Change Management


The production environment changes each day, and it is important that the changes users make be tracked to reduce risk and ensure the integrity of catalyst's products.


The addition, deletion, or alteration of state to the configuration, components, software or hardware in production. Additionally, the non- reversible alteration or deletion of customer data.


An Approver is the Business Owner who is accountable and responsible for a resource.

Requesters may request changes for their own accounts subject to the approval of the Business Owner, or they may be requesting a change for another account or system.

Operators are responsible for executing changes, but Operators do not have the authority to approve changes.

One individual should only fulfill two out the following three access roles: Requester, Operator, and Approver (Business Owner).


All changes in the production environment should follow the documented change process. Changes will be categorized with a system.

  • Standard Changes should have an approved and documented procedure with a well understood outcome and appropriate appreciation of risk. They are pre-qualified but not always pre-approved.
  • Normal Changes should follow the full Change Management Process. Normal changes should be individually approved by the Business Owner of the resource and may not be pre-approved.
  • Emergency Changes may be a Standard or Normal Change but will be on an accelerated timeline. Operators should always attempt to follow the full Change Management Process.

Appropriate review of changes shall be conducted with an appreciation of risk. Business Owners will use the review as grounds for approval. The Business Owner, upon review, can approve a documented procedure to transition the activity from a Normal to a Standard Change.


Department Directors are responsible for the regular oversight of their department’s change participation and documentation.

Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.


Exceptions are only expected for sensitive information within a Security Incident. Security Incident exceptions must be documented and approved by the Security Committee.


Owner: Security and Compliance Committee

$Date: 2018-12-13 12:29:08 -0700 (Thu, 13 Dec 2018) $

$Revision: 472629 $

results matching ""

    No results matching ""