage + findings remediation tracker is the audit-defensible evidence pack.
Strictness matrix
Scope
Scope: CSPM tooling continuously assessing cloud configurations across IaaS/PaaS for Maturity Level 4 banks. Coverage includes compute, storage, networking, IAM, encryption, logging across CSPs. The "continuously assessing" requirement is uniquely strict.
Ceiling source: rbi_csf:RBI.PR.26
Rationale: RBI CSF PR.26 specifies continuous-assessment scope most explicitly. Other frameworks address subsets or specify periodic assessment.
Threshold
Threshold for cloud change: every change to cloud workloads flows through documented change management with IaC review + configuration drift detection + automated policy enforcement. Drift outside policy triggers automatic rollback or alert.
Ceiling source: csa_ccm:CSA.CCC-01
Rationale: CSA CCC-01 specifies the most prescriptive cloud change threshold with automated policy enforcement. Manual change management without drift detection fails this threshold.
Method
Method: (1) CSPM tooling deployed across all in-scope CSPs; (2) benchmarks loaded (CIS Cloud, vendor best practices, organisation-specific tuning); (3) continuous assessment with finding generation; (4) drift detection comparing IaC source-of-truth to deployed state; (5) IaC review in change management (CSA CCC-01); (6) shared responsibility RACI documented per CSP (ISO 27017 CLD.6.3.1); (7) concentration risk assessment across CSPs (RBI ITO.6); (8) findings remediation SLA per criticality.
Ceiling source: rbi_csf:RBI.PR.26
Rationale: RBI CSF PR.26 with CSA CCC-01 is the most prescriptive method. The continuous-assessment + drift-detection combination is the audit-defensible specification.
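Added example (not from any CSPM product or the frameworks cited) of the Threshold rule and Method step (4) above: drift detection that compares an IaC source of truth with the state a collector reads back from the CSP, assigns each drift event a criticality and remediation SLA from benchmark tuning, and flags the band that must roll back rather than only alert. Resource shapes, the POLICY table and the SLA hours are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real tenant): desired state declared in
# IaC (source of truth) and what a CSPM collector read back from the CSP API.
IAC_STATE = {
    "storage/logs-bucket": {"public_access": False, "encryption": "aes256"},
    "network/sg-web": {"open_ingress_ports": ["443"]},
    "iam/role-deploy": {"mfa_required": True},
}
DEPLOYED_STATE = {
    "storage/logs-bucket": {"public_access": True, "encryption": "aes256"},
    "network/sg-web": {"open_ingress_ports": ["443", "22"]},
    "iam/role-deploy": {"mfa_required": True},
    "storage/scratch-bucket": {"public_access": False, "encryption": None},
}
# Constructed benchmark tuning: attribute -> (criticality, remediation SLA in hours).
POLICY = {"public_access": ("critical", 4), "mfa_required": ("critical", 4),
          "open_ingress_ports": ("high", 24), "encryption": ("high", 24)}
DEFAULT = ("low", 168)      # attribute with no specific benchmark rule
UNMANAGED = ("medium", 72)  # resource deployed outside the IaC pipeline

@dataclass(frozen=True)
class DriftEvent:
    resource: str
    attribute: str
    expected: object
    actual: object
    criticality: str
    sla_hours: int

def detect_drift(iac, deployed):
    """Compare declared vs deployed state; return drift events, tightest SLA first.
    List attributes compare as sets so API ordering is not drift; resources that
    exist in the cloud but not in IaC are reported on the attribute "unmanaged"."""
    events = []
    for res, declared in iac.items():
        actual = deployed.get(res, {})          # missing resource -> every attr drifts
        for attr, want in declared.items():
            got = actual.get(attr)
            same = set(want) == set(got or []) if isinstance(want, list) else want == got
            if not same:
                crit, sla = POLICY.get(attr, DEFAULT)
                events.append(DriftEvent(res, attr, want, got, crit, sla))
    for res in deployed.keys() - iac.keys():
        events.append(DriftEvent(res, "unmanaged", None, deployed[res], *UNMANAGED))
    return sorted(events, key=lambda e: e.sla_hours)

def needs_auto_rollback(events, max_hours=4):
    """Threshold check: drift in the tightest SLA band must roll back, not just alert."""
    return [e for e in events if e.sla_hours <= max_hours]
```

On the sample data this reports the now-public logs bucket (critical, 4 h, rollback), the extra open port on the security group (high, 24 h) and the scratch bucket created outside IaC (medium, 72 h), which is the data shape behind Common finding (7).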
Frequency
CSPM assessment: continuous. Benchmark refresh: per CIS Cloud / vendor advisory release. Configuration drift detection: continuous (real-time alerting). Shared responsibility review: annual + on CSP service change. Concentration risk review: annual + on material outsourcing change.
Ceiling source: rbi_csf:RBI.PR.26
Rationale: Continuous CSPM assessment is the strictest floor. RBI CSF PR.26 makes this explicit.
Evidence
Required evidence: (1) CSPM tool deployment evidence + coverage matrix per CSP; (2) benchmark configuration (CIS Cloud + vendor + custom); (3) sample CSPM findings + remediation tracking; (4) drift detection evidence with sample drift events; (5) IaC review evidence in change records; (6) shared responsibility RACI documented per CSP; (7) concentration risk assessment with diversification or risk-acceptance evidence (RBI ITO.6); (8) SEBI cloud framework compliance evidence (for capital market entities).
Ceiling source: rbi_csf:RBI.PR.26
Rationale: RBI CSF PR.26 evidence list is the most comprehensive for cloud posture. Combined with CSA CCC-01 IaC evidence and RBI ITO.6 concentration risk, the package is audit-defensible.
Auditor test pattern
Step 1: Inspect the CSPM tool deployment; verify coverage across all in-scope CSPs. Step 2: Inspect benchmark configuration; verify CIS Cloud and vendor benchmarks are loaded and current. Step 3: Sample 3 recent CSPM findings; trace to remediation. Step 4: Verify drift detection is operational — sample one drift event. Step 5: Inspect shared responsibility RACI per CSP. Step 6: Verify concentration risk assessment per RBI ITO.6. Step 7: For SEBI-regulated entities, verify SEBI cloud framework compliance evidence.
Common findings
Common 2024–26 findings: (1) CSPM deployed at one CSP with no multi-cloud coverage; (2) Benchmarks loaded but tuning is generic — no organisation-specific customisation; (3) Findings generated but no remediation SLA defined; (4) Drift detection alerts ignored, so configuration drift accumulates; (5) Shared responsibility RACI absent; the CSC assumes the CSP handles controls the CSP does not; (6) Workloads concentrated in one CSP without documented risk acceptance; (7) IaC review skipped — manual deployment bypasses the CSPM cycle.