
HOTEL ACCOUNTING MANUAL

DECEMBER 2011
Table of Contents

Chapter 1 Introduction Page 1


Chapter 2 Global Profit & Loss Accounts and Supporting Definitions Page 6

Chapter 3 Unallocated and Allocated Costs Page 13

Chapter 4 Statistic and Ratio Analysis and Supporting Definitions Page 19

Chapter 5 Internal Control, Control Self Assessment and Internal Audit Page 36

Chapter 6 Revenue Page 44

Chapter 7 Extension of Credit and Accounts Receivable Page 56

Chapter 8 Credit Cards Page 66


Chapter 9 Purchasing, Receiving, Accounts Payable, Contracts and Travel Expenses Page 75
Chapter 10 Inventory and Cost Control Page 88

Chapter 11 Bank and Cash Page 97

Chapter 12 Payroll Page 107

Chapter 13 Fixed Assets, Capital & FF&E Approval Page 116

Chapter 14 Miscellaneous Accounting Matters Page 122

Chapter 15 Information Systems Page 130

Chapter 16 Pre-Openings, hotel Conversions and Hotel Opening Manager Page 148

Chapter 17 De-flagging Page 161

Chapter 18 Code of Conduct, Bribery Policy and Fraud Page 165

Chapter 19 Hotel Delegation of Authority Page 176


CHAPTER 1

Introduction

This manual is applicable to all IHG owned and managed hotels. It is mandatory to follow the
requirements, subject to the following:

• Exceptions to the requirements of this manual should be rare (for example, following
specific instructions from a hotel owner) and may only be approved by the area Vice
President of Finance (or equivalent). In order to minimise misunderstanding during the
Control Self Assessment process (ref: 5.3), any such exceptions should be notified to the
regional Director Global Internal Audit by the area Vice President of Finance.
• For hotels serviced by a Business Service Centre (BSC), some of the procedures noted
in this manual may be performed by the BSC. It is the responsibility of the Finance Lead
(or equivalent) to understand which tasks are to be performed by the BSC and to ensure,
following agreement with the area Director of Finance (or equivalent), that these tasks are
not duplicated at both the BSC and the hotel. Where part of a process is performed by the
BSC, the Finance Lead must follow the requirements of this manual for all items which
he/she is required to perform.

IHG has three approved Global Hotel Accounting Manuals, as follows:

• Full service manual (this document)
• Limited service manual
• Extended Stay manual

Reflecting the requirements of limited service and extended stay operations, these
manuals provide a less comprehensive control environment. This reflects both the extent of
items covered in the full manual which are not applicable to certain hotels and the recognition
that staffing models at certain hotels, whilst appropriate for those businesses, do not allow
some of the controls to be applied in the manner described in the full service manual. In these
circumstances, alternative procedures are included in the limited service and extended stay
manuals, which maximise the impact of available staff on the control environment.

The CFO for each region will determine which manual applies and will communicate this to all
hotels in the region. The CFO for each region will maintain a comprehensive listing of which
hotels in their region will use each manual. The following table is the default position in
determining the manual which applies:

Hotel type             Offering          Manual applicability
InterContinental       Full Service      Full Service
Crowne Plaza           Full Service      Full Service
Hotel Indigo           Full Service      Full Service
Holiday Inn            Full Service      Full Service
Holiday Inn Express    Limited Service   Limited Service
Staybridge Suites      Extended Stay     Extended Stay
Candlewood             Extended Stay     Extended Stay
Other                  -                 Full service if any F&B offering, otherwise limited
                                         service (subject to SVP approval)

In order for a Holiday Inn to use the limited service manual (due to the F&B offering or the
volume of accounting staff), a compelling case must be made to the regional SVP Finance
and Business Support for his approval. The regional Director of Internal Audit must also agree
to this exception, so that the appropriate CSA questions can be directed to that hotel.
Annually, the SVP Internal Audit and SVP & Group Financial Controller will review the list of
exceptions to ensure that a consistent approach is being adopted globally, partly in order to
maintain the integrity of CSA results.

In order to ensure global consistency, in the event of no existing precedent for any
combination of offering and staffing levels, the manual to be applied will be determined by the
regional SVP Finance and Business Support, the SVP Internal Audit and the SVP & Group
Financial Controller.

If job titles change, or vary between regions, such that an organisational structure does not
exactly fit the provisions of this document, approval should be sought from a level of
management that is clearly above that required by this policy. In the event of queries, please
contact the Controller Group in Branston (details below).
To translate from regions to Global Functions: (i) the authority of a regional Chief Executive
is held by the EVP; (ii) the authority of a COO is held by the Heads of Functions; (iii) CFO
authority is held by the relevant Business Support Lead for each function.

Throughout this manual any reference to Finance Lead is in reference to the senior finance
person at the hotel. This could relate to Director of Finance, Financial Controller, Finance
Manager or Finance Lead.

MUST: This word, or the terms "REQUIRED" or "SHALL", means that the definition is an
absolute requirement of the standard.

MUST NOT: This phrase, or the phrase "SHALL NOT", means that the definition is an absolute
prohibition of the standard.

SHOULD: This word, or the adjective "RECOMMENDED", means that there may exist valid
reasons in particular circumstances to ignore a particular item, but the full implications must
be understood and carefully weighed before choosing a different course.

SHOULD NOT: This phrase, or the phrase "NOT RECOMMENDED", means that there may
exist valid reasons in particular circumstances when the particular behaviour is acceptable or
even useful, but the full implications should be understood and the case carefully weighed
before implementing any behaviour described with this label.


This manual is owned by InterContinental Hotels Group PLC and it is the responsibility of the
SVP & Group Financial Controller to approve any changes to the manual.

This version of the manual was prepared in 2010-11 by a committee of IHG personnel,
selected from all regions and many corporate departments and approved by the SVP & Group
Financial Controller.

Future minor changes will be approved by the SVP & Group Financial Controller and
communicated through the IHG Merlin intranet and other appropriate channels. The
Committee will conduct a review of the entire manual on an annual basis.


In the event of queries, hotel finance leads (or equivalent) should contact their regional
financial management.

Regional and corporate management should contact the Director, Financial Governance at
the Branston or Denham Corporate Offices in the UK.


This manual was originally drafted in 2002 and updated in August 2007, as the first organised
effort to establish a uniform set of policies and procedures for the owned and managed hotels
of Six Continents plc (now InterContinental Hotels Group plc). This edition has updated those
versions to reflect changes to technologies and associated changes to working practices at
the hotels and, to the extent practical, to provide a clear global approach to finance policies
and procedures at IHG hotels worldwide.

This edition could not have been completed without the efforts of the committee appointed by
Ralph Wheeler (SVP & Group Financial Controller) to undertake the completion of this task,
together with others who contributed significantly. We would like to acknowledge the following
and thank them for their efforts:

Tarun Agarwal, Middle East and Africa
Mazen AbuSakha, Middle East and Africa
Paul Ayris, Financial Governance Business Service Centres
Michael Capizzi, Americas
Jinny Chong, Greater China
Lub-Hei Choo, Greater China
Gerasimos Ferentinos, InterContinental Berlin
Rod Kamleshwaran, Asia Australasia
Cindy Jenkins, Global Finance Transformation
Ana Liberatore, Middle East and Africa
Monte Nash, Global Internal Audit
Wanda Nielsen, Business Service Centres
Jennifer Oswalt, Global Internal Audit
Peter O'Toole, Global Information Technology
John Peach, Europe
Diana Saldarriaga, Latin America
Desmond Tan, Global Internal Audit
Jeffrey Wong, Europe


Reference is made throughout this document to other policies, procedures and manuals. Most
of these should be readily available on Merlin, or please contact your regional finance
support.

Any reference to the Uniform System of Accounts for the Lodging Industry is in relation to the
10th Edition of this publication.


This document is confidential proprietary business information of InterContinental Hotels
Group plc and must not be copied or distributed without its consent. Any questions regarding
the distribution of this document should be addressed to the applicable Regional Head of
Finance or to the Director of Global Financial Governance at IHG's Branston or Denham
Offices in the UK.

CHAPTER 15

Information Systems


This document contains the information security policy and standards as they apply to IHG
Owned and Managed hotels.
IHG maintains a hierarchy of information security policy and standards documentation.
There are two documents called the IHG Information Security Policy and the IHG Information
Security Standards that apply to all IHG managed entities. The documents are available on
Merlin and are the first point of reference for clarification of any control.
This Chapter of the Hotel Accounting Manual is drawn from those two documents but is
tailored for hotels. If there is any discrepancy between the controls in this document and the
controls in the Information Security Policy or Standards documents, those other documents
take precedence.
This document describes “what needs to be done”. It is not intended to be a detailed step by
step procedural document. The IHG Information Security Department strongly recommends
that standard operating procedures are developed to document “how things are done”. If
possible the work to develop standard operating procedures should be led by the Regional
Global Technology teams. Where technically feasible, information systems should be
managed consistently, using the same procedures, tools, and utilities.
PCI DSS Compliance

In addition to the IHG standards contained in this document there are a set of requirements
detailed in a third party document called the Payment Card Industry Data Security Standard
(PCI DSS) that also apply to each cardholder data environment. A cardholder data
environment is comprised of people, processes and technology that store, process or transmit
cardholder data or sensitive authentication data.

The PCI DSS security requirements apply to all system components. In the context of PCI
DSS, “system components” are defined as any network component, server, or application that
is included in or connected to the cardholder data environment.

In many cases the IHG standards are consistent with the PCI DSS, but in some cases the
PCI DSS contains requirements which are seen as too onerous for widespread deployment
across lower risk systems. Therefore a separate and additional Information Security Standard
specifically for systems in scope for PCI DSS has been developed and is available on Merlin.


The hotel General Manager has overall responsibility for ensuring that the policies and
standards listed in this document are implemented and adhered to.
If the hotel makes use of services provided centrally by IHG the hotel General Manager is
responsible for confirming that the services provided meet or exceed the requirements in this
document. It is expected that confirmation will usually be in the form of written documentation
from IHG detailing the services provided centrally. The General Manager is responsible for
ensuring that all information security requirements not met by services provided centrally by
IHG are met by services provided at a local level.
If services are provided to the hotel by an external party the hotel General Manager is
responsible for ensuring the services provided are in line with or exceed the requirements set
out in this document.
The responsibility for day to day activities in support of the policies may be delegated to hotel
nominated individuals such as the Information Systems Manager (if the post exists), the
Finance Lead or the Front Office Manager. Throughout this document these nominated
individuals are referred to using the term IS Manager (or equivalent).

The term IS Manager (or equivalent) should be taken to mean the person or persons with day
to day responsibility for Information Systems in the hotel irrespective of their official job title.

Managers must ensure that all security procedures within their area of responsibility are
carried out correctly to achieve compliance with security policies and standards.

Records should be maintained in support of any work carried out relating to compliance with
the information security policies and standards. In addition to being good business practice,
these records will help the hotel during any audit process. For example, where a regular
review of system accounts is required, keep a record of what was checked and when this was
done.


Information created, stored or processed by IHG managed entities shall be classified
according to the following classification scheme:
• Public
• Confidential
• Restricted
Classification of an item of information may change over time.
All employees must consider information to be governed by the principle of “need-to-know”.
Unless an individual has reason to access information in the performance of his or her
defined job duties, access should be denied.
Employees shall not disclose Confidential or Restricted information to anyone who is not
authorised to have it. This includes disclosure through oral and written means, whether
electronic or otherwise.
Information handling - Public information
Public information is information that is freely available to the general public, or whose release
will not cause any harm to IHG. Examples of Public information include marketing literature,
annual reports, and other materials specifically created by the marketing department for
public release.
The following procedures for information labelling and handling must be followed for IHG
Public information:
a) There are no special handling or disposal requirements for Public information and no
classification identification markings are required.
Information handling - Confidential information
Confidential is the default classification of information at IHG and includes all of IHG’s internal
business correspondence, records, and information created in the normal course of business.
This includes all business email as well as all correspondences with third parties.
General business information must be treated as Confidential.
The following procedures for information labelling and handling must be followed for IHG
Confidential information:
a) All non-marked material, which is not Restricted Information, should be treated as
Confidential until it is confirmed as Public information.
b) Confidential Information should be marked “Confidential” before being distributed or
exposed to a non-IHG party and then only under an IHG-approved non-disclosure or similar
agreement.

c) Printed Confidential information must be destroyed in a manner to reasonably prevent
the misappropriation or other unauthorised use of the Confidential information. Examples
include shredding or using a secure document disposal facility provided by a reputable third
party.
d) Confidential information must be stored in a secure manner.
Information handling - Restricted information
Restricted information includes all information subject to restriction in access, storage or
processing by law, or regulation, or by customer contract and any IHG-owned information that
could cause significant harm to IHG if inappropriately disclosed, accessed or modified. This
information includes, but is not limited to, all non-public personally identifiable information (for
example, names, addresses, social security numbers and consumer credit information),
information that IHG receives, stores or processes for consumers and our customers, as well
as IHG information such as intellectual property, business plans, sensitive employee
information, etc.
Guest credit card data, passport details and other identification data such as driver’s licence
numbers must be treated as Restricted. Employee payroll details must be treated as
Restricted.
The following procedures for information labelling and handling must be followed for IHG
Restricted information:
a) Restricted information should be encrypted in storage, and shall be encrypted when
stored on portable devices such as laptops and removable media.
b) Restricted information shall be encrypted during transmission to/from the IHG
network, including when shipped manually or being sent by email. Depending on contractual
or legal requirements, encryption may be mandatory. Non-electronic, Restricted Information
being transported must be shipped using an IHG-approved shipping method.
c) Payment Card Primary Account Numbers (PANs) must never be sent unencrypted by
end-user messaging technologies (for example, email, instant messaging, or chat).
d) Restricted information must not be distributed to, nor can access be provided to,
anyone who does not have a specific business reason to receive or access it.
e) Restricted information should be marked “Strictly Confidential” before being
distributed or exposed to a non-IHG party and then only under an IHG-approved non-
disclosure or similar agreement.
f) Printed Restricted information must be destroyed in a manner to reasonably prevent
the misappropriation or other unauthorised use of the Restricted information. Examples
include shredding or using a secure document disposal facility provided by a reputable third
party.
g) Restricted information stored electronically must be securely disposed of when no
longer needed.
h) Restricted information must be stored in a secure manner.
i) Access to systems containing Restricted information, and to printed copy Restricted
information in store or archive, must be reviewed annually.
Information handling - Mixed information
If a system contains information in more than one sensitivity classification, it shall be treated
according to the classification needed for the most sensitive information on the system (for
example, Confidential information mixed with Restricted information shall be treated as if all
such information was Restricted).
System classification
Throughout this document reference is made to critical or sensitive information systems.
Critical systems are those vital to the ongoing operation of the hotel. If one of these systems
were unavailable it would affect the ability of the hotel to cater for guests or to manage its
business. In addition to the major systems, there may be individual items, such as a printer on
the Front Desk, which are classified as critical.
Sensitive systems are those that contain information that is classified as either Confidential or
Restricted.
Some systems, such as the Property Management and Point of Sales (POS) systems, would
be classified as critical and sensitive.


All candidates for positions that include administrative level access to systems, applications,
databases, or network resources should have their background verified consistent with
regional standards. The background check should include verification of:

a) Character references;

b) Accuracy of the applicant's résumé or curriculum vitae (CV);

c) Confirmation of claimed academic and professional qualifications;

d) An independent identity check; and

e) A detailed check of relevant criminal records.

All information collected for screening purposes must be collected and handled in accordance
with any appropriate legislation existing in the relevant jurisdiction.

Employees who either maliciously or through negligence of assigned duties have committed a
security breach are subject to a formal disciplinary process.

In serious cases of misconduct, as determined by the Human Resources Department and/or
the General Manager, the process should allow for instant removal of duties, access rights
and privileges, and for immediate escorting out of the site, if necessary.

Access to system resources may, and ordinarily will, be suspended immediately at the
request of the IHG Information Security Department during a review of a potential security
breach and throughout the duration of the disciplinary process. The Human Resources
Department may at any time make a determination to have suspended access reinstated.

Unauthorised access, misuse, or fraudulent actions relating to guest credit card information
shall be grounds for disciplinary action up to and including termination of employment.

Any fraudulent or criminal activity must be referred to IHG Risk Management and to
enforcement authorities for prosecution and full cooperation should be given to the
authorities.


All information assets shall be clearly identified and an inventory of all production assets
maintained.

The asset inventory should include all information necessary in order to recover from a
disaster, such as type of asset, format, location, backup information, license information,
acceptable network locations for the asset and a business value.

Information assets that must be tracked include:

a) Physical assets: computer equipment, communications equipment, information
backup media;

b) Software assets: application software, system software, development tools, and
utilities;

c) Information: databases, contracts and agreements, system documentation,
operational or support procedures, business continuity plans, fallback arrangements, audit
trails, and archive materials; and

d) Services contacts: contact information for computing and communications services.

The hotel must maintain an up to date network diagram including all connections to
“untrusted” networks including wireless networks, and connections to “trusted” networks
under alternate management.

An “untrusted” network is any network that is external to the networks belonging to the hotel
and/or which is out of the hotel’s ability to control or manage. Examples of “untrusted”
networks include the Internet, networks provided for guest or public use, and any wireless
network in the hotel irrespective of whether it is provided for guest or employee use.

The diagram must include the date it was last updated and the name of the employee who
performed the update.

A copy of the updated network diagram must be provided to Regional Global Technology
within 7 days of a network change.

The hotel must maintain an up to date description of the local cardholder data environment as
it relates to PCI DSS compliance. A cardholder data environment is comprised of people,
processes and technology that store, process or transmit “cardholder data” or “sensitive
authentication data”. The PCI DSS security requirements apply to all system components. In
the context of PCI DSS, “system components” are defined as any network component, server,
or application that is included in or connected to the cardholder data environment.
“Cardholder data” in the context of PCI refers to the full Primary Account Number (PAN), the
cardholder name, and the expiry date.
“Sensitive authentication data” in the context of PCI refers to the contents of the magnetic
stripe, the contents of the embedded chip, the security code, and the PIN.


Accounts created to grant access to information systems shall be classified according to the
following classification scheme:
• User
• Privilege
• Service
A User account is designed for day to day working and carries no enhanced privileges.
A Privilege account is a secondary account assigned to an individual requiring enhanced
system access privileges.
A Service account is designed to enable automated system-to-system communication.

Access to hotel information systems is strictly controlled through a formal process for granting
and revoking access.
Access is granted only to those individuals with an authorised business need and only for the
duration of that business need.
The level of access granted to an individual shall be commensurate with the requirements of
their job. Only the minimum rights required to carry out their duties shall be granted.
Access to critical or sensitive information systems must be either via a unique ID protected by
a strong password or an individually assigned access card. Passwords shall not be written
down, divulged or shared between users.
Requests for access are to be documented and approved by the requesting user’s line
manager. The IS Manager (or equivalent) shall only act on documented and approved
requests.
Access to hotel information systems shall be granted only by the IS Manager (or equivalent).
No other individuals shall have the ability to grant or amend access to systems.
The personnel function is to notify the IS Manager (or equivalent) as soon as an employee
leaves or transfers to another department so that access can be revoked or amended
accordingly. The easiest way to facilitate this is to require all leavers to have their termination
form (ref: 12.2.11) signed by the IS Manager (or equivalent) prior to leaving the hotel. This will
prompt the IS Manager (or equivalent) to ensure system access is removed.
The IS Manager (or equivalent) shall periodically review (at least quarterly) the list of user-ids
on all critical and sensitive systems to ensure that access privileges remain appropriate. Any
accounts no longer required shall be removed.
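The leaver notification and the quarterly user-ID review described above reduce to a reconciliation of three lists: the accounts present on a critical or sensitive system, the HR roster, and the approved access requests. The following is an added example, not IHG's own tooling; the record types, field names and sample data are constructed for illustration, and the evidence line produced at the end is one way of keeping the record of what was checked and when, as the "Records should be maintained" paragraph earlier in this chapter asks.

```python
"""Quarterly user-ID review on a critical/sensitive system.

Added example, not IHG tooling. Reconciles system accounts against the HR
roster and the approved access requests and reports what the IS Manager
(or equivalent) should act on. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str            # "active" or "left"


@dataclass(frozen=True)
class AccessGrant:
    user_id: str
    department: str        # department named on the approved request
    approved_by: str       # line manager who signed the request


# Constructed HR roster, approved requests and system account list.
HR_ROSTER = [
    Employee("asmith", "Front Office", "active"),
    Employee("bjones", "Finance", "active"),
    Employee("clee", "F&B", "left"),                # leaver, form not yet signed
    Employee("dkhan", "Finance", "active"),          # transferred from Front Office
]
APPROVED = [
    AccessGrant("asmith", "Front Office", "FO Manager"),
    AccessGrant("bjones", "Finance", "Finance Lead"),
    AccessGrant("clee", "F&B", "F&B Manager"),
    AccessGrant("dkhan", "Front Office", "FO Manager"),
]
SYSTEM_ACCOUNTS = ["asmith", "bjones", "clee", "dkhan", "temp01"]


def review_accounts(accounts, roster, approved):
    """Return findings keyed by the action the reviewer should take.

    remove:     holder has left, or no HR record / no approved request exists
                (no documented business need)
    reapprove:  holder has changed department since the request was approved
    ok:         active employee backed by a matching approved request
    """
    by_id = {e.user_id: e for e in roster}
    grants = {g.user_id: g for g in approved}
    findings = {"remove": [], "reapprove": [], "ok": []}
    for acct in sorted(accounts):
        emp = by_id.get(acct)
        grant = grants.get(acct)
        if emp is None or grant is None or emp.status == "left":
            findings["remove"].append(acct)
        elif emp.department != grant.department:
            findings["reapprove"].append(acct)
        else:
            findings["ok"].append(acct)
    return findings


def review_record(findings, reviewer, when):
    """Evidence line to retain for audit: what was checked, by whom, and when."""
    return (f"{when.isoformat()} user-ID review by {reviewer}: "
            f"{len(findings['ok'])} ok, {len(findings['reapprove'])} to re-approve, "
            f"{len(findings['remove'])} to remove ({', '.join(findings['remove'])})")


def run_review():
    """Run the review over the constructed data; returns (findings, record)."""
    findings = review_accounts(SYSTEM_ACCOUNTS, HR_ROSTER, APPROVED)
    return findings, review_record(findings, "IS Manager", date(2011, 12, 31))


if __name__ == "__main__":
    found, record = run_review()
    print(found)
    print(record)
```

The orphan account `temp01` is reported for removal even though nobody has left, because the manual ties access to a documented and approved request; an account with no request behind it has no evidence of a business need.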
Where it is technically possible the Information Systems shall be configured to support the
following password standards:
• At least eight (8) characters in length
• Consisting of a combination of upper case letters, lower case letters, numbers and other
special characters (no fewer than three categories required)
• Does not mirror the user’s user-ID
• Does not include the user’s first, middle or last name
• Changed at least once every ninety (90) days
• Lock out after no more than six (6) invalid log-in attempts. The account must remain
locked out for a minimum of thirty (30) minutes or until the system administrator resets the
account.

These password standards apply to all User level access and accounts whether or not a
system has the technical capability to enforce the standards automatically. In the absence of
technical enforcement hotels are expected to have a process to manually implement these
standards.

Before a new, replacement or temporary password is provided, the identity of the user being
supplied the password must be validated.

Temporary passwords shall be given to users in a secure manner; the use of third parties or
unprotected (clear text) electronic mail messages shall be avoided.

Temporary passwords should be unique to an individual and should not be guessable.

Temporary passwords must be set to expire on first use.

Privilege, administrator, supervisor, or super user accounts must only be used by the IS
Manager (or equivalent) and then only when required and not used for normal day to day
working.
Password for privilege, administrator, supervisor, or super user accounts must be:
• At least fifteen (15) characters in length

• Consisting of a combination of upper case letters, lower case letters, numbers and other
special characters (no fewer than three categories required)
• Does not mirror the user’s user-id
• Does not include the user’s first, middle or last name
• Changed at least once every thirty (30) days
• Lock out after no more than six (6) invalid log-in attempts. The account must remain
locked out for a minimum of thirty (30) minutes or until the system administrator resets the
account.
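The User and Privilege password standards above differ only in minimum length and change interval; the remaining rules (three of four character categories, no user-ID, no name, lockout after six failures for thirty minutes or until an administrator reset) are shared. The following is an added example, not IHG's own tooling, of how a system that lacks built-in enforcement could apply both rule sets. The thresholds come from the manual; the reading of "does not mirror the user-ID" as "does not contain the ID forwards or reversed" is this example's interpretation, and the clock is passed in as a number of seconds so the lockout window can be exercised without waiting.

```python
"""Checker for the User and Privilege account password standards.

Added example, not IHG tooling. Thresholds are taken from the manual; the
'mirrors the user-ID' test (ID contained forwards or reversed) is this
example's interpretation.
"""
from dataclasses import dataclass
from typing import List, Optional

# Length and change interval differ between the two classes; other rules are shared.
POLICIES = {
    "user":      {"min_length": 8,  "max_age_days": 90},
    "privilege": {"min_length": 15, "max_age_days": 30},
}
MIN_CATEGORIES = 3          # of: upper case, lower case, digit, special
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60


def check_password(password: str, account_class: str, user_id: str,
                   names: tuple = ()) -> List[str]:
    """Return the rules the password violates (an empty list means compliant)."""
    policy = POLICIES[account_class]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if categories < MIN_CATEGORIES:
        problems.append(f"uses {categories} character categories, "
                        f"need {MIN_CATEGORIES}")
    lowered = password.lower()
    uid = user_id.lower()
    if uid and (uid in lowered or uid[::-1] in lowered):
        problems.append("mirrors the user-ID")
    for name in names:                      # first, middle and last names
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name {name!r}")
    return problems


def password_expired(age_days: float, account_class: str) -> bool:
    """True when the password is older than the class's change interval."""
    return age_days > POLICIES[account_class]["max_age_days"]


@dataclass
class LockoutState:
    """Six-failure lockout for one account; 'now' is a timestamp in seconds."""
    failed_attempts: int = 0
    locked_at: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        return (self.locked_at is not None
                and now - self.locked_at < LOCKOUT_SECONDS)

    def record_failure(self, now: float) -> bool:
        """Register an invalid attempt; returns whether the account is now locked."""
        if self.is_locked(now):
            return True
        if self.locked_at is not None:      # lockout window elapsed: start over
            self.locked_at = None
            self.failed_attempts = 0
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_at = now
        return self.is_locked(now)

    def record_success(self, now: float) -> bool:
        """A correct password is only accepted while the account is not locked."""
        if self.is_locked(now):
            return False
        self.failed_attempts = 0
        self.locked_at = None
        return True

    def admin_reset(self) -> None:
        """System administrator reset ends the lockout before 30 minutes elapse."""
        self.failed_attempts = 0
        self.locked_at = None
```

Note that `record_success` refuses a correct password during the lockout window; if it did not, the lockout would only slow down an attacker who already had the right password, not one still guessing.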

Privilege, administrator, supervisor, or super user accounts when finished with should be
signed out/logged off. If this is not possible the screen shall be locked with a screen saver
which requires the account password to unlock it.

Service accounts must be dedicated solely to their business purpose and not used for
interactive log-on by system administrators or other users.
Controls must be in place to prevent and to detect the misuse of a service account.

All service accounts must have appropriate logging of account activity. Service account
usage must be reviewed by the service account holder at least every 30 days.

All service account passwords must exceed privileged account password complexity
standards. As service accounts are not used for interactive log-on the password may be
significantly longer than someone could be expected to remember.

Whenever possible, service account passwords must be changed at least every 180 days (6
months).

In the special case where an application or other control software is specifically designed for
service accounts to use ‘non-expiring’ passwords to complete their business purpose, these
accounts must be pre-approved by the IHG Information Security Department. The Regional
Global Technology teams shall remain as the point of contact for hotels. Additional controls
must be put in place to closely monitor and mitigate risk caused by non-expiring passwords.

A service account password must be changed immediately after any potential compromise or
any individual who knows the password leaves the hotel, Regional Global Technology, or
IHG.

Controls must be in place to prevent self service password reset mechanisms from being
configured or used on service accounts.

Changes to service accounts must be logged for periodic review.
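The service account controls above require two things a hotel can check from its logs: that service accounts are never used for interactive log-on (and, by extension, only from the systems they exist to connect), and that the account holder reviews the activity at least every 30 days. The following is an added example, not IHG's own tooling, of detection logic run over log lines; the log line format (`timestamp account logon_type source_host`), the service account register and the sample entries are all constructed for illustration and do not correspond to any particular product's log format.

```python
"""Service-account misuse detection over constructed log lines.

Added example, not IHG tooling. Log format, account register and sample
entries are constructed; a real deployment would map its own system's log
fields onto parse_log().
"""
from datetime import datetime, timedelta

# Constructed register: the hosts each service account is approved to be used
# from, and the date the account holder last reviewed its activity.
SERVICE_ACCOUNTS = {
    "svc_pms_backup": {"hosts": {"pms01"}, "last_review": datetime(2011, 11, 1)},
    "svc_pos_sync": {"hosts": {"pos01", "pos02"}, "last_review": datetime(2011, 12, 20)},
}
REVIEW_INTERVAL = timedelta(days=30)

# Constructed sample log: <ISO timestamp> <account> <logon_type> <source_host>
SAMPLE_LOG = """\
2011-12-21T02:00:05 svc_pms_backup service pms01
2011-12-21T09:14:33 svc_pms_backup interactive fo-desk3
2011-12-21T03:00:01 svc_pos_sync service pos02
2011-12-21T03:05:17 svc_pos_sync service laptop-guest
2011-12-21T08:01:00 jsmith interactive fo-desk1
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, account, type, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, logon_type, host = line.split()
        events.append((datetime.fromisoformat(ts), account, logon_type, host))
    return events


def detect_misuse(events, registry, now):
    """Return alert strings for the conditions the manual says must be detected."""
    alerts = []
    for ts, account, logon_type, host in events:
        entry = registry.get(account)
        if entry is None:
            continue                        # ordinary user, not a service account
        if logon_type == "interactive":
            alerts.append(f"{ts.isoformat()} {account}: interactive log-on from {host}")
        if host not in entry["hosts"]:
            alerts.append(f"{ts.isoformat()} {account}: use from unapproved host {host}")
    for account, entry in registry.items():
        if now - entry["last_review"] > REVIEW_INTERVAL:
            alerts.append(f"{account}: holder review overdue "
                          f"(last {entry['last_review'].date()})")
    return alerts


def run_sample():
    """Run detection over the constructed log as of a constructed review date."""
    return detect_misuse(parse_log(SAMPLE_LOG), SERVICE_ACCOUNTS,
                         datetime(2011, 12, 22))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The interactive log-on from `fo-desk3` raises two alerts, one for the log-on type and one for the host; keeping them separate means a service account used non-interactively from an unexpected machine is still caught.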

Where possible and practical, access to password-protected systems shall be timed out after
an inactivity period of fifteen (15) minutes.


All critical and sensitive information systems shall be kept physically secure and accessed
only by authorised members of staff.
All critical and sensitive information systems shall be housed in one or more secure areas. A
secure area may be a lockable office or several rooms surrounded by a continuous physical
barrier. For legacy hotels this could mean the area behind front office where access is
restricted through keyed or combination locks, whilst newer construction would be expected
to have separate dedicated rooms for the computer equipment.
Physical access to any room designated as a server room shall be restricted to individuals
who require such access to perform their job responsibilities. All such rooms should be
dedicated as server rooms to reduce the number of individuals requiring access to perform
their job responsibilities. Such rooms must not be used as a general store room.
Access to the secure area must be controlled by the use of access card keys, access code
keypads or key locks. A record shall be maintained of personnel who have been granted the
access method whether by card, code or key.
Cameras or other logged access control mechanisms must be used to monitor the entry and
exit points of places where restricted data is stored, processed or transmitted. Video cameras
or other mechanisms should be protected from tampering or disabling. The data collected
must be monitored and stored for at least 3 months unless otherwise restricted by law.
The provision of keys, access control cards etc. for the secure area must be authorised by the
IS Manager (or equivalent).
The IS Manager (or equivalent) should regularly review (at least quarterly) the list of
personnel with access to the secure area and take action to correct any discrepancies found.
Records should be kept to show that this work has been completed.
Lost, stolen or non-returned access control cards must be immediately disabled. The IS
Manager (or equivalent) should perform periodic review of the entry log files to identify
unauthorised access attempts.
Visitor access to the secure area should be authorised by the IS Manager (or equivalent) and
recorded in a visitor log showing visitor name, company, date, name of person authorising
access, reason for visit and signature. No unsupervised access (e.g. by maintenance staff)
should be permitted.
All critical information systems must be protected from damage from environmental threats
such as fire and flood.
Hazardous or combustible material should be stored at a safe distance from the secure area.
Bulk supplies such as stationery should not be stored within the secure area.
The secure area should be kept clear of debris and general clutter.
The secure area shall be protected against environmental damage by installation of an
adequate fire detection and protection system, consisting of appropriately placed heat/smoke
detectors linked to the main hotel fire alarm system.
Where there is potential for water damage (e.g. pipes running through the secure area),
appropriate detectors must be installed which are linked to an alarm system or equivalent
notification system.
Dedicated computer rooms should contain temperature and humidity monitoring devices.
These shall be set to the manufacturer's recommended min/max settings and linked to an alarm
system or equivalent notification system.
Examples of an equivalent notification system include an SMS or email notification to multiple
staff members including at least one person reasonably expected to be on duty at any one
time.
The secure area should be protected with a fire extinguishing system rated specifically for
electrical fires. This system must be operated in accordance with the manufacturer's
instructions.
All environmental detection systems shall be subject to regular maintenance and testing, and
shall be approved by the local fire authority.


Equipment should be sited or protected to reduce the risk of unauthorised access.

Any screen where sensitive data is displayed must be positioned to prevent unauthorised
persons from viewing the screen.
Equipment should be protected from power failures and other disruptions caused by failures
in supporting utilities.
Electrical power systems supporting critical systems shall have an appropriate Uninterruptible
Power Supply (UPS) system in place together with backup batteries, which are automatically
invoked following a power loss. Batteries shall be able to provide power for sufficient time to
allow an emergency generator to start up and run at full load. In the absence of a generator,
the UPS should allow sufficient time for the systems to be powered down in an orderly
fashion. The UPS should be maintained and tested in accordance with the supplier’s
recommended service intervals and specifications. Only authorised personnel should carry
out repairs and service the UPS.
Critical IT equipment shall be protected from damage resulting from electrical power surges
by using an appropriate surge protection system.
Equipment should be correctly maintained to ensure its continued availability and integrity.
Equipment should be maintained and tested in accordance with the supplier’s recommended
service intervals and specifications. Only authorised personnel should carry out repairs and
service equipment.
Any item containing storage media shall be checked prior to disposal to ensure that any
Restricted or Confidential data or licensed software has been securely removed or securely
overwritten using techniques that make the information non-retrievable. The standard delete
or format functions are not sufficient.
Equipment, information or software shall not be taken off-site without prior authorisation from
the IS Manager (or equivalent).
The IS Manager (or equivalent) should record all equipment taken off-site and ensure that this
equipment is returned in the agreed timescales.
Where there is a potential for theft, critical and sensitive systems should be physically
secured using a computer-specific anti-theft product such as a cable lock system. Other
equipment may be secured at the discretion of the hotel.


Changes refer to any item of hardware, software or data that is used to provide hotel systems.
This includes operating software, utility software, application software as well as changes to
data files and parameter/configuration files. It excludes any normal operational changes such
as rate codes and POS items.

Changes to operational systems and application software shall be controlled.

The IS Manager (or equivalent) is responsible for managing all changes to the hotel
information systems.
No changes shall be made to any hotel systems without the express authorisation of the IS
Manager (or equivalent) with approval by either the Finance Lead or General Manager.
All changes shall be documented and logged, highlighting the amendments made and the
reason for the change (e.g. upgrade to system software).
Changes shall be made at a time that is of least disruption to users. Users shall be warned
prior to any change occurring.
Steps must be taken prior to any change so that the system can be recovered to its original
state if the change has to be backed out. This may be a full system backup, copies of
configuration files, copies of standing data, or the ability to rebuild the system from scratch.
Where changes are required to be undertaken by third parties (e.g. software suppliers), the
above procedures shall still be followed. Requirements for remote access to perform such
updates shall be strictly controlled by the IS Manager (or equivalent) including the granting of
remote access.

Live data containing confidential or restricted information shall not be used on development or
test systems.


Information systems shall be protected against malicious code such as viruses and
worms.

The IS Manager (or equivalent) is responsible for ensuring that anti-virus software is installed
on all information systems.
The anti-virus software must be kept up to date with virus signature files released by the
supplier.
The anti-virus software must be configured to scan in real time and to also perform a full
system scan no less than once per week.
The IS Manager (or equivalent) should periodically check (critical and sensitive systems plus
a random sample of other systems every month) that the anti-virus software is receiving virus
signature updates. Any failure should be investigated and must be corrected.
Procedures to deal with viruses (i.e. what action to take) shall be documented and issued to
all hotel IT users. Users should also be educated on the dangers of opening unsolicited email
attachments or clicking on links in emails.
The IS Manager (or equivalent) shall investigate the source of any virus infection and take
appropriate corrective action.

Information systems shall be kept up to date with vendor security patches.


Critical security patches must be installed within 14 days for all systems containing/supporting
Restricted information.
Critical security patches must be installed within 30 days on all internal or non-public facing
systems.
The following table is shown as a reference point for the timeframes used throughout these
procedures:

                                      Critical systems     Non-critical systems
Critical security patch               14 days maximum      30 days maximum
(i.e. Qualys 3, 4, 5)
Non-critical security patch           30 days maximum      90 days maximum
(i.e. Qualys 1, 2)

The IS Manager (or equivalent) is responsible for ensuring that the hotel information systems
are up to date with vendor security patches. Where patching is performed centrally by IHG the
IS Manager (or equivalent) should periodically check that the patching is taking place as
expected. Any failure should be investigated and must be corrected.
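As an added example (not part of the manual, and not IHG tooling), the following Python applies the patch timeframe table above to a constructed patch inventory and reports what is past its deadline as at a given date. It assumes a system holding Restricted information is always assessed under the critical-systems column; system names, patch identifiers and dates are constructed.

```python
"""Patch-deadline check built on the manual's timeframe table (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum days allowed, keyed by (patch is critical, system is critical).
# Critical patch = Qualys severity 3, 4 or 5; non-critical = severity 1 or 2.
MAX_DAYS = {
    (True, True): 14,
    (True, False): 30,
    (False, True): 30,
    (False, False): 90,
}


@dataclass
class PatchRecord:
    system: str
    patch_id: str
    qualys_severity: int        # 1..5 as reported by the scanner
    released: date              # vendor release date
    installed: Optional[date]   # None if not yet installed
    system_is_critical: bool
    holds_restricted_data: bool


def deadline_for(rec: PatchRecord) -> date:
    """Latest acceptable installation date for one patch on one system."""
    if not 1 <= rec.qualys_severity <= 5:
        raise ValueError(f"unexpected Qualys severity {rec.qualys_severity}")
    patch_is_critical = rec.qualys_severity >= 3
    # Assumption: Restricted data puts the system in the critical-systems column.
    system_is_critical = rec.system_is_critical or rec.holds_restricted_data
    return rec.released + timedelta(days=MAX_DAYS[(patch_is_critical, system_is_critical)])


def patch_status(rec: PatchRecord, as_of: date) -> str:
    """'compliant' or 'late' once installed; 'pending' or 'overdue' while outstanding."""
    due = deadline_for(rec)
    if rec.installed is not None:
        return "compliant" if rec.installed <= due else "late"
    return "pending" if as_of <= due else "overdue"


def overdue_report(records, as_of: date):
    """(system, patch_id, days past deadline) for uninstalled patches past their deadline,
    most overdue first."""
    rows = [(r.system, r.patch_id, (as_of - deadline_for(r)).days)
            for r in records if patch_status(r, as_of) == "overdue"]
    return sorted(rows, key=lambda row: -row[2])


# Constructed inventory (placeholder systems and patch ids, not real ones).
SAMPLE = [
    PatchRecord("pms-db", "KB-0001", 5, date(2011, 11, 1), None, True, True),
    PatchRecord("pos-term-3", "KB-0002", 4, date(2011, 11, 10), date(2011, 11, 20), False, True),
    PatchRecord("admin-pc-7", "KB-0003", 2, date(2011, 9, 1), None, False, False),
    PatchRecord("file-srv", "KB-0004", 3, date(2011, 11, 15), None, False, False),
]
AS_OF = date(2011, 12, 1)

if __name__ == "__main__":
    for row in overdue_report(SAMPLE, AS_OF):
        print("OVERDUE: %s %s by %d days" % row)
```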


All critical hotel information systems data shall be backed up to external media (e.g. tape
cartridge or hard drive) on at least a daily basis. A system handling a high number of
transactions, and hence requiring a long time to re-input lost data, may need to be backed up
several times a day.
In consultation with the key system users, the IS Manager (or equivalent) shall agree upon
the cycle of backup media to be used (full, incremental, daily/weekly/month-end/quarter-
end/year-end etc.) and retention period.
All backup media shall be clearly labelled identifying the contents of the tape and the cycle to
which it refers (e.g. Monday, 1st backup).
Backup media containing Restricted information must be labelled “Strictly Confidential” and
treated as such.
The IS Manager (or equivalent) is responsible for ensuring that system backups have been
successful by reference to audit trails, system logs etc. (Note: this may depend upon the type
of backup software used) and once satisfied that the backup has completed successfully
record this fact in a log file. Any errors encountered during the backup must be noted,
investigated and resolved.
Portable backup media (i.e. tapes) should be removed as soon as possible after the backup
process has been completed which may mean someone other than the IS Manager (or
equivalent) is given this responsibility. Portable backup media must be transferred to a
location remote from the equipment for secure storage.
The location for storing all backup media (i.e. tapes, external hard drives, etc.) may be in the
hotel but should be carefully chosen based on the likelihood of a fire or similar disaster
affecting both it and the main system. Backup media is of no use if it is also damaged or
destroyed in the same failure that affected the main system.
Where a third party is used to store payment card holder information the third party must
agree to:
a) Follow all PCI standards;
b) Cooperate in any breach investigation of customer credit card data; and
c) Provide IHG with annual evidence of compliance on request, where required.
Adequate protection shall be given to the media whilst in transit and in storage to protect it
from damage, theft or loss.
The IS Manager (or equivalent) shall regularly test backup procedures by reviewing log
records to ensure completion, verifying that backup media are correctly labelled and stored
correctly and by routinely restoring backup data from backup media.

Backup media must be replaced in line with manufacturer recommendations.
Redundant backup media should be disposed of in a way that prevents the recovery of
information from that media, for example, physical destruction.
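The verification the manual asks of the IS Manager (successful completion per system, media labelled with its cycle, Restricted media marked "Strictly Confidential") can be scripted over the backup software's job log. This is an added example, not part of the manual; the log format, system names and media labels are constructed.

```python
"""Daily backup verification over a constructed job log (added example)."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed set of systems whose data the hotel treats as critical.
CRITICAL_SYSTEMS = {"pms", "pos", "accounts"}

# Constructed job log (not from a real product). Assumed format:
# "<start time>|<system>|<full|incremental>|<status>|<media label>|<R if Restricted data>"
SAMPLE_LOG = """\
2011-12-05T01:00:00|pms|full|ok|Monday, 1st backup - Strictly Confidential|R
2011-12-05T01:30:00|pos|full|error: tape write failed|Monday, 1st backup - Strictly Confidential|R
2011-12-05T02:00:00|accounts|incremental|ok|Set A|N
2011-12-05T13:00:00|pms|incremental|ok|Monday, 2nd backup|R
"""


@dataclass
class BackupJob:
    started: datetime
    system: str
    kind: str
    status: str
    media_label: str
    holds_restricted: bool


def parse_log(text: str):
    jobs = []
    for line in text.strip().splitlines():
        started, system, kind, status, label, restricted = line.split("|")
        jobs.append(BackupJob(datetime.fromisoformat(started), system, kind,
                              status, label, restricted == "R"))
    return jobs


def check_day(jobs, day: date):
    """Findings for one calendar day; an empty list means the day's backups pass."""
    findings = []
    todays = [j for j in jobs if j.started.date() == day]
    succeeded = {j.system for j in todays if j.status == "ok"}
    # Every critical system needs at least one successful backup each day.
    for system in sorted(CRITICAL_SYSTEMS - succeeded):
        findings.append(f"{system}: no successful backup on {day}")
    weekday = day.strftime("%A")
    for j in todays:
        if j.status != "ok":
            findings.append(f"{j.system}: job reported '{j.status}'; investigate and resolve")
        # Labels must identify the cycle the media belongs to (e.g. "Monday, 1st backup").
        if weekday not in j.media_label:
            findings.append(f"{j.system}: label '{j.media_label}' does not identify the cycle")
        # Media holding Restricted information must be marked "Strictly Confidential".
        if j.holds_restricted and "Strictly Confidential" not in j.media_label:
            findings.append(f"{j.system}: Restricted data on media not labelled 'Strictly Confidential'")
    return findings


def log_entry(jobs, day: date) -> str:
    """One line for the IS Manager's backup log recording the day's outcome."""
    findings = check_day(jobs, day)
    return f"{day}: backups verified OK" if not findings else f"{day}: {len(findings)} finding(s)"


JOBS = parse_log(SAMPLE_LOG)
SAMPLE_DAY = date(2011, 12, 5)   # a Monday
NEXT_DAY = date(2011, 12, 6)     # no jobs logged: every critical system is missing

if __name__ == "__main__":
    for day in (SAMPLE_DAY, NEXT_DAY):
        print(log_entry(JOBS, day))
        for f in check_day(JOBS, day):
            print("  -", f)
```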


The networks in a hotel shall be classified according to the following classification scheme:
• Back Office
• Guest
A “Back Office” network is any back of house network provided for use by hotel employees for
operational purposes. The Back Office network may be segmented into a number of separate
networks such as front office, admin LAN, etc.; however, the term “Back Office” applies
collectively to all such internal networks. Back Office networks are normally “trusted” (wireless
networks are an exception).
A “Guest” network is any network provided for use by guests or members of the public. Guest
networks are “untrusted”.
Unless otherwise specified the generic term “Network” applies to all hotel networks including
Back Office and Guest networks.
Networks should be controlled and managed to maintain security for the systems and
applications using the network.
Do not use vendor supplied default or blank passwords or other security settings. These
default settings are widely known and should be changed before any equipment is connected
to the live network.
Network connections at the logical network perimeter of a hotel environment must be through
a firewall device that has been approved by the IHG Information Security Department. This
includes any connection between the hotel’s Back Office network and an external network
such as the Internet, a wireless network, an “untrusted” network, or a segment of the Back
Office network under alternative management. The Regional Global Technology teams
should maintain awareness of the Information Security Department approved list of firewall
devices and shall remain as the point of contact for hotels.

The default configuration for a firewall is to deny all traffic. Only traffic required for business
purposes is to be enabled and records kept for each protocol and service allowed. In each
case the minimum number of ports and addresses shall be configured.

Web browsing is only permissible through a dedicated web browsing proxy server. The
firewalls shall be configured to only allow outbound web browsing traffic from the proxy
servers unless authorised in writing by the IHG Information Security Department. The
Regional Global Technology teams shall remain as the point of contact for hotels.

Internet email is only permissible through a dedicated email server. The firewalls shall be
configured to only allow outbound email traffic from the email servers unless authorised in
writing by the IHG Information Security Department. The Regional Global Technology teams
shall remain as the point of contact for hotels.

File transfer protocols require authorisation in writing from the IHG Information Security
Department. The Regional Global Technology teams shall remain as the point of contact for
hotels.

A copy of the updated firewall configuration must be provided to Regional Global Technology
within 7 days of a network change.

Hotels shall not install network hardware or software that provides network services, such as
routers, switches, hubs and wireless access points, to any Back Office network without prior
approval of Regional Global Technology.

Do not connect guest facing services (for example a Guest network, the guest HSIA or
Business Center PCs) directly to the hotel’s Back Office networks.

Converged networks (for example where Back Office and Guest network segments are
provided on the same physical hardware) must be secured such that any Guest network
segments and any Back Office network segments are kept logically separate from each other.

Network ports in publicly accessible areas (i.e. public conference rooms or visitor rooms)
must not be connected to the hotel’s Back Office networks.

Guests must not be allowed to connect their PC or any other technology equipment to the
hotel’s Back Office network or to any device connected to that network.

Guests must not be allowed to use hotel PCs or any other equipment connected to the hotel’s
Back Office networks unless that equipment is specifically designed for guest use (for
example a check in, check out self service kiosk) and it has been approved by the IHG
Information Security Department. The Regional Global Technology teams should maintain
awareness of the Information Security Department approved guest use devices and shall
remain as the point of contact for hotels.

Remote administration of any equipment located at the hotel must be accomplished only
through the use of methods explicitly approved by the IHG Information Security Department.
All other remote access solutions (including but not limited to LogMeIn, GoToMyPC,
PCAnywhere, and Dameware Mini Remote Control) are prohibited. The Regional Global
Technology teams should maintain awareness of the Information Security Department
approved remote access solutions and shall remain as the point of contact for hotels.

Two factor authentication is required for remote server administration of any kind.

The PMS, POS and certain other systems and applications, because of the nature of the data
contained in them, require special management oversight and shall be classified as high-risk.
Many times these high-risk systems contain Confidential and Restricted information. High risk
systems may have a dedicated and isolated computing environment. Any such high security
zone shall be protected via an internal firewall device approved by the IHG Information
Security Department. The Regional Global Technology teams should maintain awareness of
the Information Security Department approved list of firewall devices and shall remain as the
point of contact for hotels.

Installing lower risk systems in a high security zone is discouraged as this will necessitate
implementing the same degree of controls on the lower risk system as are in place on the
high risk systems in that zone. Failure to maintain isolation of high risk systems reduces the
overall effectiveness of the high security zone.
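The network rules in this section (default deny, web browsing only from the proxy, email only from the email server, no Guest-to-Back Office traffic, and a PMS/POS high security zone reachable only from named Back Office hosts) can be modelled and audited before a firewall change is submitted. This is an added example, not IHG's configuration or an approved device's syntax; all zones, addresses and port choices are constructed.

```python
"""Policy model of the hotel perimeter rules, with an audit (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed zones (not a real hotel network).
ZONES = {
    "highsec": ip_network("10.10.50.0/24"),    # PMS/POS zone behind the internal firewall
    "backoffice": ip_network("10.10.0.0/16"),  # trusted Back Office networks
    "guest": ip_network("10.20.0.0/16"),       # untrusted Guest network
    "internet": ip_network("0.0.0.0/0"),
}
ZONE_ORDER = ["highsec", "backoffice", "guest", "internet"]  # most specific first

PROXY = ip_address("10.10.1.10")           # dedicated web browsing proxy
MAIL = ip_address("10.10.1.25")            # dedicated email server
FRONT_OFFICE = ip_network("10.10.2.0/24")  # hosts permitted into the PMS/POS zone


def zone_of(addr) -> str:
    """Most specific zone containing addr; highsec is carved out of backoffice."""
    for name in ZONE_ORDER:
        if addr in ZONES[name]:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: object                 # an ip_address or an ip_network
    dst_zone: str
    ports: Optional[frozenset]  # None means any port
    note: str

    def matches(self, src, dst, port) -> bool:
        src_ok = src in self.src if isinstance(self.src, IPv4Network) else src == self.src
        return src_ok and zone_of(dst) == self.dst_zone and (self.ports is None or port in self.ports)


# Ordered allow rules; a flow matching none of them is denied (default deny).
ALLOW = [
    Rule(PROXY, "internet", frozenset({80, 443}), "web browsing only from the proxy"),
    Rule(MAIL, "internet", frozenset({25}), "outbound email only from the email server"),
    Rule(ZONES["backoffice"], "backoffice", None, "Back Office to Back Office"),
    Rule(FRONT_OFFICE, "highsec", frozenset({443}), "front office to PMS/POS zone"),
]


def evaluate(src: str, dst: str, port: int, rules=ALLOW):
    """('allow', note) for the first matching rule, else ('deny', 'default deny')."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return "allow", rule.note
    return "deny", "default deny"


# Flows the manual's text requires to be denied or allowed (constructed addresses).
REQUIRED = [
    ("10.10.3.4", "198.51.100.7", 443, "deny"),    # workstation browsing directly, not via proxy
    ("10.10.1.10", "198.51.100.7", 443, "allow"),  # the proxy itself
    ("10.10.3.4", "198.51.100.7", 25, "deny"),     # workstation sending email directly
    ("10.10.1.25", "198.51.100.7", 25, "allow"),   # the email server
    ("10.10.3.4", "198.51.100.7", 21, "deny"),     # file transfer needs written authorisation
    ("10.20.7.7", "10.10.3.4", 445, "deny"),       # Guest network into Back Office
    ("10.20.7.7", "10.10.50.5", 443, "deny"),      # Guest network into the PMS/POS zone
    ("10.10.3.4", "10.10.50.5", 443, "deny"),      # admin LAN into the PMS/POS zone
    ("10.10.2.9", "10.10.50.5", 443, "allow"),     # front office into the PMS/POS zone
]


def audit(rules=ALLOW):
    """Required flows whose actual decision differs from the expected one."""
    failures = []
    for src, dst, port, expected in REQUIRED:
        actual, _ = evaluate(src, dst, port, rules)
        if actual != expected:
            failures.append((src, dst, port, expected, actual))
    return failures


# A weaker policy that lets every Back Office host browse directly fails the audit.
WEAK = [Rule(ZONES["backoffice"], "internet", frozenset({80, 443}), "any host may browse")] + ALLOW

if __name__ == "__main__":
    print("policy audit failures:", audit())
    print("weak policy failures:", audit(WEAK))
```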


Audit logs recording user activities, exceptions, and information security events should be
produced and kept for a period of time (twelve months where technically and legally possible)
to assist in future investigations and access control monitoring.
Where it is technically possible and within the boundaries set by local laws and regulations,
audit logs should be configured to record security related events.
System administrator and system operator activities should be logged.

The audit logs should be configured to record any changes or attempted changes to the
system security settings.

The clocks of all relevant information processing systems within the hotel should be
synchronized with an agreed accurate time source.

Where a computer or communications device has the capability to operate a real-time clock,
this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or
local standard time. As some clocks are known to drift with time, there should be a procedure
that checks for and corrects any significant variation.

The correct interpretation of the date/time format is important to ensure that the timestamp
reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into
account.
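The logging points above (record administrator activity and changes to security settings, and interpret timestamps correctly around daylight saving changes) can be checked with a small log review script. This is an added example, not part of the manual; the log line format, host names, accounts and messages are constructed.

```python
"""Audit log normalisation and classification for periodic review (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample lines (not from a real system). Assumed format:
# "<ISO-8601 timestamp with UTC offset>|<host>|<user>|<message>".
# The first two lines fall in the autumn clock change: local time appears to go
# backwards (01:30 then 01:15), but normalising to UTC puts them in true order.
SAMPLE_LOG = """\
2011-11-06T01:30:00-04:00|pms01|jdoe|login ok
2011-11-06T01:15:00-05:00|pms01|root|sudo: useradd temp-admin
2011-11-06T01:40:00-05:00|pms01|jdoe|login failed: bad password
2011-11-06T01:41:00-05:00|fw01|admin|config: set password-policy min-length 6
2011-11-06T01:50:00-05:00|pms01|app|exception: FolioPost failed
2011-11-06T02:05:00-05:00|pos02|mlee|void transaction 4471
"""

ADMIN_ACCOUNTS = {"root", "admin", "administrator"}

# Ordered (category, pattern) checks; the first match wins, most sensitive first.
CATEGORY_RULES = [
    ("security_setting_change", re.compile(r"^config:|password-policy|audit (on|off)", re.I)),
    ("security_event", re.compile(r"login failed|lockout|access denied", re.I)),
    ("exception", re.compile(r"^exception:", re.I)),
]


def parse_line(line: str):
    stamp, host, user, message = line.split("|", 3)
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        # Without an offset the real time cannot be known (daylight saving ambiguity).
        raise ValueError(f"timestamp without UTC offset cannot be interpreted: {stamp}")
    return ts.astimezone(timezone.utc), host, user, message


def classify(user: str, message: str) -> str:
    for category, pattern in CATEGORY_RULES:
        if pattern.search(message):
            return category
    if user.lower() in ADMIN_ACCOUNTS or message.startswith("sudo:"):
        return "admin_activity"
    return "user_activity"


def load_events(text: str):
    """Parse, normalise to UTC and classify; returned in true chronological order."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, message = parse_line(line)
        events.append((ts, host, user, classify(user, message), message))
    return sorted(events)


def review_items(events):
    """Entries the periodic review must cover: admin work and security setting changes."""
    return [(ts.isoformat(), host, user, msg) for ts, host, user, cat, msg in events
            if cat in ("admin_activity", "security_setting_change")]


EVENTS = load_events(SAMPLE_LOG)

if __name__ == "__main__":
    for ts, host, user, cat, msg in EVENTS:
        print(ts.isoformat(), host, user, cat, msg, sep="  ")
    print("for review:", review_items(EVENTS))
```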


Critical and sensitive IT equipment must either be covered by suitable maintenance
agreements or the hotel must keep adequate spare equipment readily available for timely
swap out.

Maintenance agreements should relate not just to processors (e.g. servers, PCs, POS
terminals), but to all equipment required to support the hotel IT infrastructure (e.g. printers,
backup devices, network switches, routers, communications equipment, air conditioning
units).
It may be more cost effective in certain scenarios to keep a stock of spare equipment readily
available for swap out in a timely manner rather than to pay for a maintenance agreement.
Any decision to take this option must be documented and approved by the Finance Lead or
General Manager.
A maintenance schedule should be in place listing the above equipment together with
appropriate details (supplier contact details, maintenance schedule e.g. when/who). The
schedule should be updated as maintenance visits occur and regularly reviewed to ensure
that visits take place in accordance with the agreed schedule of visits.
All maintenance work shall be documented by the supplier and copies retained on file. Any
necessary corrective work must be brought to the attention of management for authorisation.

Critical and sensitive IT applications must be covered by vendor support agreements.

The level of cover (e.g. 24x7) shall be determined in accordance with business requirements.

The hotel shall ensure that there are adequate procedures in place in order to provide timely
support to the hotel IT users.
Each hotel shall have a nominated internal or external IT support person or team, e.g. hotel
employee, corporate support function or 3rd party contract. Individuals within this team shall
be appropriately trained in hardware and software used within the hotel.
The level of support (working hours) shall be commensurate with hotel IT user requirements
with out of hours contact as necessary.
All hotel IT users should be provided with details of support procedures, including contact
numbers and escalation path.
The IS Manager (or equivalent) shall keep copies of support documentation for each system.
This may include details of support contracts, systems configuration, network diagrams, rack
or room layout diagrams.
Faults reported by users or by system programs should be logged, investigated and
appropriate action taken.

Any trends emerging from the fault logs shall be investigated to identify and resolve the
underlying causes.

The hotel should identify designated application experts for all critical and sensitive
applications. This may not necessarily be the IS Manager (or equivalent).


Information security events should be reported through appropriate management channels as
quickly as possible.
The IS Manager (or equivalent) shall document the procedure for reporting and responding to
real or suspected Information Security events. This procedure should include a point of
contact, incident response procedures and escalation path. In the absence of any other
information to the contrary from the Regional Global Technology team the normal escalation
path should initially be to a nominated point of contact within the hotel with onward escalation
to the hotel’s usual IHG IT help desk.
All employees, contractors and third party users of information systems should be required to
note and report any actual or suspected security weaknesses.
All employees, contractors and third parties should be made aware of the responsibility to
report any information security events or weaknesses as quickly as possible usually to hotel
line management and to the IS Manager (or equivalent).
Under no circumstances should anyone attempt to prove the existence of a potential weakness
in the security of a system, as this may be interpreted as attempted misuse of the system and
could also cause damage to the information system.


Each department head is responsible for ensuring that appropriate manual procedures are
developed, documented and maintained and appropriate staff training carried out, in order to
continue operating their department in the event of an interruption to the information systems.
For example Front Desk staff will need to know what to do in the event that the PMS is
unavailable.
The IS Manager (or equivalent) is responsible for ensuring that recovery procedures for the
information systems are developed, documented, and maintained.
All procedures should be tested, reviewed and updated at regular intervals (at least once per
year).


All computer software operated by the hotel shall be licensed.

The hotel shall administer a system for tracking installed software and software licences.
The IS Manager (or equivalent) shall maintain an inventory of software purchased showing
vendor name, software title and version. Each item in the inventory should be supported by
proof of purchase documentation such as a licence agreement and a copy of a paid invoice.
The IS Manager (or equivalent) shall maintain an inventory of installed software, detailing
what software is installed on which computer. This may be done manually for a small number
of computers or aided by a software scanning tool.

Periodically (at least once a year) the list of installed software should be reconciled against
the inventory of purchased software. Any exceptions must be corrected either by removing
the software or by the purchase of additional licences. Records should be kept to show that
this work has been completed.
Computer software must only be installed by the IS Manager (or equivalent).
Only software that has been approved by the Regional Global Technology team should be
purchased and installed.


The hotel shall ensure that on hire all employees are made aware of and trained in their
responsibilities relating to Information Security of Restricted and Confidential information.
Annual refresher training must also be conducted.

Training on policies and specific procedures related to credit card transactions and
information is a critical element in reducing risks of fraud and supporting a defence against
any legal claims. The hotel shall document training activities and record the names of
employees who participate.
Training and awareness materials are available from a number of IHG sources:
www.ihgmerlin.com/informationsecurity
• Information Security Policy
• Information Security Standards
• PCI DSS Compliant Policy and Standards
• Introduction to Information Security training module
• Handling credit cards securely training module
www.ihgmerlin.com/risklearningcenter
• Privacy directions for hospitality (video)
• Data Privacy 10 minute trainers
myLearning (search for PCI)
• Understanding PCI compliance
• PCI Best practices for hospitality management
• PCI Privacy directions for hospitality (copy of video from the Risk Training Center)
The IS Manager (or equivalent) is expected to maintain relevant and up to date hotel system
knowledge and skills.
The IS Manager (or equivalent) is expected to maintain awareness of all IHG Information
Security policies and standards that apply to their environment.
The IS Manager (or equivalent) is responsible for promoting best practice and security
awareness for all information system users in the hotel. This includes:
a) Changing default vendor passwords
b) Not sharing individually assigned user-ids
c) Selecting strong passwords, keeping those passwords secure and changing them
regularly
d) Securing workstations with password protected screen savers, or locking PC screens
manually
e) Keeping screens with sensitive information away from prying eyes
f) Keeping guests and hotel back office systems separate
g) Only accessing systems they are authorised to
h) Not installing unauthorised remote access solutions
i) Reporting real or suspected information security events through the appropriate
channels
The hotel must also consider local data privacy legislation and relevant training should be
included in the awareness training as appropriate.
