Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Developing a Strategic Security Policy for Choice Hotels International

Verified

Added on 2023/06/07

AI Summary

This report discusses the development of a strategic security policy for Choice Hotels International, identifying potential threats and vulnerabilities of the hotel's network and how to mitigate them.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: INFORMATION SECURITY
Information Security
Name of the Student:
Name of the University:
Author note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1Information Security
Executive Summary:
Information is considered as one of the vital asset to any organization especially in case of
service-driven organization such as hotel where information is related to customer, service,
administration, management. The purpose of this report is to research, formulate and develop a
strategic security policy for Choice Hotels International, Inc. which is the chosen organization in
this report. Further, the report identifies and assesses the potential threats and vulnerabilities of
the Hotel’s network and finally discusses how such threats and vulnerabilities can be mitigated
based on the research findings.

2Information Security
Table of Contents
Introduction......................................................................................................................................3
Answer to (a):..................................................................................................................................3
Strategic Security Policy:-...........................................................................................................3
Answer to (b):..................................................................................................................................5
Identification and assessment of the potential threats and vulnerabilities of the hotel’s network.
.....................................................................................................................................................5
References........................................................................................................................................9

3Information Security
Introduction:
Information security is referred as the strategies that manages the tools, processes as well
as policies to identify, protect or prevent the digital as well as non-digital information and
information assets irrespective of the format of information and whether the information is in
state of transit, or in state of being processed or is at rest in storage. An information asset is a
body of information, an information storage system or an information processing system, which
is of value to the organization. Information security policy is designed and developed in order to
protect integrity, availability and confidentiality of computer system data from malicious users
(Safa, Von Solms, and Furnell 2016). An effective security strategy is dynamic, comprehensive
and flexible to reply to security threat type. The process of developing a security strategy
consists of planning, assessment, regular monitoring and implementation and include mix of
actions such as access management measures, policies and procedures, communications systems,
technologies and systems integration practices to counter imaginable threats and vulnerabilities.
The security strategy document defines and arranges information security as well as security
initiatives that the organization must initiate to strengthen the protection of information and the
related technology (Obes, Yamada and Richarte, 2013). In the context of data security any
potential danger to the information or system can be referred to as threat. One important function
of data security is to identify and assess the potential threats assessment, categorically classify
them and evaluate the potential damage that might be caused by them (Rao and Selvamani
2015).
Answer to (a):
Strategic Security Policy:-
Choice Hotels International identifies information security as one of its primary requirement for
smooth running of its business operations. The hotel has formulated strategic security policy to
protect data and information assets. This policy involves the security and management of the
Choice Hotels International’s information assets (Kim, Lee and Ham 2013). It is notable that
besides information technology (IT) department everybody must also take the responsibility of
information security. A security strategy can be considered as successful if it includes every
stakeholder and can develop persistent processes and strategies to motivating users in taking
ownership and help build a strong security policy.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4Information Security
 The Choice Hotels International should provide appropriate resources to create and
maintain an effective approach to security;
 The hotel must periodically review policy implementation with employees, staff,
customers and shareholders.
 The hotel must follow the laws and regulations that is related to information security.
 The hotel must assign responsibilities to the designated persons such information security
officers for managing the information security management system.
 The hotel must keep internal rules such as manuals, basic policy, regulations to ensure
information security and should review these rules regularly to strengthen the information
security management system.
 The hotel must educate and train all its board members and other employees to make
them understand about the importance of information security and information assets. It
should also update employees regarding compliance of regulated laws, regulations and
internal rules such as basic policy and regulations.
 The laws, industry regulations as well as other requirements regarding protection of data
and personal information must be followed by hotel management. In addition,
appropriate handling of customer related information must be ensured by the hotel.
 The hotel must collect personal information and data of its customers and other related
parties in a fair and legal manner. In addition, while collecting such information and data
the hotel authority must provide clarification regarding purpose of the usage of such
information and data to the extent necessary for business.
 The hotel must use customer as well as other parties related personal information to
provide services, service improvement, conduct questionnaire surveys and so on.
 Without prior permission of the customer and related parties, the hotel authority must not
disclose any personal information obtained from them to any third party. However, this is
not applicable if the law, courts and law enforcement agencies are required to disclose
such information.
 The hotel must ensure that customer as well as other parties related personal information
needs to be accurate and up to date. In addition, proper security measures needs to be
implemented to prevent any falsification, leakage, loss or other issues that is related to
such information.

