NCSRC NIRMATA
IAM-09 Asset & Data Management 8% of OML score

Is use of admin or high-privilege access monitored or controlled?

Do you know who is using admin passwords and super-user accounts in your business, and are you stopping people from using them carelessly? This is about making sure that powerful accounts—the ones that can change anything, delete anything, or access everything—are only used when absolutely necessary and that you keep a record of what was done with them.

⚡ Why This Matters to Your Business

If admin accounts are handed out freely or used all the time, one careless employee or one hacked password can wipe out your entire database, steal customer data, or lock you out of your own systems. A Delhi manufacturing company lost ₹40 lakhs when a disgruntled IT contractor used their admin access to delete critical production records and customer databases. Without monitoring, you won't know who did what, so you can't stop it, investigate it, or prove to auditors and customers that you're in control. Banks and large customers conducting security audits will fail you if you can't show admin access is restricted.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You find that anyone with a laptop or access to the office server room can log in with admin credentials written on a sticky note or shared verbally. No one is tracking who logged in as admin or what they changed.

Level 1: Initial

You have some admin passwords, but they are shared among 2–3 people and stored in a notebook or email. There is no log of when someone used the admin account or what they did.

Level 2: Developing

Admin passwords exist and are known to fewer people (maybe just the IT person and one manager). Windows or server login logs exist but nobody is regularly reviewing them for suspicious activity.

Level 3: Defined

Admin access requires a separate login different from regular user accounts. Someone is checking server logs monthly to see who logged in and what major changes were made. Shared admin passwords are being phased out.

Level 4: Managed

Every admin action is logged automatically with timestamps and details of what changed. Access is limited to specific people with a documented approval process. Logs are reviewed weekly and kept for at least 90 days.

Level 5: Optimised

Admin access is restricted to named individuals with multi-factor authentication (MFA). Every action is logged, indexed, and automatically searched for suspicious patterns. Logs are kept for 1+ year and reviewed monthly by a senior manager or external party.

🚀 How to Move Up — Practical Steps

Step | What to do | Who | Effort

0 → 1
What to do: Stop sharing the admin password verbally and via sticky notes. Create a single written record of who has admin access (even if it's a printed list locked in a drawer). Test that you can actually see login records in Windows Event Viewer or server logs.
Who: IT person or office manager
Effort: 1–2 days

1 → 2
What to do: Set up a shared password manager (even a simple encrypted spreadsheet) to replace the notebook. Create a monthly log-checking routine: print or export admin login records and file them. Document the names of people with admin access and have the owner sign off on it.
Who: IT person with sign-off from business owner
Effort: 1 week

2 → 3
What to do: Remove shared admin passwords. Create individual admin accounts for each authorized person (e.g., admin_raj, admin_priya). Enable Windows or Linux audit logging if not already on. Begin a formal approval process: anyone needing admin access must get written permission from the owner.
Who: IT person
Effort: 2–3 weeks

3 → 4
What to do: Set up a centralized log aggregation tool or use cloud-based identity/access management (IAM). Configure automatic alerts for high-risk actions (e.g., password changes, user deletions). Establish a weekly log review meeting. Keep logs for at least 90 days in a secure, tamper-proof location.
Who: IT person with oversight from owner or finance manager
Effort: 4–8 weeks

4 → 5
What to do: Implement multi-factor authentication (MFA) on all admin accounts. Conduct quarterly audits of admin access, comparing actual usage against the approved access list. Train all staff annually on why admin access is restricted and what to do if they suspect misuse. Keep the audit trail for 12+ months and report findings to the board or owner quarterly.
Who: IT person, with HR conducting training and owner/compliance officer reviewing reports
Effort: Ongoing (2–3 hours per month)
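The steps from 2 → 3 onwards all come down to one routine: take the exported login records, compare the admin sessions against the signed list of approved people, flag the high-risk actions the guide names (password changes, user deletions), and file a dated review record. The script below is an added example, not part of the NIRMATA guide or any tool it lists. It assumes the logs were exported from Windows Event Viewer to a CSV with the columns `time,event_id,user,target` (that column layout is an assumption; the event IDs are the standard Windows Security-log IDs). The approved-access register and the log lines are constructed sample data; the expired contractor entry shows how the "forgotten vendor account" pitfall gets caught, and `who_did` answers the "who deleted that account, and when?" question an auditor may ask.

```python
"""Admin-access log review against an approved-access register.

Added example (not from the NIRMATA guide). Assumes a CSV export of the
Windows Security log with columns time,event_id,user,target; all register
entries and log lines below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta

# Standard Windows Security-log event IDs used as the alert vocabulary.
LOGON_FAILED = 4625
ADMIN_PRIVS = 4672          # special privileges assigned to a new logon (admin session)
HIGH_RISK = {4720: "user account created",
             4724: "password reset attempted",
             4726: "user account deleted"}

# Constructed register: who may hold admin access and until when (None = no end date).
APPROVED_ADMINS = [
    {"user": "admin_raj",    "role": "IT Manager", "approved_on": date(2024, 1, 15), "expires_on": None},
    {"user": "admin_priya",  "role": "DBA",        "approved_on": date(2024, 2, 1),  "expires_on": None},
    {"user": "admin_vendor", "role": "Contractor", "approved_on": date(2023, 6, 1),  "expires_on": date(2023, 12, 31)},
]
REVIEW_DATE = date(2024, 3, 15)   # constructed date of this review

# Constructed CSV export in the assumed shape (target is empty for plain logons).
SAMPLE_EXPORT = """\
time,event_id,user,target
2024-03-12 09:02:11,4624,admin_raj,
2024-03-12 09:02:11,4672,admin_raj,
2024-03-12 11:40:05,4672,admin_vendor,
2024-03-12 14:15:30,4625,admin_priya,
2024-03-12 14:15:52,4625,admin_priya,
2024-03-12 14:16:10,4625,admin_priya,
2024-03-12 16:00:00,4672,guest_temp,
2024-03-12 16:01:22,4726,guest_temp,cust_records_svc
2024-03-13 08:30:00,4724,admin_raj,sales_user
"""


def parse_export(text):
    """Turn the CSV export into a list of event dicts with parsed timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(row["event_id"]),
                       "user": row["user"],
                       "target": row["target"]})
    return events


def review_admin_activity(events, register, as_of, failed_threshold=3, window=timedelta(minutes=5)):
    """Compare admin sessions with the register and flag high-risk actions.

    Returns (severity, message) findings in time order, so the review sheet can
    record 'nothing unusual' as well as problems."""
    valid = {r["user"] for r in register if r["expires_on"] is None or r["expires_on"] >= as_of}
    expired = {r["user"] for r in register} - valid
    findings, failed_by_user = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stamp = ev["time"].strftime("%Y-%m-%d %H:%M")
        if ev["event_id"] == ADMIN_PRIVS:
            if ev["user"] in expired:
                findings.append(("HIGH", f"{stamp} admin session by {ev['user']} whose approval has expired"))
            elif ev["user"] not in valid:
                findings.append(("HIGH", f"{stamp} admin session by {ev['user']} who is not on the approved list"))
        elif ev["event_id"] in HIGH_RISK:
            findings.append(("MEDIUM", f"{stamp} {ev['user']}: {HIGH_RISK[ev['event_id']]} ({ev['target']})"))
        elif ev["event_id"] == LOGON_FAILED:
            # Keep only failures inside the window; alert once when the threshold is hit.
            recent = [t for t in failed_by_user[ev["user"]] if ev["time"] - t <= window] + [ev["time"]]
            failed_by_user[ev["user"]] = recent
            if len(recent) == failed_threshold:
                findings.append(("MEDIUM", f"{stamp} {failed_threshold} failed logons for {ev['user']} within {window}"))
    return findings


def who_did(events, event_id, on_day):
    """Answer 'who performed this action on that day?' (on_day as ISO date string)."""
    day = date.fromisoformat(on_day)
    return [(ev["time"].strftime("%H:%M:%S"), ev["user"], ev["target"])
            for ev in events if ev["event_id"] == event_id and ev["time"].date() == day]


def review_record(findings, reviewer, reviewed_on):
    """The one-line entry to file for each review, even when nothing was found."""
    summary = "; ".join(m for _, m in findings) if findings else "nothing unusual found"
    return f"{reviewed_on.isoformat()} reviewed by {reviewer}: {len(findings)} finding(s): {summary}"


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    findings = review_admin_activity(evs, APPROVED_ADMINS, REVIEW_DATE)
    for severity, message in findings:
        print(severity, message)
    print(who_did(evs, 4726, "2024-03-12"))
    print(review_record(findings, "Business owner", REVIEW_DATE))
```

Run against the sample, it reports the expired contractor's admin session, the three failed logons on admin_priya, an admin session and an account deletion by an account that is on no approved list, and a password reset by admin_raj for another user. The last item is not necessarily misuse, which is the point of filing the review record: the reviewer confirms it against the approval trail rather than the log being silently ignored.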
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • A signed, dated list of people who have admin access and their job roles (e.g., 'Raj Kumar - IT Manager, approved 15 Jan 2024').
  • At least 90 days of server or Windows login logs showing date, time, user ID, and login success/failure. Print samples or screenshots if digital storage not available.
  • A log review record sheet or email showing who reviewed logs, when, and what was found (even if nothing unusual—the absence of review is a red flag).
  • An approval form or email trail for each person granted admin access, signed by the owner or senior manager with justification (e.g., 'Priya needs admin access to manage database backups').
  • A written policy document (1–2 pages) that says: who can have admin access, how they get it, how long they keep it, and what you do if someone leaves or misuses it.
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me a list of everyone who has admin access today? When was this list last updated and who approved each person?"
  • "Walk me through your login logs for the last month. How are these logs stored, who reviews them, and can you show me evidence of that review?"
  • "If I told you an admin account was used to delete a customer record last Tuesday, how would you investigate who did it and when?"
  • "What happens when someone leaves the company or moves to a different job? Can you show me an example of how you removed their admin access?"
  • "Do you use shared admin passwords (the same password for multiple people)? If yes, how do you track who used it and when?"
🛠 Tools That Work in India

Purpose | Free option | Paid option

Store and share admin passwords securely without writing them down or emailing them in plain text
Free option: KeePass (open-source password manager; requires someone to manage the master key) or Bitwarden (free tier allows password sharing in a team vault with 2 people).
Paid option: 1Password ₹2,500–4,000/year, LastPass ₹1,500–2,500/year, or Dashlane ₹3,000–4,500/year. For small teams, Bitwarden Teams ₹10,000–15,000/year.

Collect and review admin login logs from servers, databases, and computers in one place
Free option: Windows Event Viewer (built into Windows; logs stored locally on each computer—tedious to check across multiple machines). Graylog (open-source log aggregation; requires technical setup).
Paid option: Splunk ₹200,000+/year (overkill for MSMEs), SolarWinds Event Log Forwarder ₹50,000–100,000/year, or cloud IAM tools like Azure AD ₹500–2,000/user/year.

Enforce multi-factor authentication (MFA) on admin accounts to prevent unauthorized login even if a password is stolen
Free option: Microsoft Authenticator app (for Windows/Office 365 users, free if you use Azure AD) or Google Authenticator (free, works with many services).
Paid option: Okta ₹3,000–8,000/user/year, Duo Security ₹500–3,000/month depending on users, or Azure AD Premium ₹700–2,000/user/year.
🛡 How This Makes You More Resilient
When admin access is properly monitored and controlled, a single compromised password or careless insider action cannot instantly destroy your business. You can quickly identify and stop harmful actions, investigate who did what, and prove to customers and banks that your data is protected. This confidence translates directly into fewer customer complaints, faster loan approvals, and a lower insurance premium.
⚠️ Common Pitfalls in India
  • Sharing one admin password among the entire IT team or keeping it in a shared email folder. When someone leaves or misbehaves, you can't revoke their access without changing the password for everyone—and then no one remembers to do it.
  • Assuming that because you use Windows or a server, logs are automatically being kept and reviewed. Logs exist but fill up and get deleted, or no one ever looks at them. When an audit happens, you have no proof of who accessed what.
  • Creating admin accounts for contractors or vendors but forgetting to remove them after the project ends. A year later, that contractor still has full access and no one knows.
  • Using the admin account for daily work instead of keeping it for emergencies only. This makes it harder to spot unusual activity and increases the chance of accidental damage.
  • Documenting admin access in a physical notebook kept at the desk, which gets lost, spilled on, or read by visiting vendors. Digital records (even a simple encrypted spreadsheet) are safer and easier to audit.
  • Not training staff on why admin access is restricted. They think it's bureaucracy and try to bypass it, or they willingly share their password with a 'trusted' colleague.
⚖️ Compliance References

Standard | Relevant section

DPDP Act 2023: Section 8 (Data Protection Obligation) requires security measures to protect personal data; Section 12 (Consent and Notice) requires audit trails for access to personal data.
CERT-In 2022 Guidelines: Direction 4 requires logging and monitoring of privileged user access and unauthorized access attempts.
ISO 27001:2022: Annex A.9.2.1 (User registration and de-registration), A.9.4.3 (Review of user access rights), and A.8.2.2 (Privileged access rights) require documented access control and monitoring.
NIST CSF 2.0: Govern (GV) function on access control and Protect (PR) function on Access Control (PR.AC-1 and PR.AC-2) require restricting and monitoring privileged access.

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security