FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION
SYSTEM ACCESS CONTROL – USER PROVISIONING
Effective Date: 10/14/2008
To establish a procedure with appropriate reviews in place to ensure proper access to financial systems.
Financial Information Systems are in compliance with DHHS and OIM policies.
A. Designated Approving Authority (DAA). The DAA is the primary government official responsible for allocating resources. The DAA is a senior government executive with the authority to oversee and influence the budget and business operations of the systems under the DAA's jurisdiction.
B. Segregation of Duties. Segregation of duties consists of policies, procedures, and an organizational structure established so that one individual cannot control key aspects of operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
This policy is based on OIM’s requirements for system access control.
FDA Owned Financial Systems
- Ensure all users of the systems are valid users
- Review system privileges
System Owners must make a determination regarding where user access should be revoked, or privileges modified.
The quarterly reviews will be due on the first day of the month in each quarter (March 1, June 1, September 1 and December 1 of each year).
These reviews align closely with the quarterly POA&M reporting.
Non-FDA Owned Financial Systems
Other financial systems not owned by the FDA must follow DHHS guidance with regard to system access.
The System Owner is responsible for conducting quarterly reviews and reporting results to the DAA.
Designated Approving Authority (DAA)
The Deputy CFO of the FDA acts as the DAA (also known as the Authorizing Official) for the FDA. The DAA certifies to the ISSO that the quarterly review activities were accomplished.
System users must have appropriate authorization for each financial system. This access must be authorized by management.
System owners or leads must maintain records to ensure that access is reviewed as required by FDA OIM and DHHS O&M. In addition, system owners/leads must follow segregation of duties when defining roles within their system.
This policy was signed by John P. Gentile, Associate Commissioner for Operations, effective October 14, 2008.
| STATUS (I, R, C) | DATE APPROVED | LOCATION OF CHANGE HISTORY | CONTACT | APPROVING OFFICIAL |
|---|---|---|---|---|
| Initial | 10/14/2008 | N/A | OC/OO/OM/OFM | John P. Gentile, Associate Commissioner for Operations |