Security Tips for LP
An Overview of the
High Risk Areas within MVCI Sites
Bob Samson
Director, Information Protection & Privacy
The Disclaimer
Marriott Vacation Club International (MVCI) disclaims
liability for any personal injury, property, or other
damages of any nature whatsoever, whether special,
indirect, consequential, or compensatory, directly or
indirectly resulting from the publication, use of, or
reliance on this course material. In issuing and making
this course available, MVCI is not undertaking to
render professional or other services for or on behalf of
any person or entity. Nor is MVCI undertaking to
perform any duty owed by any person or entity to
someone else. Anyone using this course material
should rely on his or her own independent judgment
or, as appropriate, seek the advice of a competent
professional in determining the exercise of reasonable
care in any given circumstance.
• Defining the boundaries of protection
• 7 simple steps for protecting Data
• A test – Can you spot the security failures?
• 4 steps for protecting associates and properties
• Business Continuity Planning
• Wrap up
The Opportunity
What needs protection?
• Confidential Information is defined as information created, obtained or
used by a company that derives independent value from not being
generally known to the public. Confidential Information can exist in
different mediums (including paper documentation, computer files,
compact disks, voicemail, e-mail and other digital media and oral
information) and includes, but is not limited to, information regarding:
– guests
– associates
– franchisees
– joint venture partners
– owners
– prospective owners
– residential owners
– sales and marketing plans and forecasts
– revenue management techniques
– pricing strategy
– personnel matters
– business location financial results, budgets and forecasts
– standard operating procedures
– manuals
What needs protection?
• Personally Identifiable Information is a special category of Confidential
Information defined broadly to include information that can be associated
with or traced to any individual, such as an individual’s:
telephone number
e-mail address
credit card information
social security number (SSN)
banking information
credit history (e.g., consumer credit report)
personal preferences
any other similar information
• Personally Identifiable Information is also known as PII.
The BIGGIES are: credit card information & social security number (SSN)
High Risk Data is information that can lead to fines and/or other penalties if
accidently disclosed.
What needs protection?
• The Personal Safety of All Associates and Guests – Every site
must have:
– An Emergency Plan for guest and associate safety
– A Business Continuity Plan to sustain critical processes during a
– Up to date contact information for their BCP team
• Team Membership
• Work information
• Home information
• Alternative contact methods: cell phone, home email
– A BCP test plan
– A tested BCP test plan
– A work environment free from hazards
7 Actions that can Protect Data
Policies granting authority to LP
Education/Training of Associates
Minimizing Collection
Limiting Access
Protecting what is Collected (paper & electronic)
Secure Disposal of Confidential and PII data
Protection of electronic resources
STEP 1: Policies Granting Authority to LP
• You need a policy for Information
Security and Confidential Information
• You need a policy for Business Continuity
• You need a policy assuring Personal
Information Privacy
• You need a policy protecting the Security
of Assets
• Loss Prevention should have the power
to Confiscate and Protect Laptops When
Observed at Risk
• You need policies protecting the Security
of Laptops, Desktops and Mobile
Computing Devices
Clear policies establish overall guidance on many areas of
confidential and personally identifiable information and grant you
authority to intercede when information is placed at risk.
STEP 2: Education/Training of Associates
• Associate Awareness is one of the best defenses against accidental and
criminal data loss.
– Encourage the use of training programs in safety and security.
– Take all of your course material yourself – it will increase your
awareness and skills.
– Establish poster programs – they are inexpensive and effective
• Use your Intranet resources
– Internal Communications vehicles are a excellent way to get the
word out.
• Periodically, invite management team on your walk thru to see what you
see. A trained management team is a good defense.
• Remind all associates and management that confidential information
must be identified (marked) as such – don’t expect people to protect it if
they don’t know what it is.
STEP 3: Minimizing Collection
• Companies must protect what it collects – Therefore, you should be
collecting only the information needed to supply the intended services:
– Look for copies being made of drivers licenses, passports and
other personal identification that are not necessary.
– Question the process that requires making copies of this type of
sensitive data. It is rare that any business process needs to
retain copies of this type. If there is a legitimate reason, the
copies must be physically protected at all times.
• If forms are left in the open and unsecured, check forms for credit card
data, social security numbers or personally identifiable information.
– For hotels, guest data such as room number and name should
never be made public.
• Spot check what associates carry in and out of your facilities.
Associates should not be taking Confidential or Personally Identifiable
Information out of our facilities without the permission of management.
STEP 4: Limiting Access
• Physical Access must be restricted to only those associates or third party
service providers with a clear business need-to-know.
– Physical security standards must be up-to-date on locks, cameras,
– Keep walls up to ceilings – avoid partitions for areas holding sensitive
– Computer rooms must have a hard copy written log of entrants and
• Interrogable Locks (keep a record of each entrant and time)
– Computer rooms and communications areas.
