H.2.1 Accounting System Security
Marine Biological Laboratory
Policy No. H.2.1
Initiated by: Director of Information Technology
Approved by: MBL Director
Revision: #3 October 27, 2025
Distribution: MBL Community
1.0 Policy Statement
The MBL’s financial system (NetSuite) is a critical data asset and must employ the highest level of access controls.
2.0 General Access
- 2.1 Employees who are on MBL payroll will be granted NetSuite access at the time of hire.
- 2.2 All users are required to use a complex password and multi-factor authentication (MFA) to access the financial system.
- 2.3 MBL employees with a @mbl.edu email will authenticate using the MBL Single Sign-On system. All other users will use authentication built into the financial system.
3.0 Roles
- 3.1 Users are assigned one or more roles that are made up of permissions that determine the pages a user can see in the user interface and the tasks that can be completed.
- 3.2 Financial Services may create a new role in partnership with IT.
- 3.3 All users are assigned, at a minimum, the MBL Employee Center – Basic role.
- 3.4 Roles with additional access are based on job function and may be requested by a user’s supervisor. Approval is required from all parties as defined by the matrix below, and will be tracked in the Help Desk ticketing system.
| | Requestor | Supervisor Approval | Business Unit Leader Approval* | Financial Services Approval** |
|---|---|---|---|---|
| Requesting Full License | Supervisor | Yes | Yes | Yes |
| Requesting Basic License | Supervisor | Yes | Yes | No |
| Requesting Role 1 Access | Supervisor | Yes | No | No |
| Requesting Role 2 Access | Supervisor | Yes | No | Yes |
| Requesting Role 3 Access | Supervisor | Yes | Yes | Yes |

* Based on the budget manager within NetSuite
** CFO or Controller
4.0 Financial System Integrity – System Modification and “Change Control” Process
- 4.1 The MBL will maintain a parallel test system. Any changes to the financial system must be requested by the CFO or Controller in writing via an MBL Help Desk ticket or through MBL’s authorized financial system support partners’ system. Non-posting changes will be verified as functioning on the test system before being deployed.
- 4.2 Any change that will affect posting can only be done by the MBL’s authorized financial system support partners and will be verified on the test system before being deployed.
5.0 Policy Clarification and Updates:
Policy clarification and updates are available from the Information Technology office.