When multiple employees share one login account, you cannot trace who accessed what data or made which changes—this hides theft and negligence. If a shared account is compromised, you must change it for everyone, disrupting work. In a real scenario, a Delhi IT services firm had three people sharing an 'accounts' login; when invoices were altered and ₹15 lakhs went missing, they could not prove who did it and faced a police case plus loss of client trust. Regulators like CERT-In and auditors expect individual accountability—shared accounts can cause you to fail compliance checks and lose enterprise clients who require this security.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You walk in and find a sticky note on the desk with a password written on it, shared among 4-5 people for the email and accounting software. No one tracks who logged in when, and when something goes wrong, nobody knows who to blame.
Initial
You see that most critical systems still use shared accounts, but there is at least one written list somewhere (messy, outdated) of who has access to what. People complain frequently that they cannot do their job because someone else changed a password and did not tell them.
Developing
You find a spreadsheet tracking user accounts for major systems (email, accounting, databases), and most staff have individual logins, but a few admin or service accounts are still shared among 2-3 people. Access is rarely reviewed or removed when someone leaves.
Defined
You see that individual accounts exist for all business-critical systems and most people can log in with their own username. There is a documented list of shared service accounts (clearly marked as exceptions) and access is reviewed every 6 months, but no audit logs are actively monitored.
Managed
Every person has a unique login for all systems they need; shared service accounts are minimal, documented, and have multi-person approval for use. Access is reviewed quarterly, removed promptly when staff leave, and logs are checked regularly for unusual activity.
Optimised
You see a mature system where every user has unique credentials across all systems; any shared accounts are locked down with dual authentication and time-based access approval. Access reviews happen monthly, departing staff are offboarded within 24 hours, and continuous monitoring alerts the team to suspicious login patterns.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple spreadsheet listing all business systems (email, accounting software, bank portal, databases, file servers) and document who currently has access to each, including any shared accounts. Assign one person to own and update this list monthly. | Finance Manager or owner | 3-4 hours |
| 1 → 2 | For at least the top 3 critical systems (email, accounting, banking), create individual user accounts for each staff member using a naming standard (e.g., firstname.lastname). Retire the shared logins and update the access spreadsheet weekly. Document the reason why any account must remain shared. | IT person or outsourced support | 1-2 weeks |
| 2 → 3 | Extend individual logins to all remaining business systems; create a formal 'Shared Account Policy' stating that shared accounts are only permitted for service accounts (like system backups) and require written business justification. Set up a quarterly access review process and document it. | IT person with owner sign-off | 3-4 weeks |
| 3 → 4 | Implement a basic access request and approval workflow (email-based or simple ticketing); enable basic login logging (most systems log this by default); conduct quarterly access reviews and maintain a formal record of approvals and removals. Train all staff on password hygiene. | IT person and HR/manager | 6-8 weeks |
| 4 → 5 | Deploy a centralized identity management tool (or set up SSO if budget allows) to automate user provisioning/deprovisioning; implement multi-factor authentication for all remote and admin logins; set up automated monthly access reviews with audit log monitoring; document all exceptions and escalate unusual login activity within 24 hours. | IT person with external consultant if needed | 2-3 months |
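The steps from 0 → 1 through 3 → 4 amount to a recurring check over two records: the access register and the HR roster. The Python script below is an added example, not part of the NIRMATA page or of any tool it names; it runs those checks over constructed sample data (hypothetical systems, accounts and staff names) and assumes a 90-day review interval to match the quarterly cadence the table asks for. It reports shared accounts with no written justification and approval, accounts still held by people who have left, and entries whose last review is overdue.

```python
"""Access-register review (added example).

Runs the checks the roadmap steps describe over an access register and an HR
roster: shared accounts lacking written justification and approval, accounts
still held by people who have left, and entries whose last review is older
than the quarterly interval. All data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # quarterly review cadence, as in the 2 -> 3 and 3 -> 4 steps


@dataclass(frozen=True)
class AccessEntry:
    system: str
    account: str
    holders: tuple[str, ...]      # people who know the credential; more than one means shared
    last_reviewed: date
    justification: str = ""       # required for any account that stays shared
    approved_by: str = ""         # owner or compliance sign-off for the exception


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str


# Constructed sample register (hypothetical systems, accounts and staff names).
SAMPLE_REGISTER = (
    AccessEntry("email", "priya.sharma", ("priya.sharma",), date(2024, 9, 15)),
    AccessEntry("accounting", "accounts", ("priya.sharma", "rahul.mehta", "vikram.nair"), date(2024, 3, 1)),
    AccessEntry("backup-server", "svc_backup", ("rahul.mehta", "anita.rao"), date(2024, 8, 20),
                justification="nightly backup job needs a fixed credential", approved_by="owner"),
    AccessEntry("git-server", "vikram.nair", ("vikram.nair",), date(2024, 7, 1)),
)
# Constructed HR roster: vikram.nair has left and is deliberately absent.
ACTIVE_STAFF = frozenset({"priya.sharma", "rahul.mehta", "anita.rao"})
AS_OF = date(2024, 10, 1)


def review_access(register, active_staff, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return the list of findings an access reviewer would have to act on."""
    findings = []
    for entry in register:
        # Exception rule from the 2 -> 3 step: shared only with written justification and sign-off.
        if len(entry.holders) > 1 and not (entry.justification and entry.approved_by):
            findings.append(Finding(entry.system, entry.account,
                                    "shared account without documented justification and approval"))
        # Offboarding rule: every holder must still be on the active roster.
        for person in entry.holders:
            if person not in active_staff:
                findings.append(Finding(entry.system, entry.account,
                                        f"holder '{person}' is no longer active staff; disable or reassign"))
        # Review cadence rule: each entry must have been looked at within the interval.
        age = (today - entry.last_reviewed).days
        if age > interval_days:
            findings.append(Finding(entry.system, entry.account,
                                    f"last reviewed {age} days ago, beyond the {interval_days}-day interval"))
    return findings


def findings_for(findings, account):
    """Filter findings for one account, for per-account reporting."""
    return [f for f in findings if f.account == account]


if __name__ == "__main__":
    for f in review_access(SAMPLE_REGISTER, ACTIVE_STAFF, AS_OF):
        print(f"[{f.system}] {f.account}: {f.issue}")
```

On the sample data the documented `svc_backup` service account produces no finding, while the undocumented `accounts` login produces three (shared without approval, held by a departed employee, review overdue). Running this monthly against the real spreadsheet gives the signed review record the evidence list asks for.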
Documents and records that prove your maturity level.
- A current, signed 'User Access and Account Policy' document clearly stating shared accounts are not permitted except for documented service accounts
- A maintained spreadsheet or system report showing each employee's individual user accounts across all critical systems (email, ERP/accounting, banking, databases, file storage)
- A record of at least one completed quarterly access review, signed by a manager, confirming who has what access and removing unnecessary accounts
- Documented exceptions list: if any shared accounts exist, proof of business justification and approval by owner or compliance officer
- Offboarding checklist showing that when staff leave, their accounts are disabled and removed from the access list within a defined timeframe (e.g., end of day)
Prepare for these questions from customers or third-party reviewers.
- "Show me your policy on shared accounts. Which accounts in your business are shared, and why?"
- "Pick three employees at random. Can you show me their individual user accounts across your email, accounting system, and database? Who has access to what and when was it last reviewed?"
- "A developer left your company three weeks ago. Show me proof that their login to the server and code repository was disabled on or before their last day."
- "Do you have audit logs showing who accessed sensitive data (invoices, customer records, financial reports) in the last month? Can you trace each access to a specific person?"
- "If I find that two people are sharing a login account, what business reason justifies that, and who approved it in writing?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track and manage who has access to which systems and review access regularly | Google Sheets or LibreOffice Calc (simple spreadsheet with conditional formatting to highlight old reviews) | Okta or Freshworks Identity Management (₹3,00,000–₹8,00,000/year for small team); Microsoft Entra ID (part of Microsoft 365 enterprise) |
| Create and enforce a strong password policy and detect weak/reused passwords across systems | Bitwarden (open-source password manager with free tier) | 1Password or LastPass enterprise (₹1,50,000–₹4,00,000/year for team) |
| Monitor login activity and alert to unusual access patterns or shared account usage | Native OS and application audit logs (enable and export via Event Viewer on Windows or system logs on Linux) | Splunk Cloud or Microsoft Sentinel (₹2,00,000–₹10,00,000/year depending on data volume) |
- Keeping 'admin' or 'superuser' accounts that all IT staff share because 'it's faster'—instead, create individual admin accounts with elevation logs so you know who made what change
- Allowing shared accounts for contractors, consultants, or temporary staff because 'they only need 3 months'—always issue a personal account and disable it the day they leave to prevent data theft
- Assuming that 'no one will notice if we share the accounts'—customers, auditors, and regulators specifically check for this; failing it can cost you contracts worth lakhs, especially with corporate or government clients who require compliance proof
- Forgetting that shared accounts for 'service' purposes (backups, API integrations, system jobs) still need controls—document them, limit their permissions to only what is needed, and monitor their use
- Not removing accounts when staff leave because 'they might need to access old files'—ex-employees with active logins are a top insider threat; disable immediately and restore access via formal request if truly needed
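The monitoring row of the tools table ("native OS and application audit logs") and the first pitfall ("individual admin accounts with elevation logs") both come down to reading the login log for two things: one account being used from several places at once, and privileged commands attributable to a named person. The Python script below is an added example, not part of the NIRMATA page or of any product it lists. It parses constructed Linux auth-log lines (sshd "Accepted" records and sudo command records; the hostnames, addresses and names are made up, and the year is assumed because syslog lines carry none), flags any account seen from more than one source address within a 60-minute window, and lists each elevation with the individual who ran it.

```python
"""Login-log review for shared-credential indicators (added example).

Parses sshd "Accepted ..." lines and sudo command lines from a Linux auth log,
flags any account that authenticates from more than one source address within a
short window (a common sign that several people know one password), and lists
privilege-elevation events attributed to the individual who ran them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in auth.log format; not taken from a real system.
SAMPLE_AUTH_LOG = """\
Oct  1 09:02:11 fileserver sshd[2101]: Accepted password for accounts from 10.0.1.21 port 51234 ssh2
Oct  1 09:05:40 fileserver sshd[2150]: Accepted password for accounts from 10.0.1.37 port 51300 ssh2
Oct  1 09:06:02 fileserver sshd[2161]: Accepted publickey for priya.sharma from 10.0.1.21 port 51410 ssh2
Oct  1 09:15:33 fileserver sudo: priya.sharma : TTY=pts/0 ; PWD=/home/priya.sharma ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct  1 11:40:19 fileserver sshd[2330]: Accepted password for accounts from 10.0.1.52 port 51800 ssh2
Oct  1 11:42:05 fileserver sudo: rahul.mehta : TTY=pts/1 ; PWD=/srv/data ; USER=root ; COMMAND=/usr/sbin/useradd -m arjun.contractor
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def _ts(stamp):
    # syslog pads the day with a space ("Oct  1"); collapse it before parsing
    return datetime.strptime(f"{LOG_YEAR} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_logins(text):
    """Return (timestamp, account, source_ip) for each successful sshd login."""
    logins = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins.append((_ts(m.group(1)), m.group(2), m.group(3)))
    return logins


def parse_elevations(text):
    """Return (timestamp, user, target_user, command) for each sudo command line.

    This is the attribution the 'individual admin accounts' pitfall relies on:
    root did the work, but the log names the person who asked for it.
    """
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append((_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def find_shared_credential_signals(logins, window=timedelta(minutes=60)):
    """Accounts seen from more than one source address within `window` of each other.

    Returns {account: sorted list of the source addresses involved}. A single
    person moving between office and home over a day does not trip this; two
    addresses inside one hour is worth a question.
    """
    by_account = defaultdict(list)
    for ts, account, ip in logins:
        by_account[account].append((ts, ip))
    signals = {}
    for account, events in by_account.items():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            recent = {e_ip for e_ts, e_ip in events[:i] if ts - e_ts <= window}
            recent.add(ip)
            if len(recent) > 1:
                signals.setdefault(account, set()).update(recent)
    return {a: sorted(ips) for a, ips in signals.items()}


if __name__ == "__main__":
    for account, ips in find_shared_credential_signals(parse_logins(SAMPLE_AUTH_LOG)).items():
        print(f"possible shared credential: '{account}' used from {', '.join(ips)} within an hour")
    for ts, user, target, cmd in parse_elevations(SAMPLE_AUTH_LOG):
        print(f"{ts:%H:%M:%S} {user} ran as {target}: {cmd}")
```

In the sample the `accounts` login is used from two addresses three minutes apart, which is the pattern the script reports; the later login from a third address falls outside the window and is not counted, which keeps the rule quiet for one person changing location. The sudo records answer the auditor's "who made this change" question directly, which a shared root or admin password never can.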
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Principle of Accountability) requires organisations to maintain records of who accessed personal data; shared accounts prevent this accountability |
| CERT-In 2022 Guidelines | Direction on 'User Access Control' (Guideline 5) mandates unique user identification and non-repudiation of actions |
| ISO 27001:2022 | Annex A, Control A.8.2.1 (User Registration and Access Rights) and A.8.2.4 (Access Management) require unique user identities and removal of unused access |
| NIST CSF 2.0 | Govern Function (GV.AT-01) and Protect Function (PR.AC-01: Processes exist to manage access—requires user identification and authentication) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.