– Finance areas that process and store credit cards.
– HR areas that process and store SSNs.
• “Combination Safe” standards should require both key and combination and
must be secured to floor. The same associate should never have both.
• Put copiers in protected areas to limit open use by unauthorized associates
or use copiers that have a code.
• Where manual keys are used, a key management system must be in place
to control access to physical keys.
• Any 3rd party access to a server room must me only when a signed legal
agreement is in place – service technicians must be accompanied while in
the room.
STEP 5: Protecting what is Collected
• Your site should have a physical inventory (identified by location) of where
Confidential and PII data is stored along with an evacuation plan for data.
• Computer Rooms, Workstations and Storage Areas must be secure.
– All file cabinets and desks with PII and Confidential data must be
locked when offices are not occupied.
• There should be adequate lockable file storage.
– Protect Telecommunications and Server areas.
Cameras with 90 days of storage.
No signage to tell outsiders what is in the room.
No direct access from outdoor common areas.
No paper, cardboard or other storage of combustibles in a server room.
Smoke alarms must be tied to general building alarms.
– Backup tapes must be in a secure off-site location, never in the server
room. Move them through bonded couriers only.
Locate faxes that receive Confidential and PII data in secure areas
(especially if they receive the faxes after hours).
Examine copiers and printers for Confidential and PII data that is forgotten
after hours.
Look at open mail room boxes for Confidential and PII left out overnight.
Check waste paper baskets and recycle bins for discarded Confidential and
PII data periodically, noting offenders.
STEP 6: Secure Disposal of Protected Data
• Cross-cut shred, incinerate, or pulp any hardcopy materials – Make sure space and
equipment are provided and working.
• Storage containers for information to be destroyed must be secured with a lock.
• Discourage the placement of confidential documents in an unshredded form in
recycle bins or the trash..
• Have sufficient shred bins located at the points where Confidential and PII data is
discarded – This is especially important in sales centers with multiple locations/floors,
remote check-in or other off-site services such as HR.
• Prior to disposing of a computer, blackberry or electronic media the data must be
securely disposed of
Follow an approved process
• Periodically, check the dumpster for Confidential and PII data.
STEP 7: Protection of Electronic Resources
• Any software that collects, processes, stores or transmits credit card data must
mask the card number on the screen displays and printed customer receipts.
• All computers must have their screen savers set to lock the keyboards after 15
minutes or less.
– No computer should be left on overnight without being locked from access
by a password.
• All laptops must be cable-locked to a large object such as a desk during the day.
• All laptops must be either cable-locked to a large object, placed in a locked
cabinet or a locked individual office after hours.
• Any desktop in a location with public access must be cabled-locked to a large
Inspect PCs accessible by the public frequently for keystroke loggers
• Look for sticky notes with passwords on desks or near computers. Remove
them and take them to your office noting the location.
• Modems
– These are typically in the server rooms used for 3 rd party support – the
modems should be on only when they are needed and access monitored.
• Public Network Connections
– Any public access to a company’s internal network should be eliminated or
public network connection physically secured.
• Example: a LAN connection in public area or lobby.
How many security violations can you find?
Lets take a closer look
Lets take a closer look
Lets take a closer look
Lets take a closer look
Lets take a closer look
Here they are – 10 of them
1. Cable lock to the docking station
It should be on the laptop to do any good
2. Report on desk marked confidential
Confidential material must never be left out unprotected
3. Report on desk that should be marked confidential
Confidential Material should be marked as such
4. Password stuck to screen
Passwords must never be shared and always protected
5. Desk unlocked (with customer PII inside)
Associates should be made responsible for protection of all PII
6. Confidential Information in waste basket
Store all confidential information in locked containers until shredding
7. Note pad with customer credit card number written down
Anytime a credit card number is present on a form,
the associate must limit access and protect the forms
8. Computer logged in and no password-protected screen saver set
All data on PC and server including email is accessible
to anyone
9. Copy of a driver’s license
Should never be created – Collect only what is absolutely necessary
10. A CD Marked “Backup of laptop”
Must be marked Confidential and always secured
LP’s Role in Business Continuity Planning
Each location should have a plan.
1. Emergency plan focusing on guest and associate safety.
2. Shelter-In-Place component should be required.
3. Business Continuity plan focusing on critical/key processes to sustain
business activity during a crisis.
The plan must be reviewed and updated annually (twice a year is a best
The plan needs a “test plan,” a formal description of steps to ascertain
that your property is ready for a crisis.
Your “test plan” must be tested annually or you don’t have a plan.
Follow up Questions
Send any follow up questions or suggestions to
[email protected]

Information Protection - Management of Access to …