U.S. Department of Health and Human Services

SMG 2350.3

FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION

FINANCIAL MANAGEMENT

FINANCIAL INTEGRITY

SYSTEM ACCESS CONTROL – USER PROVISIONING

Effective Date: 10/14/2008

 1. Purpose
 2. Background
 3. Definitions
 4. Policy
 5. Responsibilities
 6. Effective Date
 7. History

1. PURPOSE 

To establish a procedure with appropriate reviews in place to ensure proper access to financial systems.

2. BACKGROUND 

Financial Information Systems are in compliance with DHHS and OIM policies.

3. DEFINITIONS 

A. Designated Approving Authority (DAA). The DAA is the primary government official responsible for allocating resources. The DAA is a senior government executive with the authority to oversee and influence the budget and business operations of the systems under the DAA's jurisdiction.

B. Segregation of Duties. Segregation of duties refers to policies, procedures, and an organizational structure established so that one individual cannot control key aspects of operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

4. POLICY 

This policy is based on OIM’s requirements for system access control.

FDA Owned Financial Systems

  • Ensure all users of the systems are valid users
  • Review system privileges

System Owners must make a determination regarding where user access should be revoked, or privileges modified.

The quarterly reviews will be due on the first day of the month in each quarter (March 1, June 1, September 1 and December 1 of each year).

These reviews align closely with the quarterly POA&M reporting.

Non-FDA Owned Financial Systems

Other financial systems, not owned by the FDA, must follow DHHS guidance regarding system access.

5. RESPONSIBILITIES 

System Owner

The System Owner is responsible for conducting quarterly reviews and reporting results to the DAA.

Designated Approving Authority (DAA)

The Deputy CFO of the FDA acts as the DAA (also known as the Authorizing Official) for the FDA. The DAA certifies to the ISSO that the quarterly review activities were accomplished.

System Users

System users must have appropriate authorization for each financial system. This access must be authorized by management.

System Owners/Leads

System owners or leads must maintain records to ensure that access is reviewed as required by FDA OIM and DHHS O&M. In addition, system owners/leads must follow segregation of duties when defining roles within their system.

6. EFFECTIVE DATE 

This policy was signed by John P. Gentile, Associate Commissioner for Operations, effective October 14, 2008.

 7. Document History -- SMG 2350.3, System Access Control - User Provisioning

| STATUS (I, R, C) | DATE APPROVED | LOCATION OF CHANGE HISTORY | CONTACT | APPROVING OFFICIAL |
|---|---|---|---|---|
| Initial | 10/14/2008 | N/a | OC/OO/OM/OFM | John P. Gentile, Associate Commissioner for Operations |