106 hand-authored syntheses
Each synthesis represents a single operational concern, resolved across every contributing framework: it takes the strictest specification on each of five dimensions, with full source attribution.
Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
NOTE: Despite the legacy cluster name "supplier-policy", this cluster's controls primarily address the Board-approved policy framework and the derived operational controls that flow from it (authentication, access,…
Workforce security awareness, role-based training, and human-factor controls
Workforce security awareness operates as: (1) general awareness training for all personnel at induction + annual refresher (>95% completion target per SEBI CSCRF PR.5); (2) role-based training for specialised roles —…
Data classification with protection controls — DLP, masking, retention, secure disposal
Data classification operates as the foundation for data protection: (1) documented classification scheme (typical: Public / Internal / Confidential / Restricted) per SEBI CSCRF ID.6; (2) data asset register with…
Cryptographic controls, key management, and post-quantum readiness
Cryptography across the organisation operates under: (1) an approved-algorithms and key-length policy; (2) hardware security module (HSM) custody for high-value keys including payment, signing, and customer…
Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
The security policy framework operates as a Board-governed structure: (1) two DISTINCT Board-approved policies per RBI ITGRCA GV.9 — an Information Security Policy covering all information assets, and a Cyber Security…
Ransomware-resilient backup architecture
Backup of information, software, and systems shall be designed for ransomware resilience: multiple copies including at least one immutable (WORM / Object Lock) and at least one offline or air-gapped copy; encryption at…
Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
The mandatory assurance regime operates as a coordinated set of recurring controls: (1) annual third-party cyber security audit by CERT-In empanelled auditor (CERT-In Directions 5 and 19), with audit findings tracked…
Business continuity and ICT recovery readiness
ICT readiness for business continuity provides: (1) documented BCP and DR plans with explicit RTO (recovery time objective) and RPO (recovery point objective) per critical system; (2) DR site for critical systems with…
Secure configuration baselines and hardening discipline
Secure configuration baselines shall be documented for each platform class — operating system, database, application server, web server, network device, cloud service. Configurations shall be assessed against the…
Multi-regulator incident notification with coordinated submission timelines
External incident notification operates as a coordinated multi-regulator submission with the tightest concurrent clocks: CERT-In 6 hours from detection (mandatory for all in-scope incidents); RBI CIMS 6 hours initial +…
Cross-jurisdiction consumer / Data Principal rights — operational fabric
Consumer / Data Subject / Data Principal rights operate across multiple jurisdictions with overlapping but distinct specifications. The audit-defensible rights fabric provides: (1) all six core rights — access,…
Processor / service provider contract requirements across jurisdictions
Contracts with service providers / processors handling personal information shall include the mandatory contractual terms required by the applicable jurisdictions: (1) purpose limitation — processing only for the…
Comprehensive asset inventory with classification and ownership
A current inventory of ALL asset types — hardware, software, network devices, data assets, services, third-party dependencies, cryptographic assets, and intangible IT assets — shall be maintained continuously through…
Privileged access management and access rights lifecycle
Access rights — particularly privileged access — operate under: least-privilege role-based design; segregation of duties (SoD) enforcement with conflict detection; joiner-mover-leaver (JML) workflow integrated with HR…
Centralised logging with retention, tamper protection, and integrity
