This policy establishes under what circumstances individuals can access University-wide financial systems. Access to these systems will be granted only where there are valid business reasons. All financial-systems access requests must originate from tub-appointed Authorized Requestors, and all requests are granted by administrative personnel within Financial Systems Solutions (FSS).
All data and information stored on Harvard’s financial applications is considered confidential and must be handled in accordance with the University’s Enterprise Information Security Policy.
Reason for Policy
Certain Harvard employees and other individuals connected to the University must have access to the University’s financial systems to allow the University to operate efficiently and to enable local units to process University payments and other financial transactions in accordance with risk-control requirements like separation of duties. This policy is necessary to minimize the risks associated with granting access to Harvard’s financial systems.
Who Must Comply
All Harvard University schools, tubs, local units, Affiliate Institutions, Allied Institutions and University-wide Initiatives must comply.
- Identify business need for new or changes to existing systems access. Access to Harvard financial systems is only granted where required by a University business need. Where required by a valid business need, the University permits financial systems access of varying levels to the following four types of financial- systems users:
- Harvard employees
- Temporary Harvard employees (including students with jobs)
- Harvard temporary employees (including students) may be granted access to certain Harvard financial systems in limited situations.
- These individuals are generally not allowed access to the PCard settlement system.
- Affiliated hospital employees
- Affiliated hospital employees may be granted access to Harvard’s financial systems in limited situations. See the Appendix A of this policy for more information.
- Non-Harvard Medical School tubs should note that HMS has done extensive work in the area of establishing procedures for granting systems access to its affiliates. HMS has developed standard forms and agreements that must be signed by the affiliated hospital employees prior to granting financial-systems access. These forms might serve as a model for other tubs with non-Harvard employees requiring financial-systems access.
- Consultants and agency employees
- Consultants and agency employees may be granted access to Harvard’s financial systems in limited situations. These situations are expected to be rare given risks associated with security, maintenance, and monitoring of such activity.
- These individuals are not allowed access to the PCard settlement system.
- Ensure user has a valid HUID. All users of Harvard’s financial systems must have a valid University-issued identification number (HUID), which may be a permanent-employee ID or a temporary ID.
- Send request documenting business need to tub Authorized Requestor (AR).
- All access requests must originate from Authorized Requestors, established in each of the tubs. Refer to the “Responsibilities” and “Definitions” sections of this policy for more information.
- Certain types of access (e.g., University-wide access, access to other tubs’ data) require additional approvals.
- See Appendix B for detailed instructions on how to request, change or terminate access for different types of users.
- Validate user access annually. Each year, Authorized Requestors must review the list of users and their associated access for appropriateness, making changes where needed. Authorized Requestors must sign off on final lists for their respective areas.
Responsibilities and Contacts
Financial deans or equivalent tub financial officers are responsible for ensuring that local units abide by this policy. Tubs are responsible for appointing Authorized Requestors, and for ensuring that local financial-systems users are adequately trained, have appropriate systems security privileges, and are aware of and compliant with the University’s Enterprise Information Security Policy. In particular, tubs granting access to non-employees (i.e., students, post-docs or third-party employees) must ensure that the access granted to such individuals is necessary to assist Harvard employees in performing administrative tasks. Tubs must periodically review local users who have been granted system access, and change, grant, or delete access as appropriate.
Authorized Requestors are responsible for requesting financial-systems access for a certain group of individuals within a tub or for individuals across an entire tub, depending on local tub policies and procedures. Authorized Requestors must determine the minimum level of system access necessary for each designated user to perform his or her required job duties. Authorized Requestors must send all requests directly to Financial Systems Solutions (FSS) using established practices, and must maintain documentation to support those requests.
Financial Systems Solutions (FSS) is responsible for responding to tub Authorized Requestor requests for financial-systems access, and for regularly monitoring active financial-systems users for appropriateness of system access, using employee-termination data and other information. Contact: http://vpf-web.harvard.edu/fss/ or 617-496-2001
Affiliated Hospital Employee: An individual who performs Harvard business but who is paid by one of the affiliated Harvard hospitals. The affiliated hospital employee (or “affiliate”) must have a special ID number issued by Harvard University Identification and Data (HUID) Services for the purpose of logging into the financial systems. Note: Harvard affiliate institutions other than affiliated hospitals, whose workers are not Harvard employees, may apply this policy to their own employees. Affiliate institutions in this situation should follow the guidelines related to affiliated-hospital employees when applying this policy.
Agency Employee: Worker hired on a short-term basis from an employment agency; must have a special ID number issued by Harvard University ID Services for the purpose of logging into the financial systems.
Authorized Requestor: Tub financial dean or designee responsible for determining user security access in their tub. Financial Systems Solutions (FSS) will not accept any user security request unless it originates from an Authorized Requestor.
Consultant: An independent contractor or individual representing a firm providing services for Harvard; must have a special ID number issued by Harvard University ID Services for the purpose of logging into the financial systems.
Harvard Employee: An individual with an active job record or appointment in Harvard’s PeopleSoft (PS) Human Resources Management System (HRMS) and a valid Harvard University ID number, including Less than Half Time employees (LHT). Employees generally receive some form of benefits such as pension, medical, dental, vacation, sick days, etc.
Harvard University ID Number (HUID #): A unique eight-digit identification number generated by Harvard’s PeopleSoft (PS) Human Resources Management System (HRMS) or the HIRES system. Most degree students also have identification numbers issued by HUID services.
Temporary Harvard Employee: An individual with a job record in Harvard’s PeopleSoft (PS) Human Resources Management System (HRMS) and a valid Harvard University ID number. This definition includes Harvard and non-Harvard students with jobs. This group generally does not receive employee benefits. Payroll is driven by hours submitted each week.
University-wide Financial Systems: For purposes of this policy, University-wide financial systems include the Oracle E-Business Suite, the Grants Management Application Suite (GMAS) and the Harvard University Budgeting System (HUBS). Note that PeopleSoft is a Human Resources system; contact HR for information on PeopleSoft access.
6/30/2013: Updated format