NCSRC NIRMATA
IAM-01 Asset & Data Management 8% of OML score

Does every employee or user have their own individual login to company systems?

Are your employees each logging into computers and systems with their own username and password, or are people sharing login accounts? This question checks whether you can tell who did what on your systems: if three people use the same login, you cannot tell which one made a mistake or caused a problem, and an attacker who steals that one shared password gets access that can never be traced back to a person.

⚡
Why This Matters to Your Business

When employees share logins, you lose the ability to audit who accessed what data, and that is a critical failure point in regulatory inspections and customer security audits. If a shared account is misused, intentionally or by accident, you cannot identify the person responsible, so investigating a data breach or fraud becomes guesswork. For example, a Delhi-based export company lost a ₹50 lakh contract after a customer audit discovered shared warehouse-system logins, because it could not prove who had modified shipment records. Banks and large customers conducting due diligence will fail you on this and you will lose contracts. And if a breach involves personal customer data, the RBI (for regulated entities) or CERT-In will ask for audit logs, and a log that only says 'admin did it' will not satisfy them.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and see sticky notes with usernames and passwords taped to monitors, or staff sharing a single 'admin' or 'office' account across multiple people. No one knows who accessed the system at any given time.

Level 1
Initial

Most staff have individual logins, but a few shared accounts still exist for critical systems (ERP, accounting software) because 'it was easier that way.' Login records exist but are rarely reviewed.

Level 2
Developing

Every employee has their own individual login for all business-critical systems. Shared accounts are documented with a clear business justification and are reviewed quarterly by management.

Level 3
Defined

Every employee has unique logins across all systems; you have an IT admin or designated person who reviews login activity monthly and investigates unusual access patterns. Shared accounts are banned except with documented approval from leadership.

Level 4
Managed

Unique logins are enforced across all systems with automated monitoring; unusual access attempts are logged and flagged. A formal access control policy exists, is communicated to all staff, and compliance is verified in quarterly audits.

Level 5
Optimised

Automated systems continuously monitor for shared accounts or suspicious login patterns; any deviation triggers alerts. Access reviews happen monthly, deprovisioning is automatic when staff leave, and compliance is certified and demonstrated to customers and auditors on demand.

🚀
How to Move Up — Practical Steps
Step 0 → 1
What to do: Conduct a login audit: list all current user accounts in your main business systems (accounting software, ERP, email) and mark which are personal and which are shared. Include vendor, support and 'service' accounts, which are the ones most often shared. Meet with department heads to document why each shared account exists.
Who: IT person or office manager
Effort: 3-5 days

Step 1 → 2
What to do: Create a written Access Control Policy stating that all staff must have individual logins; document exceptions (e.g. a 'shared helpdesk account') with approval from the business owner. Begin retiring unnecessary shared accounts and assign individual logins to the staff who were using them.
Who: IT person with owner sign-off
Effort: 1-2 weeks

Step 2 → 3
What to do: Set up a quarterly Access Review process: export all active logins, compare them to the current employee roster, and review login activity logs for unusual access. Remove accounts of staff who have left, and disable accounts with no login in the last 90 days until someone claims them. Train someone (IT admin or operations lead) to run this review.
Who: IT person or newly designated access control owner
Effort: 2-3 weeks (initial setup); 1 day per quarter (ongoing)

Step 3 → 4
What to do: Enforce unique logins through system configuration and implement basic monitoring: enable login audit logs in all systems, create a simple alert rule (e.g. notify IT if a user has more than 3 failed logins in 15 minutes), and document the policy in the employee handbook with consequences for sharing passwords.
Who: IT person or external IT consultant
Effort: 3-4 weeks

Step 4 → 5
What to do: Deploy automated access management: integrate user provisioning/deprovisioning with HR records (so accounts are disabled automatically when staff leave), set up continuous monitoring for shared or dormant accounts, and establish a formal monthly certification process where department heads sign off on who should have access.
Who: IT person with possible consultant support, or a managed service provider
Effort: 6-8 weeks (initial); ongoing maintenance 2-3 hours/month
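The account audit in step 0 → 1, the roster comparison in step 2 → 3 and the dormant-account monitoring in step 4 → 5 are the same reconciliation run at different frequencies. The script below is an added example, not part of the NIRMATA guide or of any product: it reads two CSV exports (the account list from a business system and the HR roster), both constructed here with made-up data, and flags generic shared-looking names, accounts with no named owner, owners who are not current employees, and accounts unused for 90 days. The column names, the review date and the list of generic names are assumptions; adapt them to your own exports.

```python
"""Access review: reconcile exported user accounts against the HR roster.

Added example, not part of the NIRMATA guide. The CSV layouts, column names
and the GENERIC_NAMES list are assumptions; adapt them to what your ERP,
Google Workspace or Active Directory export actually produces.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export of accounts from a business system (made-up data).
ACCOUNTS_CSV = """username,display_name,last_login,owner_email
priya.s,Priya Sharma,2024-03-28,priya.s@example.in
rahul.m,Rahul Mehta,2023-10-02,rahul.m@example.in
admin,Administrator,2024-03-30,
office,Office PC,2024-03-29,
warehouse,Warehouse Desk,2024-03-30,ops@example.in
anita.k,Anita Kulkarni,2024-02-11,anita.k@example.in
"""

# Constructed HR roster (made-up data). Anyone not listed as "active" has left.
ROSTER_CSV = """email,name,status
priya.s@example.in,Priya Sharma,active
anita.k@example.in,Anita Kulkarni,active
rahul.m@example.in,Rahul Mehta,left
"""

# Account names that usually mean "nobody in particular owns this" (assumption; extend for your org).
GENERIC_NAMES = {"admin", "administrator", "office", "root", "helpdesk",
                 "support", "warehouse", "reception", "test", "guest"}
DORMANT_DAYS = 90                  # no login for this long -> disable until someone claims it
REVIEW_DATE = date(2024, 3, 31)    # assumed date the review is run


def review_accounts(accounts_csv: str, roster_csv: str, today: date) -> dict[str, list[str]]:
    """Return {username: [issue, ...]} for every account that needs attention.

    Accounts with no issues are omitted, so an empty dict means a clean review.
    """
    roster = {r["email"].strip().lower(): r
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip()
        owner = row["owner_email"].strip().lower()
        issues: list[str] = []

        # 1. Generic names are the classic shared account: needs a documented exception or removal.
        if user.lower() in GENERIC_NAMES:
            issues.append("generic name: likely shared; document a justification or remove")

        # 2. Every account must map to one named, current employee.
        if not owner:
            issues.append("no named owner")
        elif owner not in roster:
            issues.append("owner not on HR roster (group mailbox or unknown person)")
        elif roster[owner]["status"].strip().lower() != "active":
            issues.append("owner has left: disable account now")

        # 3. Dormant accounts are the ones nobody notices being misused.
        last_login = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date()
        idle_days = (today - last_login).days
        if idle_days > DORMANT_DAYS:
            issues.append(f"dormant: no login for {idle_days} days")

        if issues:
            findings[user] = issues
    return findings


def review_report(findings: dict[str, list[str]]) -> str:
    """Plain-text record of the review, suitable for the quarterly sign-off file."""
    if not findings:
        return "Access review: no findings."
    lines = ["Access review findings:"]
    for user, issues in sorted(findings.items()):
        lines.append(f"  {user}:")
        lines.extend(f"    - {issue}" for issue in issues)
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(review_accounts(ACCOUNTS_CSV, ROSTER_CSV, REVIEW_DATE)))
```

On the sample data the script flags rahul.m (owner has left, 181 days idle), admin and office (generic names with no owner) and warehouse (generic name whose 'owner' is a group mailbox, not a person), while priya.s and anita.k pass. Save the report with the reviewer's name and date; that file is the access-review evidence the auditor asks for.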
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Active Directory, Google Workspace, or other system showing a list of all user accounts with date created, last login, and who owns/is responsible for each
  • Written Access Control Policy approved and dated by business owner, stating that shared logins are not permitted (or listing approved exceptions with justification)
  • Documented access review records (spreadsheet or signed form) from the last 3 months showing: employee name, systems accessed, login activity review, and sign-off by manager or IT lead
  • Login audit logs (exported from ERP, accounting software, email or network) covering at least the last 60 days, showing user, date/time, source machine and action performed. If the CERT-In directions of April 2022 apply to you, ICT logs must be retained for 180 days within India, so plan retention for that rather than 60 days.
  • Employee onboarding and offboarding checklists showing account creation and deletion steps, with evidence that accounts were created for new hires and disabled for departing staff
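The login audit logs listed above are only useful as evidence if someone actually runs rules over them. The script below is an added example (not from the NIRMATA guide) that applies the two rules the maturity levels call for: the 'more than 3 failed logins in 15 minutes' alert from step 3 → 4, and a shared-account indicator (one account logging in successfully from several different machines within a few minutes, which one person cannot do). The log format, a flat CSV of timestamp, user, source host and result, is an assumption, and the sample lines are constructed, not real data; a Windows Security log export (event IDs 4624/4625) or an ERP log export can be flattened into this shape in a spreadsheet.

```python
"""Alert rules over login audit logs: failed-login bursts and shared-account use.

Added example, not part of the NIRMATA guide. The log layout (CSV of
timestamp, user, source host, result) is an assumption; Windows Security
events 4624/4625 or an ERP log export can be flattened into this shape.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (made-up data), one event per line, ISO-8601 local time.
LOG_CSV = """timestamp,user,source,result
2024-03-30T09:01:10,priya.s,PC-ACC-01,success
2024-03-30T09:03:42,warehouse,WH-DESK-1,success
2024-03-30T09:05:05,warehouse,WH-DESK-2,success
2024-03-30T09:06:30,warehouse,WH-DESK-3,success
2024-03-30T10:12:00,rahul.m,PC-ACC-02,failure
2024-03-30T10:13:10,rahul.m,PC-ACC-02,failure
2024-03-30T10:14:05,rahul.m,PC-ACC-02,failure
2024-03-30T10:15:30,rahul.m,PC-ACC-02,failure
2024-03-30T10:40:00,anita.k,PC-OPS-01,failure
2024-03-30T11:20:00,anita.k,PC-OPS-01,failure
2024-03-30T11:45:00,anita.k,PC-OPS-01,failure
2024-03-30T11:50:00,anita.k,PC-OPS-01,failure
2024-03-30T14:00:00,priya.s,PC-ACC-01,success
"""

FAILED_THRESHOLD = 3                    # alert when MORE than this many failures ...
FAILED_WINDOW = timedelta(minutes=15)   # ... fall inside this window (the guide's 3-in-15 rule)
SHARED_WINDOW = timedelta(minutes=10)   # one person cannot log in at two desks this close together
SHARED_MIN_HOSTS = 2


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into events sorted by time; timestamps become datetimes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].strip())
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def failed_login_bursts(events: list[dict]) -> dict[str, int]:
    """Users with more than FAILED_THRESHOLD failures inside any FAILED_WINDOW.

    Returns {user: peak failures in a single window}. A sliding window over each
    user's sorted failure times means four failures spread over an hour do not
    trigger, while four inside a few minutes do.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["timestamp"])
    alerts = {}
    for user, times in failures.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > FAILED_WINDOW:   # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > FAILED_THRESHOLD:
            alerts[user] = peak
    return alerts


def shared_account_indicators(events: list[dict]) -> dict[str, set[str]]:
    """Accounts with successful logins from >= SHARED_MIN_HOSTS distinct hosts within SHARED_WINDOW.

    Returns {user: set of hosts involved}. This is a lead to investigate, not proof:
    a user who switches desks can trip it, but a 'warehouse' account live on three
    terminals at once is exactly the shared-login pattern this control is about.
    """
    logins = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            logins[e["user"]].append((e["timestamp"], e["source"]))
    flagged: dict[str, set[str]] = {}
    for user, entries in logins.items():
        for i, (t0, _) in enumerate(entries):
            hosts = {host for t, host in entries[i:] if t - t0 <= SHARED_WINDOW}
            if len(hosts) >= SHARED_MIN_HOSTS:
                flagged[user] = flagged.get(user, set()) | hosts
    return flagged


if __name__ == "__main__":
    evs = parse_log(LOG_CSV)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("shared-account indicators:", shared_account_indicators(evs))
```

In the sample, rahul.m has four failures in under four minutes and is alerted; anita.k also has four failures, but spread over more than an hour, so the sliding window never holds more than two and no alert fires. The warehouse account is flagged because it logged in from three terminals within three minutes, while priya.s, seen twice from the same PC, is not. Tune the thresholds to your environment and keep the rule text next to the alert so an auditor can see what 'unusual access' means in practice.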
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me a list of all active user accounts in your critical systems and confirm that each one belongs to a specific named employee?"
  • "What is your policy on shared logins? Are there any shared accounts in use right now, and if so, why and for how long?"
  • "Walk me through your process when an employee leaves the company—how do you ensure their accounts are disabled across all systems?"
  • "Can you produce login audit logs for the past 60 days showing who accessed your ERP/accounting system, when, and what they did?"
  • "How do you verify that users are not sharing passwords? Do you conduct access reviews, and if so, how frequently and what do you look for?"
🛠
Tools That Work in India
Purpose: Create and manage employee accounts with individual logins for email, cloud storage and basic business apps
Free option: Neither Google Workspace nor Microsoft 365 has a genuinely free business tier for your own domain, so budget for the entry-level paid plan. Both suites include login audit logs in their admin consoles at every paid tier.
Paid option: Google Workspace Business Starter or Business Standard (approx. ₹480/user/month for Standard); Microsoft 365 Business Basic (approx. ₹360/user/month). Both are priced per user per month and change often, so check current Indian pricing.

Purpose: Export and review login audit logs from ERP, accounting software or network systems to see who accessed what and when
Free option: Microsoft Excel or Google Sheets (for manually compiling exported log data); Windows Event Viewer (built into Windows; the Security log records successful logons as Event ID 4624 and failed logons as 4625, but only for that machine unless you centralise logs with Windows Event Forwarding or collect them from the domain controller)
Paid option: Splunk (roughly ₹30,000–₹100,000+/year for small deployments); ELK Stack (open source, but needs technical setup and a server to run on); most ERP vendors include basic logging in the standard licence

Purpose: Automate account creation, password management and disabling of accounts when staff leave, reducing manual errors
Free option: Active Directory (if you run Windows Server on-premises; included in the Windows Server licence); FreeIPA (open-source identity management for Linux environments; requires technical expertise); Microsoft Entra ID Free (included with any Microsoft 365 subscription; covers basic user management and short-retention sign-in logs)
Paid option: Okta (₹50,000–₹200,000+/year); JumpCloud (₹30,000–₹80,000/year); Microsoft Entra ID P1/P2 (licensed per user; budget roughly ₹3,000–₹10,000/year for a small team depending on licensing)
🛡
How This Makes You More Resilient
When every employee has their own login, you can prove to auditors and customers exactly who did what on your systems, which protects you during security investigations and regulatory inspections. If there's a data breach or mistake, you can identify the cause and responsible person, reducing legal liability and making it easier to prevent repeat incidents. You also avoid contract losses from customers who audit your security controls—many large Indian buyers and banks now require this before engaging vendors.
⚠️
Common Pitfalls in India
  • Allowing 'shared helpdesk' or 'admin' accounts to persist because 'multiple people need to do that job'—instead, create individual accounts and use a ticketing system or shared tool to track who handled what issue
  • Creating individual logins but never removing accounts when staff leave, leading to dormant accounts that can be compromised or misused; set up an offboarding checklist and assign someone to verify account deletion within 24 hours of departure
  • Not documenting why shared accounts exist, so during an audit you cannot justify exceptions, and auditors mark you as non-compliant; always write down (even in a simple spreadsheet) the business reason for any shared account and how long you plan to keep it
⚖️
Compliance References
Standard: DPDP Act 2023
Relevant section: Section 8(5) (a Data Fiduciary must take reasonable security safeguards to prevent personal data breach); Section 8(6) (breach intimation to the Data Protection Board and affected Data Principals). The Act itself does not list specific controls; the draft DPDP Rules published in 2025 spell out access control, logging, monitoring and review of access to personal data as part of 'reasonable security safeguards', and none of that is demonstrable without individual logins.

Standard: CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act)
Relevant section: Direction (iv): maintain logs of all ICT systems securely for a rolling period of 180 days, within Indian jurisdiction, and provide them to CERT-In on request; Direction (ii): report cyber security incidents within six hours of noticing them. Logs from a shared account cannot tell CERT-In who acted.

Standard: ISO/IEC 27001:2022
Relevant section: Annex A controls 5.15 (Access control); 5.16 (Identity management, which expects each identity to be linked to a single person and any shared identity to be justified and documented); 5.18 (Access rights, including review and removal when staff leave); 8.2 (Privileged access rights); 8.15 (Logging); 8.16 (Monitoring activities)

Standard: NIST CSF 2.0
Relevant section: GV.PO-01 (policy is established, communicated and enforced); PR.AA-01 (identities and credentials for authorised users are managed); PR.AA-05 (access permissions and authorisations are defined in policy, managed, enforced and reviewed); PR.PS-04 (log records are generated and made available for continuous monitoring); DE.CM-03 (personnel activity is monitored to find potentially adverse events)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org