NCSRC NIRMATA
AD-09 Application & Product Security 6% of OML score

Are old or unused user accounts removed or disabled in a timely manner?

Do you regularly find and remove accounts that nobody uses anymore—like a person who left the company two years ago or a temporary contractor account that's no longer needed? Old, unused accounts are like unlocked doors that hackers try because they're often forgotten and poorly monitored.

⚡ Why This Matters to Your Business

An unused account is an easy target for hackers because nobody notices suspicious activity on it. In 2023, a Delhi-based fintech firm lost ₹8 lakhs when attackers accessed a former employee's account that was never disabled and used it to transfer funds undetected. If a regulator or customer audits you and finds active accounts for people who don't work for you, you fail compliance checks and lose trust. Your data breach insurance may also refuse to pay if unused accounts were the entry point.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no list of who has access to what systems. When people leave, their accounts may or may not still work—you're not sure.

Level 1
Initial

You have a rough idea of who should have access, but you haven't formally disabled old accounts in the past year. Departed employees' Gmail or bank logins might still be active.

Level 2
Developing

You have a basic list of user accounts and you disable them when someone leaves, but there's no written process and it sometimes takes weeks. You've never actually checked if disabled accounts are truly locked.

Level 3
Defined

You have a documented process: when someone is fired or leaves, HR tells IT within 1 day and IT disables all accounts within 2 days. You do a quarterly manual review to spot any stragglers.

Level 4
Managed

You have an automated system that flags accounts inactive for 90 days, you disable them after a second notice, and you do monthly audits of all active accounts matched against your current employee list.

Level 5
Optimised

Your system automatically disables inactive accounts after 60 days, integrates with your HR system so accounts are disabled the same day someone leaves, and you have continuous monitoring that alerts you to any re-enabled accounts or unusual access patterns.

🚀 How to Move Up — Practical Steps

Step 0 → 1
  What to do: Create a simple spreadsheet listing all systems (email, accounting software, ERP, VPN, etc.) and which employees have access to each. Note the last login date if the system shows it.
  Who: IT person or office manager
  Effort: 2-3 days

Step 1 → 2
  What to do: Write a one-page checklist: when an employee leaves, disable accounts in email, accounting software, and any other business systems within 2 days. Have HR send IT a notification form when someone exits.
  Who: Owner or IT person
  Effort: 1 day

Step 2 → 3
  What to do: Create a quarterly account audit: download active user lists from each system, check them against your current employee roster, and disable any mismatches. Document the date and who approved each removal.
  Who: IT person
  Effort: 2-3 weeks to set up, then 4-6 hours per quarter

Step 3 → 4
  What to do: Set up a simple alert rule: in your accounting or email system, flag any account with no login in the past 90 days. Review flagged accounts monthly and disable those that shouldn't be active. Keep a log.
  Who: IT person, with help from the tool vendor if needed
  Effort: 3-4 weeks

Step 4 → 5
  What to do: Integrate your HR system with your identity management platform so that when HR marks someone as 'terminated', their accounts are automatically disabled across all systems within hours. Set up continuous logging to detect if anyone re-enables an account.
  Who: IT person or consultant
  Effort: 8-12 weeks depending on system complexity
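The quarterly audit (step 2 → 3) and the 90-day inactivity flag (step 3 → 4) can both be run as one reconciliation over the user exports you already download. The script below is an added example written for this guide; it is not code from the NIRMATA framework or from any of the tools named on this page. The HR roster, the system exports, the column names and the audit date are all constructed assumptions; substitute the CSV exports your own systems produce.

```python
"""Quarterly account audit: reconcile system user exports against the HR roster.

Added example, not part of the NIRMATA guide. It implements the 2 -> 3 step
(match active user lists against the employee roster) and the 3 -> 4 step
(flag accounts with no login in 90 days), and emits the kind of log line the
Evidence section asks for. All CSV data below is constructed; the column
names and system names are assumptions about what your exports contain.
"""
import csv
import io
from datetime import date, datetime

INACTIVITY_DAYS = 90            # threshold used in the guide's 3 -> 4 step
AUDIT_DATE = date(2025, 1, 15)  # fixed so the example is reproducible

# Constructed HR roster export. status is "active" or "terminated".
HR_ROSTER = """\
email,name,status,exit_date
asha@example.in,Asha Rao,active,
ravi@example.in,Ravi Mehta,terminated,2024-11-15
priya@example.in,Priya Nair,active,
"""

# Constructed user exports from two business systems.
SYSTEM_EXPORTS = {
    "email": """\
email,last_login
asha@example.in,2025-01-14
ravi@example.in,2024-11-10
priya@example.in,2024-09-01
""",
    "accounting": """\
email,last_login
asha@example.in,2025-01-10
ravi@example.in,2024-12-02
temp-contractor@example.in,2024-06-30
""",
}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def audit_accounts(roster_csv, exports, today=AUDIT_DATE, inactivity_days=INACTIVITY_DAYS):
    """Return one finding dict per problem per account per system.

    Finding kinds:
      terminated       HR says the person left, but the account still exists
      post_exit_login  the account was used after the HR exit date
      not_in_hr        no HR record at all (contractor, shared or forgotten account)
      inactive         no login for more than inactivity_days days, or never
    """
    roster = {r["email"].lower(): r for r in parse_csv(roster_csv)}
    findings = []
    for system, export_csv in exports.items():
        for row in parse_csv(export_csv):
            email = row["email"].lower()
            last_login = parse_date(row.get("last_login", ""))
            person = roster.get(email)

            def add(kind, detail):
                findings.append({"system": system, "email": email,
                                 "kind": kind, "detail": detail})

            if person is None:
                add("not_in_hr", "no HR record; confirm the owner or disable")
            elif person["status"] == "terminated":
                exit_date = parse_date(person["exit_date"])
                add("terminated", f"exit date {exit_date}; account still present")
                if last_login and exit_date and last_login > exit_date:
                    add("post_exit_login", f"last login {last_login} is after exit date")
            if last_login is None:
                add("inactive", "never logged in")
            elif (today - last_login).days > inactivity_days:
                add("inactive", f"last login {(today - last_login).days} days ago")
    return findings


def disablement_log_entry(finding, approved_by, disabled_on=AUDIT_DATE):
    """Format a finding as the kind of record the Evidence section asks for."""
    return (f"{disabled_on.strftime('%d-%b-%Y')} | {finding['system']} | {finding['email']} "
            f"| reason: {finding['kind']} ({finding['detail']}) | approved by: {approved_by}")


if __name__ == "__main__":
    for f in audit_accounts(HR_ROSTER, SYSTEM_EXPORTS):
        print(disablement_log_entry(f, approved_by="Owner"))
```

Run it and you get one line per problem: the terminated employee still present in two systems (and, in the accounting system, a login after his exit date, which is the case an auditor will ask hardest about), an active employee with no login in 136 days, and a contractor account with no HR record at all. The printed lines are already in the "date, system, account, reason, approver" shape the evidence list asks you to keep.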
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Documented user access policy or checklist showing what happens when someone leaves (e.g., 'disable within 2 days')
  • Exit checklist signed by HR and IT each time someone leaves, with dates of account disablement
  • Quarterly or monthly account audit report showing active accounts matched against current employee list, with sign-off
  • System-generated user access reports from email, accounting software, and other key systems showing last login dates
  • Log or spreadsheet of disabled/removed accounts with dates and reason (e.g., 'Employee terminated 15-Nov-2024, accounts disabled 16-Nov-2024')
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your process: if an employee is terminated today, what specific steps happen and by when are their accounts actually locked?"
  • "Show me your current user access list for your email system and your accounting software. How do you verify these people are still supposed to have access?"
  • "Can you provide a report of all user accounts that have not logged in for the past 6 months? Why are they still active?"
  • "Do you have a record of when and why each user account was removed or disabled in the past 12 months?"
  • "How do you verify that a 'disabled' account is actually disabled and cannot be used to access data?"
🛠 Tools That Work in India

Purpose: Track when employees leave and trigger account disablement notifications
  Free option: Google Sheets + email reminders (basic but manual), or local HR software like Zoho People
  Paid option: Zoho People, Keka HR (₹3,000–8,000/month depending on employee count)

Purpose: Monitor user login activity and flag inactive accounts
  Free option: Built-in features in Google Workspace Admin or Microsoft 365 admin center (included if you use these)
  Paid option: Okta or JumpCloud for centralized identity management (₹2,000–15,000/month)

Purpose: Automatically disable accounts or enforce password resets based on rules
  Free option: Active Directory (if using a Windows domain), or GitHub/GitLab if managing developer accounts
  Paid option: Okta, Azure AD Premium, or Delinea Privilege Manager (₹5,000–50,000/month depending on scale)
🛡 How This Makes You More Resilient
When you remove unused accounts promptly, hackers lose a backdoor they commonly target. Your business avoids regulatory fines and customer trust loss that come from audits discovering stale accounts. If a breach does happen, investigators will see a clean audit trail, making it easier to prove you acted responsibly and potentially reducing liability.
⚠️ Common Pitfalls in India
  • Disabling an account in email but forgetting to disable it in your accounting software, bank portal, or supplier management system—the person can still access financial data.
  • Keeping accounts 'just in case' someone comes back, leading to dozens of stale accounts. In India, with high job turnover, this accumulates fast and becomes unmanageable.
  • Assuming that a disabled password is the same as a disabled account—in some systems a disabled login still leaves API keys or single sign-on tokens working.
  • Not informing vendors and third-party service providers (cloud hosting, SaaS apps) when an employee who had access leaves, so they retain credentials.
  • Failing to document which accounts were removed and why, so during an audit or investigation, you have no proof you acted in time.
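The first and third pitfalls above (disabled in email but not in accounting; password blocked but API keys or SSO tokens still valid) are what auditor question five is probing. The check below is an added example written for this guide, not code from the framework or from any listed tool: given the identities you have recorded as disabled and inventories of the other ways an identity can still reach data, it reports every access path that is still live. The inventories, their field names and the timestamps are constructed assumptions about what your systems' admin exports contain.

```python
"""Verify that accounts marked 'disabled' really hold no residual access.

Added example, not part of the NIRMATA guide. It addresses the pitfalls that
a login can be disabled in one system while the same identity keeps API keys,
OAuth app grants, live single sign-on sessions or an enabled account in
another system. All inventories below are constructed; their shapes are
assumptions about what admin exports from your systems contain.
"""
from datetime import datetime

NOW = datetime(2025, 1, 15, 9, 0)  # fixed so the example is reproducible

# Identities that HR/IT have recorded as disabled (constructed).
DISABLED = {"ravi@example.in", "temp-contractor@example.in"}

# Constructed inventories of other access paths.
API_KEYS = [
    {"owner": "ravi@example.in", "key_id": "ak_01", "revoked": False, "expires": "2025-06-01T00:00"},
    {"owner": "asha@example.in", "key_id": "ak_02", "revoked": False, "expires": "2025-06-01T00:00"},
    {"owner": "temp-contractor@example.in", "key_id": "ak_03", "revoked": True, "expires": "2025-06-01T00:00"},
]
OAUTH_GRANTS = [
    {"user": "ravi@example.in", "app": "accounting-sync", "active": True},
    {"user": "asha@example.in", "app": "accounting-sync", "active": True},
]
SSO_SESSIONS = [
    {"user": "ravi@example.in", "session_id": "s-77", "expires": "2025-01-16T08:00"},
    {"user": "temp-contractor@example.in", "session_id": "s-12", "expires": "2024-12-01T08:00"},
]
SYSTEM_ACCOUNTS = {
    "accounting": {"ravi@example.in": "enabled", "asha@example.in": "enabled"},
    "bank_portal": {"temp-contractor@example.in": "disabled", "asha@example.in": "enabled"},
}


def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def residual_access(disabled, api_keys, grants, sessions, systems, now=NOW):
    """Return a list of {identity, path, detail} for every live access path
    still attached to a supposedly disabled identity."""
    issues = []
    # API keys: only unrevoked, unexpired keys count as live.
    for k in api_keys:
        if k["owner"] in disabled and not k["revoked"] and ts(k["expires"]) > now:
            issues.append({"identity": k["owner"], "path": "api_key",
                           "detail": f"{k['key_id']} valid until {k['expires']}"})
    # OAuth app grants survive a password disable unless explicitly revoked.
    for g in grants:
        if g["user"] in disabled and g["active"]:
            issues.append({"identity": g["user"], "path": "oauth_grant",
                           "detail": f"app {g['app']} still authorised"})
    # SSO sessions issued before the disable stay usable until they expire.
    for s in sessions:
        if s["user"] in disabled and ts(s["expires"]) > now:
            issues.append({"identity": s["user"], "path": "sso_session",
                           "detail": f"session {s['session_id']} live until {s['expires']}"})
    # Other business systems where the same identity still has an enabled account.
    for system, accounts in systems.items():
        for user, state in accounts.items():
            if user in disabled and state != "disabled":
                issues.append({"identity": user, "path": f"account:{system}",
                               "detail": f"account state is '{state}'"})
    return issues


def truly_disabled(identity, issues):
    """True only when no live access path remains for the identity."""
    return not any(i["identity"] == identity for i in issues)


if __name__ == "__main__":
    found = residual_access(DISABLED, API_KEYS, OAUTH_GRANTS, SSO_SESSIONS, SYSTEM_ACCOUNTS)
    for i in found:
        print(f"{i['identity']}: {i['path']} -> {i['detail']}")
    for who in sorted(DISABLED):
        print(f"{who}: {'truly disabled' if truly_disabled(who, found) else 'STILL HAS ACCESS'}")
```

In the constructed data the contractor comes out clean (key revoked, session expired, bank portal account disabled) while the former employee, whose email login was disabled, still has a live API key, an authorised integration, an unexpired SSO session and an enabled accounting account. That is the difference between "we disabled the password" and "we can show the auditor the account cannot reach data".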
⚖️ Compliance References

DPDP Act 2023
  Relevant section: Section 8 (privacy by design and data minimization) and Schedule II (reasonable security practices) require that access is limited to necessary individuals and promptly revoked.

CERT-In Guidelines 2022
  Relevant section: Direction 4.1 and 4.2 require periodic review of user access and timely deactivation of unused accounts.

ISO 27001:2022
  Relevant section: Annex A, A.8.2 (User registration and access provisioning) and A.8.3 (Access management) require removal of access rights when no longer needed.

NIST CSF 2.0
  Relevant section: Govern (GV) and Protect (PR) functions emphasize access control and periodic review of user rights.

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
