Security Governance Calendar
All recurring security and compliance activities at Buildwealth Technologies: meetings, training, drills, audits, and reviews. Calendar events live in Google Calendar. Evidence lives as GitHub Issues in wealthy/security.
Purpose
- Ensure IRDAI, SEBI CSCRF, CERT-In, and DPDP Act obligations are met on a recurring cadence
- Produce audit-ready evidence (MoMs, reports) for every activity
- Zero new tools: uses the Google Workspace and GitHub already deployed
Cadence Summary
Meeting vs Activity - read this before the tables below
Every row on this calendar is either a Meeting or an Activity, and the distinction matters for how much of the team's calendar gets consumed versus how much evidence is produced.
- Meeting = live human attendance with a Minutes-of-Meeting (MoM). Calendar slot booked.
- Activity = async work producing evidence (report, PDF, dashboard export, CSV, GitHub Issue body). No calendar slot required. May or may not involve a live call (usually it doesn't).
Both produce a GitHub Issue in wealthy/security as the immutable evidence hub. See “Evidence Chain” section below.
The Framework column maps each row to a control ID in the India Compliance Framework, Wealthy's consolidated register covering IRDAI Cyber Security Guidelines 2024, SEBI CSCRF Aug 2024, CERT-In Directions 2022, and DPDP Act 2023.
ID prefix key:
| Prefix | Category |
|---|---|
| G | Governance meetings |
| T | Training |
| O | Operational activities |
| D | DR & Resilience |
| A | Audit & Testing |
| C | Continuous automated |
Section A - Governance Meetings (real meetings, MoM required)
| # | Activity | Cadence | Duration | Framework | Driver |
|---|---|---|---|---|---|
| G1 | ISRMC Meeting | Quarterly | 90 min | A4 | IRDAI §1.5(II), §1.6(13) |
| G2 | IT Steering Committee (ITSC) | Quarterly | 60 min | A5 | IRDAI §1.6(14) |
| G3 | Board Cyber Review | Annual | 90 min | A13 | IRDAI §1.6(1), SEBI |
Total live meetings: 9 / year (4 ISRMC + 4 ITSC + 1 Board). All others below are activities: no live meeting required, but each produces regulatory evidence.
Section B - Regulatory Activities (async, evidence-based, no MoM required)
| # | Activity | Cadence | Meeting? | Framework | Driver |
|---|---|---|---|---|---|
| T1 | Security Training Programme (common + role tracks) | Annual + on joining (+ ad-hoc) | No - 1 live kickoff is part of the programme but the evidence is Classroom completion data, not a MoM | M4 | IRDAI, SEBI, DPDP |
| T2 | Phishing Simulation | Half-yearly (+ ad-hoc) | No - Gophish campaign run async | | IRDAI, SEBI |
| O1 | Access Review | Quarterly | No - async dashboard + signed report | C5 | IRDAI, SEBI |
| O2 | Privileged Access Verification | Weekly (automated) + monthly (human summary) | No - automated alerts + human monthly review | C4 | SEBI |
| O3 | Threat Hunting Exercise | Quarterly | No - async exercise, hypothesis + query output | J9 | SEBI |
| O4 | SOC Efficacy Review (Annexure-N) | Half-yearly | No - report generation | J1 | SEBI |
| O5 | Vendor Risk Review (feeds into ISRMC agenda) | Annual | No - async register update; reported at next ISRMC | B6 | IRDAI, SEBI (Annexure-F) |
| O6 | Cryptographic Asset Inventory Review | Annual | No - register update (post-quantum readiness) | B3 | IRDAI Control 110 |
| O7 | Data Processing Register Review | Annual | No - DPDP register update | B5 | DPDP |
| D1 | DR Drill | Half-yearly (typically 2 to 3 hours of engineered exercise, not a meeting) | No - actual drill + debrief report | I4 | IRDAI, SEBI |
| D2 | Backup Integrity Verification | Monthly (automated) + quarterly (human summary) | No - automated verification; human reviews pass/fail log | I5 | IRDAI, SEBI |
| D3 | Annual Risk Assessment Report | Annual | No - signed PDF in Security Drive, linked from a GitHub Issue | B1 (feeds from live Risk Register) | IRDAI, SEBI |
| A1 | VAPT (Grey/White box PT) | Half-yearly | No - auditor engagement, not a meeting | G1 | IRDAI Control 96 |
| A2 | Cyber Audit (external) | Annual | No - auditor engagement | G4 | IRDAI, SEBI |
| A3 | Annexure-III Submission to Insurer | Annual (within 30 days of audit) | No - regulatory submission | G6 | IRDAI §1.10 |
| A4 | ISO 27001 Surveillance (if certified) | Annual | No - external auditor engagement | G7 | conditional, only if certified |
Section C - Continuous Automated (no calendar slot; background operational activities)
| # | Activity | Framework | Implementation |
|---|---|---|---|
| C1 | Wazuh alert triage (sev 10+) | D1, F1 | custom-ai → GitHub Issue → Telegram + Slack |
| C2 | Threat intel sync (every 4 h) | D18, J8 | threatintel-sync s6 service in Wazuh manager |
| C3 | Patch management | H9 | GKE auto-upgrade + Wazuh Vulnerability Detector (servers/VMs) + Fleet posture policies (laptops: OS up-to-date, Chrome up-to-date) |
| C4 | Log retention monitoring | E1, E2, E5 | GCP Logging + CloudWatch retention policies |
| C5 | CERT-In 6-hour incident reporting | F2, L1-L20 | SOP-004 trigger, not calendar |
| C6 | DPDP 72-hour breach notification | F4 | SOP-004 trigger, not calendar |
| C7 | GCP + AWS audit log ingestion | D21 | Pub/Sub → Wazuh gcp-pubsub service; AWS wodle |
| C8 | GitHub audit log poller | D22 | Wazuh s6 service (GitHub Enterprise only) |
Governance Meetings
G1 - ISRMC (Information Security Risk Management Committee)
- Cadence: Quarterly (changed from biannual under IRDAI 2024 amendments)
- Attendees: CISO (chair), CTO, RMC representative, Independent External Expert (IEE)
- Regulatory driver: IRDAI Guidelines 1.5(II), 1.6(13)
Standard agenda:
- Review of open cyber incidents since last meeting
- Status of non-conformities from last cyber audit
- Risk register updates: top risks, treatment plan progress
- Threat landscape: CERT-In advisories, vendor notices
- VAPT findings and closure status
- Policy exception approvals (CISO-tier)
- Report to RMC on quarterly basis
Evidence: GitHub Issue with meeting:isrmc label, MoM attached, RMC brief attached.
G2 - IT Steering Committee (ITSC)
- Cadence: Quarterly
- Attendees: CTO (convener), CISO, Ops lead, Finance, Business reps
- Regulatory driver: IRDAI Guidelines 1.6(14), a new provision
Standard agenda:
- IT strategy alignment with business needs
- IT architecture and regulatory compliance posture
- SLA and SOW compliance review
- BCP and DR effectiveness
- Policyholder data protection controls
- IT procurement and SaaS subscriptions requiring CISO input
- Update for RMC and CEO
Evidence: GitHub Issue with meeting:itsc label, MoM attached, RMC/CEO brief attached.
G3 - Board Cyber Review
- Cadence: Annual
- Attendees: Board of Directors, CISO, CTO, IEE
- Regulatory driver: IRDAI Guidelines 1.6(1), Board responsibilities
Standard agenda:
- Annual cyber audit report
- Non-conformities and 12-month closure plan approval
- Cyber budget approval for next FY
- Risk appetite review
- Major incidents of the year
Evidence: Board minutes with cyber agenda item, signed closure plan.
G4 - Vendor / Third-Party Risk Review
- Cadence: Annual
- Attendees: Procurement, CISO, Legal
- Regulatory driver: IRDAI (B6), SEBI Annexure-F
Checklist per critical vendor:
- NDA current, covers privacy / security / BC
- Data elimination clause present (for CSPs)
- Subcontracting permission clause present
- SLA within regulatory requirements
- Last audit / certification reviewed
- MeitY empanelment verified (CSPs)
- STQC audit status verified (CSPs)
Evidence: GitHub Issue with meeting:vendor label, vendor register attached.
Training
T1 - Security Training Programme
One annual programme covering everyone, with a common track for all staff plus role-specific tracks bolted on for those who need them. Keeps the calendar to a single event per year instead of two separate series.
- Cadence: Annual, plus mandatory on joining, plus ad-hoc (e.g. post-incident retraining, new regulation rollout, major control change)
- Duration: 90 to 120 minutes total (45 min common + 45 to 75 min role track)
- Owner: CISO + HR
Common track (all staff):
- Phishing recognition
- Password hygiene and MFA
- Device hardening (Mac/Windows)
- Data classification and handling
- DPDP Act obligations
- Incident reporting process
- Physical security and social engineering
Role-specific tracks (attend the one that matches your role):
| Role | Track |
|---|---|
| Engineering / DevOps | Secure coding (OWASP Top 10), secrets hygiene, cloud security (GCP + AWS hardening), supply-chain / dependency scanning |
| SRE / Security | Incident-response runbook walkthrough, threat hunting, DR drill walkthrough |
| Finance / Support / Operations | Fraud scenarios, partner impersonation, social engineering variants |
| Privileged-access holders | PAM hygiene, just-in-time elevation, break-glass accounts |
Regulation: Indian regulations (IRDAI 2024, SEBI CSCRF, DPDP Act) require “regular” / “periodic” training without prescribing cadence or separating generic from role-specific. Annual + ad-hoc with role tracks satisfies all.
Evidence: Attendance list (common + role tracks), training decks, signed acknowledgment from each employee. GitHub Issue with training label plus role tag.
T2 - Phishing Simulation
- Cadence: Half-yearly, plus ad-hoc campaigns (e.g. after a real phishing incident, after a new joiner cohort, or when a new attack theme is trending)
- Duration: Asynchronous (campaign runs over 1 week)
- Owner: CISO
- Regulation: No Indian regulation prescribes a phishing-sim cadence; "regular" / "periodic" is the bar (IRDAI 2024, SEBI CSCRF, DPDP, ISO 27001 A.7.2.2). Half-yearly + ad-hoc is the chosen floor; the cadence is raised if the click rate or repeat-offender rate exceeds POL-025 targets.
Metrics tracked:
- Click rate
- Credential entry rate
- Reporting rate (a good signal: people recognizing and flagging)
Follow-up:
- Individual coaching for repeat clickers
- Awareness training content updates
- Report to ISRMC
Evidence: GitHub Issue with phishing-sim label, campaign report attached.
Operational Reviews
O1 - Quarterly Access Review
- Cadence: Quarterly
- Attendees: CISO, DevOps, HR
- Regulatory driver: IRDAI (C5), SEBI
Systems reviewed:
- GCP IAM (all projects)
- AWS IAM
- Google Workspace
- GitHub org (wealthy)
- Wazuh Dashboard
- CloudSQL
- Cloudflare
- Any new system added in the quarter
Output:
- Users to be removed (stale)
- Roles to be downgraded (over-privileged)
- Privilege escalations to review
Evidence: GitHub Issue with access-review label, CISO sign-off on actions taken.
O2 - Privileged Access Verification
- Cadence: Weekly
- Duration: 15 minutes
- Owner: CISO or on-call
- Driver: SEBI CSCRF (C4)
Simple weekly check: review the GCP and AWS IAM audit logs and confirm there were no unexpected privileged access grants in the last 7 days. Post a one-line GitHub Issue update each week.
Evidence: GitHub Issue with access-review + weekly checklist ticked.
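The weekly check above, scripted for the GCP side as an added example (this is not Wealthy's own tooling, and AWS CloudTrail would need a parallel parser). It filters Cloud Audit Log entries for SetIamPolicy calls that ADD a binding to a privileged role inside the review window, drops grants already approved in an access-review Issue, and renders the one-line Issue comment. The log entries, the approved-grants register, the privileged-role set and the fixed clock are all constructed; the `protoPayload.serviceData.policyDelta.bindingDeltas` layout is an assumption to verify against your own exported entries.

```python
"""Weekly privileged-grant check over GCP Cloud Audit Log entries.

Added example, not Wealthy's own tooling. Flags SetIamPolicy calls that ADD a
binding to a privileged role inside the review window and are not on the
approved-grants register. Sample entries are constructed; their layout follows
the protoPayload.serviceData.policyDelta.bindingDeltas shape of IAM audit
entries (an assumption to check against your own exported logs).
"""
import json
from datetime import datetime, timedelta, timezone

# Roles treated as privileged (assumed set; extend per environment)
PRIVILEGED_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

# (role, member) pairs already approved through an access-review Issue (constructed register)
APPROVED_GRANTS = {
    ("roles/editor", "serviceAccount:deploy@example-proj.iam.gserviceaccount.com"),
}

# Fixed clock so the example is deterministic; a real run uses datetime.now(timezone.utc)
NOW = datetime(2026, 4, 22, tzinfo=timezone.utc)

# Constructed sample entries, one JSON object per line
SAMPLE_LOG = """
{"timestamp": "2026-04-20T10:15:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}]}}}}
{"timestamp": "2026-04-19T08:00:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/editor", "member": "serviceAccount:deploy@example-proj.iam.gserviceaccount.com"}]}}}}
{"timestamp": "2026-04-18T09:30:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}}
{"timestamp": "2026-04-01T12:00:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:dave@example.com"}]}}}}
{"timestamp": "2026-04-21T16:45:00Z", "protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/owner", "member": "user:erin@example.com"}]}}}}
{"timestamp": "2026-04-21T17:00:00Z", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount", "resourceName": "projects/example-proj", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
"""


def parse_entries(raw):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _parse_timestamp(value):
    # Audit log timestamps are RFC 3339 with a trailing Z; fromisoformat needs an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_privileged_grants(entries, now=NOW, window_days=7):
    """Return ADD deltas on privileged roles within the window that are not pre-approved."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue  # only policy changes can grant access
        if _parse_timestamp(entry["timestamp"]) < cutoff:
            continue  # older than the review window
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD" or delta.get("role") not in PRIVILEGED_ROLES:
                continue  # removals and non-privileged roles are out of scope here
            if (delta["role"], delta["member"]) in APPROVED_GRANTS:
                continue  # already reviewed and approved
            findings.append({
                "when": entry["timestamp"],
                "resource": payload.get("resourceName", "?"),
                "granted_by": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
                "role": delta["role"],
                "member": delta["member"],
            })
    return findings


def weekly_issue_comment(findings, now=NOW):
    """One-line summary suitable for the weekly GitHub Issue update."""
    week = now.date().isoformat()
    if not findings:
        return f"Week ending {week}: no unexpected privileged grants."
    details = "; ".join(
        f"{f['role']} -> {f['member']} on {f['resource']} by {f['granted_by']} at {f['when']}"
        for f in findings
    )
    return f"Week ending {week}: {len(findings)} unexpected privileged grant(s): {details}"


if __name__ == "__main__":
    print(weekly_issue_comment(unexpected_privileged_grants(parse_entries(SAMPLE_LOG))))
```

Of the six constructed entries only the owner grant to alice is reported: the editor grant is on the approved register, the viewer grant is not privileged, the older owner grant falls outside the 7-day window, the REMOVE delta is not a grant, and the CreateServiceAccount call is not a policy change. Widening `window_days` to 30 surfaces the older grant, which is the knob the monthly human summary would turn.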
O3 - Threat Hunting Exercise
- Cadence: Quarterly
- Duration: 3 hours
- Owner: Security team
- Driver: SEBI CSCRF Annexure-N Domain 5
Structure:
- Test 1 hypothesis based on open vulnerability
- Test 1 hypothesis based on known IoC
- Test 1 hypothesis based on known TTP (IoA)
Query Wazuh, GCP, AWS, GitHub and endpoint logs. Document findings. Create new SIEM rules if gaps are identified.
Evidence: GitHub Issue with threat-hunt label, hypotheses + findings + new rules.
O4 - SOC Efficacy Review (Annexure-N)
- Cadence: Half-yearly
- Signed by: MD / CEO / Board member
- Driver: SEBI CSCRF mandatory
Full 5-domain scoring per SEBI Annexure-N:
- Asset Coverage (25%)
- SOC Operations (25%)
- Personnel Competency (20%)
- SOC Governance (15%)
- SOC Enrichments (15%)
Evidence: Signed PDF report, GitHub Issue with soc-efficacy label. Kept on file for SEBI audit.
DR & Resilience
D1 - DR Drill
- Cadence: Half-yearly
- Duration: 2 hours
- Attendees: DevOps, CTO, CISO
- Driver: IRDAI (I4), SEBI Annexure-C
Rotate scenarios:
- CloudSQL restore from backup
- Application failover to DR region
- Full region failover
- Ransomware recovery drill
Metrics captured: Actual RTO vs target, actual RPO vs target, issues encountered.
Evidence: GitHub Issue with dr-drill label, timeline + RTO/RPO achieved + CTO/CISO sign-off.
D2 - Backup Integrity Verification
- Cadence: Monthly
- Duration: 30 minutes
- Owner: DevOps
Pick one backup at random, restore it to an isolated test environment, verify data integrity and document the result.
Evidence: GitHub Issue with dr-drill label, restore test result.
Audit & Testing
A1 - VAPT (Grey/White box PT)
- Cadence: Half-yearly (changed from annual black-box under IRDAI 2024)
- Auditor: Must be CERT-In empaneled
- Driver: IRDAI (G1), updated to grey/white box half-yearly
Scope:
- Internet-facing applications
- Internal applications
- Network devices
- Cloud infrastructure
If a test environment is used instead of production, the ISRMC must approve it, and the test environment must match production in version and configuration.
Closure target: All findings closed within 12 months per IRDAI Board mandate.
Evidence: GitHub Issue with vapt label, auditor report, closure tracking against 12-month target.
A2 - Annual Cyber Audit
- Cadence: Annual
- Auditor: CERT-In empaneled
- Driver: IRDAI (G4), SEBI
Scope:
- IRDAI Cybersecurity Guidelines 2024, Annexure-III checklist
- SEBI CSCRF compliance
- ISO 27001 (if certified)
Post-audit actions:
- Board submission of findings
- 12-month closure plan approved by Board
- Annexure-III submission to Insurer/s within 30 days
Evidence: GitHub Issue with cyber-audit label, auditor report, Board resolution, closure plan.
A3 - Annexure-III Submission to Insurer
- Cadence: Annual (within 30 days of cyber audit completion)
- Driver: IRDAI (G6), new provision 2024
Document pack:
- Annexure-III completed checklist
- Board / RMC / Principal Officer comments
- CERT-In empaneled auditor report
Evidence: GitHub Issue with annexure-iii label, submission confirmation from Insurer.
Calendar Setup - Step by Step
1. Create the shared calendar
In Google Workspace Admin, go to Calendar → Create shared calendar and set:
- Name: "Wealthy Security & Compliance"
- Owner: CISO
- Write access: CISO, CTO, RMC members, Compliance Officer
- Read access: All staff (for training events only)
2. Create recurring events
For each row in the Cadence Summary table, create a recurring event. Example:
- Event name: “ISRMC Quarterly Meeting”
- Frequency: Every 3 months
- Reminder: 2 weeks before
- Description: Link to this doc + agenda template link
- Invitees: Permanent attendee list per role
3. Color coding
- Blue: Governance meetings (ISRMC, ITSC, Board, Vendor)
- Green: Training (all staff awareness, phishing sim, role-specific)
- Red: Technical (DR drills, VAPT, threat hunting)
- Orange: Operational reviews (access review, SOC efficacy)
4. Annual refresh
At year-end (December), review the calendar:
- Check all events fired on time
- Update attendee lists (role changes, new hires)
- Add any new frameworks that came into force
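Steps 2 and 3 expressed as Google Calendar API request bodies, added here as an example; this is not Wealthy's setup script. Each Cadence Summary row becomes an `events.insert` body with an iCalendar RRULE derived from the cadence wording, a 2-week email reminder and the colour from step 3. The field names are the Calendar API's; the time zone, attendee addresses, first-occurrence dates, document link and `colorId` mapping are placeholders or assumptions.

```python
"""Recurring-event bodies for the Google Calendar API events.insert call.

Added example, not Wealthy's own setup script. Turns rows of the Cadence
Summary into event resources. The field names (summary, description, start,
end, recurrence, attendees, reminders, colorId) are the Calendar API's; the
time zone, attendee addresses, start dates, document link and colorId mapping
are placeholders or assumptions to adjust for your tenant.
"""
from datetime import datetime, timedelta

# Cadence wording used in this document -> iCalendar RRULE
CADENCE_RRULE = {
    "Weekly": "RRULE:FREQ=WEEKLY",
    "Monthly": "RRULE:FREQ=MONTHLY",
    "Quarterly": "RRULE:FREQ=MONTHLY;INTERVAL=3",
    "Half-yearly": "RRULE:FREQ=MONTHLY;INTERVAL=6",
    "Annual": "RRULE:FREQ=YEARLY",
}

# Colour coding from step 3. The colorId values are assumed; confirm them with
# calendar.colors.get in your tenant before relying on them
COLOR_ID = {"governance": "9", "training": "10", "technical": "11", "operational": "6"}

TIMEZONE = "Asia/Kolkata"  # assumed; the document does not name a time zone
DOC_LINK = "https://example.invalid/security-governance-calendar"  # placeholder for this doc's URL


def build_event(name, cadence, start_iso, duration_min, attendees, category,
                reminder_days=14, description=""):
    """Return an events.insert request body for one recurring calendar row."""
    if cadence not in CADENCE_RRULE:
        raise ValueError(f"no RRULE for cadence {cadence!r}; ad-hoc events are created individually")
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(minutes=duration_min)
    return {
        "summary": name,
        "description": description or f"Agenda template and evidence rules: {DOC_LINK}",
        "start": {"dateTime": start.isoformat(), "timeZone": TIMEZONE},
        "end": {"dateTime": end.isoformat(), "timeZone": TIMEZONE},
        "recurrence": [CADENCE_RRULE[cadence]],
        "attendees": [{"email": email} for email in attendees],
        # Calendar API reminder overrides are minutes before the event start
        "reminders": {"useDefault": False,
                      "overrides": [{"method": "email", "minutes": reminder_days * 24 * 60}]},
        "colorId": COLOR_ID[category],
    }


# The three Section A meetings, with placeholder attendee addresses and first occurrences
GOVERNANCE_ROWS = [
    {"name": "ISRMC Quarterly Meeting", "cadence": "Quarterly", "start_iso": "2026-07-01T10:00",
     "duration_min": 90, "category": "governance",
     "attendees": ["ciso@example.com", "cto@example.com", "rmc@example.com", "iee@example.com"]},
    {"name": "IT Steering Committee", "cadence": "Quarterly", "start_iso": "2026-07-08T10:00",
     "duration_min": 60, "category": "governance",
     "attendees": ["cto@example.com", "ciso@example.com", "ops-lead@example.com"]},
    {"name": "Board Cyber Review", "cadence": "Annual", "start_iso": "2026-12-10T11:00",
     "duration_min": 90, "category": "governance",
     "attendees": ["board@example.com", "ciso@example.com", "cto@example.com", "iee@example.com"]},
]


def build_calendar(rows):
    """Build the request bodies for every row; rows with an ad-hoc cadence raise ValueError."""
    return [build_event(**row) for row in rows]


if __name__ == "__main__":
    import json
    for body in build_calendar(GOVERNANCE_ROWS):
        print(json.dumps(body, indent=2))
```

Each body is what `service.events().insert(calendarId=..., body=...)` expects from the Google API client; the ad-hoc cadences in Section B deliberately have no RRULE and raise, since those events are booked individually when the trigger occurs.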
Evidence Chain - Mandatory for Every Governance Activity
Rule: every governance event on this calendar produces an evidence record. No exceptions. In an audit, an activity without an evidence trail is equivalent to one that never happened.
Evidence lives as a GitHub Issue in wealthy/security using the matching template under .github/ISSUE_TEMPLATE/. The Issue is the hub: all artefacts attach to it or link from its body. The Issue stays open until the sign-off checklist is complete, then is closed and becomes immutable audit evidence (GitHub retains closed Issues indefinitely with full edit history).
Minimum evidence required for every meeting
Every meeting-type event (ISRMC, ITSC, Board, Vendor, Training, Review) MUST produce at minimum:
- Minutes of Meeting (MoM): attached to the GitHub Issue as a PDF or a Google Doc link. Includes date, attendees (names + roles), agenda, decisions, and action items with owners and deadlines.
- Attendance list: either inline in the MoM or a separate CSV/Sheet. Required for training and other attendance-gated activities.
- Artefacts discussed: PDF exports of any Sheet / Doc reviewed during the meeting (e.g. risk register snapshot, vendor register, access-review report). Attach to the Issue.
- Sign-off confirmation: last comment on the Issue from the designated reviewer (CISO / CTO / Board Chair) explicitly confirming closure.
Additional evidence (attach whatever is available)
- Meeting recordings: if Google Meet "Record meeting" is enabled, the MP4 auto-lands in Drive. Link it from the Issue body. Do NOT attach video directly (size limits); link to Drive with view permission for auditors on request.
- Screenshots β before / after states for config changes, dashboards showing metrics reviewed, etc.
- Tool exports β Wazuh alert exports, Gophish campaign CSVs, Classroom completion dashboards, access-review CSVs from IAM.
- Signed documents: any point-in-time artefact requiring sign-off (Annual Risk Assessment Report, Board resolution, closure plan, CERT-In submission receipt). Attach the PDF with signatures to the Issue (see Risk Register for the typed-name + version-history flow on Business Starter).
- External auditor reports β VAPT report, external cyber audit report, Annexure-III filing receipt.
- Communications β copies of security bulletins sent, partner notifications, customer comms.
Why GitHub Issues (not Drive folders)
- Immutable per-event audit trail: once closed, edit history is preserved
- Label + search queries make auditor evidence requests trivial (see example below)
- Cross-references (mentions of PRs, commits, other Issues) give full context
- Can be exported in bulk per label for handover
- Access-controlled (private repo): auditor gets read-only access, no risk of tampering
Labels - one per event type
| Label | Purpose | Matching template |
|---|---|---|
| meeting:isrmc | ISRMC quarterly meeting | isrmc-review.md |
| meeting:itsc | IT Steering Committee | itsc-review.md |
| meeting:board | Board cyber review | board-cyber-review.md |
| meeting:vendor | Vendor risk review | vendor-review.md |
| training | Any security training | training.md |
| phishing-sim | Phishing simulation results | phishing-sim.md |
| access-review | Quarterly / weekly access review | access-review.md |
| threat-hunt | Threat hunting exercise | threat-hunt.md |
| dr-drill | Disaster recovery drill | dr-drill.md |
| soc-efficacy | Annexure-N SOC review | annexure-n-soc-efficacy.md |
| vapt | VAPT engagement | vapt-report.md |
| cyber-audit | Annual cyber audit | cyber-audit.md |
| annexure-iii | IRDAI Annexure-III submission | annexure-iii.md |
| risk-assessment | Annual Risk Assessment Report sign-off | (to be added) |
| incident | Security incident | incident.md |
| scan-finding | Scan / CVE finding | scan-finding.md |
| threat-alert | Wazuh-triaged threat alert | threat-alert.md |
Closure checklist (every Issue)
Every Issue uses its template’s sign-off checklist. Minimum items to tick before closing:
- MoM / report attached
- Attendance list recorded (if meeting)
- Action items created as follow-up Issues (if any) and linked
- Artefacts discussed attached or linked
- Reviewer sign-off comment posted
- Next-event date scheduled (for recurring events)
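The closure checklist as an automated gate, added here as an example rather than a script from the wealthy/security repo. It parses the template's task list out of the Issue body, checks each minimum item by prefix (so template qualifiers like "(if meeting)" still match), and additionally requires that the sign-off comment comes from a designated reviewer rather than any commenter. The Issue dict and comments are constructed; the reviewer GitHub logins are assumed.

```python
"""Closure-checklist gate for evidence Issues in wealthy/security.

Added example, not a script from the repo. Reads the sign-off task list in an
Issue body plus the Issue comments and reports everything that still blocks
closure. The Issue dict is constructed; reviewer logins are assumed.
"""
import re

# Minimum items from the closure checklist; matched by prefix so template
# qualifiers such as "(if meeting)" do not break matching
REQUIRED_ITEMS = (
    "MoM / report attached",
    "Attendance list recorded",
    "Action items created as follow-up Issues",
    "Artefacts discussed attached or linked",
    "Reviewer sign-off comment posted",
    "Next-event date scheduled",
)

# GitHub logins allowed to post the closing sign-off (assumed)
DESIGNATED_REVIEWERS = {"ciso-wealthy", "cto-wealthy", "board-chair-wealthy"}

# GitHub task-list syntax: "- [ ] text" or "- [x] text"
TASK_RE = re.compile(r"^\s*[-*]\s*\[([ xX])\]\s*(.+?)\s*$", re.MULTILINE)

# Constructed Issue in the shape the gh/REST API returns, reduced to the fields used here
SAMPLE_ISSUE = {
    "number": 140,
    "labels": ["meeting:isrmc"],
    "body": """## ISRMC Q1 2026
MoM: https://docs.google.com/document/d/PLACEHOLDER-MOM-ID
Follow-ups: #142, #143

### Sign-off checklist
- [x] MoM / report attached
- [x] Attendance list recorded (if meeting)
- [x] Action items created as follow-up Issues (if any) and linked
- [x] Artefacts discussed attached or linked
- [x] Reviewer sign-off comment posted
- [ ] Next-event date scheduled (for recurring events)
""",
    "comments": [
        {"author": "devops-wealthy", "body": "Risk register snapshot attached."},
        {"author": "ciso-wealthy", "body": "Sign-off: closure confirmed, all actions tracked."},
    ],
}


def parse_task_list(body):
    """Map each task-list line to True (ticked) or False (unticked)."""
    return {text: state.lower() == "x" for state, text in TASK_RE.findall(body)}


def closure_gaps(issue):
    """Return the reasons the Issue must stay open; an empty list means ready to close."""
    gaps = []
    tasks = parse_task_list(issue.get("body", ""))
    for item in REQUIRED_ITEMS:
        matches = [t for t in tasks if t.lower().startswith(item.lower())]
        if not matches:
            gaps.append(f"checklist item missing from template: {item}")
        elif not all(tasks[t] for t in matches):
            gaps.append(f"unticked: {item}")
    # The ticked "sign-off posted" box is not enough: the comment itself must exist
    # and come from a designated reviewer, not from whoever filed the Issue
    signed = any(
        c["author"] in DESIGNATED_REVIEWERS and "sign-off" in c["body"].lower()
        for c in issue.get("comments", [])
    )
    if not signed:
        gaps.append("no sign-off comment from a designated reviewer")
    return gaps


def ready_to_close(issue):
    return not closure_gaps(issue)


if __name__ == "__main__":
    for gap in closure_gaps(SAMPLE_ISSUE) or ["ready to close"]:
        print(f"#{SAMPLE_ISSUE['number']}: {gap}")
```

Wired into a scheduled job that fetches open Issues per label via `gh api`, the same function turns the checklist into a blocking report the reviewer sees before closing, and the designated-reviewer check is what keeps a "sign-off" typed by the meeting organiser from counting as the CISO's.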
Auditor evidence query (example)
```bash
# "Show me last 4 ISRMC meetings"
gh issue list --repo wealthy/security --label meeting:isrmc --state closed --limit 4

# "Show all security training from 2026"
# GitHub search takes date comparisons or ranges, not wildcards
gh issue list --repo wealthy/security --label training --search "created:>=2026-01-01"

# "Show all DR drills"
gh issue list --repo wealthy/security --label dr-drill --state closed
```
Roles & Ownership
| Role | Owns these events |
|---|---|
| CISO | ISRMC, Access Review, Threat Hunt, SOC Efficacy, VAPT, Cyber Audit, Annexure-III, Training |
| CTO | ITSC (convener), DR Drill, Backup Verification |
| Compliance Officer | Vendor Review, Annexure-III submission, Board Cyber Review |
| DevOps Lead | Access Review (support), DR Drill (execute), Backup verification |
| HR | Training attendance tracking, New joiner onboarding training |
| Procurement | Vendor Review, NDA and contract management |
| Board / RMC / IEE | Board Cyber Review, 12-month gap closure approvals |
Framework Coverage Summary
This calendar alone closes the following regulatory obligations:
| Framework | Controls covered by this schedule |
|---|---|
| IRDAI 2024 | ISRMC quarterly (1.5), ITSC (1.6.14), CISO responsibilities (1.6.3), Board responsibilities (1.6.1), Access reviews, Annual audit, VAPT half-yearly, Annexure-III submission, DR drill, Training |
| SEBI CSCRF | SOC Efficacy (Annexure-N), Threat hunting, Access review, DR testing (Annexure-C), Vendor risk (Annexure-F), Training (Domain 3), Cyber audit |
| CERT-In | Incident reporting process testing, auditor engagement |
| DPDP Act | Security awareness training, privacy breach drills |
Related Documents
- CERT-In Compliance Policy
- Cyber Crisis Management Plan (POL-005)
- Disaster Recovery Policy (POL-012)
- Business Continuity Policy (POL-002)
- VAPT Execution SOP
- Incident Response SOP
Owner: CISO
Review cycle: Annual (or on regulatory change)
Last reviewed: 2026-04-22