Information Security


Information Security is intrinsic to the operations of our business. Everyone has a role and responsibility in our security posture.


This policy will govern all resources owned or operated by Catalyst. All Catalyst users are in scope as well.


Users must abide by the regulations set forth in the policies governing the resources managed by Business Owners.

Business Owners are responsible for the resources they administer.

Operators are those users who have rights and training to change system configurations. Operators make the necessary changes to grant or revoke system access, but they do not control if users should be granted access or not. Operators are responsible for ensuring daily system changes do not create security risks.

Managers and Directors are accountable and responsible for upholding the directives of the company’s policies and ensuring that their staff is compliant.

The Security and Compliance Committee is the governing body of Catalyst’s security program. Please see the Security and Compliance Committee Charter for further details.



The aim of this Information Security policy is to outline the strategy of our Business Operations and Strategy (BOS) and Security and Compliance Committee (SCC), as well as the roles individuals play in that strategy. Catalyst maintains a suite of security and compliance policies; it is not the intention of any of these policies to be completely exhaustive. The policies have been organized to target specific risk areas.

Expectations of the Security and Compliance Committee

It is the expectation of the Security and Compliance Committee that all users read, understand, abide by, and uphold all directives of the information security policies. Users are responsible for keeping up to date with policy changes. Information security is the responsibility of all system users and ignorance or negligence of responsibility will not be tolerated at Catalyst.


Questions regarding security and compliance should be directed to the Information Security Manager or a member of the SCC. Users should not hesitate to report any security or compliance concerns.


In the event of an acquisition, employees of the subsidiary company will be classified as "subsidiary employees," and will not sign Catalyst company policies unless a designated integration point is defined. The "subsidiary employees" will be subject to Catalyst policies, compliance, and regulations when acting within Catalyst systems and resources and will otherwise be subject to the subsidiary company's policies.

Policy Availability

  • All policies will be available to Catalyst users on a company resource.
  • Catalyst security and compliance policies will be updated as needed, and the users will be informed via email when policy updates are made.

Existing Policies at the time of this update

  • Acceptable Use Policy
  • Access Management Policy
  • Business Owner Policy
  • Bring Your Own Device Policy
  • Change Management Policy
  • Device Management Policy
  • Incident Management Policy
  • Information Security Policy
  • Media Disposal Policy
  • Password Policy
  • Physical Access Management Policy
  • Risk Management Policy
  • Media Handling Policy
  • Vendor Management Policy


Policy violations should be reported to the Information Security Manager or a member of the SCC. Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.

If the SCC identifies a willful violation of this, or any Catalyst Policy, it will be grounds for termination. The severity of the incident will be documented and reviewed by the SCC.


Exceptions must be documented and approved by the SCC.


Owner: Security and Compliance Committee

$Date: 2018-07-18 08:18:26 -0600 (Wed, 18 Jul 2018) $

$Revision: 468886 $

results matching ""

    No results matching ""