Logs of activities, exceptions, faults, and security events shall be: (1) produced on ALL ICT systems including servers, network devices, cloud instances, applications, databases, IoT, and OT/SCADA; (2) centrally…
Network protection — segmentation, monitoring, perimeter, and data leak prevention
Network protection operates as a layered architecture: (1) network segmentation isolating critical systems from general corporate IT, with zero-trust principles (no implicit trust between segments, identity-based…
Vulnerability management programme — discovery, prioritisation, remediation
The vulnerability management programme operates as: (1) continuous discovery across all IT systems via scheduled scanning (critical externally-facing weekly, internal monthly, code on every build) augmented by attack…
Security reporting governance — CISO, DPO, incident reporting, compliance reporting
The security reporting structure operates across: (1) CISO appointment with reporting independence — outside operational IT, direct access to Board IT Committee (SEBI GV.3 + IRDAI GV.3); (2) DPO appointment for…
Sensitive personal information — heightened protection across jurisdictions
Sensitive Personal Information (SPI) — including health data, biometrics, racial / ethnic origin, religious beliefs, sexual orientation, precise geolocation, government IDs, financial account data, and children's data…
Authentication architecture and multi-factor authentication
Authentication operates under: documented authentication policy with allowed methods and forbidden methods; multi-factor authentication (MFA) mandatory for all administrative, remote, customer-facing, and high-impact…
Incident response execution — detection through eradication, recovery, and lessons learned
IR execution operates as a documented sequence: (1) detection via monitoring and event reporting; (2) assessment and categorisation of events as incidents (ISO 27001 A.5.25); (3) response per documented procedures…
Cyber security roles, responsibilities, and authority — Board through operational team
Cyber roles and responsibilities operate as: (1) Board-level accountability for cyber risk; (2) CISO appointment with reporting line outside operational IT and direct Board IT Committee access (SEBI GV.3); (3) RACI…
Data-at-rest protection — encryption, access, processor controls
Data at rest is protected through: (1) encryption at rest using FIPS 140-2 / industry-standard algorithms; (2) access restriction per classification and least-privilege (ISO A.8.3); (3) privileged access management for…
Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
Cyber risk assessment operates as a comprehensive periodic process covering: (1) technology risks, process risks, people risks, third-party risks (SEBI ID.3); (2) post-quantum cryptography risk explicitly included…
Anti-malware protection with EDR and email/web safeguards
Anti-malware protection operates in layers: (1) endpoint anti-malware with EDR (behavioural detection beyond signatures) deployed on ALL endpoints — servers, workstations, mobile, gateways (SEBI PR.16); (2) daily…
Continuous monitoring of networks, systems, applications, and outsourced development
Continuous monitoring covers: (1) networks, systems, and applications for anomalous behaviour (ISO A.8.16) with appropriate actions evaluating potential incidents; (2) outsourced development activities — directed,…
Incident response plan preparation, independent review, and risk-response planning
IR plan preparation is the upstream stage of incident response execution: (1) plan, prepare, and communicate IR management (ISO A.5.24); (2) independent review of the security approach including people, processes, technology…
Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
Secure SDLC operates as a pipeline-integrated discipline: (1) threat modelling for material changes (SEBI PR.12); (2) secure coding training for developers; (3) SAST on every commit, DAST on every release, dependency…
Cloud Security Posture Management — continuous configuration assessment
CSPM operates as: (1) continuous assessment of cloud configurations against benchmarks (CIS Cloud, vendor security best practices) per RBI CSF PR.26 for Maturity Level 4 banks; (2) shared responsibility model…
PII principal rights — comprehensive ISO 27701-anchored programme
