The Fundamentals of Systems & Security MaintenanceThe Fundamentals of Systems & Security Maintenance 11 HOTEL TECHNOLOGY 101 1. Environmental Manual operations These threats (fire,

The Fundamentals of Systems & Security Maintenance 1

HOTEL TECHNOLOGY 101

2 ©2001 American Hotel & Lodging Association



TABLE OF CONTENTS

INTRODUCTION .............................................................7SYSTEMS SECURITY......................................................9

An Overview................................................................9THE MAIN THREATS ....................................................10

1. Environmental ................................................................... 112. Electronic .......................................................................... 123. Operational ....................................................................... 19

General Principles & Sample Documents......................21SUMMARY ..................................................................25APPENDIX A ...............................................................27DOWNTIME PROCEDURES ...........................................27

Management/Staff Roles ............................................28Manual Front Desk - Overview ....................................31Returning to Automated Operations............................39

APPENDIX B ...............................................................43Data/System Back Up Procedures ...............................43

System back-up ..................................................................... 43Data back-up ......................................................................... 43

APPENDIX C ...............................................................45Downtime Reports .....................................................45

APPENDIX D ...............................................................47System Documentation ..............................................47

APPENDIX E ...............................................................51Network Diagrams.....................................................51Systems Interactions ................................................52

APPENDIX F................................................................53Information Systems Audit .........................................53


This guide was written by Jon Inge and developed by the TechnologyCommittee of the American Hotel & Lodging Association

Technology CommitteeChairman David Sjolander

Vice President, Hotel Information SystemsCarlson Hospitality Corporation

Vice Chairman Robert Bennett SVP, Systems Property and ServicesPegasus Solutions, Inc.

AH&LA Staff Liaison Richard J. JacksonVice President / CIOAmerican Hotel & Lodging Association

AH&LA, Officer Liaison Kirby D. Payne, CHAPresident / AH&LA Vice ChairmanAmerican Hospitality Management, LLC

Members Carol Beggs, Vice President, TechnologySonesta International Hotels Corporation

Kathleen Pearl Brewer, Ph.D. Associate Dean forAcademic AffairsWilliam F. Harrah College of Hotel Administration

Mark Haley, ConsultantHiTouch Technologies

Danny Hudson, Vice President, DistributionSystemsStarwood Hotels & Resorts Worldwide, Inc.

Jon Inge, PresidentJon Inge & Associates

Gary Mesich, Vice President, IR Business ServicesMarriott International

Darin Pinkham, CHTP, Director of TechnologyBoca Resorts, Inc.

Richard Siegel, Publisher and EditorHospitality Upgrade / Siegel Communications Inc.

Victor L. Vesnaver



Acknowledgments and Special Assistance

Special thanks to Carlson Hospitality Corporation; Starwood Hotels &Resorts Worldwide, Inc.; Pegasus Solutions, Inc.; Marriott Interna-tional; Jon Inge & Associates; Marni Dacy, Director, Marketing, AH&LA;Jim Mitchell, Director, Publishing and Distribution, AH&LA

Design

Drew Banks, Graphics Manager, AH&LA

Disclaimer

This guide is intended only as a general guide concerning computer systems

security matters and does not purport to be, nor should it be used as, a complete

description of computer security problems or solutions. Companies should not

rely on this guide for other than general information and should consult their

employees and attorneys before implementing any suggestions or procedures or

using any forms contained in this guide. AH&LA does not warrant the accuracy of

the guide, the accuracy of completeness of the procedures described in this

guide, the effectiveness of such procedures, or the effectiveness of any forms

contained herein.

©Copyright 2001 by the American Hotel & Lodging Association

All Rights Reserved




INTRODUCTIONGoal

This Security Primer is the first in a series of AH&LA publicationsproduced by the AH&LA Technology Committee on various aspects oftechnology that affect the hospitality industry. Each is intended toprovide AH&LA members with an overview of a single subject, offeringbackground, context, and guidance to those charged with technologyimplementation. They include sample forms that can be used as abasis for properties to develop their own policies and procedures. APDF version of this guide with full size printable forms can be foundon the on the AH&LA Web site (www.ahlaonline.org/techprimer/).




