Accidental exposure of customer data, employee records, or financial information can result in regulatory fines under the Digital Personal Data Protection Act 2023, loss of customer trust, and damage to your reputation. For example, a manufacturing SME in Bangalore discovered that a temporary contractor had access to the shared drive and copied the complete bill-of-materials for a product line to a competitor—a mistake that cost them ₹50 lakhs in lost contracts. Poorly organised files also make it impossible to comply with data protection audits that GST-registered or export-oriented businesses now face regularly. Without clear data organisation and access controls, you cannot prove to customers (especially large enterprises or government buyers) that their information is protected.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You walk into the office and see that almost everyone has access to every shared folder and file server. Sensitive documents like salary sheets, customer lists, and financial records sit in a central folder that any employee with network access can read, copy, or delete.
Initial
You see that basic user accounts exist and some folders have 'read-only' or 'full access' labels, but the assignment of access is ad-hoc. One person knows who should have access to what, but there is no written list and access rights have accumulated over years without review.
Developing
You find a documented list of which departments or roles can access which folders (e.g., Finance team → Finance folder, HR → Personnel folder). Access is enforced through folder permissions, but the list is not reviewed regularly and old employee accounts still have active permissions.
Defined
You see a formal access control matrix maintained quarterly that specifies which roles/individuals can access which folders and at what permission level (read, write, delete). Access is granted based on job function, and leavers are removed within a defined timeframe, typically within 1–2 weeks of departure.
Managed
You find that access is granted on a need-to-know basis with individual user approval documented. Sensitive folders (salary, customer PII, financial records) are clearly marked and encrypted; access is reviewed every quarter with sign-off from department heads and IT maintains an audit log of who accessed what file and when.
Optimised
You see a mature system where file organisation follows a defined data classification scheme (public, internal, confidential, restricted). Access is automatically provisioned based on directory service roles (LDAP/AD), re-certified every six months, and all access to sensitive data is logged and monitored in real time with alerts for anomalous access patterns.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Conduct a one-time walk-through of all shared drives and network storage. List the folders that exist, note who currently has access, and document this in a simple spreadsheet. Identify which folders contain sensitive data (salary files, customer lists, financial records, product designs). | IT Administrator or IT Owner | 1–2 days |
| 1 → 2 | Create and document a basic Access Control List (ACL) that defines which roles (e.g., Finance, HR, Sales, Operations) should have access to which folders and at what level (Read, Write, Delete). Communicate this to all staff and enforce it through folder permissions in your file server or network storage system. Do not change access retroactively for existing employees; start from new joiners. | IT Administrator with approval from department heads | 1–2 weeks |
| 2 → 3 | Implement a quarterly access review process. Assign one person (e.g., IT owner or HR) to review the access list every three months, confirm with department heads that permissions are still correct, and formally remove access for employees who have left. Document each review with a sign-off date. | IT Administrator and Department Heads | 2–4 weeks (first time); 2 hours every quarter thereafter |
| 3 → 4 | Classify all data into sensitivity levels: Public (website content), Internal (team documents), Confidential (customer data, financial records), and Restricted (passwords, admin credentials). Create separate folders for Confidential and Restricted data. Implement encryption at rest for Confidential and Restricted folders. Introduce individual-level access approval: only the department head or data owner can grant access to sensitive folders, with written approval recorded. | IT Administrator and Information Security Lead (if available) | 1–2 months |
| 4 → 5 | Implement automated access provisioning via directory services (Active Directory or similar) so access is granted based on job role, not individual request. Enable detailed access logging and monitoring for Restricted and Confidential folders. Set up automated alerts if unauthorised access is attempted or bulk file downloads occur. Conduct annual security awareness training on data classification and access discipline. | IT Administrator or outsourced IT Security Consultant | Ongoing (quarterly reviews, annual training, continuous monitoring) |
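The quarterly review in step 2 → 3 (and the phantom-access problem of disabled accounts that keep their share permissions) becomes mechanical when the rights the file server actually grants are diffed against the documented access matrix and HR's leaver list. The helper below is an added example, not part of this page or of any product it names; it parses `getfacl -pR` output from a Linux file server (the sample output, folder paths, users and groups are constructed for illustration) and applies the ACL mask so that effective rights, not nominal ones, are what gets reviewed.

```python
# Constructed output in the shape of `getfacl -pR /srv/share` (not from a real server).
SAMPLE_GETFACL = """# file: /srv/share/Finance
user::rwx
user:priya:rwx
user:ravi_contractor:r-x
group:finance:rwx
mask::rwx
other::r-x

# file: /srv/share/HR/Salary
user::rwx
user:anita:rwx
user:suresh:rwx
group:hr:r-x
mask::r-x
other::---
"""
ACCESS_MATRIX = {  # documented matrix (roadmap step 1 -> 2): folder -> (classification, approved principals)
    "/srv/share/Finance":   ("Confidential", {"group:finance", "user:priya"}),
    "/srv/share/HR/Salary": ("Restricted",   {"group:hr", "user:anita"}),
}
LEAVERS = {"ravi_contractor"}  # accounts HR reported as having left this quarter

def parse_getfacl(text):
    """Return {path: {principal: effective_perms}}; named user/group entries are limited by the ACL mask."""
    acls = {}
    for record in text.strip().split("\n\n"):  # getfacl separates files with a blank line
        header, *lines = record.splitlines()   # header is the "# file: <path>" line
        entries = dict(e.rsplit(":", 1) for e in lines if e.count(":") == 2)  # e.g. "user:priya:rwx"
        mask = entries.pop("mask:", None)
        acls[header[len("# file: "):]] = {p: "".join(c if c in mask else "-" for c in v)
                                          if mask and p.split(":")[1] else v for p, v in entries.items()}
    return acls

def review(acls, matrix, leavers):
    """Return (severity, path, principal, reason) tuples for every access that needs action."""
    findings = []
    for path, entries in acls.items():
        level, approved = matrix.get(path, ("Unclassified", set()))  # unlisted folder: nothing is approved
        for principal, perms in entries.items():
            if perms == "---" or principal in ("user:", "group:"):  # no access, or the owner entries
                continue
            if principal == "other:":
                findings.append(("HIGH", path, "other", f"{level} folder open to every account ({perms})"))
            elif principal.split(":")[1] in leavers:
                findings.append(("HIGH", path, principal, f"leaver still holds {perms} (phantom access)"))
            elif principal not in approved:
                findings.append(("MEDIUM", path, principal, f"{perms} granted but not in access matrix"))
    return findings
```

Each finding is a line for the review record: HIGH items are removed before the department head signs off, MEDIUM items are either added to the matrix with written approval or revoked.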
Documents and records that prove your maturity level.
- A documented Access Control List (ACL) or access matrix showing which roles/users have which permissions on which folders, signed off by department heads
- Records of quarterly access reviews with dates, names of reviewers, and evidence of removal of access for employees who have left (e.g., email confirmations)
- Data classification policy document that defines what is Public, Internal, Confidential, and Restricted
- Encryption configuration or audit report showing which folders containing sensitive data are encrypted
- Access request and approval forms (even simple email records) showing that access to sensitive folders was formally approved by a manager or data owner
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the current list of who has access to your shared drives and folders? Who maintains this list and when was it last reviewed?"
- "How do you ensure that when an employee leaves, their access to all folders is removed? Can you provide evidence of access removal for the last three employees who left?"
- "Are there any folders containing customer data, financial records, or salary information? How do you control access to these folders? Who can currently read or delete files in these folders?"
- "If I pick a random folder containing sensitive data, can you show me a log of who accessed it, when, and what they did? How far back does this log go?"
- "Do you classify your data by sensitivity level? How does your folder structure or access controls reflect these classifications?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Scan your network storage and document which folders exist, their current permissions, and who has access | Windows File Server built-in NTFS permissions audit (via command line: icacls.exe) or Linux 'ls -l' and 'getfacl' commands | Netwrix Auditor (approx ₹4–8 lakhs/year for SME tier) or Varonis (approx ₹8–15 lakhs/year) |
| Create and maintain an access control matrix; manage approvals and quarterly reviews | Microsoft Excel or Google Sheets with manual data entry; free alternatives: LibreOffice Calc | ServiceNow IT Service Management (approx ₹10–20 lakhs/year); Sailpoint IdentityIQ (approx ₹15–30 lakhs/year) for large enterprises |
| Encrypt sensitive folders and files to prevent unauthorised access even if permissions are bypassed | BitLocker (included in Windows Professional/Enterprise); Linux LUKS encryption; Cryptomator (cross-platform, open-source) | Tresorit (approx ₹20,000–50,000/year for team); Boxcryptor (approx ₹10,000–25,000/year) |
| Monitor and log access to sensitive files in real time to detect unusual activity | Windows Event Viewer (built-in, limited); Auditbeat by Elastic (open-source) | Splunk (approx ₹5–15 lakhs/year); Microsoft Sentinel (approx ₹80–200 per user/month on Azure) |
| Automate access provisioning and de-provisioning based on job role changes | Active Directory (Microsoft, built into Windows Server licensing) with basic role-based access; FreeIPA (open-source identity management) | Okta (approx ₹1–3 lakhs/year for SMEs); Azure AD Premium (approx ₹700–1,500 per user/year) |
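For the bulk-download alerting in roadmap step 4 → 5 (the behaviour in the bill-of-materials incident that opens this page), a minimal detector is a per-user sliding window over distinct files read from each classified folder, with a lower threshold for Restricted data. This is an added example, not code from the page or from the tools listed above; the audit records are constructed, and the `CLASSIFICATION` prefixes, thresholds and `WINDOW` are illustrative assumptions to be tuned against the file server's own access log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (timestamp, user, action, path); not real file-server logs.
T0 = datetime(2024, 3, 11, 10, 0)
SAMPLE_EVENTS = (
    # routine work: six invoices read over 35 minutes
    [(T0 + timedelta(minutes=7 * i), "priya", "READ", f"/srv/share/Finance/Invoices/INV-20{i}.pdf") for i in range(6)]
    # bulk copy: 25 distinct BOM files read in just over a minute
    + [(T0 + timedelta(seconds=3 * i), "ravi_contractor", "READ", f"/srv/share/Engineering/BOM/Line-A/part-{i:03}.xlsx") for i in range(25)]
    # a legitimate user reopening the same salary sheet repeatedly: one distinct file, no alert
    + [(T0 + timedelta(seconds=20 * i), "anita", "READ", "/srv/share/HR/Salary/Mar-2024.xlsx") for i in range(30)]
)
# Illustrative classification (roadmap step 3 -> 4): folder prefix -> (level, distinct-file threshold per WINDOW).
CLASSIFICATION = {
    "/srv/share/Engineering/BOM": ("Confidential", 20),
    "/srv/share/Finance":         ("Confidential", 20),
    "/srv/share/HR/Salary":       ("Restricted", 5),
}
WINDOW = timedelta(minutes=10)

def classify(path):
    """Return (folder_prefix, level, threshold) for a path inside a classified folder, else None."""
    for prefix, (level, threshold) in CLASSIFICATION.items():
        if path.startswith(prefix + "/"):
            return prefix, level, threshold
    return None

def detect_bulk_reads(events):
    """Alert once per (user, folder) when the distinct files that user read from the
    folder within the trailing WINDOW exceed the folder's threshold."""
    recent = defaultdict(deque)  # (user, folder) -> (timestamp, path) pairs inside WINDOW
    alerts = {}
    for ts, user, action, path in sorted(events):  # process in time order
        info = classify(path)
        if action != "READ" or info is None:
            continue
        prefix, level, threshold = info
        key = (user, prefix)
        window = recent[key]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:  # drop reads that fell out of the window
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct > threshold and key not in alerts:
            alerts[key] = (level, ts, distinct)  # level drives alert priority downstream
    return alerts
```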
- Giving everyone on the team access to all folders 'to be safe' or 'in case someone is absent'. This defeats the purpose of access controls and increases the risk of accidental or malicious data leaks. Instead, define roles and access rules up front, even if it is as simple as 'Finance team can access Finance folder' and 'Sales team can access Customer folder'.
- Setting up access permissions once at the start and then never reviewing them. Over months and years, access accumulates (people move to new roles but keep old access, former employees are never fully removed, temporary contractors are forgotten). Commit to a quarterly or biannual review, even if it takes just 2–3 hours.
- Storing all sensitive data in a single shared folder with no distinction between who should and should not see it. For example, a common mistake is keeping salary sheets in the same 'Finance' folder that the receptionist uses for invoices. Separate sensitive data into its own folder structure with stricter access controls.
- Relying on file name conventions (e.g., 'CONFIDENTIAL_CustomerList.xlsx') instead of actual technical controls. A file name is not a security control; anyone with folder access can still read and copy it. Use folder-level permissions and encryption instead.
- Not tracking access removals. When someone leaves, their user account is disabled, but their access to shares and folders is never formally removed from the access list. After a few years, dozens of inactive ex-employees still have phantom access permissions, creating an audit nightmare and potential liability.
| Standard | Relevant Section |
|---|---|
| Digital Personal Data Protection Act 2023 | Section 6 (principles of data fiduciaries) and Section 8 (reasonable security practices); Schedule 2 outlines expected safeguards including 'access control measures' for personal data |
| CERT-In Guidelines 2022 | Direction 5 (access control and credential management) and Direction 6 (data protection and encryption); specifies that organisations must implement role-based access control and limit access to sensitive data |
| ISO 27001:2022 | Annex A 6.2 (Permitted information security activities) and A 6.3 (Segregation of duties); Control A 8.2 (User registration and de-registration) and A 9.2 (User access provisioning) |
| NIST CSF 2.0 | Govern (GV.RO-02: Information and Records Management) and Protect (PR.AC-01: Inventory and management of physical and logical access points; PR.AC-03: Access enforcement) |