PII principal rights operate per ISO 27701 PIMS specifications: (1) determine information to provide to PII principals (A.1.3.1); (2) provide privacy notice at collection (A.1.3.2); (3) provide mechanism to object to…
VAPT cycle — vulnerability assessment and penetration testing programme
VAPT cycle operates as: (1) Vulnerability Assessment + Penetration Testing after every major release (SEBI PR.4 — new feature, significant change, circular implementation, infrastructure migration); (2) periodic VAPT…
Network segmentation with zero-trust principles
Network segmentation isolates critical systems from general corporate IT: (1) documented zones with controlled connections (SEBI PR.2); (2) zero-trust principles — no implicit trust between segments, identity-based…
Privacy governance — legal, regulatory, contractual, and algorithmic obligations
Privacy governance operates as: (1) identify and meet PII protection requirements per applicable laws (ISO A.5.34); (2) legal / regulatory / contractual requirements understood and managed including privacy and civil…
GDPR data subject rights — Articles 12-22 operational implementation
GDPR data subject rights operate per Articles 12-22: (1) transparent information modalities (Art. 12); (2) information at direct collection (Art. 13); (3) information at indirect collection (Art. 14); (4) right of…
Physical access controls — secure areas, entry monitoring, asset protection
Physical access operates as: (1) continuous monitoring of premises for unauthorised access (ISO A.7.4); (2) secure areas protected by entry controls and access points (ISO A.7.2); (3) physical and logical access rules…
Security Operations Centre — SIEM, EDR, forensics, MITRE-aligned detection
SOC capability operates as: (1) SIEM with correlation across log sources, MITRE ATT&CK-aligned detection rules (SEBI DE.4); (2) EDR on all endpoints with continuous behavioural monitoring + automated containment (RBI…
Data Loss Prevention — multi-channel egress protection
DLP operates across four channels: (1) endpoint DLP for sensitive data; (2) email DLP for outbound; (3) network DLP for egress; (4) cloud DLP for SaaS (SEBI PR.17). Email security additionally with SPF/DKIM/DMARC…
Secure disposal of equipment, media, and personal information
Secure disposal operates as: (1) equipment containing storage media verified for data removal or secure overwrite before disposal/re-use (ISO A.7.14); (2) separation of dev/test/prod environments prevents…
Data-in-transit protection and physical media handling
Data in transit is protected through: (1) confidentiality, integrity, and availability of data-in-transit (NIST PR.DS-02) — TLS 1.2+ minimum, TLS 1.3 preferred, with strong cipher suites; (2) backup data-in-transit…
Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
Cyber resilience metrics operate as: (1) comprehensive metrics programme reporting to Board IT Strategy Committee (RBI GV.6 for Maturity Level 4 banks); (2) defined metrics including detection MTTR, MTTD, vulnerability…
Consent management — capture, modify, withdraw across jurisdictions
Consent management operates per multi-jurisdiction requirements: (1) ISO 27701 — determine when/how consent obtained, obtain and record consent, provide mechanisms to modify or withdraw (A.1.2.3 / A.1.2.4 / A.1.3.3);…
Automated Decision-Making Technology — pre-use notice, opt-out, access rights
ADMT operates per evolving US state law: (1) CPPA Regulation § 7150 — risk assessment for high-risk processing (effective 1 Jan 2026, first attestation due 1 Apr 2028); (2) CPPA Regulation § 7200 — pre-use…
Children's privacy across US states — heightened protections
Children's privacy operates per multi-state requirements: (1) CCPA — opt-in for sale/sharing for consumers under 16 (1798.120 implications); (2) CTDPA Public Act 24-148 — children-specific amendments effective 1 Oct…
Change management — IT systems, configuration, supplier services, risk
Change management operates as a documented discipline: (1) all changes to IT systems pass through change management procedures (ISO A.8.32); (2) configuration management practices established and applied (NIST PR.PS-01…
DevSecOps maturity — security-as-code, pipeline-enforced controls, API security