SYSTEMS SECURITYAn Overview

Detailed guest information and operational statistics are among themost valuable assets any property possesses, whether compiledmanually or by computer. If these data are on a computer system, theywill be more comprehensive, more accurate, and will allow for far moreflexible reporting and data analysis than a manual operation can hopeto achieve—and yet they are also more fragile. They are easilydamaged or lost through a cibónt or deliberate attack, and the morewe come to rely on them, the greater the disruption that follows suchdamage.

Paper and electronic records have always been subject to physicaldamage from fire, flood, and so forth. Electronic records are alsovulnerable to threats that aren’t as visible but that can be just asdevastating. The very flexibility and interconnectedness that makemodern systems so valuable and powerful also opens them up tooutside threats, both deliberate and random, and any prudent organi-zation must take measures to protect itself.

Of course, there’s a balance to be struck between leaving your systemswide open and implementing so many security precautions that yourstaff can’t do its job. Nevertheless, the adoption of reasonableprecautions to protect your information is essential to maintain theefficiency of your operation.

This guide reviews the main threats to your information and offerspractical guidelines to making your systems as secure as is reasonablewithout interfering with daily routines.


The Main Threats

It’s an old saying that the only completely secure system has noinputs or outputs, is encased in concrete, and lies at the bottom ofthe sea. All real systems interact with the outside world, acceptinformation, process it, and send it back out in some other form.

Human fallibilityThe weakest security link in any system is human fallibility. Thesoftware programs that perform functions are written by people, andpeople handle the data going into them. People sometimes makemistakes. People aren’t always honest, either, and may have their ownreasons for deliberately corrupting or destroying your information—sometimes even when they work for you.

The main threats to your systems information can be grouped intothree categories:

1. Environmental-These are situations or events that threatenthe very structure of the systems. Apart from the obviouseffects of fire, flood, and earthquakes, there are less dramaticbut still crippling effects from loss of power or externalnetwork connections.

2. Electronic-The data can become corrupted, either by accidentor from viruses, hacker attacks, or other malicious acts spreadelectronically over the network.

3. Operational-The human element will always be a factor,through accidents such as making data entry errors, spillingdrinks on computer hardware, or opening highly suspicious e-mail attachments, or deliberately in the form of attacks onyour data system from disgruntled current or ex-employees.

These threats overlap to some extent, of course, but these categoriesare nevertheless useful for general discussion. Each can be subdividedinto accidental, random, or deliberate causes, but the end results arethe same, and so are the precautions.

Each of the above areas is discussed in detail below, along with somesuggestions for suitable precautions.



1. EnvironmentalManual operationsThese threats (fire, flood, etc.) are the most visible and have the mostdramatic impacts. Obviously, if there is extensive damage the propertymay have to close, but in most cases the impact will be localized,making it possible to continue at least to some extent with manualoperations. So well in advance you need to have thought out how tomanually run each aspect of the property. The priority (after ensuringthe safety of the staff and guests) should be to protect the integrityof your data; you can’t operate effectively if you don’t know who’s inwhich room and who’s due to arrive. Manual operations plans withclear control and coordination responsibilities are invaluable; samplepages from a typical plan are included as Appendix A.

FireBasic physical security—fire/smoke detectors, etc.—should be agiven. Apart from the general property systems, the computer room (orarea where the servers are located) should have its own fire suppres-sion system. This needs to be one that doesn’t use water (whichdamages the equipment unless used in a high-pressure mist) or halon(which damages the atmosphere and is banned in many areas).

FloodMake sure that the computer room is not located against an outsidewall or in any area subject to flooding. This includes being aware ofpotential as well as existing hazards; putting the computer room inthe basement under the swimming pool is not recommended, even if“it’s never leaked yet.”

Power failureSudden power failures can corrupt your data in the blink of an eye, soit’s essential to have the key equipment protected. Most propertieshave a backup generator, but it’s usually not large enough to driveevery piece of equipment. All critical computer equipment—theservers, key workstations and report printers, and the network hubs/switches—should therefore be on a dedicated power circuit.


