December 22, 2014

Accounting System Security

Marine Biological Laboratory
Policy No. H.2.1

Initiated by: Director of Information Technology
Approved by: MBL President/Director
Date: August 29, 1994
Revision: #2 July 28, 2009
Distribution: MBL Community

1.0 Policy Statement:
The MBL’s financial system (Navision) is a critical data asset and must employ the highest level of access controls.

2.0 The Navision Financial System is supported by three levels of security

2.1 First Level of Security: “Navision client level access ONLY”
The Navision system can only be accessed at the user level via an installed client. The CFO and the Controller are the only MBL Staff that have the authority to authorize a Navision client installation. Client installation requests must be initiated via a Helpdesk ticket. The IT Financial Systems Administrator and the IT Security Officer are the only MBL Staff authorized to perform a client install. It is important to manage this process to ensure only valid users have the client software.

2.2 Second Level of Security: “Authorized user/password access”
Authorized users will log in to the Navision System with a unique username and password combination. Passwords must meet the standards set by the MBL IT Password Policy (H 2.2). The CFO and the Controller are the only MBL Staff who have the authority to authorize the creation of a Navision user account.

2.3 Third Level of Security: “User access levels defined by system user roles”
Each user of the Navision system will be assigned a user role that provides only the system access level required by that user’s position. Roles will strictly limit what a user may do and see in the system. Best practice dictates that no MBL Financial Services staff be given the highest system role (SuperUser). The Financial Systems Administrator has the SuperUser role.

3.0 Financial System Integrity – System Modification and “Change Control” Process

3.1 The Financial Systems Administrator will maintain a parallel test system. Any changes to the Navision system must be requested by the CFO or Controller in writing via a HelpDesk ticket. Non-posting changes will be verified as functioning on the test system before being deployed.

3.2 Any change that will affect posting can only be done by the MBL’s Navision Value Added Reseller (Watkins IT) and will be verified on the MBL test system before being deployed.

4.0 Policy Clarification and Updates:
Policy clarification and updates are available from the Information Technology office.