DevSecOps maturity operates as: (1) security integrated across the development lifecycle with security-as-code, pipeline-enforced controls, continuous feedback loops (RBI PR.25 for Maturity Level 4 banks); (2) secure…
PCI DSS PAN protection — storage minimisation, masking, encryption
PAN (Primary Account Number) protection per PCI DSS v4.0.1: (1) storage limited to legitimate business need; SAD not retained after authorisation (PCI 3.1 + 3.3.1); (2) PAN masked when displayed — first six + last four…
PCI DSS v4.0.1 universal MFA expansion to all CDE access
PCI DSS v4.0.1 expanded MFA requirements: (1) MFA for all access into CDE (PCI 8.2); (2) MFA for ALL access into CDE — administrative AND non-administrative — regardless of access type (PCI 8.4.2, future-dated); (3)…
Software installation discipline — authorised software, configuration, source code access
Software installation operates as: (1) procedures and measures to securely manage software installation on operational systems (ISO A.8.19); (2) installation and execution of unauthorised software prevented (NIST…
Board-level IT/IT Strategy Committee with documented charter
Board IT Committee operates as: (1) Board-level IT Strategy Committee with experienced directors advising on IT strategy, governance, oversight (RBI ITGRCA GV.1); (2) Board IT Committee with documented charter,…
AI data governance — provenance, preparation, external reporting
AI data governance operates per ISO 42001 + DPDPA + emerging frameworks: (1) data provenance — tracking where each dataset came from and what has happened (creation, updates, transformations, validation, transfers,…
Data subject / Data Principal rights — operational rights mechanism
Operational mechanism providing data subjects (DPDPA Data Principals, GDPR data subjects, ISO 27701 PII principals) with rights to access, correction, erasure, grievance redressal. DPDPA Section 11 grants summary of…
PIMS context — Clauses 4-5 management system context and leadership
PIMS context per ISO 27701 Clauses 4-5: determine external/internal issues, interested parties, scope, role determination (controller/processor/joint), leadership commitment, roles assignment. DPDPA grievance redressal…
AI post-deployment monitoring and incident response
AI post-deployment monitoring operates per NIST AI RMF MANAGE-4.1 (capturing user/AI actor input, evaluating system performance, drift detection) + MANAGE-2.3 (procedures for previously-unknown risks) + MEASURE-2.7…
GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
GDPR Article 35 DPIA for high-risk processing + Article 36 prior consultation. DPDPA Rule 13(2) annual SDF DPIA. CCPA Reg 7150 risk assessment. MODPA data protection assessment. EU AI Act Article 27 FRIA. The DPIA is…
Universal Opt-Out Mechanism (UOOM) / Global Privacy Control honour across US states
Universal Opt-Out Mechanism honour required by CO (Jul 2024) + CT (Jul 2024) + OR (Jul 2024) + TX (Jul 2024 — opt-in by Jan 2025). California per Reg 7025. UOOM is the browser/device-level signal that consumers express…
Cloud data privacy lifecycle — CSA CCM v4 DSP control family
Cloud data privacy lifecycle per CSA CCM v4 DSP series: policy + data flow mapping + automated sensitive data discovery + classification + DLP. Layered with GDPR + DPDPA + ISO 27701 + MHMDA + MODPA. Integrated approach…
Forensic capability and evidence collection
Forensic capability — internal team OR CERT-In empanelled external vendor on retainer (SEBI RS.3 + RBI RS.3). Chain-of-custody preserved. ISO A.5.28 evidence collection procedure. SEBI CSCRF DE.3 log collection…
Event-to-incident categorisation and assessment
Event assessment: ISO A.5.25 assess events and decide if categorised as incidents. ISO A.8.15 logs analysed. NIST CSF event analysis + supply chain risk integration. NIS2 incident reporting. NIST 800-53 IR-4 incident…
AI incident reporting — serious incidents to authorities
AI incident reporting per EU AI Act Article 73 (serious incidents — 15 days general / 2 days fundamental-rights infringement / 10 days for fatality) + Article 52 GPAI systemic risk notification + DPDPA Section 8 breach…
Cloud Identity and Access Management — federation, vulnerability testing, monitoring
Cloud IAM operates as ISO 27001 A.5.23 cloud services management + CSA TVM-03 cloud penetration testing + CSA LOG-04 cloud-specific detections + CSA LOG-01 cloud logging coverage + ISO 27017 CLD.9.5.1 tenant isolation.…
