Information Security


Information Security is intrinsic to the operations of our business. Everyone has a role and responsibility in our security posture.


This policy will govern all resources owned or operated by Catalyst. All Catalyst users are in scope as well.


Users should abide by the regulations set forth in the policies governing the resources managed by Business Owners.

Business Owners are responsible for the resources they administer.

Operators are those users who have rights and training to change system configurations. Operators make the necessary changes to grant or revoke system access, but Operators do not have the authority to approve changes. Operators are responsible for ensuring daily system changes do not create security risks.

Managers and Directors are accountable and responsible for upholding the directives of the company’s policies and ensuring that their staff is compliant.

The Security and Compliance Committee is the governing body of Catalyst’s security program. Please see the Security and Compliance Committee Charter for further details.



The aim of this Information Security policy is to outline the strategy of our Business Operations and Strategy (BOS) and Security and Compliance Committee (SCC), as well as the roles individuals play in that strategy. Catalyst maintains a suite of security and compliance policies; it is not the intention of any of these policies to be completely exhaustive. The policies have been organized to target specific risk areas.

Expectations of the Security and Compliance Committee

It is the expectation of the SCC that all users read, understand, abide by, and uphold all directives of the security and compliance policies. Users are responsible for keeping up to date with policy changes. Security and compliance is the responsibility of all system users and ignorance or negligence of responsibility will not be tolerated at Catalyst.


Questions regarding security and compliance should be directed to the Information Security Manager or a member of the SCC. Users should not hesitate to report any security or compliance concerns.


In the event of an acquisition, employees of the subsidiary company will be classified as "subsidiary employees," and will not sign Catalyst company policies unless a designated integration point is defined. The "subsidiary employees" will be subject to Catalyst policies, compliance, and regulations when acting within Catalyst systems and resources and will otherwise be subject to the subsidiary company's policies.

In the event of Catalyst's acquisition, users will continue to comply by Catalyst security and compliance policies until directed otherwise through the parent company.

Policy Availability

  • All policies will be available to Catalyst users on a company resource.
  • Catalyst security and compliance policies will be updated as needed, and the users will be informed via email when policy updates are made.

Existing Security and Compliance Policies at the time of this update

  • Acceptable Use Policy
  • Access Management Policy
  • Business Owner Policy
  • Bring Your Own Device Policy
  • Change Management Policy
  • Clean Desk Policy
  • Device Management Policy
  • Incident Management Policy
  • Information Security Policy
  • Media Disposal Policy
  • Password Policy
  • Physical Access Management Policy
  • Risk Management Policy
  • Media Handling Policy
  • Vendor Management Policy


Policy violations should be reported to the Information Security Manager or a member of the SCC. Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.

If there is a willful violation of this, or any Catalyst Policy, it will be grounds for termination. The severity of the incident will be documented and reviewed by the SCC.


Exceptions must be documented and approved by the SCC.


Owner: Security and Compliance Committee

$Date: 2018-12-13 12:29:08 -0700 (Thu, 13 Dec 2018) $

$Revision: 472629 $

results matching ""

    No results matching ""