Six Star Information Systems Security Policy

Overview

This document contains the information security policy and standards as they apply to Six Star Alliance Ltd (UK), Six Star Global Inc. (USA), Six Star Netherlands B.V., and Six Star Hospitality Ltd (Singapore), T/A Six Star Global (SSG). 

SSG maintains a hierarchy of information security policy and standards documentation.

This document describes “what needs to be done”. It is not intended to be a detailed step-by-step procedural document. SSG strongly recommends that standard operating procedures are developed to document “how things are done” within each business unit. If possible, the work to develop standard operating procedures should be led by the business unit management teams. Where technically feasible, information systems should be managed consistently, using the same procedures, tools, and utilities.

PCI DSS Compliance

In addition to the standards contained in this document, there is a set of requirements detailed in a third party document called the Payment Card Industry Data Security Standard (PCI DSS) that also apply to each cardholder data environment. The hotel must maintain an up-to-date description of the local cardholder data environment as it relates to PCI DSS compliance. A cardholder data environment is comprised of the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.

The PCI DSS security requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment.

“Cardholder data” in the context of PCI refers to the full Primary Account Number (PAN), the cardholder name, and the expiry date.

“Sensitive authentication data” in the context of PCI refers to the contents of the magnetic stripe, the contents of the embedded chip, the security code, and the PIN.

Compliance with the controls in this document leads towards compliance with PCI DSS. 

Organisational Responsibilities

The CEO has overall responsibility for ensuring that the policies and standards listed in this document are implemented and adhered to.

If SSG makes use of services provided by Third Party organisations, the CEO is responsible for confirming that the services provided meet or exceed the requirements in this document.

It is expected that confirmation will usually be in the form of written documentation from the Third Party detailing the services provided centrally. The CEO is responsible for ensuring that all information security requirements not met by services provided by the Third Party or SSG are met by services provided at a local level.

The responsibility for day to day activities in support of the policies may be delegated to SSG nominated individuals such as the EVP, Global Technology, EVP, Global Operations, or Engineering Managers. Throughout this document these nominated individuals are referred to using the term IS Manager (or equivalent).

The term IS Manager (or equivalent) should be taken to mean the person or persons with day to day responsibility for Information Systems in SSG irrespective of their official job title.

Managers must ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.

Records should be maintained in support of any work carried out relating to compliance with the information security policies and standards. In addition to being good business practice, these records will help the hotel during any audit process. For example, where a regular review of system accounts is required, keep a record of what was checked and when this was done.   

Information Classification

Information created, stored or processed by the brand's managed entities shall be classified according to the following classification scheme:

• Unrestricted

• Confidential

• Restricted

Classification of an item of information may change over time.

All colleagues must consider information to be governed by the principle of “need-to-know”. Unless an individual has reason to access information in the performance of his or her defined job duties, access should be denied.

Colleagues shall not disclose Confidential or Restricted information to anyone who is not authorised to have it. This includes disclosure through oral and written means, whether electronic or otherwise.

Information Handling - Unrestricted Information

  • Unrestricted information is information that is freely available to the general public, or whose release will not cause any harm to the hotel operator/owners.
  • Examples of Unrestricted information include marketing literature, annual reports, and other materials specifically created by the marketing department for public release.
  • Unrestricted information may also be referred to as “Public”, which is the previous nomenclature for this classification level.

The following procedures for information labelling and handling must be followed for Unrestricted information:

  • There are no special handling or disposal requirements for Unrestricted information and no classification identification markings are required.

Information Handling - Confidential Information

Confidential information is information whose unauthorised disclosure, compromise or destruction may directly or indirectly have an adverse impact on the owners/operators, its brands, stakeholders, customers or employees.

It includes all internal business correspondence, records and information created in the normal course of business, and all Personal Data not classified as Restricted.

The following procedures for information labelling and handling must be followed for Confidential information:

a) All non-marked material, which is not Restricted Information, should be treated as Confidential until it is confirmed as Unrestricted information.

b) Confidential Information should be marked “Confidential” before being distributed or exposed to a non-brand party, and then only under an approved non-disclosure or similar agreement.

c) Printed Confidential information must be destroyed in a manner that reasonably prevents the misappropriation or other unauthorised use of the Confidential information. Examples include shredding or using a secure document disposal facility provided by a reputable third party.

d) Confidential information must be stored in a secure manner.

Information Handling - Restricted Information

Confidential information is information whose unauthorised disclosure, compromise or destruction may directly or indirectly have an adverse impact on the owners/operators, its brands, stakeholders, customers or employees.

It includes all internal business correspondence, records and information created in the normal course of business, and all Personal Data not classified as Restricted.

The following procedures for information labelling and handling must be followed for Confidential information:

a) All non-marked material, which is not Restricted Information, should be treated as Confidential until it is confirmed as Unrestricted information.

b) Confidential Information should be marked “Confidential” before being distributed or exposed to a non-owner/operator party, and then only under an owner/operator-approved non-disclosure or similar agreement.

c) Printed Confidential information must be destroyed in a manner that reasonably prevents the misappropriation or other unauthorised use of the Confidential information. Examples include shredding or using a secure document disposal facility provided by a reputable third party.

d) Confidential information must be stored in a secure manner.

Information Handling - Mixed Information

If a system contains information in more than one sensitivity classification, it shall be treated according to the classification needed for the most sensitive information on the system (for example, Confidential information mixed with Restricted information shall be treated as if all such information was Restricted).

System Classification

  • Throughout this document, reference is made to critical or sensitive information systems.
  • Critical systems are those vital to the ongoing operation of SSG. If one of these systems were unavailable it would affect the ability of SSG to service its clients or to manage its business. In addition to the major systems, there may be individual items, such as servers or workstations, that are critical.
  • Sensitive systems are those that contain information that is classified as either Confidential or Restricted.
  • System components in scope for PCI DSS are classified as sensitive.
  • Some systems, such as the Backup Platforms and Business Management (BMS) systems, would be classified as both critical and sensitive.

Human Resources

All candidates for positions that include administrative level access to systems, applications, databases, or network resources should have their background verified consistent with regional standards. The background check should include verification of:

a) Professional references;

b) Accuracy of the applicant's resume or curriculum vitae (CV) as relevant to the position applied for;

c) Confirmation of claimed academic and professional qualifications relevant to the position applied for;

d) An independent identity verification (passport or similar document); and

e) A check of relevant criminal records.

  • All information collected for screening purposes must be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction.
  • Colleagues who either maliciously or through negligence of assigned duties have committed a security breach are subject to a formal disciplinary process.
  • In serious cases of misconduct, as determined by the Human Resources Department and/or the General Manager, the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.
  • Unauthorised access, misuse, or fraudulent actions relating to guest credit card information shall be grounds for disciplinary action up to and including termination of employment.
  • Any fraudulent or criminal activity must be referred to the brand's Risk Management and to enforcement authorities for prosecution, and full cooperation should be given to the authorities.

Asset Management

All information assets shall be clearly identified and an inventory of all production assets maintained.

The asset inventory should include all information necessary to manage the asset through its complete lifecycle.

Information assets that must be tracked include:

a) Physical assets: computer equipment, communications equipment, mobile devices, information backup media;

b) Software assets: application software, system software, development tools, and utilities;

c) Information: databases, contracts and agreements, system documentation, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archive materials; and

d) Services contacts: contact information for computing and communications services.

  • SSG must maintain an up-to-date network diagram including all connections to “untrusted” networks, including wireless networks, and connections to “trusted” networks under alternate management.
  • An “untrusted” network is any network that is external to the networks belonging to SSG or which is outside SSG's ability to control or manage. Examples of “untrusted” networks include the Internet, networks provided for guest or public use, and any wireless network irrespective of whether it is provided for guest or colleague use.
  • The diagram must include the date it was last updated and the name of the colleague who performed the update.

Access Control

Accounts created to grant access to information systems shall be classified according to the following classification scheme:

• User

• Admin

• Service

  • A User account is designed for day-to-day working and carries no enhanced privileges.
  • An Admin account is a secondary account assigned to an individual requiring enhanced system access privileges.
  • A Service account is designed to enable automated communication from one system to another.
  • The use of a built-in administrative account such as Windows “Administrator” or Unix “root” must be restricted to emergency situations.
  • Any use of such an account must be documented and subjected to review by the system owner.
  • Access to SSG information systems is strictly controlled through a formal process for granting and revoking access.
  • Access is granted only to those individuals with an authorised business need and only for the duration of that business need.
  • The level of access granted to an individual shall be commensurate with the requirements of their job. Only the minimum rights required to carry out their duties shall be granted.
  • Access to critical or sensitive information systems must be either via a unique ID protected by a strong password or via an individually assigned access card. Passwords shall not be written down, divulged or shared between users.
  • Requests for access are to be documented and approved by the requesting user’s line manager. The IS Manager (or equivalent) shall only act on documented and approved requests.
  • Access to SSG's information systems shall be granted only by the IS Manager (or equivalent). No other individuals shall have the ability to grant or amend access to systems.
  • The personnel function is to notify the IS Manager (or equivalent) as soon as a colleague leaves or transfers to another department so that access can be revoked or amended accordingly. The easiest way to facilitate this is to require all leavers to have their termination form (ref: 12.2.11) signed by the IS Manager (or equivalent) prior to leaving the hotel. This will prompt the IS Manager (or equivalent) to ensure system access is removed.
  • Access must be removed or blocked without unnecessary delay for terminated users.
  • Access rights no longer required must be revoked without unnecessary delay.
  • The IS Manager (or equivalent) must carry out a periodic check, at least once per month, for accounts that are no longer required or authorised, for example due to employee termination, contractor expiry, or automated system removal.
  • The IS Manager (or equivalent) must carry out a periodic check, at least once per month, of Admin and Service accounts to ensure that all such accounts are correctly authorised.

User Accounts

Access controls for Information Systems shall be configured to support the following password standards:

• At least eight (8) characters in length

• Consisting of a combination of upper case letters, lower case letters, numbers and other special characters (no fewer than three categories required)

• Does not mirror the user’s user-ID

• Does not include the user’s first, middle or last name

• Changed at least once every ninety (90) days

• Lock out after no more than six (6) invalid log-in attempts. The account must remain locked out for a minimum of thirty (30) minutes or until the system administrator resets the account.

  • These password standards apply to all User level access and accounts, whether or not a system has the technical capability to enforce the standards automatically. In the absence of technical enforcement, SSG is expected to have a process to implement these standards manually.
  • Before a new, replacement or temporary password is provided, the identity of the user being supplied the password must be validated.
  • Temporary passwords shall be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages shall be avoided.
  • Temporary passwords must be unique to an individual and must be unrelated to the user ID and to any other easily guessable information.
  • Temporary passwords must be set to expire on first use.
  • Admin, administrator, supervisor, or super user accounts must only be used by the IS Manager (or equivalent), and then only when required and not for normal day-to-day working.
  • In situations where a system has only one administrator, that administrator must establish a password escrow procedure with Information Security & Compliance so that, in the absence of the administrator, someone else can gain authorised emergency access to the administrator account.

Administrator Accounts

Passwords for Admin, administrator, supervisor, or super user accounts must be:

• At least fifteen (15) characters in length

• Consisting of a combination of upper case letters, lower case letters, numbers and other special characters (no fewer than three categories required)

• Does not mirror the user’s user-ID

• Does not include the user’s first, middle or last name

• Changed at least once every ninety (90) days

• Lock out after no more than six (6) invalid log-in attempts. The account must remain locked out for a minimum of thirty (30) minutes or until the system administrator resets the account.

  • Admin, administrator, supervisor, or super user accounts should be signed out/logged off when finished with. If this is not possible, the screen shall be locked with a screen saver which requires the account password to unlock it.
  • Service accounts must be dedicated solely to their business purpose and not used for interactive log-on by system administrators or other users.
  • Controls must be in place to prevent and to detect the misuse of a service account.
  • All service accounts must have appropriate logging of account activity. Service account usage must be reviewed by the service account holder at least every 30 days.
  • All service account passwords must be at least thirty (30) characters in length. As service accounts are not used for interactive log-on, the password may be significantly longer than someone could be expected to remember.

Service Accounts

  • Passwords for Service accounts must be changed at least once every twelve (12) months.
  • In the special case where an application or other control software is specifically designed for service accounts to use ‘non-expiring’ passwords to complete their business purpose, these accounts must be pre-approved by the EVP, Global Technology, who shall remain as the point of contact. Additional controls must be put in place to closely monitor and mitigate the risk caused by non-expiring passwords.
  • A service account password must be changed immediately after any potential compromise or whenever any individual who knows the password leaves SSG.
  • Controls must be in place to prevent self-service password reset mechanisms from being configured or used on Admin or Service accounts.
  • Changes to Admin and Service accounts must be logged for periodic review.
  • Access to password-protected systems shall be timed out after an inactivity period of fifteen (15) minutes.

 

Physical and Environmental Security

Secure Areas

  • All critical and sensitive information systems shall be kept physically secure and accessed only by authorised members of staff.
  • All critical and sensitive information systems shall be housed in one or more secure areas. A secure area may be a lockable office or several rooms surrounded by a continuous physical barrier. For legacy hotels this could mean the area behind front office where access is restricted through keyed or combination locks, whilst newer construction would be expected to have separate dedicated rooms for the computer equipment.
  • Physical access to any room designated as a server room shall be restricted to individuals who require such access to perform their job responsibilities. All such rooms should be dedicated as server rooms to reduce the number of individuals requiring access to perform their job responsibilities. Such rooms must not be used as a general storage facility.
  • Access to the secure area must be controlled by the use of access card keys, access code keypads or key locks. A record shall be maintained of personnel who have been granted the access method, whether by card, code or key.
  • Cameras or other logged access control mechanisms must be used to monitor the entry and exit points of places where restricted data is stored, processed or transmitted. Access control mechanisms must include identification of all individuals gaining physical access. Video cameras or other mechanisms should be protected from tampering or disabling. The data collected must be monitored and stored for at least 3 months unless otherwise restricted by law.
  • The provision of keys, access control cards etc. for the secure area must be authorised by the IS Manager (or equivalent).
  • The IS Manager (or equivalent) should regularly review (at least quarterly) the list of personnel with access to the secure area and take action to correct any discrepancies found. Records should be kept to show that this work has been completed.
  • Lost, stolen or non-returned access control cards must be immediately disabled. The IS Manager (or equivalent) should perform periodic review of the entry log files to identify unauthorised access attempts.
  • All colleagues, third party consultants, contractors and vendors who do not require continued access to computing facilities in order to perform their job functions are to be considered visitors.
  • Visitor access to the secure area should be authorised by the IS Manager (or equivalent) and recorded in a visitor log showing visitor name, company, date, name of person authorising access, reason for visit and signature. No unsupervised access (e.g. by maintenance staff) should be permitted.
  • All critical information systems must be protected from damage from environmental threats such as fire and flood.
  • Hazardous or combustible material should be stored at a safe distance from the secure area. Bulk supplies such as stationery should not be stored within the secure area.
  • The secure area should be kept clear of debris and general clutter.
  • The secure area shall be protected against environmental damage by installation of an adequate fire detection and protection system, consisting of appropriately placed heat/smoke detectors linked to the main hotel fire alarm system.
  • Where there is potential for water damage (e.g. pipes running through the secure area), appropriate detectors must be installed which are linked to an alarm system or equivalent notification system.
  • Dedicated computer rooms should contain temperature and humidity monitoring devices. These shall be set to the manufacturer's recommended min/max settings and linked to an alarm system or equivalent notification system.
  • Examples of an equivalent notification system include an SMS or email notification to multiple staff members, including at least one person reasonably expected to be on duty at any one time.
  • The secure area should be protected with a fire extinguishing system rated specifically for electrical fires. This system must be operated in accordance with the manufacturer’s instructions.
  • All environmental detection systems shall be subject to regular maintenance and testing, and shall be approved by the local fire authority.

Equipment

  • Equipment should be located or protected to reduce the risk of unauthorised access.
  • Any screen where sensitive data is displayed must be positioned to prevent unauthorised persons from viewing the screen.
  • Workstations must be configured with a password protected screen saver which locks automatically after no more than 15 minutes of inactivity.
  • The password protected screen saver should be locked manually when a workstation is left powered on and unattended.
  • Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
  • Electrical power systems supporting critical systems shall have an appropriate Uninterruptible Power Supply (UPS) system in place together with backup batteries, which are automatically invoked following a power loss. Batteries shall be able to provide power for sufficient time to allow an emergency generator to start up and run at full load. In the absence of a generator, the UPS should allow sufficient time for the systems to be powered down in an orderly fashion. The UPS should be maintained and tested in accordance with the supplier’s recommended service intervals and specifications. Only authorised personnel should carry out repairs and service the UPS.
  • Critical IT equipment shall be protected from damage resulting from electrical power surges by using an appropriate surge protection system.
  • Equipment should be correctly maintained to ensure its continued availability and integrity.
  • Equipment should be maintained and tested in accordance with the supplier’s recommended service intervals and specifications. Only authorised personnel should carry out repairs and service equipment.
  • Any item containing storage media shall be checked prior to disposal to ensure that any Restricted or Confidential data or licensed software has been securely removed or securely overwritten using techniques that make the information non-retrievable. The standard delete or format functions are not sufficient.
  • Equipment, information or software shall not be taken off-site without prior authorisation from the IS Manager (or equivalent).
  • The IS Manager (or equivalent) should record all equipment taken off-site and ensure that this equipment is returned in the agreed timescales.
  • Where there is a potential for theft, critical and sensitive systems should be physically secured using a computer-specific anti-theft product such as a cable lock system. Other equipment may be secured at the discretion of Global Technology.
  • Equipment in areas accessible to the public must be checked on a daily basis for tampering, such as the addition of a keyboard logging device.

Payment Card Capture Devices

Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution.

The asset inventory should include the following:

• Make and model of device

• Location of device

• Device serial number or other method of unique identification.

Devices must be periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently coloured casing, or changes to the serial number or other external markings.

Training must be provided for personnel to be aware of attempted tampering or replacement of devices. Training should include the following elements:

• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

• Do not install, replace, or return devices without verification.

• Be aware of suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open devices).

• Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel, for example the IS Manager (or equivalent).

Operations Management

Change Management

  • Changes refer to any item of hardware, software or data that is used to provide hotel systems. This includes operating software, utility software, application software as well as changes to data files and parameter/configuration files. It excludes any normal operational changes such as rate codes and POS items.
  • Changes to operational systems and application software shall be controlled.
  • The IS Manager (or equivalent) is responsible for managing all changes to the hotel information systems.
  • No changes shall be made to any hotel systems without the express authorisation of the IS Manager (or equivalent) with approval by either the Finance Lead or General Manager.
  • All changes shall be documented and logged, highlighting the amendments made and the reason for the change (e.g. upgrade to system software).
  • Changes shall be made at a time that is of least disruption to users. Users shall be warned prior to any change occurring.
  • Steps must be taken prior to any change so that the system can be recovered to its original state if the change has to be backed out. This may be a full system backup, copies of configuration files, copies of standing data, or the ability to rebuild the system from scratch.
  • Where changes are required to be undertaken by third parties (e.g. software suppliers), the above procedures shall still be followed. Requirements for remote access to perform such updates shall be strictly controlled by the IS Manager (or equivalent), including the granting of remote access.
  • Live data containing confidential or restricted information shall not be used on development or test systems.

Protection Against Malicious Code

  • Information systems shall be protected against malicious code such as viruses and worms.
  • The IS Manager (or equivalent) is responsible for ensuring that all network connected hosts and system components have approved software installed and configured to prevent, detect, contain, and eradicate both malicious and unauthorised software.
  • This software should be configured to continuously monitor the system and files for characteristics of viruses, worms, spyware, and Trojan Horses, must detect and alert on unauthorised modification of critical files, should be capable of generating audit logs, and should be regularly updated in line with the release cycle of the software vendor.
  • The IS Manager (or equivalent) should periodically check (critical and sensitive systems plus a random sample of other systems every month) that the software is receiving updates. Any failure should be investigated and must be corrected.
  • Procedures to deal with malicious software (i.e. what action to take) shall be documented and issued to all hotel IT users. Users should also be educated on the dangers of opening unsolicited email attachments or clicking on links in emails.
  • The IS Manager (or equivalent) shall investigate the source of any malicious software and take appropriate corrective action.
  • Software which is no longer supported by the vendor must be upgraded, replaced, retired, or protected by additional compensating controls which have been approved via the information security standards exception process prior to end of support being reached.
  • All network connected hosts and system components must be kept up to date with vendor software security patches. This includes hosts and system components which may only connect to the network intermittently.
  • Critical security patches, as designated by the vendor or Information Security, must be installed within one month of release for all public facing systems, all systems storing or processing Restricted information, and all systems used to browse the Internet or read email.
  • The maximum timeframe for applying an applicable security patch is three months from the date of release.
  • The IS Manager (or equivalent) is responsible for ensuring that the hotel information systems are up to date with vendor security patches. Where patching is performed centrally by the brand, the IS Manager (or equivalent) should periodically check that the patching is taking place as expected. Any failure should be investigated and must be corrected.
  • All critical hotel information systems data shall be backed up to external media (e.g. tape cartridge or hard drive) on at least a daily basis (depending upon the number of transactions handled by the system and hence the time required to re-input data, backup procedures may need to be invoked several times a day).
  • In consultation with the key system users, the IS Manager (or equivalent) shall agree upon the cycle of backup media to be used (full, incremental, daily/weekly/month-end/quarter-end/year-end etc.) and retention period.
  • All backup media shall be clearly labelled identifying the contents of the media and the cycle to which it refers (e.g. Monday, 1st backup).
  • All information classified as Restricted must be encrypted when stored on backup media. The means to decrypt the information must be separate from the backup media.
  • Backup media containing Restricted information must be labelled “Strictly Confidential” and treated as such.
  • The IS Manager (or equivalent) is responsible for ensuring that system backups have been successful by reference to audit trails, system logs etc. (Note: this may depend upon the type of backup software used) and, once satisfied that the backup has completed successfully, recording this fact in a log file. Any errors encountered during the backup must be noted, investigated and resolved.
  • Removable backup media (e.g. tapes and hard drives used as removable media) should be removed as soon as possible after the backup process has been completed, which may mean someone other than the IS Manager (or equivalent) is given this responsibility. Removable backup media must be transferred to a location remote from the equipment for secure storage.
  • Non-removable backup media (e.g. permanently attached hard drives) should be supplemented with an offline backup regime to reduce the impact of a data breach such as malicious software known as “ransomware”.
  • The location for storing all backup media (i.e. tapes, external hard drives, etc.) may be in the hotel but should be carefully chosen based on the likelihood of a fire or similar disaster affecting both it and the main system. Backup media is of no use if it is also damaged or destroyed in the same failure that affected the main system.
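The patching bullets above fix two deadlines (critical patches within one month on public facing, Restricted-processing and Internet/email systems; any applicable patch within three months). As an added illustration that is not part of the Six Star document, the following Python script applies those timeframes to a constructed inventory so an IS Manager can see which pending patches are overdue; the 30/90 day figures and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed day counts for "one month" and "three months" in the policy.
CRITICAL_DEADLINE = timedelta(days=30)
MAXIMUM_DEADLINE = timedelta(days=90)


@dataclass
class SystemProfile:
    name: str
    public_facing: bool = False           # e.g. a web server
    stores_restricted: bool = False       # stores or processes Restricted info
    browses_internet_or_email: bool = False


@dataclass
class Patch:
    patch_id: str
    released: date
    critical: bool                        # as designated by vendor or InfoSec
    installed: Optional[date] = None      # None means still pending


def one_month_rule_applies(system: SystemProfile) -> bool:
    """The one-month rule covers the three system categories named in the policy."""
    return (system.public_facing or system.stores_restricted
            or system.browses_internet_or_email)


def deadline(system: SystemProfile, patch: Patch) -> date:
    """Date by which the patch must be installed on this system."""
    if patch.critical and one_month_rule_applies(system):
        return patch.released + CRITICAL_DEADLINE
    return patch.released + MAXIMUM_DEADLINE


def check(system: SystemProfile, patches: List[Patch],
          today: date) -> List[Tuple[str, str, date]]:
    """Return (patch_id, status, due_date) per patch: ok, installed-late, pending or overdue."""
    findings = []
    for p in patches:
        due = deadline(system, p)
        if p.installed is not None:
            status = "ok" if p.installed <= due else "installed-late"
        else:
            status = "overdue" if today > due else "pending"
        findings.append((p.patch_id, status, due))
    return findings


if __name__ == "__main__":
    # Constructed sample: a public facing booking server and a back office PC.
    web = SystemProfile("booking-web", public_facing=True)
    patches = [Patch("KB-0001", date(2024, 4, 1), critical=True),
               Patch("KB-0002", date(2024, 4, 1), critical=False)]
    for row in check(web, patches, date(2024, 6, 1)):
        print(row)
```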

Where a third party is used to store payment card holder information the third party must agree to:

a) Follow all PCI standards;

b) Cooperate in any breach investigation of customer credit card data; and

c) Provide the brand with annual evidence of compliance on request.

  • Adequate protection shall be given to the media whilst in transit and in storage to protect it from damage, theft or loss.
  • The IS Manager (or equivalent) shall regularly test backup procedures by reviewing log records to ensure completion, verifying that backup media are correctly labelled and stored correctly and by routinely restoring backup data from backup media.
  • Backup media must be replaced in line with manufacturer recommendations.
  • Redundant backup media should be disposed of in a way that prevents the recovery of information from that media, for example, physical destruction.
  • Information backup solutions utilising third party online or cloud services require prior approval from Six Star. Approved solutions must include data encryption in transit and storage, strict access controls, and compliance with regulations relating to the transfer of information across borders.


Network Security

Networks shall be classified according to the following classification scheme:

  1. Trusted network
  2. Untrusted network

A Trusted network is any back of house network provided for use by colleagues for operational purposes. The Trusted network may be segmented into a number of separate networks, however the term Trusted Network applies collectively to all such internal networks. Trusted networks are “trusted” (wireless networks are an exception).

An Untrusted network is any network provided for use by guests or members of the public. Guest networks are “untrusted”.

Unless otherwise specified the generic term “Network” applies to all networks including Trusted and Untrusted networks.

Networks should be controlled and managed to maintain security for the systems and applications using the network.

Do not use vendor supplied default or blank passwords or other security settings. These default settings are widely known and should be changed before any equipment or component is connected to the live network.

Network connections at the logical network perimeter of an environment must be through a firewall device that has been approved by the EVP, Global Technology. This includes any connection between SSG’s Trusted network and an external network such as the Internet, a wireless network, an “untrusted” network, or a segment of the Trusted network under alternative management. The Engineering teams should maintain awareness of the approved list of firewall devices.

Firewalls must be configured to prevent inbound or outbound connections directly between the Internet and any Trusted network where Restricted information is stored.

Firewalls must be configured to prevent internal IP address and routing information being disclosed to unauthorised parties.

Firewall rules and access control lists providing similar protection must be reviewed at least every six months to ensure that the implemented rules are consistent with the documented authorisation and that the authorised business use remains valid.

SSG Engineering shall not install network hardware or software that provides network services, such as routers, switches, hubs and wireless access points, to any Trusted network without prior approval of the EVP, Global Technology.

Do not connect guest facing services (for example a Guest network, the guest HSIA or Business Center PCs) directly to Trusted networks.

Converged networks (for example where Trusted and Untrusted network segments are provided on the same physical hardware) must be secured such that any Untrusted network segments and any Trusted network segments are kept logically separate from each other.

Network ports in publicly accessible areas (i.e. public conference rooms or visitor rooms) must not be connected to Trusted networks.

Clients must not be allowed to connect their PC or any other technology equipment to the Trusted network or to any device connected to that network.

Clients must not be allowed to use SSG's PCs or any other equipment connected to the Trusted networks unless that equipment is specifically designed for Client use and it has been approved by Global Technology. The Global Technology teams should maintain awareness of the approved client use devices.

Remote administration of any equipment must be accomplished only through the use of methods explicitly approved by Global Technology. All other remote access solutions (including but not limited to LogMeIn, GoToMyPC, PCAnywhere, and Dameware Mini Remote Control) are prohibited except under special circumstances approved by Global Technology. The Global Technology teams should maintain awareness of the approved remote access solutions.

Approved methods must include data encryption, access controls, and logging of activity.

SSG's systems and applications, because of the nature of the data contained in them, require special management oversight and shall be classified as high-risk. These high-risk systems often contain Confidential and Restricted information. High risk systems may have a dedicated and isolated computing environment. Any such high security zone shall be protected via an internal firewall device approved by Global Technology. The Global Technology teams should maintain awareness of the approved list of firewall devices.

Installing lower risk systems in a high security zone is discouraged as this will necessitate implementing the same degree of controls on the lower risk system as are in place on the high risk systems in that zone. Failure to maintain isolation of high risk systems reduces the overall effectiveness of the high security zone.

System Monitoring

  • Audit logs recording user activities, exceptions, and information security events should be produced and kept for a period of time (twelve months where technically and legally possible) to assist in future investigations and access control monitoring.
  • Where it is technically possible and within the boundaries set by local laws and regulations, audit logs should be configured to record security-related events.
  • System administrator and system operator activities should be logged.
  • The audit logs should be configured to record any changes or attempted changes to the system security settings.
  • The clocks of all relevant information processing systems within SSG must be synchronized with an agreed accurate time source.
  • Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.
  • The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into account.


System Maintenance

  • Critical and sensitive IT equipment must either be covered by suitable maintenance agreements or the hotel must keep adequate spare equipment readily available for timely swap out.
  • Maintenance agreements should relate not just to processors (e.g. servers, PCs, POS terminals), but to all equipment required to support the hotel IT infrastructure (e.g. printers, backup devices, network switches, routers, communications equipment, air conditioning units).
  • It may be more cost-effective in certain scenarios to keep a stock of spare equipment readily available for swap out in a timely manner rather than to pay for a maintenance agreement. Any decision to take this option must be documented and approved by the Finance Lead.
  • A maintenance schedule should be in place listing the above equipment together with appropriate details (supplier contact details, maintenance schedule e.g. when/who). The schedule should be updated as maintenance visits occur and regularly reviewed to ensure that visits take place in accordance with the agreed schedule of visits.
  • All maintenance work shall be documented by the supplier and copies retained on file. Any necessary corrective work must be brought to the attention of management for authorisation.
  • Critical and sensitive IT applications must be covered by vendor support agreements.
  • The level of cover (e.g. 24x7) shall be determined in accordance with business requirements.

System Support

  • SSG shall ensure that there are adequate procedures in place in order to provide timely support to its clients.
  • The level of support (working hours) shall be commensurate with client IT user requirements with out of hours contact as necessary.
  • All client IT users should be provided with details of support procedures, including contact numbers and escalation path.
  • The IS Manager (or equivalent) shall keep copies of support documentation for each system. This may include details of support contracts, systems configuration, network diagrams, rack or room layout diagrams.
  • Faults reported by users or by system programs should be logged, investigated and appropriate action taken.
  • Any trends emerging from the fault logs shall be investigated to identify and resolve the underlying causes.
  • SSG should identify designated application experts for all critical and sensitive applications. This may not necessarily be the IS Manager (or equivalent).


Information Security Incident Management

  • Information security events should be reported through appropriate management channels as quickly as possible.
  • The IS Manager shall document the procedure for reporting and responding to real or suspected Information Security events. This procedure should include a point of contact, incident response procedures and escalation path. In the absence of any other information to the contrary from the Global Technology team, the normal escalation path should initially be to a nominated point of contact within SSG with onward escalation to SSG's usual Support procedure.
  • All colleagues, contractors and third party users of information systems should be required to note and report any actual or suspected security weaknesses.
  • All colleagues, contractors and third parties should be made aware of the responsibility to report any information security events or weaknesses as quickly as possible usually to SSG line management and to the IS Manager (or equivalent).
  • Under no circumstances attempt to prove the existence of a potential weakness in the security of a system, as this may be interpreted as attempted misuse of the system and could also cause damage to the information system.


Business Continuity/IT Disaster Recovery

  • Each department head is responsible for ensuring that appropriate manual procedures are developed, documented and maintained and appropriate staff training carried out, in order to continue operating their department in the event of an interruption to the information systems.
  • SSG is responsible for ensuring that recovery procedures for the information systems are developed, documented, and maintained.
  • All procedures should be tested, reviewed and updated at regular intervals (at least once per year).


Software Licensing

  • All computer software operated by SSG shall be licensed.
  • SSG shall administer a system for tracking installed software and software licences.
  • SSG shall maintain an inventory of software purchased showing vendor name, software title and version. Each item in the inventory should be supported by proof of purchase documentation such as a licence agreement and a copy of a paid invoice.
  • SSG shall maintain an inventory of installed software, detailing what software is installed on which computer. This may be done manually for a small number of computers or aided by a software scanning tool.
  • Periodically (at least once a year) the list of installed software should be reconciled against the inventory of purchased software.
  • Any exceptions must be corrected either by removing the software or by the purchase of additional licences. Records should be kept to show that this work has been completed.
  • Computer software must only be installed by the IS Manager (or equivalent).
  • Only software that has been approved by the Global Technology team should be purchased and installed.

User Training and Awareness

  • SSG shall ensure that on hire all colleagues with access to sensitive information or computer systems are made aware of and trained in their responsibilities relating to Information Security. Annual refresher training must also be conducted.
  • Training on policies and specific procedures related to credit card transactions and information is a critical element in reducing risks of fraud and supporting a defence against any legal claims. The hotel shall document training activities and record the names of colleagues who participate.
  • SSG is expected to maintain relevant and up to date system knowledge and skills.
  • SSG is expected to maintain awareness of all Information Security policies and standards that apply to their environment.


SSG is responsible for promoting best practice and security awareness for all information system users in the hotel. This includes:

a) Changing default vendor passwords

b) Not sharing individually assigned user-ids

c) Selecting strong passwords, keeping those passwords secure and changing them regularly

d) Securing workstations with password protected screen savers, or locking PC screens manually

e) Keeping screens with sensitive information away from prying eyes

f) Keeping guests and hotel back office systems separate

g) Only accessing systems they are authorised to

h) Not installing unauthorised remote access solutions

i) Reporting real or suspected information security events through the appropriate channels

j) Awareness of security measures for devices that capture payment card details through physical interaction.

  • SSG must also consider local data privacy legislation and relevant training should be included in the awareness training as appropriate.