India-specific AI risk classification reflecting societal context
MeitY AIGG2025.4 India-specific AI risk classification reflecting societal harms in Indian context (caste, linguistic, religious diversity, demographic patterns). ISO 42001 A.6.1.2 responsible-development objectives.…
Zero Trust Architecture — never trust, always verify
Zero Trust Architecture per RBI CSF PR.23 (Maturity Level 4) for sensitive access: payment systems, customer data, privileged operations. SEBI CSCRF PR.7 + RBI CSF PR.3 privileged access management with just-in-time,…
Processor (PII Processor) obligations — ISO 27701 controller relationship
Processor obligations per ISO 27701 A.2.x: written contract (A.1.2.7 + A.2.2.1) + processor own-purposes restriction (A.2.2.2) + infringing instruction notification (A.2.2.4) + customer obligations support (A.2.2.5).…
PCI DSS v4.0.1 customised approach with targeted risk analysis
PCI DSS v4.0.1 customised approach, with PCI 3.5.1.1 (keyed hash with full PAN coverage) as the example. The customised approach allows entities to design their own controls meeting the objective via documented Targeted Risk Analysis…
PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach
PCI DSS v4.0.1 TRA per PCI 12.3 (annual risk assessment) + 12.3.1 (frequency-based controls TRA — for requirements like 5.2.3.1, 7.2.5.1, 8.6.3) + 12.3.2 (customised approach TRA). The TRA is the risk-based document…
Multi-factor authentication — universal MFA across access types
MFA per CSA IAM-14 (cloud — all human, console, CLI, API), PCI 8.4.2 + 8.5.1 (universal CDE MFA, replay-resistant, non-bypassable, ≥2 categories), ISO 27001 A.5.16 + A.5.17 + A.8.5 identity and authentication…
Data Protection Impact Assessment / risk assessment for high-risk processing
Impact assessment for high-risk processing: GDPR Art 35 + 36 + CCPA Reg 7150 (effective Jan 2026, attestation Apr 2028) + MODPA 14-4607 + EU AI Act Art 27 FRIA + CSA cloud + ISO 42001 AI impact. A unified…
Logical and physical access restriction — least privilege baseline
Access restriction per ISO A.8.3 (information access restriction) + A.8.5 (secure authentication) + A.8.4 (source code access) + SOC 2 CC6.1 (logical and physical) + CC6.6 (communications channel boundary) + IRDAI…
CISO role — independence, authority, Board access
CISO role per SEBI GV.3 (independence from operational IT, direct Board IT Committee access), RBI CSF (cyber security policy ownership), IRDAI (sector-specific), MeitY CSP, NCIIPC. The CISO is the operational anchor…
AI system impact assessment (AISIA / FRIA / DPIA convergence)
AI impact assessment per ISO 42001 Clause 6 (AI risk assessment) + Clause 8 (operational planning) + EU AI Act Art 27 FRIA + DPDPA SDF DPIA + NIST AI RMF MAP + MeitY. Convergent artifact covering AI-specific risks…
Responsible AI use — operational guardrails
Responsible AI use per ISO 42001 A.9.2 (processes for responsible use) + A.9.3 (objectives) + DPDPA purpose limitation + accuracy + retention cap + MeitY + EU AI Act + NIST AI RMF MANAGE. Acceptable-use boundaries,…
SDF algorithmic due diligence and traffic-data localisation
SDF algorithmic due diligence per DPDPA Rule 13(3): SDFs must verify technical measures including algorithmic software are not likely to pose risk to Section 8/9 obligations. Rule 13(4) — traffic-data localisation for…
Cloud shared responsibility — CSC/CSP RACI
Cloud shared responsibility per CSA GRC-06 (governance responsibility model) + CSA HRS-05 (cloud awareness training) + CSA IAM-11 (CSC privileged access compliance) + ISO 27017 + SOC 2 CC1.2/CC1.3 (organisational…
Processing integrity — change management, redundancy, clock synchronisation, storage integrity
Processing integrity per ISO A.8.32 change management + A.8.17 clock synchronisation + A.8.14 redundancy + SOC 2 PI1.5.a/b storage integrity + NIST CSF + ISO 42001. The integrity of inputs / processing / outputs /…
AI principles — Seven Sutras + ISO 42001 + NIST + EU AI Act literacy
Foundational AI principles: MeitY AIGG2025.3 Seven Sutras (Trust, Inclusion, Transparency, Accountability, Safety, Innovation, Sustainable Growth) + ISO 42001 A.2.2 AI policy + A.2.3 alignment with other policies +…
