IS-07 Identity & Access 8% of OML score

Are admin or high-privilege accounts limited to a small number of trusted users?

Do you have only a few carefully chosen people who can access the super-admin controls of your systems? These are the accounts that can lock everyone out, delete everything, or turn off your security—so they need to be guarded like the keys to your office safe. This question asks: have you actually limited who has these powers, and do you know who they are?

Why This Matters to Your Business

If your admin passwords are shared among many people, written on sticky notes, or given to someone who later leaves your company, a single disgruntled employee or hacker can wipe your entire database, steal customer payment records, or shut down your operations for days. A Delhi export company lost ₹2.3 crore when a former IT contractor used lingering admin access to delete all shipment records and customer invoices. Your auditors (and customers such as large enterprises or government agencies) will fail your security review if you cannot prove you control who has admin access. You could lose contracts, face regulatory action, or be held liable if customer data is stolen through a compromised admin account.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You don't have a clear list of who has admin access, and the same password may be shared among 5-6 people or written down somewhere. You have no idea when or how admin accounts are being used.

Level 1: Initial

You have identified who the admin users are (maybe the owner, one IT person, the accountant), but there's no formal list and no one checks whether they should still have access. Access requests are verbal and unrecorded.

Level 2: Developing

You have a written list of admin users and their names are reviewed once a year, but there's no process to remove access when someone leaves or changes roles. You don't log or monitor what admins actually do.

Level 3: Defined

You have a documented, signed list of admin users reviewed quarterly, and you remove access within one week of someone leaving or changing roles. You keep a basic log of admin activities (like password resets or user deletions) that you review monthly.

Level 4: Managed

Your admin account list is maintained in a controlled access request system, reviewed every quarter, and automatically disabled 24 hours after an employee leaves. All admin actions are logged in real-time and reviewed for suspicious activity weekly by a named person.

Level 5: Optimised

Admin accounts are managed through a formal Identity & Access Management (IAM) system with multi-factor authentication required for every admin login. All admin actions are logged, monitored continuously against a policy baseline, unusual activity triggers automatic alerts, and the system generates a monthly compliance report you can show to auditors.

How to Move Up — Practical Steps

Step 0 → 1
What to do: Gather all admin usernames and passwords into one document (encrypted file or password manager). Interview the owner, IT person, and finance lead to list everyone with admin access. Ask why each person needs it.
Who: Business owner + IT person
Effort: 1 day

Step 1 → 2
What to do: Create a signed document listing admin users (name, email, role, reason for access, date approved). Get the owner's signature. Review it once a year in writing and keep a dated copy.
Who: IT person (draft) + Business owner (approve and sign)
Effort: 1 week

Step 2 → 3
What to do: Set up a simple exit checklist: when an employee leaves, the IT person removes their admin access the same day and documents it. Start a basic activity log (a Google Sheet is fine) where you note each admin password change, user creation, or firewall rule change with the date and who did it. Review this log monthly.
Who: IT person + HR lead
Effort: 2-4 weeks

Step 3 → 4
What to do: Move the admin account list into a simple access request form (Google Form or Excel with an approval workflow). Set calendar reminders to review access every quarter. Automate admin account disabling within 24 hours of resignation using your hosting provider's tools or a simple script. Increase log review frequency to weekly.
Who: IT person + HR lead
Effort: 1-2 months

Step 4 → 5
What to do: Implement multi-factor authentication (MFA) for all admin logins. Deploy a centralized logging tool (cloud or on-premise) that captures all admin actions in real time. Set up automated alerts for risky actions (mass user deletion, permission changes). Generate and review a monthly compliance dashboard for auditors.
Who: IT person + (possibly) external vendor for IAM setup
Effort: Ongoing (quarterly reviews, continuous monitoring, monthly reporting)
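As an added example (not part of the NIRMATA guide), a small Python script that applies the checks from steps 2 → 3 to 4 → 5 to the records the guide asks you to keep. It reads constructed sample copies of the signed admin list, the HR leavers list and the admin activity log, then reports leavers still on the admin list more than 24 hours after their last day, approvals older than the quarterly review window, and any actor who deletes several users within a short window (the "mass user deletion" alert). Column names, email addresses and thresholds are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample records (not from the guide): admin list, HR leavers, activity log.
ADMIN_LIST = """email,role,reason,approved_on
owner@example.in,Owner,Business owner,2024-01-05
it@example.in,IT lead,Manages servers and backups,2023-11-01
contractor@example.in,Contractor,Data migration project,2023-06-10
"""
LEAVERS = """email,last_day
contractor@example.in,2024-03-01
"""
ACTIVITY_LOG = """timestamp,actor,action,target
2024-03-04T09:00:00,it@example.in,password_reset,sales1@example.in
2024-03-04T09:01:00,contractor@example.in,user_delete,sales2@example.in
2024-03-04T09:01:30,contractor@example.in,user_delete,sales3@example.in
2024-03-04T09:02:00,contractor@example.in,user_delete,sales4@example.in
"""
def load(csv_text):
    """Parse one of the CSV sheets above into a list of row dicts."""
    return list(csv.DictReader(StringIO(csv_text)))

def overdue_removals(admins, leavers, now, sla=timedelta(hours=24)):
    """Leavers still on the admin list after last day + removal SLA (Level 4: 24 h)."""
    last_day = {r["email"]: datetime.fromisoformat(r["last_day"]) for r in leavers}
    return sorted(a["email"] for a in admins
                  if a["email"] in last_day and now > last_day[a["email"]] + sla)

def review_overdue(admins, now, max_age=timedelta(days=90)):
    """Admins whose approval is older than the quarterly review window."""
    return sorted(a["email"] for a in admins
                  if now - datetime.fromisoformat(a["approved_on"]) > max_age)

def mass_deletions(log, threshold=3, window=timedelta(minutes=10)):
    """Actors who deleted at least `threshold` users inside one `window` (alert condition)."""
    events = sorted((datetime.fromisoformat(r["timestamp"]), r["actor"])
                    for r in log if r["action"] == "user_delete")
    flagged = set()
    for i, (start, actor) in enumerate(events):
        hits = sum(1 for t, a in events[i:] if a == actor and t - start <= window)
        if hits >= threshold:
            flagged.add(actor)
    return sorted(flagged)

def run_checks(now_iso="2024-03-04T12:00:00"):
    """Run all three checks against the sample records as of `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return {"overdue_removals": overdue_removals(load(ADMIN_LIST), load(LEAVERS), now),
            "review_overdue": review_overdue(load(ADMIN_LIST), now),
            "mass_deletions": mass_deletions(load(ACTIVITY_LOG))}
```

Swap the three constants for the real sheets (exported as CSV) and run it on the weekly review day; each non-empty result is an item for the reviewer to sign off.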
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed, dated list of all admin users with their role, reason for access, and approval signature from owner or manager
  • Exit checklist or process document showing that admin access is removed when an employee leaves (with at least 3 dated examples of recent removals)
  • Admin activity log or screenshot showing who performed which admin actions (password resets, user additions, system changes) and when, reviewed at least monthly with reviewer initials and date
  • Quarterly access review record showing the list was reviewed, any removals were justified, and signed off by management
  • For higher maturity: automated activity report from your hosting provider or IAM tool showing real-time logging and alerting of admin actions
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your current list of admin users. How is it kept up to date, and who approves changes to it?"
  • "An employee was terminated last month—show me evidence that their admin access was removed on their last day. How do you ensure this happens consistently?"
  • "What activities are your admins performing, and how do you monitor them? Can you show me a log of admin actions from the last 30 days?"
  • "If a customer or regulator asks you 'who had access to modify their data last week,' how would you answer that question in 24 hours?"
  • "Do your admin accounts use multi-factor authentication (like a one-time code from their phone), or can they log in with just a password?"
Tools That Work in India

Purpose: Create and store your admin user list securely with approval history
Free option: Google Sheets with owner + IT access; use the 'Suggested edits' feature for change tracking. For passwords: Bitwarden (free tier, self-hosted)
Paid option: Microsoft Excel with OneDrive + Azure AD (₹2,500–5,000/user/year if you have Office 365 already); dedicated password manager like 1Password (₹8,000–12,000/year)

Purpose: Log and monitor what admins are actually doing on your systems
Free option: Native OS logging (Windows Event Viewer, Linux auditd) + manual review; cloud provider dashboards (AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs are partially free)
Paid option: Splunk (₹5,00,000+/year, overkill for MSME); Elastic Stack (₹1,50,000–3,00,000/year); Microsoft Sentinel (₹2,500–10,000/month); simpler alternative: ManageEngine EventLog Analyzer (₹1,20,000–2,50,000/year)

Purpose: Enforce multi-factor authentication (MFA) for admin accounts so passwords alone can't grant access
Free option: Google Authenticator, Microsoft Authenticator, or Authy app (free); built into Google Workspace, Microsoft 365, and most cloud platforms at no extra cost
Paid option: Okta (₹3,000–8,000/user/month); Auth0 (₹1,50,000–5,00,000/year); Duo Security (₹800–2,000/user/year)
How This Makes You More Resilient
When only a few trusted people can access admin functions and you monitor what they do, a disgruntled employee or hacker using a stolen admin password cannot silently delete your customer records or disable your backup system without you noticing quickly. You can recover from human error faster because you know exactly which admin made which change and when. Your business survives a security incident because you have a clear audit trail to show customers, auditors, and police—which protects your reputation and contracts.
Common Pitfalls in India
  • Sharing one admin password among the entire team or storing it in a group chat or email—when someone leaves, you never change it, so they still have access months later
  • Giving admin access 'temporarily' during a project or crisis and forgetting to remove it; contractors, consultants, or temporary staff end up with permanent admin rights
  • Not documenting WHY someone has admin access, so during a review you can't tell if they still need it; no one dares remove access for fear of breaking something
  • Assuming your IT person's personal laptop or home internet is safe enough for admin tasks; if their laptop is stolen or hacked, all your systems are compromised
  • Logging admin activities but never actually reading the logs until there's a breach; finding out months later that a fired employee was accessing customer data for weeks
Compliance References

DPDP Act 2023: Section 8 (purpose and necessity of processing); Schedule II (security safeguards) requires documentation of who accesses personal data
CERT-In Advisory 2022: Direction on Baseline Cyber Security Practices—requires minimizing privileged user accounts and implementing access controls
ISO 27001:2022: Annex A.5.3 (segregation of duties), A.8.2 (user access management), A.8.3 (user responsibilities)
NIST CSF 2.0: Govern (GV.RO-1: roles and responsibilities), Manage (MA.AC-1: access control policy)

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security