Info Security Report

Uploaded by MrsBeast

BSCLMR146320

INFORMATION SYSTEMS SECURITY

LI-ONE RESTAURANTS

INFORMATION SYSTEMS SECURITY POLICY


TABLE OF CONTENTS

1. INTRODUCTION
1.1: Scope
1.2: Objectives
1.3: Principles
2. Information security objectives
2.1: Threats
2.2: Understanding the risks
2.3: Legislation
2.4: Privacy
2.5: Insurance
3. Responsibilities
4. General Controls
5. Consequences

Information Security

POLICY TITLE: Information Security Policy

DATE OF ISSUANCE: This policy was approved by the LI-ONE Council on December 17, 2008. Administrative changes were made July 2018.

RESPONSIBLE DEPARTMENT/UNIT: Office of the Chief Information Officer. Questions about this Policy should be directed to the Information Security Office, 412-268-8556.

1. INTRODUCTION

This document sets out LI-ONE's Information Security and Use of IT policy and procedures, and the responsibilities of everyone using systems and IT in the company.

This information security policy outlines our approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the hotel's information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.

As a company, our objective is to ensure that when guests are with us, they feel comfortable, private, and secure. There is a considerable focus on enforcing physical security within the hotel: doors have smart locks, and rooms have electronic safes with PIN codes that can be set by the guest. However, we strive to ensure that guests have the same level of protection even when they are connected to the hotel's digital infrastructure.

1.1: Scope
This Policy applies to all faculty, staff and third-party agents of the University, as well as any other University affiliate, including students, who are authorized to access Institutional Data.

1.2: Objectives
The objective of this Information Security and Acceptable Use of IT Policy is to protect the company's information assets from all threats, whether internal or external, deliberate or accidental, in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

This policy is critical for providing assurance to funders, regulators, auditors, and governments that we take seriously the confidentiality, integrity and availability of data placed in our care.

1.3: Principles
There are three main principles to this policy:

a) to consider the sensitivity of the information being handled,

b) to protect information in proportion to its sensitivity by ensuring that information, whatever its format, is secured by physical or approved electronic means, and

2. Information security objectives

This section sets out the end goals of the company and the three strategies used to achieve those goals.

Information security is concerned with the CIA triad, i.e.:

- Confidentiality: data and information are protected from unauthorized access. Guest information is not disclosed to other guests or employees, nor should employees be given privileged access to guest data.

- Integrity: data is intact, complete, and accurate. Staff should record and enter the right data for guests, and data is not to be tampered with by people without the correct privileges.

- Availability: IT systems are available when needed.

2.1: Threats
The following are some of the leading threats faced by the hotel and leisure industry as of January 2021:

- Phishing attacks: Phishing is primarily a pre-step to a full-blown targeted malicious attack on an organization. The primary objective is to gain user credentials through social engineering techniques and infiltrate the organization's systems in order to plant and launch advanced persistent threats.

- Wi-Fi-based attacks: Unless secured, traditional Wi-Fi systems are vulnerable, and malicious actors (these could be insiders such as employees or hotel guests, or external parties such as hackers, cyber criminals, etc.) could use them to breach corporate systems or attack fellow users.

- DDoS and botnet attacks: Distributed denial-of-service attacks have grown in popularity as a way to conduct a range of malware injection activities. In such attacks, hackers use botnets of compromised machines to flood critical systems (e.g., online ticket booking) with traffic, which results in a crash of the platform. Attackers may also demand a ransom from the business to prevent disruption of such critical systems.

- Ransomware: These attacks have grown in popularity in the last few years, and there have been some truly crippling attacks in which the attackers gain access to the organization's systems and encrypt the data. The business is then asked to pay a ransom to obtain a key to decrypt the data.

- Data leakage: These are attacks where a malicious actor gains access to your systems, stays there as long as possible, and tries to identify and exfiltrate critical data outside the organization. The data includes business data as well as guests' information (personal, financial (credit cards), etc.).

2.2: Understanding the risks

As with any business, the biggest risk for the hotel emanates from the biggest expectations of our guests, i.e., comfort, privacy and security. Some of the information we hold is personal information such as passport details, other identity cards, credit cards, personal or business addresses, travel itineraries, personal likes and habits, etc. A malicious actor can use such information to impersonate an identity, mount social engineering or phishing attacks, or commit financial fraud, amongst other things. As such, the business itself is at risk, as it may become the focus of attacks aimed at such information.

The key risks that we face include:

1. Loss of personal data relating to guests, resulting in breaches of privacy law obligations and, potentially, individual loss claims.

