Welcome to Six Star IT Managed Services Support!


A warm welcome to your team from ours!

You have now joined Six Star's support services.  So we'd like to introduce ourselves properly, and let you know how to get the best from what we have to offer.

 

The reason behind Six Star was simple:

We had been working in the Hospitality IT Industry, and became frustrated by the practices and service levels of the players in the European market. We felt that Hospitality companies and investors weren't receiving the service they demanded, expected, and deserved. This was a problem for the industry, but also ourselves. We were putting our hard-earned reputations on the line, working with, working for, and recommending companies that ultimately didn't provide the level of service that we demanded from ourselves.

This started to cause us problems, so: Six Star was founded on 31st May 2016 by Pawel Wolowski, Rich Stakounis, and Andrew Knight.

 

Our Mission:

To provide the highest levels of support and customer service to the Hospitality Industry across Europe.

 

Our Strategy:

A few bullet points on our strategy:

  • We are determined to make sure the customer always comes first.
     
  • If mistakes are made by us (and they will be!), we will do whatever it takes to put it right, and take whatever steps necessary to learn from our experiences.
     
  • We will always create, build, and improve our tools, systems and processes in order to make our services better. If a task can be automated, then we will automate it. We will examine, on a regular basis, every customer support ticket that comes in to establish why it was raised. If there is anything we can do to stop the flow of similar tickets, either with User documentation, User training, or remedial works, we will undertake these actions in order to minimise the need for our customers to contact us for support.

 

If you have any comments, ideas, or just want to talk, EVERYONE at Six Star has an open door policy. Just drop us a line!

Thank you for joining our very special team, and good luck on your journey with us!

 

Kindest regards

The Six Star Team

Quick Start Guide

Six Star is a Managed Service & Support partner for your business.  Whilst some of your IT systems will be supported by the companies that install them, Six Star are happy to try to engage with you as an 'integrator' of these systems and guide you to the correct support channels.

For your PCs and core systems, that's us!  So get in touch if you have a problem and we'll do our best to help.

We ask that you either use the online portal or email us in the first instance, and only call under the circumstances below.  This helps us to route issues to the correct engineers more efficiently, which helps us solve your issues sooner!


Get Support


ONLINE: https://sixstar.global/support

Our online portal will allow you to raise and view tickets, raise service requests, order hardware and services and more.

EMAIL: support@sixstar.global

You can send us an email and instantly receive a ticket number in your mailbox. Please provide as much detail of your issue in writing as possible.

CALL: UK: +44 203 745 6063 | EU: +31 20 703 8322 | USA: +1 866 766 7401

If your issue is complex, time-sensitive, or business critical we ask that you call us.


Resources to assist you

Six Star have put together a Customer Resources area where you can view, download, share, print, or order copies of various materials such as the Infographic below.  We find that it can be useful for you and your colleagues to put these around your working environment so that on the rare occasion you need assistance, you have the guides handy. Have a read of the infographic, and then take a look at https://sixstar.global/customerresources.

Global Service Delivery Catalogue

The document below represents the current Service Delivery Catalogue as referenced in our Global Managed Services Agreements and Proposals.

 

Terms & Conditions of Business

The documents below represent Six Star Global's current Terms and Conditions of Business.

 
EU Terms and Conditions of Business

Please view this document if your contract entity is based in the EU.

USA Terms and Conditions of Business

Please view this document if your contract entity is based in the USA.

Asia Terms and Conditions of Business

Please view this document if your contract entity is based in Asia.

 

Data Protection & Privacy Policy

1. Introduction

Six Star Alliance Ltd (UK), Six Star Global Inc (USA), Six Star Netherlands B.V., and Six Star Hospitality Ltd (Singapore) T/A Six Star Global, (the Company) processes the personal data of living individuals such as its staff, students, contractors, research subjects and customers. This processing is regulated by the General Data Protection Regulation (GDPR). The UK’s regulator for the DPA and GDPR is the Information Commissioner’s Office (ICO).

The Company is registered as a Data Controller with the ICO and is responsible for compliance with the GDPR and DPA.

 

1.1 Key Definitions

The DPA and GDPR contain a number of key definitions which are referenced in this policy, such as ‘personal data’, ‘processing’ and ‘Data Controller’. Those definitions are set out in Annex A.

 

1.2 Purpose and Objectives of Policy

This policy sets out the Company's commitment to comply with the General Data Protection Regulation (‘the GDPR’).

 

1.3 Scope and Status of the Policy

This policy applies to all Company staff, students and others who use or process any personal data. This policy applies regardless of where personal data is held or the equipment used, if the processing is for the Company's purposes. Further, the policy applies to all personal data, sensitive personal data or special category data held in any form, whether manual paper records or electronic records.

 

2. Roles and Responsibilities


Executive

The Executive team of the Property's Operating company is responsible for approval of the Policy.

General Manager

The General Manager is responsible for strategic level implementation of the policy, oversight of compliance with the policy and reporting identified risks to the Board.

Information Asset Owners

The Company will appoint Information Asset Owners (IAOs) with local responsibility for data protection compliance for personal data processed in their area.

Information Asset Managers

The Company will appoint Information Asset Managers who will hold local responsibility for data protection compliance processed within their teams. A list of the IAOs and IAMs can be accessed here.

Data Protection Officer

The Company’s Data Protection Officer (DPO) is primarily responsible for advising on and assessing the Company’s compliance with the DPA and GDPR and making recommendations to improve practice in this area. Further, the DPO acts as the Company’s primary point of contact for DPA and GDPR matters.

Legal Services

Legal Services are responsible for providing advice, support and guidance in relation to day-to-day data protection matters.

All staff

All staff, including permanent staff, fixed term contractors and temporary workers, must comply with this Policy and the GDPR whenever processing personal data held by the Company or on behalf of the Company.

Contractors and Consultants

Third parties such as consultants, contractors or agents undertaking work on behalf of the Company involving personal data must adhere to the Company’s Data Protection Policy and comply with the GDPR. Provision will be made in contracts with external providers to ensure compliance with this Policy, the DPA and GDPR.

 

3.0 Compliance with the GDPR

The Company will implement, and monitor annual completion of, mandatory Data Protection training for all staff. The content of that training will be reviewed annually.

 

3.1 Privacy By Design

The Company will implement a Privacy By Design Approach to processing personal data through integrating Privacy Impact Assessments into business processes and projects.

 

3.2 Security

The Company will protect the security of personal data by maintaining, and monitoring compliance with the Company’s Information Security Policy and Information Classification Scheme.

 

3.3 Record Keeping & Retention

The Company will maintain a Records Retention and Disposal Schedule setting the periods for which records containing personal data are to be retained.

 

3.4 External Contractors and International Transfers

The Company will enter into legally binding contracts with external bodies where those bodies are engaged to process personal data on our behalf. The Company will implement adequacy arrangements where transferring any personal data outside of the European Union.

 

3.5 Other Third Party Access

The Company will only disclose personal data to third parties such as the police, central government and other education institutions where there is a lawful basis for doing so and appropriate arrangements are in place with those parties.

 

3.6 Internal Sharing

The Company will seek to ensure that personal data is only shared across different teams, divisions or faculties where those areas have a business need for accessing that data.

 

4.0 Data Subject Rights

The Company will comply with requests from an individual to exercise their rights under the GDPR. All individuals have the right to be informed what information the Company holds about them and to request copies of that information. This is known as a Subject Access Request. Any individual wishing to submit a Subject Access Request should contact their representative from the Company.

Under the DPA and GDPR, individuals also have the following rights in relation to their personal data:

  • The right to request their personal data is rectified if inaccurate
  • The right to request erasure of their personal data
  • The right to request that the processing of their personal data is restricted
  • The right of portability in relation to their personal data
  • The right to object to the processing of their personal data
  • The right to object to processing which involves automated decision-making or profiling.

Individuals who wish to exercise the above rights should contact the Company’s Data Protection Officer via the contact details at the top of this policy. Individuals should submit their request in writing and specify exactly what personal data and/or processing they are referring to and which right they wish to exercise. If you are seeking access to your personal data (i.e. making a ‘Subject Access Request’) then you may find it helpful to complete the Company’s Access to Information Form (Data Protection) and send this to Legal Services at the email address at the top of this policy.

Any Subject Access Request, or any request from an individual to exercise the above rights under the DPA and GDPR, received by a staff member must be forwarded to Legal Services immediately. All staff are responsible for cooperating with Legal Services to ensure that the Company can comply with an individual’s request under the DPA and GDPR within the statutory timescales.

 

5.0 Own Personal Data

All staff are responsible for checking that information they provide to the Company in connection with their employment is accurate and up to date. Any changes to personal data provided (e.g. change of address) must be promptly notified, in writing, to the Company. The Company cannot be held responsible for errors unless the member of staff has properly informed the Company about them.

 

6.0 Personal Data Breaches

The Company will respond promptly to any identified personal data breaches and thoroughly investigate those incidents to ascertain whether:

  • The breach should or must be reported to the ICO;
  • Data subjects should or must be made aware of the breach; and
  • It is necessary to amend processes or introduce new measures to mitigate against any further breaches.

Any staff member who knows or suspects that an actual or potential personal data breach has occurred must immediately notify Legal Services. All staff are responsible for fully engaging and cooperating with Legal Services in relation to their investigation of a personal data breach.

 

7.0 Compliance

Compliance with this Policy and the GDPR is the responsibility of all members of staff. Employees must comply with the rules and procedures made by the Company. Any breach of the policy by a member of staff may result in disciplinary action. Serious or deliberate breaches of the DPA can result in a criminal prosecution.

Any breach of the GDPR by the Company may result in a substantial fine or actions imposed upon the Company by the ICO.

 

8.0 Further Information

Questions about the interpretation or operation of this policy should be taken up in the first instance with the Data Protection Officer. Any individual who considers that the Policy has not been followed in respect of personal data about themselves should also raise the matter with the Company’s Data Protection Officer.

Further information about GDPR can be found on the Information Commissioner’s Office (ICO) website. Further guidance for staff can be found on the Company’s Data Protection website.

 

Annex A - Key Definitions

  1. ‘Personal Data’ means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. Under the GDPR, the definition of personal data explicitly extends to IP addresses.

  2. ‘Sensitive Personal Data’ means information about an individual’s ethnicity, political opinions, their religious beliefs or other beliefs of a similar nature, membership of a trade union, disability, sexual orientation, the commission or alleged commission by them of any criminal offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

  3. Under the GDPR, the term ‘sensitive personal data’ is replaced by the definition ‘special category data’, which means any personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and their genetic or biometric data.

  4. ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, use, disclosure or storage of personal data.

  5. ‘Data Controller’ means the organisation which, either alone or jointly with another organisation, determines the manner and purpose of the processing of personal data. The Data Controller is responsible for compliance with the DPA and GDPR.

  6. ‘Data Processor’ means an organisation (such as a contractor) which processes personal data on behalf of a Data Controller.

  7. ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

SSG - Client Information Systems Security Policy

Information Security Policy and Standards

This document contains the information security policy and standards as they apply to Six Star Global (SSG) Managed and/or Supported properties.

SSG maintains a hierarchy of information security policy and standards documentation.

This document describes “what needs to be done”. It is not intended to be a detailed step by step procedural document. SSG strongly recommends that standard operating procedures are developed to document “how things are done” within each client property. If possible the work to develop standard operating procedures should be led by the Hotel Management teams. Where technically feasible, information systems should be managed consistently, using the same procedures, tools, and utilities.

PCI DSS Compliance

In addition to the standards contained in this document there are a set of requirements detailed in a third party document called the Payment Card Industry Data Security Standard (PCI DSS) that also apply to each cardholder data environment. The hotel must maintain an up to date description of the local cardholder data environment as it relates to PCI DSS compliance. A cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.

The PCI DSS security requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment.

“Cardholder data” in the context of PCI refers to the full Primary Account Number (PAN), the cardholder name, and the expiry date.

“Sensitive authentication data” in the context of PCI refers to the contents of the magnetic stripe, the contents of the embedded chip, the security code, and the PIN.

Compliance with the controls in this document leads towards compliance with PCI DSS. 

Organisational Responsibilities

The hotel General Manager has overall responsibility for ensuring that the policies and standards listed in this document are implemented and adhered to at a local level.

If the hotel makes use of services provided centrally by the hotel Brand, the hotel General Manager is responsible for confirming that the services provided meet or exceed the requirements in this document.

It is expected that confirmation will usually be in the form of written documentation from the brand detailing the services provided centrally. The General Manager is responsible for ensuring that all information security requirements not met by services provided centrally by the brand or SSG are met by services provided at a local level.

If services are provided to the hotel by an external party the hotel General Manager is responsible for ensuring the services provided are in line with or exceed the requirements set out in this document.

The responsibility for day to day activities in support of the policies may be delegated to hotel nominated individuals such as the

Information Systems / Technology Manager (if the post exists), the Finance Lead or the Front Office Manager. Throughout this document these nominated individuals are referred to using the term IS Manager (or equivalent).

The term IS Manager (or equivalent) should be taken to mean the person or persons with day to day responsibility for Information Systems in the hotel irrespective of their official job title.

Managers must ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.

Records should be maintained in support of any work carried out relating to compliance with the information security policies and standards. In addition to being good business practice, these records will help the hotel during any audit process. For example, where a regular review of system accounts is required, keep a record of what was checked and when this was done.   

Information Classification

Information created, stored or processed by the brand's managed entities shall be classified according to the following classification scheme:

• Unrestricted

• Confidential

• Restricted

Classification of an item of information may change over time.

All colleagues must consider information to be governed by the principle of “need-to-know”. Unless an individual has reason to access information in the performance of his or her defined job duties, access should be denied.

Colleagues shall not disclose Confidential or Restricted information to anyone who is not authorised to have it. This includes disclosure through oral and written means, whether electronic or otherwise.

 

Information Handling - Unrestricted Information

Unrestricted information is information that is freely available to the general public, or whose release will not cause any harm to the hotel operator/owners.

Examples of Unrestricted information include marketing literature, annual reports, and other materials specifically created by the marketing department for public release.

Unrestricted information may also be referred to as “Public” which is the previous nomenclature for this classification level.

The following procedures for information labelling and handling must be followed for Unrestricted information:

a) There are no special handling or disposal requirements for Unrestricted information and no classification identification markings are required.

 

Information Handling - Confidential Information

Confidential information is information whose unauthorised disclosure, compromise or destruction may directly or indirectly have an adverse impact on the owners/operators, its brands, stakeholders, customers or employees.

It includes all internal business correspondence, records and information created in the normal course of business, and all Personal Data not classified as Restricted.

The following procedures for information labelling and handling must be followed for Confidential information:

a) All non-marked material, which is not Restricted Information, should be treated as Confidential until it is confirmed as Unrestricted information.

b) Confidential Information should be marked “Confidential” before being distributed or exposed to a non-brand party and then only under an approved non-disclosure or similar agreement.

c) Printed Confidential information must be destroyed in a manner to reasonably prevent the misappropriation or other unauthorised use of the Confidential information. Examples include shredding or using a secure document disposal facility provided by a reputable third party.

d) Confidential information must be stored in a secure manner.   

 

Information Handling - Restricted Information

Confidential information is information whose unauthorised disclosure, compromise or destruction may directly or indirectly have an adverse impact on the owners/operators, its brands, stakeholders, customers or employees.

It includes all internal business correspondence, records and information created in the normal course of business, and all Personal Data not classified as Restricted.

The following procedures for information labelling and handling must be followed for Confidential information:

a) All non-marked material, which is not Restricted Information, should be treated as Confidential until it is confirmed as Unrestricted information.

b) Confidential Information should be marked “Confidential” before being distributed or exposed to a non-owner/operator party and then only under an owner/operator-approved non-disclosure or similar agreement.

c) Printed Confidential information must be destroyed in a manner to reasonably prevent the misappropriation or other unauthorised use of the Confidential information. Examples include shredding or using a secure document disposal facility provided by a reputable third party.

d) Confidential information must be stored in a secure manner.

 

Information handling - Mixed Information

If a system contains information in more than one sensitivity classification, it shall be treated according to the classification needed for the most sensitive information on the system (for example, Confidential information mixed with Restricted information shall be treated as if all such information was Restricted). 

 

System Classification

Throughout this document, reference is made to critical or sensitive information systems.

Critical systems are those vital to the ongoing operation of the hotel. If one of these systems were unavailable it would affect the ability of the hotel to cater for guests or to manage its business. In addition to the major systems, there may be individual items, such as a printer on the Front Desk, which are classified as critical.

Sensitive systems are those that contain information that is classified as either Confidential or Restricted.

System components in scope for PCI DSS are classified as sensitive.

Some systems, such as the Property Management and Point of Sales (POS) systems, would be classified as critical and sensitive.  

Human Resources

All candidates for positions that include administrative level access to systems, applications, databases, or network resources should have their background verified consistent with regional standards.

The background check should include verification of:

a) Professional references;

b) Accuracy of the applicant's resume or curriculum vitae (CV) as relevant to the position applied for;

c) Confirmation of claimed academic and professional qualifications relevant to the position applied for;

d) An independent identity verification (passport or similar document); and

e) A check of relevant criminal records.

All information collected for screening purposes must be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction.

Colleagues who either maliciously or through negligence of assigned duties have committed a security breach are subject to a formal disciplinary process.

In serious cases of misconduct, as determined by the Human Resources Department and/or the General Manager, the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.

Unauthorised access, misuse, or fraudulent actions relating to guest credit card information shall be grounds for disciplinary action up to and including termination of employment.

Any fraudulent or criminal activity must be referred to the brand's Risk Management and to enforcement authorities for prosecution and full cooperation should be given to the authorities.   

Asset Management

All information assets shall be clearly identified and an inventory of all production assets maintained.

The asset inventory should include all information necessary to manage the asset through its complete lifecycle.

Information assets that must be tracked include:

a) Physical assets: computer equipment, communications equipment, mobile devices, information backup media;

b) Software assets: application software, system software, development tools, and utilities;

c) Information: databases, contracts and agreements, system documentation, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archive materials; and

d) Services contacts: contact information for computing and communications services.

The hotel/SSA must maintain an up to date network diagram including all connections to “untrusted” networks including wireless networks, and connections to “trusted” networks under alternate management.

An “untrusted” network is any network that is external to the networks belonging to the hotel and/or which is out of the hotel’s ability to control or manage. Examples of “untrusted” networks include the Internet, networks provided for guest or public use, and any wireless network in the hotel irrespective of whether it is provided for guest or colleague use.

The diagram must include the date it was last updated and the name of the colleague who performed the update.

Access Control

Accounts created to grant access to information systems shall be classified according to the following classification scheme

• User

• Admin

• Service

A User account is designed for day to day working and carries no enhanced privileges.

An Admin account is a secondary account assigned to an individual requiring enhanced system access privileges.

A Service account is designed to enable automated system to automated system communication.

The use of a built in administrative account such as Windows “Administrator” and Unix “root” must be restricted to emergency situations.

Any use of such an account must be documented and subjected to review by the system owner.

Access to hotel information systems is strictly controlled through a formal process for granting and revoking access.

Access is granted only to those individuals with an authorised business need and only for the duration of that business need.

The level of access granted to an individual shall be commensurate with the requirements of their job. Only the minimum rights required to carry out their duties shall be granted.

Access to critical or sensitive information systems must be either via a unique ID protected by a strong password or an individually assigned access card. Passwords shall not be written down, divulged or shared between users.

Requests for access are to be documented and approved by the requesting user’s line manager. The IS Manager (or equivalent) shall only act on documented and approved requests.

Access to hotel information systems shall be granted only by the IS Manager (or equivalent). No other individuals shall have the ability to grant or amend access to systems.

The personnel function are to notify the IS manager (or equivalent) as soon as a colleague leaves or transfers to another department so that access can be revoked or amended accordingly. The easiest way to facilitate this is to require all leavers to have their termination form (ref: 12.2.11) signed by the IS manager (or equivalent) prior to leaving the hotel. This will prompt the IS manager (or equivalent) to ensure system access is removed.

Access must be removed or blocked without unnecessary delay for terminated users.

Access rights no longer required must be revoked without unnecessary delay.

The IS Manager (or equivalent) must carry out a periodic check, with once per month being the minimum requirement, for accounts no longer required or authorised. For example due to employee termination, contractor expiry, or automated system removal.

The IS Manager (or equivalent) must carry out a periodic check, with once per month being the minimum requirement, for Admin and Service accounts to ensure that all such accounts are correctly authorised.

Access controls for Information Systems shall be configured to support the following password standards:

• At least eight (8) characters in length

• Consisting of a combination of upper case letters, lower case letters, numbers and other special characters (no fewer than three categories required)

• Does not mirror the user’s user-ID

• Does not include the user’s first, middle or last name

• Changed at least once every ninety (90) days

• Lock out after no more than six (6) invalid log-in attempts. The account must remain locked out for a minimum of thirty (30) minutes or until the system administrator resets the account.

These password standards apply to all User level access and accounts, whether or not a system has the technical capability to enforce the standards automatically. In the absence of technical enforcement, hotels are expected to have a process to manually implement these standards.

Before a new, replacement or temporary password is provided, the identity of the user being supplied the password must be validated.

Temporary passwords shall be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages shall be avoided.

Temporary passwords must be unique to an individual and must be unrelated to the user ID and to any other easily guessable information.

Temporary passwords must be set to expire on first use.

Admin, administrator, supervisor, or super user accounts must only be used by the IS Manager (or equivalent) and then only when required and not used for normal day to day working.

In situations where a system has only one administrator, that administrator must establish a password escrow procedure with Information Security & Compliance so that, in the absence of the administrator, someone else can gain authorised emergency access to the administrator account. The Regional Global Technology teams shall remain as the point of contact for hotels.

Passwords for Admin, administrator, supervisor, or super user accounts must be:

• At least fifteen (15) characters in length

• Consisting of a combination of upper case letters, lower case letters, numbers and other special characters (no fewer than three categories required)

• Does not mirror the user’s user ID

• Does not include the user’s first, middle or last name

• Changed at least once every ninety (90) days

• Lock out after no more than six (6) invalid log-in attempts. The account must remain locked out for a minimum of thirty (30) minutes or until the system administrator resets the account.

Admin, administrator, supervisor, or super user accounts when finished with should be signed out/logged off. If this is not possible the screen shall be locked with a screen saver which requires the account password to unlock it.

Service accounts must be dedicated solely to their business purpose and not used for interactive log-on by system administrators or other users.

Controls must be in place to prevent and to detect the misuse of a service account.

All service accounts must have appropriate logging of account activity. Service account usage must be reviewed by the service account holder at least every 30 days.

All service account passwords must be at least thirty (30) characters in length. As service accounts are not used for interactive log-on, the password may be significantly longer than someone could be expected to remember.

Passwords for Service accounts must be changed at least once every twelve (12) months.
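The User, Admin and Service password standards above, together with the six-attempt / thirty-minute lockout rule, as an added example of how a system or a manual checking process could apply them (not Six Star's own code). The interpretation of "does not mirror the user ID" as a case-insensitive containment check is an assumption.

```python
"""Password standard and lockout checks from the access control section.
Added example; thresholds are the ones the standard states."""
from datetime import datetime, timedelta

MIN_LENGTH = {"user": 8, "admin": 15, "service": 30}   # characters, per account type
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_PERIOD = timedelta(minutes=30)


def character_categories(password):
    """Return the set of categories present: upper, lower, digit, special."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        else:
            cats.add("special")
    return cats


def check_password(password, user_id, names, account_type="user"):
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if len(character_categories(password)) < 3:
        problems.append("fewer than three character categories")
    lowered = password.lower()
    # Assumption: "mirrors the user ID" means the ID appears in the password, ignoring case
    if user_id and user_id.lower() in lowered:
        problems.append("mirrors the user ID")
    for name in names:
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    return problems


class LockoutTracker:
    """Counts consecutive invalid log-in attempts per account and enforces the lockout."""

    def __init__(self):
        self.failed = {}      # user_id -> consecutive failures since last success/reset
        self.locked_at = {}   # user_id -> time the lockout began

    def is_locked(self, user_id, now):
        started = self.locked_at.get(user_id)
        return started is not None and now - started < LOCKOUT_PERIOD

    def record_failure(self, user_id, now):
        """Record an invalid attempt; return True if the account is (now) locked."""
        if self.is_locked(user_id, now):
            return True                      # still inside the lockout window
        if user_id in self.locked_at:        # earlier lockout has expired: count afresh
            del self.locked_at[user_id]
            self.failed[user_id] = 0
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked_at[user_id] = now
            return True
        return False

    def record_success(self, user_id, now):
        """A correct password must not log in while locked; otherwise clear the counters."""
        if self.is_locked(user_id, now):
            return False
        self.failed.pop(user_id, None)
        self.locked_at.pop(user_id, None)
        return True

    def admin_reset(self, user_id):
        """The system administrator may end a lockout before 30 minutes have passed."""
        self.failed.pop(user_id, None)
        self.locked_at.pop(user_id, None)


def simulate_lockout():
    """Walk one account through the lockout rule with constructed timestamps."""
    tracker = LockoutTracker()
    t0 = datetime(2024, 5, 15, 9, 0)
    first_five_open = all(not tracker.record_failure("jsmith", t0 + timedelta(seconds=i))
                          for i in range(5))
    sixth_locks = tracker.record_failure("jsmith", t0 + timedelta(seconds=5))
    locked_at_29min = tracker.is_locked("jsmith", t0 + timedelta(minutes=29))
    locked_at_31min = tracker.is_locked("jsmith", t0 + timedelta(minutes=31))
    login_after_expiry = tracker.record_success("jsmith", t0 + timedelta(minutes=31))
    for i in range(6):   # lock again, then let the administrator reset it
        tracker.record_failure("jsmith", t0 + timedelta(minutes=40, seconds=i))
    tracker.admin_reset("jsmith")
    open_after_reset = not tracker.is_locked("jsmith", t0 + timedelta(minutes=41))
    return (first_five_open, sixth_locks, locked_at_29min, locked_at_31min,
            login_after_expiry, open_after_reset)


if __name__ == "__main__":
    print(check_password("jsmith2024!", "jsmith", ["John", "Smith"]))
    print(simulate_lockout())
```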

In the special case where an application or other control software is specifically designed for service accounts to use ‘non-expiring’ passwords to complete their business purpose, these accounts must be pre-approved by Information Security & Compliance. The Regional Global Technology teams shall remain as the point of contact for hotels. Additional controls must be put in place to closely monitor and mitigate risk caused by non-expiring passwords.

A service account password must be changed immediately after any potential compromise or any individual who knows the password leaves the hotel, Regional Global Technology, or the brand.

Controls must be in place to prevent self service password reset mechanisms from being configured or used on Admin or Service accounts.

Changes to Admin and Service accounts must be logged for periodic review.

Access to password-protected systems shall be timed out after an inactivity period of fifteen (15) minutes.

Physical and Environmental Security

Secure Areas

All critical and sensitive information systems shall be kept physically secure and accessed only by authorised members of staff.

All critical and sensitive information systems shall be housed in one or more secure areas. A secure area may be a lockable office or several rooms surrounded by a continuous physical barrier. For legacy hotels this could mean the area behind front office where access is restricted through keyed or combination locks, whilst newer construction would be expected to have separate dedicated rooms for the computer equipment.

Physical access to any room designated as a server room shall be restricted to individuals who require such access to perform their job responsibilities. All such rooms should be dedicated as server rooms to reduce the number of individuals requiring access to perform their job responsibilities. Such rooms must not be used as a general storage facility.

Access to the secure area must be controlled by the use of access card keys, access code keypads or key locks. A record shall be maintained of personnel who have been granted the access method whether by card, code or key.

Cameras or other logged access control mechanisms must be used to monitor the entry and exit points of places where restricted data is stored, processed or transmitted. Access controls mechanisms must include identification of all individuals gaining physical access. Video cameras or other mechanisms should be protected from tampering or disabling. The data collected must be monitored and stored for at least 3 months unless otherwise restricted by law.

The provision of keys, access control cards etc. for the secure area must be authorised by the IS Manager (or equivalent).

The IS Manager (or equivalent) should regularly review (at least quarterly) the list of personnel with access to the secure area and take action to correct any discrepancies found. Records should be kept to show that this work has been completed.

Lost, stolen or non-returned access control cards must be immediately disabled. The IS Manager (or equivalent) should perform periodic review of the entry log files to identify unauthorised access attempts.

All colleagues, third party consultants, contractors and vendors who do not require continued access to computing facilities in order to perform their job functions are to be considered visitors.

Visitor access to the secure area should be authorised by the IS Manager (or equivalent) and recorded in a visitor log showing visitor name, company, date, name of person authorising access, reason for visit and signature. No unsupervised access (e.g. by maintenance staff) should be permitted.

All critical information systems must be protected from damage from environmental threats such as fire and flood.

Hazardous or combustible material should be stored at a safe distance from the secure area. Bulk supplies such as stationery should not be stored within the secure area.

The secure area should be kept clear of debris and general clutter.

The secure area shall be protected against environmental damage by installation of an adequate fire detection and protection system, consisting of appropriately placed heat/smoke detectors linked to the main hotel fire alarm system.

Where there is potential for water damage (e.g. pipes running through the secure area), appropriate detectors must be installed which are linked to an alarm system or equivalent notification system.

Dedicated computer rooms should contain temperature and humidity monitoring devices. These shall be set to the manufacturer’s recommended min/max settings and linked to an alarm system or equivalent notification system.

Examples of an equivalent notification system include an SMS or email notification to multiple staff members including at least one person reasonably expected to be on duty at any one time.

The secure area should be protected with a fire extinguishing system rated specifically for electrical fires. This system must be operated in accordance with the manufacturer’s instructions.

All environmental detection systems shall be subject to regular maintenance and testing, and shall be approved by the local fire authority.

Equipment

Equipment should be located or protected to reduce the risk of unauthorised access.

Any screen where sensitive data is displayed must be positioned to prevent unauthorised persons from viewing the screen.

Workstations must be configured with a password protected screen saver which locks automatically after no more than 15 minutes of inactivity.

The password protected screen saver should be locked manually when a workstation is left powered on and unattended.

Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

Electrical power systems supporting critical systems shall have an appropriate Uninterruptible Power Supply (UPS) system in place together with backup batteries, which are automatically invoked following a power loss. Batteries shall be able to provide power for sufficient time to allow an emergency generator to start up and run at full load. In the absence of a generator, the UPS should allow sufficient time for the systems to be powered down in an orderly fashion. The UPS should be maintained and tested in accordance with the supplier’s recommended service intervals and specifications. Only authorised personnel should carry out repairs and service the UPS.

Critical IT equipment shall be protected from damage resulting from electrical power surges by using an appropriate surge protection system.

Equipment should be correctly maintained to ensure its continued availability and integrity.

Equipment should be maintained and tested in accordance with the supplier’s recommended service intervals and specifications. Only authorised personnel should carry out repairs and service equipment.

Any item containing storage media shall be checked prior to disposal to ensure that any Restricted or Confidential data or licensed software has been securely removed or securely overwritten using techniques that make the information non-retrievable. The standard delete or format functions are not sufficient.

Equipment, information or software shall not be taken off-site without prior authorisation from the IS Manager (or equivalent).

The IS Manager (or equivalent) should record all equipment taken off-site and ensure that this equipment is returned in the agreed timescales.

Where there is a potential for theft, critical and sensitive systems should be physically secured using a computer specific anti-theft product such as a cable lock system. Other equipment may be secured at the discretion of the hotel.

Equipment in areas accessible to the public must be checked on a daily basis for tampering such as the addition of a keyboard logging device.

Payment Card Capture Devices

Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution.

The asset inventory should include the following:

• Make, model of device

• Location of device

• Device serial number or other method of unique identification.

Devices must be periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently coloured casing, or changes to the serial number or other external markings.
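The inventory and inspection rules above, as an added example (not Six Star's own code) of reconciling an inspection round against the device inventory: a serial number that differs from the one recorded for a location is treated as possible substitution, devices seen nowhere are reported as missing, and observed tamper signs are surfaced. The seven-day inspection interval, one device per location, and all sample records are constructed assumptions.

```python
"""Reconcile a payment card capture device inspection against the asset inventory.
Added example; inventory fields follow the standard (make/model, location, serial)."""
from dataclasses import dataclass
from datetime import date, timedelta

INSPECTION_INTERVAL = timedelta(days=7)   # assumption: the standard says "periodically"


@dataclass(frozen=True)
class Device:
    make_model: str
    location: str
    serial: str


@dataclass
class Observation:
    location: str
    serial: str                 # serial read from the device during the inspection
    inspected_on: date
    tamper_signs: tuple = ()    # e.g. ("unexpected cable plugged in",)


def reconcile(inventory, observations, today):
    """Return (location, finding) tuples. Assumes one inventoried device per location."""
    findings = []
    inv_by_location = {d.location: d for d in inventory}
    seen_locations = set()
    for obs in observations:
        seen_locations.add(obs.location)
        expected = inv_by_location.get(obs.location)
        if expected is None:
            findings.append((obs.location, f"unknown device {obs.serial} not in inventory"))
        elif obs.serial != expected.serial:
            findings.append((obs.location,
                             f"possible substitution: expected serial {expected.serial}, found {obs.serial}"))
        if obs.tamper_signs:
            findings.append((obs.location, "tamper signs: " + ", ".join(obs.tamper_signs)))
        if today - obs.inspected_on > INSPECTION_INTERVAL:
            findings.append((obs.location, f"last inspection {obs.inspected_on.isoformat()} is overdue"))
    # Anything in the inventory that no inspection covered may have been removed
    for location, dev in inv_by_location.items():
        if location not in seen_locations:
            findings.append((location, f"device {dev.serial} missing from inspection"))
    return findings


def run_sample_inspection():
    """Run the reconciliation over constructed sample data for 15 May 2024."""
    today = date(2024, 5, 15)
    inventory = [
        Device("Verifone P400", "Front Desk 1", "PED-0001"),
        Device("Verifone P400", "Front Desk 2", "PED-0002"),
        Device("Ingenico Move", "Restaurant POS", "PED-0003"),
        Device("Ingenico Move", "Bar POS", "PED-0004"),
    ]
    observations = [
        Observation("Front Desk 1", "PED-0001", date(2024, 5, 14)),
        Observation("Front Desk 2", "PED-0099", date(2024, 5, 14)),          # serial does not match
        Observation("Restaurant POS", "PED-0003", date(2024, 5, 1),          # overdue inspection
                    tamper_signs=("unexpected cable plugged in",)),
        Observation("Spa", "PED-0005", date(2024, 5, 14)),                   # never inventoried
    ]
    return reconcile(inventory, observations, today)


if __name__ == "__main__":
    for location, finding in run_sample_inspection():
        print(f"{location}: {finding}")
```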

Training must be provided for personnel to be aware of attempted tampering or replacement of devices. Training should include the following elements:

• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

• Do not install, replace, or return devices without verification.

• Be aware of suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open devices).

• Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel, for example the IS Manager (or equivalent).

Operations Management

Change Management

Changes refer to any item of hardware, software or data that is used to provide hotel systems. This includes operating software, utility software, application software as well as changes to data files and parameter/configuration files. It excludes any normal operational changes such as rate codes and POS items.

Changes to operational systems and application software shall be controlled.

The IS Manager (or equivalent) is responsible for managing all changes to the hotel information systems.

No changes shall be made to any hotel systems without the express authorisation of the IS Manager (or equivalent) with approval by either the Finance Lead or General Manager.

All changes shall be documented and logged, highlighting the amendments made and the reason for the change (e.g. upgrade to system software).

Changes shall be made at a time that is of least disruption to users. Users shall be warned prior to any change occurring.

Steps must be taken prior to any change so that the system can be recovered to its original state if the change has to be backed out. This may be a full system backup, copies of configuration files, copies of standing data, or the ability to rebuild the system from scratch.

Where changes are required to be undertaken by third parties (e.g. software suppliers), the above procedures shall still be followed. Requirements for remote access to perform such updates shall be strictly controlled by the IS Manager (or equivalent) including the granting of remote access.

Live data containing confidential or restricted information shall not be used on development or test systems.

Protection Against Malicious Code

Information systems shall be protected against malicious code such as viruses and worms.

The IS Manager (or equivalent) is responsible for ensuring that all network connected hosts and system components have approved software installed and configured to prevent, detect, contain, and eradicate both malicious and unauthorised software.

This software should be configured to continuously monitor the system and files for characteristics of viruses, worms, spyware, and Trojan Horses, must detect and alert on unauthorised modification of critical files, should be capable of generating audit logs, and should be regularly updated in line with the release cycle of the software vendor.

The IS Manager (or equivalent) should periodically check (critical and sensitive systems plus a random sample of other systems every month) that the software is receiving updates. Any failure should be investigated and must be corrected.

Procedures to deal with malicious software (i.e. what action to take) shall be documented and issued to all hotel IT users. Users should also be educated on the dangers of opening unsolicited email attachments or clicking on links in emails.

The IS Manager (or equivalent) shall investigate the source of any malicious software and take appropriate corrective action.

Software which is no longer supported by the vendor must be upgraded, replaced, retired, or protected by additional compensating controls which have been approved via the information security standards exception process prior to end of support being reached.

All network connected hosts and system components must be kept up to date with vendor software security patches. This includes hosts and system components which may only connect to the network intermittently.

Critical security patches, as designated by the vendor or Information Security, must be installed within one month of release for all public facing systems, all systems storing or processing Restricted information, and all systems used to browse the Internet or read email.

The maximum timeframe for applying an applicable security patch is three months from the date of release.

The IS Manager (or equivalent) is responsible for ensuring that the hotel information systems are up to date with vendor security patches. Where patching is performed centrally by the brand, the IS Manager (or equivalent) should periodically check that the patching is taking place as expected. Any failure should be investigated and must be corrected.

All critical hotel information systems data shall be backed up to external media (e.g. tape cartridge or hard drive) on at least a daily basis (depending upon the number of transactions handled by the system and hence the time required to re-input data, backup procedures may need to be invoked several times a day).

In consultation with the key system users, the IS Manager (or equivalent) shall agree upon the cycle of backup media to be used (full, incremental, daily/weekly/month-end/quarter-end/year-end etc.) and retention period.

All backup media shall be clearly labelled identifying the contents of the media and the cycle to which it refers (e.g. Monday, 1st backup).

All information classified as Restricted must be encrypted when stored on backup media. The means to decrypt the information must be separate from the backup media.

Backup media containing Restricted information must be labelled “Strictly Confidential” and treated as such.

The IS Manager (or equivalent) is responsible for ensuring that system backups have been successful by reference to audit trails, system logs etc. (Note: this may depend upon the type of backup software used) and once satisfied that the backup has completed successfully record this fact in a log file. Any errors encountered during the backup must be noted, investigated and resolved.

Removable backup media (e.g. tapes and hard drives used as removable media) should be removed as soon as possible after the backup process has been completed, which may mean someone other than the IS Manager (or equivalent) is given this responsibility. Removable backup media must be transferred to a location remote from the equipment for secure storage.

Non-removable backup media (e.g. permanently attached hard drives) should be supplemented with an offline backup regime to reduce the impact of a data breach such as malicious software known as “ransomware”.

The location for storing all backup media (i.e. tapes, external hard drives, etc.) may be in the hotel but should be carefully chosen based on the likelihood of a fire or similar disaster affecting both it and the main system. Backup media is of no use if it is also damaged or destroyed in the same failure that affected the main system.

Where a third party is used to store payment card holder information the third party must agree to:

a) Follow all PCI standards;

b) Cooperate in any breach investigation of customer credit card data; and

c) Provide the brand with annual evidence of compliance when requested.

Adequate protection shall be given to the media whilst in transit and in storage to protect it from damage, theft or loss.

The IS Manager (or equivalent) shall regularly test backup procedures by reviewing log records to ensure completion, verifying that backup media are correctly labelled and stored correctly and by routinely restoring backup data from backup media.

Backup media must be replaced in line with manufacturer recommendations.

Redundant backup media should be disposed of in a way that prevents the recovery of information from that media, for example, physical destruction.

Information backup solutions utilising third party online or cloud services require prior approval from Six Star. Approved solutions must include data encryption in transit and storage, strict access controls, and compliance with regulations relating to the transfer of information across borders.

Network Security

The networks in a hotel shall be classified according to the following classification scheme:

• Back Office or Trusted network

• Guest or Untrusted network

A “Back Office” network is any back of house network provided for use by hotel colleagues for operational purposes. The Back Office network may be segmented into a number of separate networks such as front office, admin LAN etc., however the term “Back Office” applies collectively to all such internal networks. Back Office networks are “trusted” (wireless networks are an exception).

A “Guest” network is any network provided for use by guests or members of the public. Guest networks are “untrusted”.

Unless otherwise specified the generic term “Network” applies to all hotel networks including Back Office and Guest networks.

Networks should be controlled and managed to maintain security for the systems and applications using the network.

Do not use vendor supplied default or blank passwords or other security settings. These default settings are widely known and should be changed before any equipment or component is connected to the live network.

Network connections at the logical network perimeter of a hotel environment must be through a firewall device that has been approved by Information Security and Compliance. This includes any connection between the hotel’s Back Office network and an external network such as the Internet, a wireless network, an “untrusted” network, or a segment of the Back Office network under alternative management. The Regional Global Technology teams should maintain awareness of the approved list of firewall devices and shall remain as the point of contact for hotels.

Firewalls must be configured to prevent inbound or outbound connections directly between the Internet and any Trusted network where Restricted information is stored.

Firewalls must be configured to prevent internal IP address and routing information being disclosed to unauthorised parties.

Firewall rules and access control lists providing similar protection must be reviewed at least every six months to ensure that the implemented rules are consistent with the documented authorisation and that the authorised business use remains valid.

Hotels shall not install network hardware or software that provides network services, such as routers, switches, hubs and wireless access points, to any Back Office network without prior approval of Regional Global Technology.

Do not connect guest facing services (for example a Guest network, the guest HSIA or Business Center PCs) directly to the hotel’s Back Office networks.

Converged networks (for example where Back Office and Guest network segments are provided on the same physical hardware) must be secured such that any Guest network segments and any Back Office network segments are kept logically separate from each other.

Network ports in publicly accessible areas (i.e. public conference rooms or visitor rooms) must not be connected to the hotel’s Back Office networks.

Guests must not be allowed to connect their PC or any other technology equipment to the hotel’s Back Office network or to any device connected to that network.

Guests must not be allowed to use hotel PCs or any other equipment connected to the hotel’s Back Office networks unless that equipment is specifically designed for guest use (for example a check in, check out self-service kiosk) and it has been approved by Information Security and Compliance. The Regional Global Technology teams should maintain awareness of the approved guest use devices and shall remain as the point of contact for hotels.

Remote administration of any equipment located at the hotel must be accomplished only through the use of methods explicitly approved by Information Security. All other remote access solutions (including but not limited to LogMeIn, GoToMyPC, PCAnywhere, and Dameware Mini Remote Control) are prohibited. The Regional Global Technology teams should maintain awareness of the approved remote access solutions and shall remain as the point of contact for hotels.

Approved methods must include data encryption, access controls, and logging of activity.

The PMS, POS and certain other systems and applications, because of the nature of the data contained in them, require special management oversight and shall be classified as high-risk. Many times these high-risk systems contain Confidential and Restricted information. High risk systems may have a dedicated and isolated computing environment. Any such high security zone shall be protected via an internal firewall device approved by Information Security and Compliance. The Regional Global Technology teams should maintain awareness of the approved list of firewall devices and shall remain as the point of contact for hotels.

Installing lower risk systems in a high security zone is discouraged as this will necessitate implementing the same degree of controls on the lower risk system as are in place on the high risk systems in that zone. Failure to maintain isolation of high risk systems reduces the overall effectiveness of the high security zone.

System Monitoring

Audit logs recording user activities, exceptions, and information security events should be produced and kept for a period of time (twelve months where technically and legally possible) to assist in future investigations and access control monitoring.

Where it is technically possible and within the boundaries set by local laws and regulations, audit logs should be configured to record security-related events.

System administrator and system operator activities should be logged.

The audit logs should be configured to record any changes or attempted changes to the system security settings.

The clocks of all relevant information processing systems within the hotel must be synchronized with an agreed accurate time source.

Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.

The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into account.

System Maintenance

Critical and sensitive IT equipment must either be covered by suitable maintenance agreements or the hotel must keep adequate spare equipment readily available for timely swap out.

Maintenance agreements should relate not just to processors (e.g. servers, PCs, POS terminals), but to all equipment required to support the hotel IT infrastructure (e.g. printers, backup devices, network switches, routers, communications equipment, air conditioning units).

System expenses relating to such maintenance agreements, including expenses of accounting system, HR system, local and wide area network system are to be charged to the Information and Telecommunications Systems Department (a new Undistributed Operating Department). The Uniform System of Accounts provides more details of such system expenses that are being charged to this department.

It may be more cost-effective in certain scenarios to keep a stock of spare equipment readily available for swap out in a timely manner rather than to pay for a maintenance agreement. Any decision to take this option must be documented and approved by the Finance Lead or General Manager.

A maintenance schedule should be in place listing the above equipment together with appropriate details (supplier contact details, maintenance schedule e.g. when/who). The schedule should be updated as maintenance visits occur and regularly reviewed to ensure that visits take place in accordance with the agreed schedule of visits.

All maintenance work shall be documented by the supplier and copies retained on file. Any necessary corrective work must be brought to the attention of management for authorisation.

Critical and sensitive IT applications must be covered by vendor support agreements.

The level of cover (e.g. 24x7) shall be determined in accordance with business requirements.

System Support

The hotel shall ensure that there are adequate procedures in place in order to provide timely support to the hotel IT users.

Each hotel shall have a nominated internal or external IT support person or team e.g. Hotel colleague, corporate support function or 3rd party contract. Individuals within this team shall be appropriately trained in hardware and software used within the hotel.

The level of support (working hours) shall be commensurate with hotel IT user requirements with out of hours contact as necessary.

All hotel IT users should be provided with details of support procedures, including contact numbers and escalation path.

The IS Manager (or equivalent) shall keep copies of support documentation for each system. This may include details of support contracts, systems configuration, network diagrams, rack or room layout diagrams.

Faults reported by users or by system programs should be logged, investigated and appropriate action taken.

Any trends emerging from the fault logs shall be investigated to identify and resolve the underlying causes.

The hotel should identify designated application experts for all critical and sensitive applications. This may not necessarily be the IS Manager (or equivalent).

Information Security Incident Management

Information security events should be reported through appropriate management channels as quickly as possible.

The IS Manager (or Six Star) shall document the procedure for reporting and responding to real or suspected Information Security events. This procedure should include a point of contact, incident response procedures and escalation path. In the absence of any other information to the contrary from the Regional Global Technology team the normal escalation path should initially be to a nominated point of contact within the hotel with onward escalation to the hotel’s usual IT help desk.

All colleagues, contractors and third party users of information systems should be required to note and report any actual or suspected security weaknesses.

All colleagues, contractors and third parties should be made aware of the responsibility to report any information security events or weaknesses as quickly as possible usually to hotel line management and to the IS Manager (or equivalent).

Under no circumstances attempt to prove the existence of a potential weakness in the security of a system, as this may be interpreted as attempted misuse of the system and could also cause damage to the information system.

Business Continuity/IT Disaster Recovery

Each department head is responsible for ensuring that appropriate manual procedures are developed, documented and maintained and appropriate staff training carried out, in order to continue operating their department in the event of an interruption to the information systems. For example Front Desk staff will need to know what to do in the event that the PMS is unavailable.

The IS Manager (or Six Star) is responsible for ensuring that recovery procedures for the information systems are developed, documented, and maintained.

All procedures should be tested, reviewed and updated at regular intervals (at least once per year).

Software Licensing

All computer software operated by the hotel shall be licensed.

The hotel shall administer a system for tracking installed software and software licences.

Six Star shall maintain an inventory of software purchased showing vendor name, software title and version. Each item in the inventory should be supported by proof of purchase documentation such as a licence agreement and a copy of a paid invoice.

Six Star shall maintain an inventory of installed software, detailing what software is installed on which computer. This may be done manually for a small number of computers or aided by a software scanning tool.

Periodically (at least once a year) the list of installed software should be reconciled against the inventory of purchased software.

Any exceptions must be corrected either by removing the software or by the purchase of additional licences. Records should be kept to show that this work has been completed.

Computer software must only be installed by the IS Manager (or equivalent).

Only software that has been approved by the Regional Global Technology team should be purchased and installed.

System expenses such as software licences and maintenance, software as a service fees, hosting storage fees, and technical support fees are to be charged to the Information and Telecommunications Systems Department (a new Undistributed Operating Department). The Uniform System of Accounts provides more details of such system expenses that are being charged to this department.

User Training and Awareness

The hotel shall ensure that on hire all colleagues with access to sensitive information or computer systems are made aware of and trained in their responsibilities relating to Information Security of Restricted and Confidential information. Annual refresher training must also be conducted.

Training on policies and specific procedures related to credit card transactions and information is a critical element in reducing risks of fraud and supporting a defence against any legal claims. The hotel shall document training activities and record the names of colleagues who participate.

The IS Manager (or Six Star) is expected to maintain relevant and up to date hotel system knowledge and skills.

The IS Manager (or Six Star) is expected to maintain awareness of all brand Information Security policies and standards that apply to their environment.

The IS Manager (or Six Star) is responsible for promoting best practice and security awareness for all information system users in the hotel. This includes:

a) Changing default vendor passwords

b) Not sharing individually assigned user IDs

c) Selecting strong passwords, keeping those passwords secure and changing them regularly

d) Securing workstations with password protected screen savers, or locking PC screens manually

e) Keeping screens with sensitive information away from prying eyes

f) Keeping guests and hotel back office systems separate

g) Only accessing systems they are authorised to

h) Not installing unauthorised remote access solutions

i) Reporting real or suspected information security events through the appropriate channels

j) Awareness of security measures for devices that capture payment card details through physical interaction.

The hotel must also consider local data privacy legislation and relevant training should be included in the awareness training as appropriate.