When too many people can access sensitive data, mistakes happen—a junior clerk accidentally emails customer data to the wrong person, or a disgruntled employee copies your client list before leaving. If you suffer a data breach, regulators and customers will ask why your accounts manager had access to HR salary files. A manufacturing company in Pune lost a ₹50 lakh contract when a competitor got their pricing data through an employee who had unnecessary access. Without this control, you cannot prove to audit teams (for ISO or bank compliance) that your data is properly protected.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What you would find |
|---|---|
| Absent | Any employee with a computer login can open and read shared drives, email archives, or accounting software with no restrictions. Everyone knows the same password to access the main server or shared folder. |
| Initial | Some basic passwords or user accounts exist, but there is no written list of who should access what data. The IT person gives access based on what people ask for, without checking if it matches their job role. |
| Developing | A simple spreadsheet lists job roles and what data each role needs (e.g., 'Sales staff can see customer contact info but not pricing history'). Access is set up based on this list, but no one regularly checks if the rules are being followed. |
| Defined | A formal access policy document is approved by management, and system logs show that access was set up according to the policy. Every 6 months, the IT person or manager reviews who has access and removes unnecessary permissions, with sign-offs recorded. |
| Managed | Access is automatically enforced by your systems (e.g., accounting software only shows records the user role is allowed to see). Regular automated reports show who accessed what data and when, and any unusual access is investigated. |
| Optimised | Continuous monitoring of data access with alerts for suspicious activity, automatic removal of access when employees change roles or leave, and proof that these controls are tested and working. All access changes are logged and auditable, and the system adapts based on identified risks. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple list of all job roles in your company and write down what data each role genuinely needs to do their job (e.g., 'Accounts Manager: can access invoices and bank statements'). Get the business owner or manager to approve this list. | IT person or designated manager | 2-3 days |
| 1 → 2 | Convert the role-based list into a formal access policy document. Use this to set up user accounts in your actual systems (Google Workspace, QuickBooks, file servers, etc.) so each person only sees what their role needs. Document who has access to what. | IT person with manager approval | 1-2 weeks |
| 2 → 3 | Schedule a quarterly access review meeting. Print or export the list of who has access to what, go through each person, and confirm whether they still need that access. Remove access for people who no longer need it (especially those who changed roles or left). Keep a signed record of each review. | Manager and IT person together | 2-4 weeks (1st review), then 4 hours per quarter |
| 3 → 4 | Set up automated logging or reports in your systems to show who accessed which files or records and when. Configure your software (accounting, CRM, file storage) to generate monthly reports of access activity. Review these reports for anything unusual and investigate. | IT person with software vendor support if needed | 1-2 months |
| 4 → 5 | Implement automated alerts when someone tries to access data outside their normal role (e.g., a salesman suddenly accessing payroll records). Test your access controls annually by simulating unauthorized access attempts. Update controls based on what you find and new business risks. | IT person or external cybersecurity consultant | Ongoing (1-2 hours per week for monitoring and testing) |
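A short script, added here as an illustration and not part of the NIRMATA framework or any vendor product, that carries the steps above through in code: it checks a constructed access matrix against the role policy (the quarterly review in step 2 → 3) and flags exported log entries where a user touched data outside their role or a leaver's account is still active (the alert in step 4 → 5). Every role, user, data set and log line is constructed.

```python
# Added illustration, not NIRMATA's own tooling; all names and data are constructed.
# Step 0 -> 1: which data sets each job role genuinely needs.
POLICY = {
    "accounts_manager": {"invoices", "bank_statements"},
    "sales": {"customer_contacts"},
    "hr": {"payroll", "salary_files"},
}

# Step 1 -> 2: what each user actually holds; active=False means left or changed role.
ACCESS_MATRIX = [
    {"user": "asha", "role": "accounts_manager", "active": True,
     "granted": {"invoices", "bank_statements", "salary_files"}},
    {"user": "ravi", "role": "sales", "active": True,
     "granted": {"customer_contacts"}},
    {"user": "meena", "role": "hr", "active": False,
     "granted": {"payroll", "salary_files"}},
]

# Constructed access log export, one "timestamp,user,dataset,action" per line.
LOG_LINES = """2024-03-04T09:12:00,asha,invoices,read
2024-03-04T10:05:00,ravi,payroll,read
2024-03-05T08:30:00,meena,payroll,read
2024-03-05T11:00:00,ravi,customer_contacts,read
"""

def quarterly_review(policy, matrix):
    """Step 2 -> 3: list permissions to remove. Returns (user, finding, datasets)."""
    findings = []
    for row in matrix:
        if not row["active"]:
            if row["granted"]:  # leaver or mover still holding access
                findings.append((row["user"], "inactive_user_with_access", sorted(row["granted"])))
            continue
        excess = row["granted"] - policy.get(row["role"], set())
        if excess:  # granted more than the role needs
            findings.append((row["user"], "access_beyond_role", sorted(excess)))
    return findings

def flag_out_of_role_access(policy, matrix, log_text):
    """Step 4 -> 5: alert on log entries outside the user's role or by inactive users."""
    by_user = {row["user"]: row for row in matrix}
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, dataset, _action = line.split(",")
        row = by_user.get(user)
        if row is None or not row["active"]:
            alerts.append((ts, user, dataset, "unknown_or_inactive_user"))
        elif dataset not in policy.get(row["role"], set()):
            alerts.append((ts, user, dataset, "outside_role"))
    return alerts
```

Run it against a real export by replacing the constructed matrix and log text with a CSV from your own systems; the findings list is the record to sign off at each quarterly review.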
Documents and records that prove your maturity level.
- A written access control policy signed by the business owner, listing job roles and what data each role needs
- A current access matrix or spreadsheet showing which employees have access to which systems, files, or data (updated at least quarterly)
- Signed records of quarterly or annual access reviews, showing who reviewed the access list, what was approved, and what was removed
- System reports or logs from your software (accounting, CRM, file server, email) showing who accessed what data and when
- A list of access removals (employees who left or changed roles, with dates when their access was disabled)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your access control policy and explain how it ensures each person only accesses data they need for their job?"
- "Walk me through your process for granting new access to an employee. How do you verify that the requested access matches their job role?"
- "When was the last time you reviewed who has access to your important data, and how do you document that review?"
- "Show me the logs or reports from your systems proving who accessed customer data, financial records, or product files in the last 3 months."
- "If an employee leaves or moves to a different role, how do you ensure their old access is removed? Can you show me examples?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track who has access to what in Google Workspace, Microsoft 365, or similar cloud services | Native reporting in Google Admin Console or Microsoft Entra (Azure AD) – no extra cost if you already use these services | Okta (₹2,00,000–5,00,000/year for small orgs); JumpCloud (₹1,50,000–3,00,000/year) |
| Generate reports showing file and folder access on shared drives or servers | Windows Server built-in auditing; Google Drive audit log (free in Google Workspace); Dropbox activity logs (free) | ManageEngine ADAudit Plus (₹1,50,000–4,00,000/year); Varonis (₹5,00,000+/year – enterprise level) |
| Monitor for suspicious access or unusual user behavior in real time | OSSEC (open-source, needs technical skill to set up) | CrowdStrike Falcon Identity Threat (₹3,00,000–10,00,000/year); Microsoft Defender for Identity (₹50,000–1,50,000/year as add-on) |
- Giving blanket access to 'all staff' to shared drives or accounting software 'just in case they need it later'—instead, start with zero access and add only what is needed
- Forgetting to remove access when someone leaves or changes roles, leading to former employees or people in wrong departments still accessing sensitive data
- Creating a policy on paper but not actually enforcing it in the systems—access rules exist in a document but the software is not configured to match them
- Assuming one password shared across multiple people is 'good enough'—this violates DPDP and makes it impossible to know who accessed data
- Not logging or tracking who accessed what, so if a breach happens, you cannot prove to customers or regulators that access was controlled
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (lawful purpose for processing), Article 4(12) (principle of least privilege for access control) |
| CERT-In Guidelines 2022 | Section 2.1 (Access Control and Authentication): Implement role-based access control (RBAC) |
| ISO 27001:2022 | Annex A, Control 6.2.4 (Segregation of duties) and Control 5.3.1 (Access to information and other related assets) |
| NIST CSF 2.0 | Govern (GV.AT-2, GV.AT-3): Know user identities and roles; Control, Protect (PR.AC-1, PR.AC-2): Implement access control and user account management |