2. Loss of confidential information, which may amount to a breach of contract and/or loss of commercial advantage.

3. Denial-of-service attacks, preventing the use of operational systems, including booking systems.

4. Financial fraud with customer credit card information, including bookings made using stolen identities.

5. Reputational damage caused as the consequence of any of these risks occurring.

2.3: Legislation
The management system has defined controls in line with regulatory requirements. The regulatory requirements include local as well as international (where applicable) requirements. Some of the key regulatory requirements include:

1. Adherence to the National Information Assurance Policy (Kenya).

2. Adherence to the Personal Information Privacy Protection Law (Kenya).

3. Adherence to the Cyber Crime Law (Kenya).

4. Adherence to the Electronic Commerce and Transaction Law.

5. Adherence to GDPR, if applicable.

2.4: Privacy
Protection of personal information is a key regulatory requirement both locally and internationally. It is therefore important to note that our systems have been designed in line with the privacy regulatory requirements. The regulation confers a number of rights on individuals, such as the right to be forgotten, the right to information, the need for consent, etc. To enable this, we will only collect data that is required for the business and share only what needs to be shared. We do this because a key strategy in effective privacy management is to reduce risk by reducing the amount of data that is collected, ensuring its use is based on the consent received, and disposing of data as soon as the need for it has ended.

2.5: Insurance
A data security breach is an incident in which the confidentiality, integrity, or availability of data (often stored electronically) is compromised, such that the data is vulnerable to access or acquisition by unauthorized persons. Not all data breaches are caused by hackers or malevolent individuals; some are caused by individual carelessness, such as leaving an unsecured laptop somewhere and exposing the data to an unsecured environment. With personally identifiable information, such as QID numbers, financial account numbers or access credentials, the loss of confidentiality can potentially lead to identity theft, unauthorized credit or debit card charges, and bank account fraud. This may lead to direct and indirect losses, including fines and penalties imposed by the card associations. The company may also face third-party liability in the form of lawsuits and claims, regulatory fines, and, in some cases, even civil and criminal penalties.

Cyber insurance ensures that in case of a breach, an organization can manage some of the liabilities, at least from a financial perspective. This makes sense in a strong regulatory environment where an organization may be liable for disciplinary fines and/or costs related to breach notification.

The scope of coverage can be tailored to a variety of risk scenarios and should cover the following: Asset Liability, Network Security Liability, Privacy Liability, Regulatory Defense and Penalties, Network Extortion, Network Business Interruption and Breach Event Expenses.

3. Responsibilities
Tribe Hotels IT Directors hold ultimate responsibility for information security.

The Information Security Officer has responsibility for information security and acts as the point of contact with our service providers and for compliance.

The Data Protection Officer will support the Information Security Officer by ensuring effective engagement and communication of any data-related issues that may compromise information security, and by reporting any risks/issues raised.

The Procurement Officer is responsible for ensuring contracts are sufficiently robust and clear about the responsibilities of third parties/partners, and for instigating periodic checks to assess compliance.

Managers are responsible for information security in their area and must ensure all permanent and temporary staff and contractors are aware of their responsibilities, and take action to instigate re-training where required.

All staff must comply with this policy, including the maintenance of data confidentiality and data integrity.

Managers (in all departments)

All Managers must give their full backing to all the guidelines and procedures as set out and agreed in this document.

- They are to ensure that inexperienced staff who require access to ICT are provided with log-in credentials and access privileges as appropriate.

- Managers must also take responsibility for ensuring that all inexperienced staff receive a briefing on this policy as part of their induction and formally sign the Acknowledgement of Acceptance before they are given access to any of our IT systems.

- All staff should review this Policy and re-confirm acceptance on an annual basis, or when invited to do so.

4. General Controls
The company's IT team should take these considerations into account, but hotel guests are also encouraged to take measures that minimize the chances of information theft.

The hotel's management and IT team should therefore:

1. Configure networks and servers with data encryption.

2. Implement threat intelligence feeds that include a data breach notification system, which provides notifications and real-time threat reports showing that hotel guests have been targeted or may be targeted in the future.

3. Require guests to use VPN services whenever connecting to the hotel's Wi-Fi, because VPNs encrypt all digital communications and prevent sensitive data from being intercepted.

4. Use HTTPS, so that the browsers in use communicate securely.

5. Activate the firewalls.

6. Use VLANs wherever possible.

7. Update antivirus software and scan for malware from time to time.

5. Consequences
To ensure that the organization remains compliant with the law and the parties involved are compliant with the above policy document, the following will be implemented in case of a breach:

- Fine

- Jail sentence

- Loss of your job

- Demotion or downgrading of your job in the company

Each case of breach by employees, by guests or by third parties will be severely punished to ensure that we follow the law and achieve the organization's goals.