AI-generated content provenance — C2PA, watermarking, SGI
AI content provenance per MeitY AIGG2025.11 (C2PA-aligned provenance) + ITR2026.1 + ITR2026.3 (SGI identification and watermarking for significant intermediaries) + NIST GenAI Profile MS-6 (information integrity,…
PCI DSS e-skimming protection — payment page script integrity
PCI DSS v4.0.1 6.4.3 e-skimming protection — manage payment page scripts, integrity-check, alert on unauthorised modification + 11.6.1 detection mechanism. CSA AIS-04 DAST + AIS-06 automated secure deployment + SOC 2…
AI governance lifecycle — GOVERN function and inventory
AI governance lifecycle per NIST AI RMF GOVERN-1 (policies, processes, procedures across MAP/MEASURE/MANAGE) + GOVERN-1.1 (legal/regulatory) + GOVERN-1.4 (risk management process) + GOVERN-1.5 (ongoing monitoring) +…
GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
GDPR Art 33 supervisory authority notification within 72 hours + Art 34 communication to data subjects without undue delay when likely to result in high risk to rights and freedoms. DPDPA Section 8 + Rule 7 two-stage…
GDPR accountability principle — Art 5(2) demonstrate compliance
GDPR accountability principle Art 5(2): controller responsible for AND able to demonstrate compliance with Article 5(1) principles. Art 24 appropriate measures + Art 25 data protection by design and by default + Art 30…
Cross-jurisdiction breach notification timelines
Cross-jurisdiction breach notification timelines: GDPR 72h (Art 33) + DPDPA 72h detailed (Rule 7) + CERT-In 6h (Direction 70B) + RBI CIMS 6h + SEBI per CSCRF + IRDAI 24h + CCPA + NIS2. Multi-regulator simultaneous…
Consumer / Data Subject / Data Principal rights response SLA
Rights response SLA across jurisdictions: GDPR Art 12(3) one month (extendable by two for complex) + CCPA 1798.130 45 days + DPDPA Rule (forthcoming, expect 30-90 days) + VCDPA 45 days + CSA. SLA tracking, identity…
Encryption at rest — sensitive data and key management
Encryption at rest per PCI 3.5.1 PAN rendered unreadable + PCI 3.6.1 key management + CSA CEK-07 cloud data stores with CMK/BYOK + CSA CEK-10 FIPS 140-3 validated key generation + ISO A.8.24 cryptography rules + GDPR…
AI policy and AIMS leadership commitment
AI policy per ISO 42001 Clauses 5 + 7 + A.2.4 (review) + EU AI Act Article 53 (GPAI obligations including technical documentation) + MeitY AIGG2025.14 (regulatory sandbox participation for high-risk and novel AI) +…
AI transparency — fairness, explainability, deep fake disclosure
AI transparency per ISO 42001 A.6.1.2 (responsible-development objectives — fairness, transparency, robustness, privacy, safety) + A.5.4 (impact on individuals/groups) + EU AI Act Article 8 + Article 50.4 (deep fake…
AI resource inventory — data, tooling, systems, people across AI lifecycle
AI resource inventory per ISO 42001 A.4.2 + Clauses 5 + 7 + EU AI Act Article 17 QMS + CERT-In + NIST AI RMF GOVERN-1.6. The inventory is the operational foundation for AI governance — without it, governance is…
AI content labelling — testing consent, deep fakes, SGI, deployer notices
AI content labelling per EU AI Act Article 61 (informed consent for real-world testing) + Article 50.4 (deep fake disclosure) + Article 53 (GPAI technical documentation) + MeitY ITR2026.1 (SGI identification) +…
Personal data erasure — trigger-driven with propagation
Personal data erasure per DPDPA Section 6 + DPDP.6 (consent withdrawal / purpose expiry / specified retention end) + ISO A.8.11 masking + A.8.12 DLP + A.7.14 secure disposal + ISO 27701 + SOC 2 P4.3. Erasure must…
Data localisation — DPDPA SDF traffic data + sectoral requirements
Data localisation per DPDPA Rule 13(4) SDF traffic-data localisation + RBI payment data localisation + CERT-In log retention in India + ISO 27018 PII transfer + RBI CSF cyber range. Sectoral localisation layered on top…
Cloud cryptographic key management — CMK/BYOK/HYOK
Cloud key management per ISO A.8.24 + A.5.23 + ISO 27017 + SEBI cloud + DPDPA. CMK/BYOK/HYOK for cloud-stored sensitive data. Key custody segregation between cloud provider and customer.
PIMS cross-border PII transfers
PIMS transfers per ISO 27701 A.1.5.1 + A.1.5.2 + A.2.5.1 + A.2.5.2 + DPDPA notice (DPDP.16) + GDPR + CSA. PIMS transfer controls layered with regulatory addenda.
