Access Management Policy


Catalyst desires to exhibit control over the appropriate levels of access to our resources.


This policy will govern resources and access. All users are included in the scope.


Requestors must follow established procedures for submitting access requests.

Operators are responsible for executing grants and revokes of access, but Operators do not have the authority to approve user access changes.

One individual should only fulfill two out of the following three access roles: Requestor, Operator, and Approver (Business Owner).


Catalyst operates on the principle of least privilege: access is granted only to the information and resources that are necessary for a user's legitimate business purpose.

All Access Changes

All Access Changes should be documented requests using the company ticketing system and submitted according to the current company process.

Granting Access to Resources

Access "grants" are defined as applying new permissions to an account that will allow access to a resource. Approved access is implemented by Operators of the resource.

  • Access to a resource can only be granted by the defined Business Owner.
  • All resource grants should have a valid business purpose and should specify a time frame for the access: indefinite or temporary.
  • Access Grants should be submitted by an individual's supervisor or higher, or through a documented procedure showing supervisor approval.

Revoking Access to Resources

To revoke access is to remove a user's privilege to access a resource.

  • Access revokes do not need Business Owner approval.
  • User Departures: access to critical resources should be revoked within one business day of a voluntary termination and at the time of exit for non-voluntary terminations.


Access audits will be conducted as part of the Risk Management program, and exceptions will be reviewed for remediation opportunities.

Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.

Department Directors are responsible for the regular oversight of their department's access management participation and documentation.


Exceptions should be well documented and approved by the SCC where possible.


Owner: Security and Compliance Committee

$Date: 2018-12-13 12:29:08 -0700 (Thu, 13 Dec 2018) $

$Revision: 472629 $
