Old contractor accounts left active let unauthorized people access your customer data, financial records, or business secrets. A real example: a contract accountant's login remained active 8 months after his project ended; when his account was later compromised via a phishing email, someone downloaded GST and payroll records—leading to a ₹12 lakh data breach fine. If auditors find accounts that should have been deleted still exist, you fail compliance checks and can lose customer contracts (especially if you work with government or large corporates). Forgotten temporary accounts also make it hard to track who accessed what, which means you can't prove your data is secure during an incident investigation.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find contractor and temporary login details written on sticky notes or in an old email thread, with no record of when they were created or if they were ever removed. No one knows which accounts are actually still active in your systems.
Initial
You have a rough list of contractor names somewhere, and your IT person deletes accounts when someone reminds them—but there's no formal process, no dates recorded, and no way to verify all temporary accounts were actually removed.
Developing
You have a simple spreadsheet of temporary accounts (name, date given, date due to expire) that you review manually every few months, and your IT person deletes accounts based on that list, though the review timing is inconsistent.
Defined
You have a documented process for requesting, approving, and removing temporary accounts; a maintained register with creation and removal dates; and you review active temporary accounts every month to ensure none are overdue for deletion.
Managed
Your access management system automatically flags temporary accounts approaching expiry, sends removal reminders to managers, and IT removes them on schedule; you audit the register quarterly and track removal confirmations.
Optimised
Your system auto-disables temporary accounts on their expiry date, logs all changes, alerts managers, performs monthly reviews of all active accounts against current staffing data, and executives see a dashboard showing compliance status.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple list of all current contractor and temporary staff; note their names, department, access given, and expected end date. Ask your IT person to delete any accounts for people no longer here. | Office manager or HR lead | 2-3 days |
| 1 → 2 | Build a basic spreadsheet template (Name, Role, Date Access Granted, Expected Expiry Date, Actual Removal Date, Removed By) and commit to reviewing it every 2 months. Document each removal. | IT person or office administrator | 1 week to create and train; then 2 hours per review |
| 2 → 3 | Write a one-page process: temporary account request form (filled by HR), approval by manager, IT creates account with 90-day expiry in a system or calendar reminder, manager re-approves if extension needed. Review register monthly. | HR lead and IT person together | 2-3 weeks |
| 3 → 4 | Move temporary account register into a shared system (Google Sheets with locked columns, or simple inventory software); set up automated email reminders 2 weeks before expiry to the manager; require IT to confirm removal in writing. | IT person or system administrator | 4-6 weeks |
| 4 → 5 | If using cloud platforms (Microsoft 365, Google Workspace, AWS), configure automatic account disable on expiry date through built-in admin tools; set up monthly audit reports comparing temporary account list to active directory; ensure executive reviews results. | IT manager or cloud systems administrator | Ongoing monthly reviews and annual process tuning |
Documents and records that prove your maturity level.
- A register or spreadsheet listing all temporary/contractor accounts created in the last 2 years, with creation date, expiry date, and removal date/confirmation
- Documentation of your temporary account request and approval process (even if it's a simple one-page form template)
- Email chains or signed-off forms showing manager approval for account creation and removal
- Monthly or quarterly review records showing when you checked the register for overdue accounts
- IT confirmation records (email or form) showing that each account was actually deleted from all systems (not just disabled)
Prepare for these questions from customers or third-party reviewers.
- "Show me your list of all temporary and contractor accounts created in the last 12 months. For each one, prove to me the account was removed."
- "How do you decide when a temporary account should expire? Is it documented? What happens if a contractor stays longer than planned?"
- "I'm going to ask your IT person to pull a report of all active user accounts. Are there any old contractor names in that list that shouldn't be there?"
- "Walk me through what happens from the moment you hire a contractor to the moment their login is deleted. What could go wrong in your process?"
- "How often do you review temporary accounts? Can you show me evidence of the last three reviews?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Track and manage temporary account lifecycle with reminders | Google Sheets with conditional formatting and email notifications via Zapier (free tier; ₹0 if you use basic features) | Freshservice (₹4,500–₹15,000/year for small team), Zoho People (₹200–₹600/user/year) |
| Auto-disable or remove accounts on a scheduled date | Windows Task Scheduler (if on-premises) or PowerShell scripts for Microsoft 365 (free if you already have M365) | Microsoft Entra ID (Azure AD) Premium P1 (₹1,500–₹2,000/user/year) for advanced lifecycle management |
| Audit and report on all active user accounts vs. contractor list | Built-in reports in Microsoft 365 admin center or Google Workspace admin console (₹0 if you already subscribe) | Okta or JumpCloud for detailed access audits (₹3,000–₹12,000/year depending on user count) |
- Contractor leaves but his email or project folder is forwarded to someone else, so the account never gets deleted—it just sits dormant until someone finds it 2 years later during an audit.
- Project gets extended verbally ('Just a few more weeks'), and no one updates the removal date, so the temporary account stays active indefinitely because the reminder was based on the old date.
- IT person leaves or gets sick, and no one else knows which contractor accounts exist or when they should be removed, causing a backlog of forgotten accounts.
- You delete the login from one system (like email) but forget to remove it from the office Wi-Fi, VPN, or accounting software, so the person can still access data through a side door.
- Accounts get 'disabled' instead of deleted, and then re-enabled months later without fresh approval, circumventing your review process entirely.
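One way to run the audit that the 4 → 5 step and the audit row of the tools table call for, while also catching the side-door and re-enable pitfalls listed above, is to reconcile the register against an active-login export from every system that grants access. This is an added example, not NIRMATA's own tooling: the register columns are the 1 → 2 template, but the register rows, the system names, the exports and the date are constructed, and it assumes each export already lists only external or contractor logins.

```python
import csv
import io
from datetime import date, timedelta

# Reminders go out two weeks before expiry, matching the 3 -> 4 step.
REMINDER_WINDOW = timedelta(days=14)
AS_OF = date(2024, 8, 10)  # constructed "today" for the sample run

# Constructed register using the spreadsheet template's columns.
REGISTER_CSV = """Name,Role,Date Access Granted,Expected Expiry Date,Actual Removal Date,Removed By
a.sharma,Contract accountant,2024-01-10,2024-04-10,,
r.mehta,Payroll temp,2024-02-01,2024-05-01,2024-05-01,it.admin
p.iyer,Network contractor,2024-05-20,2024-08-20,,
"""

# Constructed exports of contractor logins per system (permanent staff assumed filtered out).
SYSTEM_EXPORTS = {
    "email": ["a.sharma", "p.iyer", "s.unknown"],
    "vpn": ["a.sharma", "r.mehta"],  # r.mehta logged as removed, still on VPN
    "accounting": ["p.iyer"],
}


def reconcile(register_csv, exports, today):
    """Compare the register with live exports; return findings by category."""
    findings = {"overdue": [], "removed_but_active": [],
                "expiring_soon": [], "unregistered": []}
    active_in = {}  # login -> set of systems where it is still active
    for system, logins in exports.items():
        for login in logins:
            active_in.setdefault(login, set()).add(system)
    registered = set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        name = row["Name"]
        registered.add(name)
        systems = sorted(active_in.get(name, ()))
        if row["Actual Removal Date"]:
            # Marked removed but still present somewhere: a side door or a re-enable.
            if systems:
                findings["removed_but_active"].append((name, systems))
            continue
        expiry = date.fromisoformat(row["Expected Expiry Date"])
        if expiry < today and systems:
            findings["overdue"].append((name, systems))
        elif today <= expiry <= today + REMINDER_WINDOW:
            findings["expiring_soon"].append((name, expiry.isoformat()))
    # Active contractor logins nobody registered: the auditor's "old names" check.
    for login in sorted(set(active_in) - registered):
        findings["unregistered"].append((login, sorted(active_in[login])))
    return findings
```

Calling `reconcile(REGISTER_CSV, SYSTEM_EXPORTS, AS_OF)` on the sample data flags a.sharma as overdue on email and VPN, r.mehta as removed on paper but still on the VPN, p.iyer as due for a reminder, and s.unknown as an active login the register never recorded.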
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2)(h) – requirement to implement access control measures; Section 8(3) – responsibility to ensure personal data is processed only by authorized personnel |
| CERT-In 2022 | Direction 4 – access control and user management; temporary accounts must be terminated when no longer needed |
| ISO 27001:2022 | Annex A.5.2 – User access management; A.5.2.2 – User access provisioning and de-provisioning |
| NIST CSF 2.0 | Govern (GV) and Protect (PR) functions – manage access rights and lifecycle; PR.AA-1 and PR.AA-2 |