The power needs to be clean, within definite voltage limits and free of“spikes.” The critical-equipment circuit should therefore be filteredthrough line conditioners to ensure this, and each peripheral device(PC workstation, printer, scanner, etc.) should be plugged into a surgeprotector. The servers should have uninterruptible power supplies(UPSs) to cover the time until the generator comes on line and whichallow for an orderly shutdown of the system if all power sources fail.

More complex properties that completely rely on their systems maywant to investigate installing redundant power supplies, with feedsfrom different utility substations, so that a single exterior failure stillleaves them with electricity.

Network connectionsA network connection can be a lifeline. To those properties operatingin a remote-server or Application Service Provider (ASP) environment(where the main system server is located somewhere else), theconnection to the server is clearly vital. But most properties today relyon a network connection to deliver reservations to them from somecentral source. In either case, having a secondary means of communi-cation available as a fallback is often essential, even if it’s theabsolute minimum of a dial-up modem linking to the remote site.

PracticeOn a periodic basis, during a relatively quiet time, shut down thesystems and run manually. Yes, it’s a hassle, and it imposes extra workon the staff at the time, but the practice is worth it. When the powergoes out for real, you’ll be able to preserve the integrity of your dataand keep running efficiently because the staff has learned what to dobeforehand.

2. ElectronicAttacks from the Internet or from programs attached to e-mails anddocuments receive a lot of publicity, but the majority of attackersaren’t criminal geniuses concocting diabolical new ways to get intosystems. Most successful attacks are made by pranksters trying toshow off by using widely available tools to exploit known securityholes in standard software, taking advantage of servers and PCs thathave been left wide open and vulnerable.



The sad part is that the patches to fix these holes are also widelyavailable, but they often haven’t been installed. Systems administra-tors may feel too overloaded to keep up with them, or they may nothave time to load all of them even if they know they exist. However,tools are available to prevent the great majority of outside attemptsat access from being successful; keeping abreast of new developmentsisn’t that hard, and implementing those tools most important to eachproperty’s situation is just a part of a professional approach to systemmaintenance.

It’s everyone’s responsibilitySecurity isn’t just the administrator’s job. Even if systems servers arepatched to the most current levels, antivirus software is kept consis-tently up-to-date, and individual PC browsers are set to identifyattachments known to be risky, new attacks are constantly beingdeveloped, and their antidotes will always lag a little behind. Everyonewho uses a computer still has to be trained to be aware and toexercise their own good judgment about security risks.

Stay alertIn the past it was good advice never to open an e-mail attachmentfrom someone you didn’t know. Now it’s not that simple; virusescommonly raid your address book for names to send themselves to.This makes it more important than ever to think carefully aboutwhether any message you receive makes sense before opening it. Howmany copies of the ILOVEYOU virus were spread by people unthinkinglyopening messages with that title from colleagues who would be highlyunlikely to express that sentiment? How many received six copies andstill opened it?

If in doubt, call the apparent sender of the e-mail to verify that he orshe sent it. And save all attachments to a specific directory on yourPC, scanning them with current antivirus software before openingthem. Yes, it’s tedious, but it’s not as time-consuming as the monu-mental effort required to clean up after a virus that has spreadthroughout the organization.


PrecautionsThe main precautions to take against electronic attacks are:

❚ Antivirus software

❚ Firewalls

❚ Security patches

Antivirus softwareInstalling antivirus software and keeping it up-to-date is an absoluterequirement; you simply must do it. There are far too many viruses incirculation, both attached to e-mail messages and embedded incommon document formats (Word, Excel, etc.), for any organization torisk operating without it. Some viruses are relatively benign, justdisplaying annoying messages and getting in the way of doing yourwork; others can wreak devastating damage to your system’s data files.

New viruses will always appear unexpectedly, but the vast majority canbe kept at bay simply by installing any of the current products fromNorton, McAfee, Inoculan, and others, and by subscribing to theirautomatic-update services. It’s simple, straightforward, and essential.The update files should be downloaded regularly: every two weeks is agood compromise between minimizing vulnerability and effort. Theupdates should be distributed automatically to all workstations viasign-on scripts.

