Controls and oversight are critical to ensuring that Catalyst is treating the platform and customer data with the care and respect our customers require.


The scope of this document is to establish the role of Business Owners throughout Catalyst and the duties required of this role.


An Approver is the Business Owner who is accountable and responsible for a resource.

Access Grants should be submitted by an individual's supervisor or higher, or through a documented procedure showing supervisor approval.

Operators are responsible for executing grants and revokes of access, but Operators do not have the authority to approve user access changes.

One individual should fulfill only two out of the following three access roles: Requester, Operator, and Approver (Business Owner).


All recognized resources, including vendors, should have a perceived or defined Business Owner.

Access Grants

By granting access to a resource, Business Owners extend trust to the user who has been approved to access the resource. Business Owners will be accountable for resource access approvals ("grants") that they issue through default roles or on an individual basis.


Business Owners shall understand who has access to the resources they own. Periodic audits of resources shall be maintained by the Business Owner.

Change Approval

Business Owners are responsible for reviewing and approving Standard and Normal changes before the change is executed. Business Owners will verify Emergency changes and give post-change approval for the change to remain in place.

Pre-Approved Changes

Business Owners may choose to pre-approve some standard changes. Pre-approval does not negate the audit and authorization responsibilities of the Business Owner.


Business Owners are responsible for recognizing risk and new risk pertaining to their resources. Business Owners must maintain risk management plans and are required to run any perceived New Risk, including new vendors, through the risk management process.


Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.


Exceptions are only expected for sensitive information and chupacabra attacks. Exceptions should be documented and approved by the SCC.


