NCSRC NIRMATA
IAM-04 Asset & Data Management 8% of OML score

Are password rules applied consistently across systems?

Do you make all your staff use the same strong password rules (like minimum 8 characters, numbers, symbols) on every system they log into—email, accounting software, factory machines, everything? Or do some systems ask for simple passwords while others ask for complex ones?

⚡
Why This Matters to Your Business

If your email system requires strong passwords but your accounting software allows simple ones, an attacker will go after the weaker system first. An Indian textile exporter we know had one weak password on their GST filing portal; the attacker got in, changed their tax records, and the business faced a ₹15 lakh audit penalty before discovering the breach. Inconsistent rules also mean that when staff move between systems, or contractors hold several accounts, they reuse the same weak password everywhere, so one breach exposes everything. Your customers and banks now expect you to prove password security; if you are audited for a large order or credit line, missing this can cost you the deal.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You find that different systems have completely different password requirements—some allow 4-digit PINs, others demand 12 characters with special symbols. Staff members write passwords on sticky notes or share login credentials because the rules are too hard to remember across all systems.

Level 1
Initial

You have documented a password policy (even if informal, like 'at least 6 characters'), but it's only enforced on your main email or one critical system. Other systems like attendance, inventory, or older accounting software ignore the policy entirely.

Level 2
Developing

You have created a written password policy requiring 8+ characters with uppercase, lowercase, numbers, and symbols, and it's enforced on your main systems (email, accounting, payroll). However, legacy systems, vendor portals, or machines on the shop floor still allow weaker passwords because 'the vendor won't let us change it.'

Level 3
Defined

All systems you directly control enforce the same password policy consistently—8+ characters with complexity. You've made a list of any vendor systems or legacy systems that can't enforce the policy, documented why, and compensated with extra controls like limiting who can access them or adding extra approval steps.

Level 4
Managed

Your password policy is enforced across all systems, including those you don't directly own (you've negotiated with vendors to apply the same rules). You've implemented a system-wide password manager or identity platform so users only remember one strong master password, and you monitor password changes through a central log.

Level 5
Optimised

Password rules are enforced everywhere; a password manager is live across your organisation; you've automated regular audits to check that no system is bypassing the policy; staff training happens every quarter; and you receive alerts if someone tries to bypass the policy or reuse an old password.

🚀
How to Move Up — Practical Steps
Each step lists who does it and roughly how much effort it takes.

0 → 1 (who: IT person or office manager; effort: 1 day). Write down the password rules your main email system (Gmail, Outlook, or your own mail server) already requires. Tell all staff verbally that they must use those same rules on every other system. Create a one-page 'Password Rules' poster and put it near computers.

1 → 2 (who: IT person with manager approval; effort: 1 week). Create a formal written password policy: minimum 8 characters; must include uppercase, lowercase, numbers, and one symbol (@, #, $, etc.); no dictionary words; change every 90 days; no reuse of recent passwords. Make it official by getting the owner/manager to sign it. Apply the policy to email, accounting software, and the payroll system through their admin panels. Note that current NIST guidance (SP 800-63B) favours a longer minimum length and screening against known-breached passwords over forced complexity and scheduled rotation; if your systems support that, prefer it. Whichever rule set you adopt, the point of this control is that it is the same on every system.

2 → 3 (who: IT person; effort: 2–4 weeks). Audit all systems your business uses (email, accounting, payroll, attendance, ERP, vendor portals, devices on the shop floor, WiFi router, CCTV system, etc.). For each, check whether it enforces your policy. Document those that don't and mark them 'legacy' or 'vendor-controlled'. For those systems, add a compensating control: e.g., only 2 people can access it, or access is logged and reviewed weekly.

3 → 4 (who: IT person, with an external consultant if needed; effort: 1–2 months). Introduce a password manager (Bitwarden for team passwords, or KeePass for local use) so staff need to remember only one master password and every system gets its own unique strong password. Migrate critical system logins into it. Set up centralised identity management (if budget allows, Okta or Microsoft Entra ID) so that one login and one password policy apply to many systems at once through single sign-on. Train staff on the new tool.

4 → 5 (who: IT person with annual audit support; effort: ongoing, 2–3 hours/month). Automate monthly reports from all systems showing password ages, failed login attempts, and policy violations. Set up alerts if staff try to set weak passwords or reuse old ones. Conduct quarterly security training on password hygiene. Perform an annual third-party audit of password enforcement across all systems.
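The audit and reporting steps above lend themselves to a small script run monthly. What follows is an added example written for this guide, not code from the NIRMATA framework or from any of the tools named on this page. The policy values mirror the 1 → 2 step; every system, account, date and word list in it is constructed sample data, and the system names are assumptions standing in for your own inventory.

```python
"""Password-policy consistency checks (added example, not part of the guide).

The written policy is held once as data and read by three checks:
  meets_policy()     the same rule for a candidate password wherever a system
                     lets you hook validation, with a no-reuse check against
                     salted hashes rather than stored plaintext
  audit_inventory()  the 2 -> 3 system audit: compare each system's configured
                     settings with the policy and require a documented
                     compensating control for vendor systems that cannot comply
  stale_accounts()   the 4 -> 5 monthly password-age report
All systems, accounts, dates and words below are constructed sample data.
"""
import hashlib
import hmac
import string
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence

POLICY = {"min_length": 8, "complexity": True, "max_age_days": 90, "history": 5}

# Stand-in for a real dictionary or breached-password list (constructed).
DICTIONARY = {"password", "welcome", "nirmata", "textile", "mumbai"}


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 so the reuse history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def meets_policy(password: str, previous: Sequence[tuple[bytes, str]] = ()) -> list[str]:
    """Return every rule the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append(f"shorter than {POLICY['min_length']} characters")
    if POLICY["complexity"]:
        classes = (any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(c in string.punctuation for c in password))
        if not all(classes):
            problems.append("missing upper/lower/digit/symbol")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # Only the last POLICY["history"] entries count; compare digests in constant time.
    for salt, digest in previous[-POLICY["history"]:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"reuses one of the last {POLICY['history']} passwords")
            break
    return problems


@dataclass
class System:
    name: str
    controlled_by_us: bool           # False = vendor/government portal we cannot configure
    min_length: Optional[int]        # None = the system has no such setting at all
    complexity: Optional[bool]
    max_age_days: Optional[int]
    compensating_control: Optional[str] = None


def system_gaps(s: System) -> list[str]:
    """Which policy settings this system fails to enforce."""
    gaps = []
    if s.min_length is None or s.min_length < POLICY["min_length"]:
        gaps.append("min length")
    if POLICY["complexity"] and not s.complexity:
        gaps.append("complexity")
    if s.max_age_days is None or s.max_age_days > POLICY["max_age_days"]:
        gaps.append("max age")
    return gaps


def audit_inventory(systems: Sequence[System]) -> dict[str, str]:
    """Level 3 rule: systems we control must enforce the policy; vendor systems
    that cannot must carry a written compensating control, otherwise they are a gap."""
    report = {}
    for s in systems:
        gaps = ", ".join(system_gaps(s))
        if not gaps:
            report[s.name] = "compliant"
        elif not s.controlled_by_us and s.compensating_control:
            report[s.name] = "compensated: " + s.compensating_control
        elif not s.controlled_by_us:
            report[s.name] = f"GAP: vendor system without documented compensating control ({gaps})"
        else:
            report[s.name] = f"GAP: we control it, fix in admin panel ({gaps})"
    return report


def stale_accounts(last_changed: dict[str, date], today: date) -> list[str]:
    """Accounts whose password is older than the policy allows."""
    return sorted(u for u, d in last_changed.items() if (today - d).days > POLICY["max_age_days"])


# Constructed inventory, the kind of list the 2 -> 3 step produces.
INVENTORY = [
    System("Email (Microsoft 365)", True, 8, True, 90),
    System("Accounting software (on-prem)", True, 6, False, None),
    System("Attendance machine", False, 4, False, None,
           "Only HR manager and owner hold PINs; access log reviewed weekly"),
    System("CCTV recorder", False, 6, False, None),
    System("Government e-filing portal", False, 8, True, None,
           "Only finance manager and owner have logins; logins reviewed weekly"),
]
# Constructed account records and report date for the monthly age report.
LAST_CHANGED = {"priya": date(2024, 5, 1), "ramesh": date(2023, 12, 1), "contractor1": date(2024, 1, 15)}
REPORT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for name, status in audit_inventory(INVENTORY).items():
        print(f"{name:32} {status}")
    print("stale:", stale_accounts(LAST_CHANGED, REPORT_DATE))
    print("weak candidate:", meets_policy("password1"))
```

The design point is that POLICY is defined once and read by every check, so a system that 'can't' enforce it shows up as a GAP in the report rather than being silently exempt, and the auditor's question "which systems don't enforce your policy, and what extra control covers them?" is answered by the same output. The reuse check keeps only salted PBKDF2 digests of old passwords, never the passwords themselves.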
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed, dated password policy document (in English and/or local language) clearly stating minimum length, complexity, expiration, and reuse rules
  • List of all systems used in your business (email, accounting, payroll, ERP, vendor portals, machines, WiFi, CCTV, etc.) with a note showing which enforce the policy and which don't
  • For systems that don't enforce the policy, a document describing the compensating control (e.g., 'Only Finance Manager and Owner can access GST portal; access logged and reviewed weekly')
  • Password policy implementation checklist or screenshot showing that password rules are enforced in at least your main systems (e.g., email admin panel showing 'Minimum password length: 8, Require complexity: enabled')
  • Training record or sign-off sheet showing all staff have received guidance on the password policy at least once
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your password policy document. What is the minimum password length and complexity requirement?"
  • "I'll pick three systems your team uses every day. Can you show me that they all enforce the same password rules?"
  • "Do you have a list of all systems in your business? For any system that doesn't enforce your password policy, what extra control do you have in place?"
  • "If I ask a random staff member to create a password on System A and System B, will they be prompted to follow the same rules? Can you demonstrate this?"
  • "Do you monitor or audit whether passwords are being changed regularly and not reused? What's your process?"
🛠
Tools That Work in India
Purpose: let staff keep a unique strong password for every system behind one master password (password manager), or apply one login and one password policy across many systems through single sign-on (identity platform)
  Free option: Bitwarden (open-source, can be self-hosted), KeePass (desktop password manager for smaller teams)
  Paid option: 1Password (₹3,000–5,000/year per user), Dashlane (₹4,000–6,000/year per user), Microsoft Entra ID + Microsoft 365 (₹3,000–8,000/user/year for the full identity suite, and the one option here that actually enforces the policy centrally rather than helping staff follow it)

Purpose: check and enforce password policy rules on your email system
  Free option: built into most email systems (Google Workspace admin console, Microsoft 365 admin center, or your mail server's settings if self-hosted); no extra cost
  Paid option: email security tools such as Proofpoint (₹10,000+/year for a small business) add phishing protection and monitoring, but password rules are still set in the admin console above, not in these tools

Purpose: monitor password changes, failed logins, and policy violations across systems
  Free option: ELK Stack (Elasticsearch, Logstash, Kibana; free tier, requires technical setup). Splunk no longer offers the old 500 MB/day free licence; check its current trial terms before planning around it
  Paid option: Splunk Enterprise (₹15,000+/year), Okta (₹5,000–10,000/user/year for full identity management with audit logs)
🛡
How This Makes You More Resilient
When all systems use the same strong password rules, an attacker has no weaker login to try first. Your staff are less likely to write passwords down or reuse one weak password everywhere, so if one account is compromised the others are not exposed by the same password. You'll also pass customer audits and regulatory checks more easily, protecting your reputation and your ability to win large contracts.
⚠️
Common Pitfalls in India
  • Creating a 'strong' password policy on paper but not actually enforcing it on older or vendor-supplied systems (like attendance machines, CCTV, or GST portal), leaving those systems vulnerable and creating false confidence
  • Setting password expiration too short (e.g., 30 days) which causes staff to write passwords down or use predictable patterns like 'Password1!' then 'Password2!', defeating the purpose
  • Not accounting for systems the vendor won't let you control (bank portal, government e-filing portal, third-party SaaS), leaving them undocumented and unmonitored and creating compliance gaps during audits
  • Forgetting to include contractor, temporary staff, and vendor accounts in the password policy, creating backdoors for unauthorized access
  • Not training staff on why the policy exists, so they resist it or find workarounds; instead, explain the real cost of a breach in their context (e.g., 'If GST records are hacked, we lose the business license')
⚖️
Compliance References
DPDP Act 2023: Section 8(5) requires a Data Fiduciary to protect personal data with 'reasonable security safeguards' to prevent a personal data breach; consistent authentication controls such as a single enforced password policy are part of that.
CERT-In: the Cyber Security Directions of April 2022 set baseline obligations (clock synchronisation, 180-day log retention, incident reporting within six hours); CERT-In's later guidelines on information security practices (2023) are where a strong password policy and password reset procedures appear. Check the current text before citing a clause number.
ISO 27001:2022: Annex A controls A.5.15 (Access control), A.5.17 (Authentication information) and A.8.5 (Secure authentication) require access rules and authentication information to be managed under a documented, enforced policy.
NIST CSF 2.0: Protect – Identity Management, Authentication and Access Control (PR.AA-01, PR.AA-03) and Awareness and Training (PR.AT-01); Identify – Asset Management (ID.AM-01, ID.AM-02) for the system inventory; Govern – Policy (GV.PO-01) for the signed policy document.

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