There’s some debate about whether antivirus software should beloaded on an application server, since on older machines it can causea performance slowdown. If this proves to be the case at your prop-erty, it can be removed as long as the server files are scanned at leastonce a week using the antivirus software on a network-connected PCworkstation. But you need to have a policy in place (and a log kept)to make sure this is done.

HoaxesAlthough not a real threat to the integrity of your systems or data,there are a lot of “hoax” viruses circulating on the Internet that playoff people’s fears about genuine viruses. These are chain-letter-stylee-mails that urge you, for example, to be on the alert for a particularlynasty virus, to add your name to a petition to Congress to save NPR,



or to participate in a Microsoft e-mail test program. These don’tcontain any codes that can be run by or damage a computer, but byencouraging people to “pass this urgent message on immediately to asmany people as possible,” they do clog up the system and are realtime-wasters for both staff and the support team. A number of Websites track these hoaxes and other urban myths; being aware of theirtypical characteristics (they’re remarkably repetitive) will help focusyou and your staff’s attention on real threats.

FirewallsFirewalls are another essential. A firewall is a separate device or just asoftware program (depending on the complexity of your system) thatsits between your property network and the Internet. It restricts thetypes of messages allowed to pass in and out of your network andrestricts access to specified Web sites, according to parameters youset. It can also mask the availability of communications ports on theserver and the Internet addresses of the PCs on your network, hidingthem from potential attackers who search the Internet looking forvulnerable computers.

You may think that no one would be interested in your data files, andyou’d pretty much be right. But hackers looking for a server for theirown reasons don’t care in the least who owns it or what’s stored on it.All they’re looking for is an opportunity to get into someone else’ssystem—anyone else’s system—just to prove that they can, or to useit as a launching pad for attacks on other systems. Any damage theymight do to your operation in the process is completely irrelevant tothem.

Denial of serviceSome of the most powerful attacks that a firewall can help prevent arethe so-called denial-of-service attacks. These involve small softwareprograms downloaded by hackers to hundreds of unsuspecting compa-nies’ servers. They lie dormant until a trigger commands them all toactivate at once and send messages to a single target system. Thisdeluge of messages from so many different sources completelyoverloads the server and shuts it down.


So you do need a firewall, to protect yourself and others from theabove and similar threats. You need one even if you run a single-PCsystem, perhaps especially so, because you have a greater vulnerabil-ity with everything relying on one PC. In fact, one of the betterproducts for this situation is a PC-resident software package calledZone Alarm; it can also be useful for PCs on a complex internalnetwork where you may need to restrict access to some areas for someusers.

But you can’t make firewall settings absolute. Your staff needs tocommunicate with people via the Internet, and there will always beexceptions to the access restrictions. With firewalls, just as withantivirus software that will only catch 99 percent of the viruses outthere, your staff must stay alert.

Mobile usersFirewalls are especially important if you have staff (such as salesmanagers) who travel regularly and need to access your propertysystems from remote locations. At the very least their access throughthe firewall must be subject to very specific authentication proce-dures, such as tightly controlled passwords, and physical keys pluggedinto their laptops or other security measures.

If you are at all concerned about sending valuable information overthe Internet, such access should be made using a virtual privatenetwork (VPN). This communications technique has software compo-nents loaded on both the mobile PC and the server, using any Internetaccess connection to link to your system but encrypting all messages.The downside to VPNs is that the coding and decoding process slowstraffic noticeably, by up to 50 percent compared with unrestrictedaccess, but the security of the data in transit is assured.

Track user activityFirewalls can also allow you to track specific user activity, even downto the keystrokes typed. Few properties would have the time tomonitor this potential mountain of data on any consistent basis, but ifyou suspect any staff member of wasting too much time on theInternet, of attempting to access unauthorized software, or offraudulent activity on his or her main system, these tools can provide



you with key evidence. Just letting it be known that you have thistracking ability is often sufficient to keep people focused on theirwork.

