Business Owner Policy


Controls and oversight are critical to ensuring that Catalyst is treating the platform and customer data with the care and respect our customers require.


The scope of this document is to establish the role of Business Owners throughout Catalyst, and the duties required of this role.


An Approver is the Business Owner who is accountable and responsible for a resource.

Requestors of Grants should typically be supervisors, and requests are subject to the approval of the Business Owner.

Operators are responsible for executing grants and revokes of access, but Operators do not have the authority to approve user access changes.

One individual should only fulfill two out the following three access roles: Requester, Operator, and Approver (Business Owner).


All recognized resources, including vendors, should have a perceived or defined Business Owner.

Access Grants

By granting access to a resource, Business Owners extend trust to the user who has been approved to access the resource. Business Owners will be accountable for resource access approvals ("grants") that they issue through default roles or on an individual basis.


Business owners should understand who has access to the resources they own. Periodic audits of resources should be maintained by the Business Owner.

Change Approval

Business Owners are responsible for reviewing and approving Standard and Normal changes before the change is executed. Business Owners will verify Emergency changes and give post-change approval for the change to remain in place.

Pre-Approved Changes

Some Business Owners may choose to pre-approve changes. Pre-approval does not negate audit and authorization responsibilities of the Business Owner.


Business Owners are responsible for recognizing risk and new risk pertaining to their resources. Business Owners should maintain risk management plans, and are required to run any perceived New Risk through the risk management process - including new vendors.


Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.


Exceptions are only expected for sensitive information and must be documented and approved by the SCC.


Owner: Security and Compliance Committee

$Date: 2018-07-18 08:18:26 -0600 (Wed, 18 Jul 2018) $

$Revision: 468886 $

results matching ""

    No results matching ""