5Information Security
 Regarding usage suspension, disclosure, correction or deletion of personal information
the hotel must take any necessary actions and/or measures in reply to its customers and
other related parties requests.
The hotel management must reassure their customer that digital security is as important as
physical security and the customer information must be secured against any potential/cyber
threats. However, the following information security principles must be followed to implement
all the above strategic security policy
 Information will be protected in line with all applicable legislation and relevant hotel
policies, notably those relating to data protection, human rights, prevent and freedom of
information.
 There will be a nominated owner for each information asset. Proper use of asset as well as
proper security measures to protect the asset are the responsibility of the nominated owner.
 Person having the legitimate requirement for accessing information will be provided the
same after confirmation.
 Information classification will be done as per appropriate security level.
 Integrity of information needs to be maintained.
 Those individuals who have the permission granted for information access must take the
responsibility to proper handling of information as per its classification.
 Protection of information against unauthorised access.
It is notable that if this information security policy is breached then it will be treated as
misconduct and accordingly compliance will be enforced.
Answer to (b):
Identification and assessment of the potential threats and vulnerabilities of the hotel’s
network.
The following threats are that are generally faced by the hotel’s network.
1) Wi-Fi based threats:-The target for the hacker can be hotel networks as well as customer
connecting to those networks. The high-speed wireless internet illustrates the vulnerability of
the hotel to cyber threats. There are several security weaknesses of hotel’s Wi-Fi networks
hotels have several security weaknesses most of which are similar to the weaknesses of the
public Wi-Fi networks. These networks increase the customers’ susceptibility to man-in-the-

6Information Security
middle attack and other attacks that compromise their personal information. Security
vulnerabilities of the hotel persist to increase due to its dependency upon wireless
communications (Shen et al. 2016).
2) Phishing attacks:- The main purpose of this attack is to get user credentials through social
engineering techniques and access an agency system to launch an advanced resolute threat
(Alsharnouby, Alaca and Chiasson 2015).
3) Spear-phishing and backdoor attacks:- An example of such attack is The Dark hotel
malware. This malware selectively attack business customer of hotel through hotel’s Wi-Fi
network (Krombholz et al. 2015).
4) Ransomware:- In this attack, the attackers encrypts the data by getting access to the
organization system. The organization are then asked for ransom payment to get the key to
decrypt data (Mercaldo et al. 2016).
5) Distributed-denial-of-service (DDoS) and botnet attacks:- This attack carry out activities
of malware injection. Here hackers flood the critical systems with traffic such as online hotel
booking by using botnets of compromised networks (Yan and Yu 2015).
6) Man-in-the-middle (MITM) attacks:- In this attack, malicious code are placed between the
victim and a valuable resource such as hotel’s login page by the hackers. The advanced mode
of MITM attack is done through browsers where the data transfer between the hotel login
page and the user’s browser and is silently recorded by the malware (Vallivaara, Sailio and
Halunen 2014).
7) Address Resolution Protocol (ARP) spoofing or flooding:-This technique is also used to
attack hotel networks. Here hackers modify the data exchange by sniffing the hotel network’s
traffic. Here fake ARP messages are send to the LAN by the criminals and victim’s IP
address gets associated with the criminal’s MAC address. Consequently, instead of being
transfer to the victim’s IP address the data is transferred to the criminal. In addition, the
hacker can attack victims through denial-of-service by establishing connection of victim’s IP
address with imaginary MAC address (Venkatramulu and Rao 2013).
8) Data leakage:- In this attack, malicious actor get access to the consumers system and stay
there for long time and identify and extracts critical data which can be customer’s personal
and financial information (Katz, Elovici and Shapira 2014).

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7Information Security
To mitigate and prevent attacks on hotel networks and hotel customer the following
security policy can be used. The chances of information theft can be minimized by taking these
considerations into account. The hotel management and IT team should perform the following:-
1) Caution signs must be displayed at front desks as well as in rooms to remind the following to
the guests.
 Sensitive information such as social security numbers must not be entered into the login
page.
 Any announcement about software update must be cross-checked with the front desk.
 The browser or any site must not be enabled to remember user password and always
logout of sensitive accounts.
 Temporary internet files and history needs to be cleared after finishing the work.
 The computer must not be left unattended in public areas of the hotel.
2) To secure customer’s personal information, hotels must configure all its networks and servers
with data encryption so that any entered information through hotel forms on the hotel login page
are transmitted in encrypted format. In this measure, during the sign-up or login process the
secure socket layer (SSL) technology protects the customer’s personal information and safe data
transmission is ensured. In addition, to protect the customer data many hotels also uses 256-bit
data encryption with validated security certificate (Karagiannis et al. 2015).
3) Hotels must implement threat intelligence feeds. Such feeds contain real-time threat reports
and data breach notification that indicate which customers have already been targeted or will be
targeted in future. The generating reports are analyzed to prevent attackers from re-targeting the
guests in the future.
4) Using virtual private network (VPN) whenever connecting to hotel Wi-Fi can block
DarkHotel malware attack. Unless a wireless traffic is not routed through a VPN, then such
traffic can be sniffed by any hacker. VPN prevent the interruption of sensitive data by hacker
through encryption of all the digital communications (Border, Dillon and Pardee 2015).
5) Hyper Text Transfer Protocol Secure (HTTPS) implies browser’s security and by using this
extension, the browser can be forced to secure connection. HTTPS are used by websites, email
services, cloud application and such system display a locked padlock in the browser to indicate
the automatic encryption of user data. However, encryption for all websites can be activated by
using this extension (Fielding and Reschke 2014).

