Hotel Computer security and disaster recovery tips
The recent advance of computer software technology in recent years has given the hotel industry another security concern. Illegal entry into the computer room of a hotel can create a direct threat to the organization's financial stability and moreover their customer database. Fires, natural disasters, and hardware theft can result in damaged or irretrievably of lost data.
Hotels should regularly conduct a audit on risk assessment of all computer systems and software to uncover specific areas of vulnerability. This is an assessment of the risk associated with the loss of each and all systems as well as all data stored on those systems. This assessment should be repeated half yearly or annually or as new software are brought online and old systems are replaced.
The structure and resources of hospitality industry requires that one person carry the responsibility for overall computer system security.In many properties this is either the controller or the director of information systems (MIS) or in smaller hotels it is done by the IT managers.
However, every user must be held accountable for protecting the information resources of the property and the corporation. Sharing system or file access passwords or providing other information that could allow unauthorized access to a property's systems is equivalent to company sabotage or theft.
It becomes important that strict user access levels are deafened according to the designation of the staff, This will limit access to information and systems to those users who require such access to perform their assigned duties.
Audit ability :
It is the responsibility of the designated systems security officer of the property to maintain awareness of when users are accessing information, what they are accessing or modifying, and when and how unauthorised attempts to access a system are being made. They should always track the userlogs on servers and PMS or POS software to see these details.
The use of unique passwords is one acceptable method of authorizing use and protecting computer data. When a property uses passwords, it should strongly encourage employees to avoid writing them down. Some hotels set password change policy for their users to change their passwords every 30 days. Users who don't change their passwords after 30 days has to get it reset through proper channel.
The above practice will help protect passwords of employees who have left or been transferred or terminated and their password and login being used by other employees. Some properties permanently delete the login and passwords of employees when they leave the organisation.
In order to maintain an audit trail and monitor system usage, system administrators in conjunction with the security officer in the property should activate access, violation, and modification logs that track password use. Access logs provide an electronic record of each attempt to log on to a system. Violation logs record who attempted to violate system or file-level security, and modification logs record user information on all files that have been modified.
In some systems, it is possible to have such logs activate an alarm when data gathered in the log fall outside established parameters. Such notification allows the system administrator the opportunity to locate the source of the potential security risk.
It is a fact which we have to admit that there is no security plan or system for computers that is 100 percent foolproof. There is a local saying among hotel computer system managers that,''We do the best We can. even after that, if someone really wants to get into a system, they will get in''.
Unfortunately, this is true. Since such access can happen from within a property or from the outside, it is important to take measures to prevent ''hacking'' into a system on both fronts. It is the responsibility of the appointed systems security officer to perform due diligence as it relates to system integrity, keeping the system continuously operational without data loss or security incident.
The level of security available on a particular system in most cases begins with the operating system. Always keep your computer OS up to date as the OS vendors regularly fix known security issues.
Computer viruses are destructive computer programs that can ''infect'' a computer and damage data files, system files, and applications. Viruses can replicate themselves and can be transmitted as hidden files or programs from one computer to another. Viruses are most often transmitted when users carry a USB from computer to computer, copying files to and from the USB without considering whether or not they might contain a computer virus. An infected USB may invisibly transmit the virus to each computer that reads the files. This in turn infects one computer after another.
As more computer virus infections are through USB it would be a good decision by the hotel management to can block USB access on computers for all users.
The second and much more effective (and malicious) way viruses are spread is over the internet. Internet mail attachments are notorious for carrying computer viruses. Theses programs are attached to e-mail messages and then sent to numerous users. The unsuspecting user then opens the mail and carelessly infects the computer with a virus.
The most effective way to prevent the spread of computer viruses is to use a good anti-virus program to protect computers against the threat of viruses. These programs work as virus shields, scanning files for known computer viruses as they are opened or run. If a virus is detected, it is immediately cleaned from the system. Additionally these programs can be set up to periodically scan the entire computer for viruses. Virus protection programs are extremely effective when installed on a server and used in a local area network (LAN).
When computers have access to the Internet as well as corporate and local area networks, it is important to protect data from unauthorized distribution over the Internet. It is especially critical to control Internet access centrally in any property where computers are connected to the hotel LAN and to the Internet via a modem.
Anytime there is a modem on a PC, there is the possibility for unauthorized transmission of data from the network, out of the hotel, via the modem. It is more secure to provide Internet access via the network so that a firewall can be put in place to protect the hotel’s data and systems. Firewalls are communications filters that allow only authorized access and data transmission to and from a network.
The more people that have access to a computer, the greater the possibility for compromised security. Implementing certain access restrictions can help to maintain system integrity.
One type of restricted access involves the creation of different levels of authorization for access to different levels of information. Such system limits the information available to employees to only those areas necessary for the performance of their jobs. Front desk staff, for example, would be limited to computer access relating to the check-in and check-out functions only.
Physical Access to Servers:
The server room or main computer room in a property should be secured in a separate area from other operations, protected by adequate locks and double-door entry. All movement of personnel into the area should be controlled, and access should be granted only to those who work with the network. A log should be maintained in computer operating areas detailing any stop pages and any resulting problems. Such records should be maintained and reviewed regularly by supervisory personnel.
Physical Protection of the Computer:
Computer security involves more than protecting against fraud or vandalism. The computer itself should be maintained and protected from numerous hazards that could temporarily or permanently incapacitate it.
Properties also should take measures to protect against power failures that may disrupt computer functions. One strategy is to route all computer equipment through an uninterrupted power supply (UPS) unit.
It is most important that all critical data on a hotel’s network be backed up each day. Additionally, critical report information should be printed at regular intervals in case of emergency or system outage. For instance, room occupancy and guest information should be printed regularly (for each shift) so that room status can be determined in the event of the system going down.
Physical backup on tape, high-capacity disk, or recordable CD/DVD should be performed daily and stored off-site in the event of fire or theft of system equipment or data. In some instances, corporate policies will govern backup procedures and the storage of backup media. Otherwise, each property should develop adequate procedures that meet the needs of that property.