GDPR Articles 44-49 international transfers
GDPR transfers Arts 44-49: general principle (44) + adequacy (45) + appropriate safeguards SCCs/BCRs (46) + BCRs intra-group (47) + derogations (49). Plus DPDPA + ISO 27701 + CSA. Post-Schrems II transfer impact…
AI roles and responsibilities across the lifecycle
AI roles per ISO 42001 Clause 4 + A.4.6 (human resources) + A.3.2 (AI roles). Define accountable and responsible across AI lifecycle — developers, operators, deployers, oversight, risk management. EU AI Act + NIST AI…
AI lifecycle — policies, safety mindset, environmental impact
AI lifecycle per NIST AI RMF GOVERN-4.1 (critical-thinking + safety-first mindset) + GOVERN-2.1 (roles across lifecycle and actor types) + GenAI MG-1 (environmental impact) + EU AI Act + ISO 42001.
AI supplier management — third-party AI systems and components
AI supplier management per ISO 42001 A.3.2 + Clauses 5 + 9 + EU AI Act Art 99 penalty awareness + Art 9 risk management for HRAIS providers + NIST AI RMF. Supply chain AI risks — purchased models, third-party SaaS, API…
AI risk classification — EU AI Act high-risk + GPAI + NIST risks
AI risk classification per EU AI Act Art 6 high-risk + Art 7 Annex III dynamic amendments + Art 51 GPAI systemic risk + NIST AI RMF MEASURE-3 risk tracking + MEASURE-2.8 transparency/accountability + MeitY.
Cloud network security — remote access, vulnerability scanning, monitoring
Cloud network per CSA UEM-03 (remote access — MFA + encrypted connections) + TVM-02 (continuous or weekly IaaS scanning + 24h new deployment) + LOG-07 (logging scope including network flows) + ISO 27017 CLD.NET.1…
General-Purpose AI model provider obligations
GPAI obligations per EU AI Act Article 53 (technical documentation, downstream provider info, copyright/TDM, training data summary) + Article 54 (authorised representative for third-country providers) + Article 55…
AI conformity assessment, EU database registration, regulatory sandbox
AI conformity per EU AI Act Article 49 (EU database registration for HRAIS prior to market placement) + Article 57 (regulatory sandboxes — national competent authorities) + Article 62 (SME / mid-cap / start-up support)…
Data broker registration and obligations (US states)
Data broker registration per CCPA California Delete Act SB 362 (registration with CPPA + DROP one-stop deletion mechanism by Aug 2026) + Texas TDPSA broker provisions + Oregon OCPA data broker registration. Data…
Cloud supply chain transparency — STA control family
Cloud supply chain per CSA STA-01 (CSP transparency review — subprocessors, locations, certifications) + STA-02 (multi-tenant isolation verification) + STA-03 (third-party cloud security compliance) + STA-04 (audit…
EU AI Act prohibited practices + India AI capacity building
EU AI Act Article 5 prohibited practices (eight categories + Dec 2026 addition for nudifier/CSAM) + Article 2 jurisdictional scope + Article 10 data and data governance for HRAIS. Plus India MeitY AIGG2025.13 capacity…
Cloud cryptography and key management — CSA CEK control family
Cloud cryptography per CSA CEK-01 (policy) + CEK-02 (FIPS 140-2/3 key generation) + CEK-03 (purpose-specific keys) + CEK-04 (rotation schedules — DEKs ≤1 year, TLS ≤1 year/2 max) + CEK-05 (revocation and destruction).…
Cloud IAM complete — CSA IAM control family
Cloud IAM per CSA IAM-01 (least-privilege via RBAC, JIT elevation, named roles) + IAM-02 (privileged access — standing-zero policy, session recording) + IAM-03 (federation — Azure AD/Okta with SAML/OIDC, local accounts…
Cloud logging and monitoring — CSA LOG control family
Cloud logging per CSA LOG-01 (control plane + data plane + network + application logs) + LOG-02 (tamper-evident storage + retention per regulatory floor — 180 days CERT-In) + LOG-03 (continuous automated alerting +…
Cloud-accessed endpoint management — CSA UEM control family
Endpoint management for cloud access per CSA UEM-01 (MDM/UEM enrolment + conditional access by posture) + UEM-02 (mobile device policy) + UEM-03 (remote access security — MFA + VPN/ZTNA) + UEM-04 (EDR for…