8Information Security
6) Virtual local area network (VLAN) must be used whenever possible as it is safer than Wi-Fi
and it is also password protected. Some hotels charge customer for wired internet services or
high-speed Internet. A hotel without a VLAN service would likely offer a Wi-Fi connection. Use
of credit / debit cards and sensitive information must be avoided on wireless networks and where
possible Ethernet must be used as it provides security (Udutha and Rapeti 2015).
7) Security program such as firewall must be activated before connecting to the web via hotel
networks. Firewalls are generally present in most operating systems (OS) and antivirus
programs. Firewall prevents hacking and malware attacks by blocking the unauthorized system
access. The data that can and cannot be transmitted from the system are also regulated by
firewall (Suh et al. 2014).
8) Before check-in into the hotel, the customer must update his/her OS security and ensure that
antivirus, anti-malware that are running on the device are completely updated. During web
surfing on hotel network, any offer on the unsolicited software update must be avoided.
9) The configuration of all the network and security devices must be secured. A backup copy of
tested and updated configuration must be stored so that it can be used in case of any disaster.
10) All network devices must be synchronized by configuring the network time server.
11) Finally, all systems must conform and include the following things.
 All known security patches must be applied.
 All unwanted application must be uninstalled and all unwanted services must be
disabled.
 All necessary logs for system, security and audit must be enabled.
 Endpoint protection programs such as Host based Intrusion Detection Systems
(HIDS), application firewall, anti-malicious software must be installed.

9Information Security
References:
Alsharnouby, M., Alaca, F. and Chiasson, S., 2015. Why phishing still works: User strategies for
combating phishing attacks. International Journal of Human-Computer Studies, 82, pp.69-82.
Border, J., Dillon, D. and Pardee, P., Hughes Network Systems LLC, 2015. Method and system
for communicating over a segmented virtual private network (VPN). U.S. Patent 8,976,798.
Fielding, R. and Reschke, J., 2014. Hypertext Transfer Protocol (HTTP/1.1):
Authentication (No. RFC 7235).
Karagiannis, V., Chatzimisios, P., Vazquez-Gallego, F. and Alonso-Zarate, J., 2015. A survey on
application layer protocols for the internet of things. Transaction on IoT and Cloud
Computing, 3(1), pp.11-17.
Katz, G., Elovici, Y. and Shapira, B., 2014. CoBAn: A context based model for data leakage
prevention. Information Sciences, 262, pp.137-158.
Kim, H.B., Lee, D.S. and Ham, S., 2013. Impact of hotel information security on system
reliability. International Journal of Hospitality Management, 35, pp.369-379.
Krombholz, K., Hobel, H., Huber, M. and Weippl, E., 2015. Advanced social engineering
attacks. Journal of Information Security and applications, 22, pp.113-122.
Mercaldo, F., Nardone, V., Santone, A. and Visaggio, C.A., 2016, June. Ransomware steals your
phone. formal methods rescue it. In International Conference on Formal Techniques for
Distributed Objects, Components, and Systems (pp. 212-221). Springer, Cham.
Obes, J.L., Yamada, C.E.S. and Richarte, G.G., Core Security Technology, 2013. System and
method for extending automated penetration testing to develop an intelligent and cost efficient
security strategy. U.S. Patent 8,490,196.
Rao, R.V. and Selvamani, K., 2015. Data security challenges and its solutions in cloud
computing. Procedia Computer Science, 48, pp.204-209.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model
in organizations. Computers & Security, 56, pp.70-82.
Shen, W., Yin, B., Cao, X., Cai, L.X. and Cheng, Y., 2016. Secure device-to-device
communications over WiFi direct. IEEE Network, 30(5), pp.4-9.
Suh, M., Park, S.H., Lee, B. and Yang, S., 2014, February. Building firewall over the software-
defined network controller. In Advanced Communication Technology (ICACT), 2014 16th
International Conference on (pp. 744-748). IEEE.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10Information Security
Udutha, S.C. and Rapeti, M., Cisco Technology Inc, 2015. Preventing leaks among private
virtual local area network ports due to configuration changes in a headless mode. U.S. Patent
8,989,188.
Vallivaara, V.A., Sailio, M. and Halunen, K., 2014, March. Detecting man-in-the-middle attacks
on non-mobile systems. In Proceedings of the 4th ACM conference on Data and application
security and privacy (pp. 131-134). ACM.
Venkatramulu, S. and Rao, C.G., 2013. Various solutions for address resolution protocol
spoofing attacks. International Journal of Scientific and Research Publications, 3(7), p.1.
Yan, Q. and Yu, F.R., 2015. Distributed denial of service attacks in software-defined networking
with cloud computing. IEEE Communications Magazine, 53(4), pp.52-59.

1 out of 11

+13062052269

info@desklib.com

Developing a Strategic Security Policy for Choice Hotels International

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Information Security: Shangri-La Hotel

Information Security: Holiday Inn Australia

Information Technology for Managers

iT Security

Risk Assessment: BYOD Policy

BYOD Policy Threats and Security Strategies for Cybersecurity