APS-06 · Infrastructure Security · 12% of OML score

Are user accounts removed or disabled when employees leave or change roles?

When someone leaves your company or moves to a different job, do you immediately turn off their access to all systems and applications? This question asks whether you have a process to stop former or reassigned employees from logging in anywhere they used to work.

⚡
Why This Matters to Your Business

If you don't disable old accounts, departed employees or those moved to new roles can still reach sensitive customer data, financial records, or intellectual property. A disgruntled ex-employee from your accounts team could log in to your banking portal and transfer funds; a salesperson moved to HR could still see customer lists and pass them to competitors. In India, RBI has issued warnings about insider threats in fintech and banking, and companies have faced penalties for data breaches traced back to unused accounts. Without this control, you risk regulatory fines under the DPDP Act, customer loss after a data breach, and audit failure.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no formal process—when someone leaves, you might remember to ask IT to disable them, or you might not. You don't have a list of active employees or their system access, and you cannot easily say who should have access to what.

Level 1
Initial

You have a basic exit checklist that IT follows when told someone is leaving, but there is no formal notification process from HR to IT, so sometimes accounts sit active for weeks. You have no regular audit of active accounts against the current employee list.

Level 2
Developing

HR sends IT a formal exit list weekly with names and last days, and IT disables all known accounts on or within 2 days of the exit date. You maintain a spreadsheet of who has access to which systems, but it is not always current and you do not regularly verify it.

Level 3
Defined

You have a documented exit process: HR notifies IT at the time of resignation or role change, IT disables accounts on the last day, and you do a monthly reconciliation between active employee list and active system accounts to catch orphaned accounts. You have documented sign-off that access has been removed.

Level 4
Managed

Your process is automated or semi-automated: HR system feeds employee status changes to IT system or ticketing tool, accounts are automatically flagged for disabling on exit date, and you perform a quarterly risk-based audit of high-risk systems (banking, customer data, email). You have audit logs showing when each account was disabled.

Level 5
Optimised

Access removal is integrated into your identity management system: role changes or termination automatically trigger account disabling in real time across all connected applications, you continuously monitor for anomalous access from disabled accounts, and you conduct monthly automated reports of account status vs. employee status with zero tolerance for mismatches. Audits are independent and quarterly.

🚀
How to Move Up — Practical Steps
Step 0 → 1
  What to do: Create a simple written exit checklist (1 page) listing all systems where your company has user accounts (email, accounting software, CRM, banking portal, cloud storage, etc.). Make HR responsible for sending this checklist to IT whenever someone resigns or is terminated.
  Who: IT Lead / HR Manager
  Effort: 1 day

Step 1 → 2
  What to do: Create and maintain a spreadsheet of all employees (name, role, start date, email) and cross-reference it with a list of active accounts in each system. Every month, compare the two lists and disable any account for someone no longer in that role or no longer employed. Document who disabled each account and when.
  Who: IT Lead
  Effort: 1 week to set up; 2 hours/month to maintain

Step 2 → 3
  What to do: Formalize the exit process in a documented policy. Define: (1) who must notify whom when an employee leaves or changes role (e.g., manager tells HR, HR tells IT within 24 hours), (2) which systems must be checked, (3) when access must be removed (same day or next business day), (4) sign-off that disabling is complete. Have HR and IT jointly review and sign this policy.
  Who: IT Lead / HR Manager / Compliance Lead (if exists)
  Effort: 2–4 weeks (includes review and testing)

Step 3 → 4
  What to do: Implement a simple ticketing or task system (e.g., Google Forms, Zoho Desk free tier) so HR submits exit requests and IT tracks completion. Add a quarterly audit task: download active user lists from each critical system (email, accounting, CRM, banking) and verify every account belongs to a current employee in that role. Report any mismatches to management.
  Who: IT Lead / System Administrator
  Effort: 1–2 months (includes setup, staff training, first audit cycle)

Step 4 → 5
  What to do: If budget allows, migrate to an identity management tool (even a basic one like Okta or JumpCloud free tier) that can sync your employee list and automatically disable accounts when an employee is marked as 'terminated' in the HR system. Set up monthly automated audit reports and integrate anomaly detection (e.g., alerts if a disabled account logs in). Conduct a quarterly independent audit of access controls.
  Who: IT Lead / External consultant (1–2 weeks)
  Effort: Ongoing (automation reduces monthly effort to <4 hours)
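A worked version of the reconciliation described in steps 1 → 2 and 3 → 4, added here as an example (it is not part of the NIRMATA guide or of any vendor tool). It takes the HR roster and each system's active-user export as CSV text, applies a small access matrix of which roles may hold an account in which system, and reports orphaned accounts, accounts of terminated staff (noting any login after the last day), and accounts whose holder has moved to a role that should not have them. The CSV samples, column names, system names and the access matrix are constructed assumptions; replace them with your own exports.

```python
"""Reconcile the HR roster against per-system user exports.

Added example, not part of the NIRMATA guide: all data below is constructed.
Real inputs are the CSV downloads from each admin panel and the HR roster.
Column names are assumptions; adjust them to what your exports contain.
"""
import csv
import io
from datetime import date

# Constructed HR roster (email, role, status, last day for leavers).
HR_ROSTER = """\
email,name,role,status,last_day
asha@example.in,Asha Rao,Accounts,active,
ravi@example.in,Ravi Kumar,Sales,active,
meena@example.in,Meena Iyer,HR,active,
vikram@example.in,Vikram Singh,Accounts,terminated,2024-05-31
"""

# Constructed per-system exports, keyed by system name.
SYSTEM_EXPORTS = {
    "banking_portal": """\
username,enabled,last_login
asha@example.in,true,2024-06-10
vikram@example.in,true,2024-06-02
""",
    "crm": """\
username,enabled,last_login
ravi@example.in,true,2024-06-11
meena@example.in,true,2024-06-03
contractor99@example.in,true,2024-01-15
""",
}

# Access matrix (assumption): which roles may hold an account in each system.
ACCESS_MATRIX = {
    "banking_portal": {"Accounts"},
    "crm": {"Sales"},
}


def load_csv(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, system_exports, access_matrix):
    """Return findings as (system, account, reason) tuples.

    A finding is raised when an enabled account has no HR record, belongs to a
    terminated employee (noting any login after the last day), or belongs to a
    current employee whose role is not permitted on that system.
    """
    people = {row["email"].strip().lower(): row for row in load_csv(hr_csv)}
    findings = []
    for system, export in system_exports.items():
        allowed_roles = access_matrix.get(system, set())
        for acct in load_csv(export):
            if acct["enabled"].strip().lower() != "true":
                continue  # disabled accounts are out of scope for this check
            user = acct["username"].strip().lower()
            person = people.get(user)
            if person is None:
                findings.append((system, user, "no matching employee in HR roster"))
            elif person["status"] != "active":
                last_day = date.fromisoformat(person["last_day"])
                reason = f"employee terminated on {last_day}"
                last_login = acct.get("last_login", "").strip()
                if last_login and date.fromisoformat(last_login) > last_day:
                    reason += f"; logged in on {last_login} after exit"
                findings.append((system, user, reason))
            elif person["role"] not in allowed_roles:
                findings.append((system, user, f"role {person['role']} not permitted on {system}"))
    return findings


def report(findings):
    """Render findings as lines for the monthly reconciliation record."""
    return [f"{system}: {account}: {reason}" for system, account, reason in findings]


if __name__ == "__main__":
    for line in report(reconcile(HR_ROSTER, SYSTEM_EXPORTS, ACCESS_MATRIX)):
        print(line)
```

Run it monthly, file the printed lines as the reconciliation report, and treat every "no matching employee" line as something that needs a named owner: vendor, contractor and service accounts are exactly the ones that outlive the person who requested them.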
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Documented exit process or policy (signed by HR, IT, and management) that defines who notifies whom, by when, and which systems must be checked
  • Exit checklist or form completed and filed for each employee who left in the past 12 months, showing date of termination and account removal sign-offs
  • Monthly or quarterly reconciliation report comparing active employee list (from HR) against active user accounts in each critical system (email, accounting software, CRM, banking portal, VPN, cloud storage), with evidence that mismatches were investigated and resolved
  • Audit log or report from each system showing when user accounts were created and disabled, or export of active user list with last login date (if available)
  • Signed management approval or review of access audit findings, showing leadership is aware of and accountable for this control
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your process when an employee resigns. Who tells IT, how, and within how many hours are their accounts disabled?"
  • "Can you show me the list of all users with active access to your banking portal, CRM, and customer database, and confirm that every person on that list is a current employee authorized to use that system?"
  • "In the last 12 months, did any employee access a system after their termination date or after moving to a role that should not have access to that system? How did you detect or prevent this?"
  • "Do you have a regular audit (monthly, quarterly) that compares your employee roster against active accounts in your critical systems? Show me the last audit and any remediation taken."
🛠
Tools That Work in India
Purpose: Track and manage the employee onboarding and exit process with automated notifications to IT
  Free option: Google Forms + Google Sheets (manual but free); Zoho Recruit (free tier, limited)
  Paid option: Zoho People (₹2,500–5,000/month); BambooHR (₹7,000–15,000/month)

Purpose: Centralized identity and access management to sync employees with systems and auto-disable accounts
  Free option: Keycloak (open source, self-hosted); Okta free tier (up to 100 users)
  Paid option: Okta (₹4,000–8,000/user/year); JumpCloud (₹3,000–6,000/user/year); Microsoft Entra ID (₹1,000–2,500/user/month with Office 365)

Purpose: Generate and audit user access reports across multiple systems to detect orphaned or unauthorized accounts
  Free option: Built-in admin panels of email (Gmail, Outlook) and accounting software (Zoho Books); Microsoft 365 admin center (free with license)
  Paid option: Varonis (₹10,00,000+/year, for large enterprises); SailPoint (enterprise pricing); custom audit scripts via consultants (₹50,000–2,00,000 one-time)
🛡
How This Makes You More Resilient
With this control in place, you dramatically reduce the risk that departing or reassigned employees will steal data, sabotage systems, or engage in fraud using old credentials. You also simplify regulatory compliance when you're audited (DPDP, RBI, or customer security assessments), because you can prove that access is granted only to current, authorized personnel. In the event of a security incident, you have clearer logs and fewer suspicious access points to investigate.
⚠️
Common Pitfalls in India
  • HR forgets to notify IT, or notifies IT verbally without a paper trail—weeks later, the old account is still active. Use a formal exit checklist or ticketing system with email confirmation.
  • You disable email but forget about banking portal, CRM, or cloud drive access—the ex-employee still has sensitive access elsewhere. Maintain a checklist of all systems and verify all are disabled before closing the exit ticket. If the person knew any shared password (banking portal, social media, an admin console), rotate it as part of the same ticket.
  • You mark the account 'inactive' but never confirm what that means in that system: sessions, API keys, app passwords or SSH keys issued before the change may keep working, and an account that is merely disabled can be re-enabled by mistake. Test that a disabled account really cannot log in, revoke its active sessions and tokens in the same step, and archive or delete rather than just deactivate where the system allows it.
  • You have no list of who has access to what, so when someone leaves, you guess at which systems to check and miss some. Create and maintain a system access matrix (even a simple spreadsheet) showing which roles have access to which systems.
  • You do an exit check at the time of resignation but do not audit afterward—orphaned accounts pile up. Schedule a monthly or quarterly audit to catch any disabled accounts that somehow got re-enabled or slipped through the cracks.
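A small detector for the two failure modes just described (a disabled account quietly re-enabled, and a login by someone who has left) and for the Level 5 requirement to monitor access from disabled accounts, added here as an example that is not part of the NIRMATA guide. It reads one JSON object per line, the shape many identity-provider and SaaS audit exports take; the field names, event names and the sample lines are constructed assumptions, so map them to your own system's export before use.

```python
"""Flag logins by accounts that should be disabled, and accidental re-enables.

Added example, not part of the NIRMATA guide. Input is one JSON object per
line, as many identity-provider and SaaS audit exports provide; the field and
event names, and the sample lines, are constructed assumptions.
"""
import json
from datetime import datetime

# Constructed audit log: vikram left on 2024-05-31 and was disabled, then a
# helpdesk ticket re-enabled the account and a login followed.
SAMPLE_LOG = """\
{"ts": "2024-05-31T12:00:00Z", "event": "user.disable", "target": "vikram@example.in", "actor": "it-admin@example.in"}
{"ts": "2024-06-01T09:12:00Z", "event": "login.failure", "target": "vikram@example.in", "actor": "vikram@example.in", "src": "203.0.113.5"}
{"ts": "2024-06-02T18:40:00Z", "event": "user.enable", "target": "vikram@example.in", "actor": "helpdesk@example.in"}
{"ts": "2024-06-02T18:45:00Z", "event": "login.success", "target": "vikram@example.in", "actor": "vikram@example.in", "src": "203.0.113.5"}
{"ts": "2024-06-03T08:00:00Z", "event": "login.success", "target": "asha@example.in", "actor": "asha@example.in", "src": "198.51.100.7"}
"""

# Accounts HR says must stay disabled (leavers past their last day).
EXPECTED_DISABLED = {"vikram@example.in"}


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # A trailing "Z" is not accepted by fromisoformat before Python 3.11.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_violations(events, expected_disabled):
    """Return alerts as (timestamp, account, kind, detail) tuples.

    Tracks the enabled/disabled state seen in the log so that a login while an
    account is disabled (the control is not actually effective) is reported
    separately from a login after the account was re-enabled.
    """
    alerts = []
    disabled = set()
    for e in events:
        acct = e["target"]
        ts = e["ts"].isoformat()
        if e["event"] == "user.disable":
            disabled.add(acct)
        elif e["event"] == "user.enable":
            disabled.discard(acct)
            if acct in expected_disabled:
                alerts.append((ts, acct, "re-enabled", f"by {e['actor']}"))
        elif e["event"] == "login.failure" and acct in expected_disabled:
            alerts.append((ts, acct, "failed login attempt by exited account", f"from {e.get('src')}"))
        elif e["event"] == "login.success":
            if acct in disabled:
                kind = "login despite disabled state"
            elif acct in expected_disabled:
                kind = "login by account that should be disabled"
            else:
                continue
            alerts.append((ts, acct, kind, f"from {e.get('src')}"))
    return alerts


if __name__ == "__main__":
    for alert in find_violations(parse_log(SAMPLE_LOG), EXPECTED_DISABLED):
        print(*alert, sep=" | ")
```

Feed it the leaver list from the HR roster and the exported audit log for the period; each alert line is evidence for the auditor question about post-termination access, and a "re-enabled" alert names the administrator whose change needs explaining.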
⚖️
Compliance References
Standard: DPDP Act 2023
  Relevant section: Section 8(5) (a Data Fiduciary must take reasonable security safeguards to prevent a personal data breach) and Section 8(7) (personal data must be erased once its purpose is served). Removing the access of departed or reassigned staff is one of the most basic of these safeguards.

Standard: CERT-In Directions of 28 April 2022 (issued under section 70B(6) of the IT Act 2000)
  Relevant section: The direction that logs of all ICT systems be enabled and kept securely for a rolling period of 180 days. The account creation and disable logs listed under Evidence fall within this requirement, so retain them for at least that long.

Standard: ISO/IEC 27001:2022, Annex A
  Relevant section: A 5.18 (Access rights: access rights are provisioned, reviewed, modified and removed in line with the access control policy, including on termination and change of role) and A 6.5 (Responsibilities after termination or change of employment).

Standard: NIST CSF 2.0
  Relevant section: Protect, Identity Management, Authentication and Access Control: PR.AA-01 (identities and credentials for authorized users, services and hardware are managed by the organization) and PR.AA-05 (access permissions, entitlements and authorizations are defined in policy, managed, enforced and reviewed, applying least privilege and separation of duties).

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org