Security patchesSecurity is a continual contest between hackers and those trying tokeep them out. Hackers will always see every new precaution as afresh challenge. They will try different combinations of messages,formats, and protocols to find and exploit potential weaknesses in theserver operating systems. As these holes become known, the vendorsissue patches to correct them, and these should usually be put inplace as soon as possible since word of any successful new attackmethods spreads very quickly.

I say “usually” because occasionally a vendor will issue a fix that goestoo far in imposing traffic restrictions. A recent Microsoft patch toOutlook, for example, prevents any of the commonly used attachmentformats from being received, even if they are uncontaminated.Fortunately, independent organizations have issued patches to theMicrosoft patch to restore a more useful level of functionality, but thisemphasizes the need to keep up with current developments in thesecurity field.

Routers and other programmable network devices also often requiretheir own security updates as potential holes in their software arediscovered. Certainly neither they nor your system servers and PCsshould ever be put into service with their default configurations andpasswords unchanged; that’s the first area hackers check.

Other factorsModems: There should be no local modems on individual workstations,for Internet access or any other reason. All outside communicationsshould go through a shared high-speed connection on the firewall,which will be both faster and more secure. The exceptions will be thelaptops used by roaming managers and sales staff, which needmodems for Internet access on the road, but their users must be madeaware of (and accept responsibility for) the need for security proce-dures. With mobility and freedom of operation come increased respon-sibility.


Network documentation: In larger properties, network managementsystems can help maintain security through their ability to controlconfigurations remotely. There are also very useful network mappingsoftware applications with auto-discovery routines that can be run todetect and record all parts of the networks, and to identify which PCsand servers are connected and the software they’re running. It’s beenknown for these to uncover an old server still in place but not properlysecured—or even one deliberately left in place by a disgruntled ex-employee who used it to obtain access to his former employer’snetwork.

Electronic security is a never-ending process. Keep up-to-date,monitor developments, prioritize them for your own property, and keepa sense of awareness about real versus spurious threats. Also, it’sworth periodically investing in the services of a security consultant toattempt to break into your systems and give you an honest, real-worldview of your vulnerabilities, and to help you set priorities for action.The peace of mind is worth it.

3. OperationalIndividual responsibilityEvery staff member using the systems must understand that security iseverybody’s responsibility; they are all individually responsible to someextent for maintaining the integrity and usefulness of the data.Education and reinforcement help them understand the nature of thepotential risks and accept that there are good reasons for the proce-dures and policies put in place to minimize the risks.

Because the issue is so pervasive, multiple levels of security have tobe used. In the same way that bank safety deposit boxes are locked,inside a locked vault, inside a locked building, users’ access to datamust be partitioned. Users must be required to sign in with passwordsthat are not obvious and that are changed regularly, and they must berestricted to those data areas and functions required for their work.

Restricted accessAll good systems can be set to restrict individual users’ access tovarious combinations of menu functions, further divided into “read-only” or “modify” capabilities for each, combined with detailed audit



trails to identify who made each significant change. Equally, the staffmust have free and open access to all areas that do affect their work.If summary information from a restricted area would be useful tothem, there are often ways of giving them a report based on—butwithout access to—the confidential detail behind it. Again, knowingthat you can do anything you need, but that everything you do can betraced is a powerful inducement to use a system professionally.

It clearly follows that the access privileges and passwords of anyterminated staff member must be revoked immediately, and the mainsystem passwords should be changed at the same time. If they haveany systems knowledge or access to any sensitive data at all, theyshould be escorted off the premises as soon as they are terminated.

PoliciesHaving written policies and procedures in place, and requiring all usersto read and sign them before being given computer access, goes along way toward raising security awareness. Typical policies include:

Standard software only❚ Limiting applications to a clearly defined standard set, with

no other software permitted on the PC workstations. Someoperating systems allow this policy to be enforced through“locking down” the PC desktop configuration, and this ishighly recommended. All users should understand thatkeeping the system as simple as possible will maximize bothits performance and its maintainability. New applications canbe added to the approved set as required, but only afterreview by the operations management to confirm their valueand by the systems management to verify their compatibilitywith existing programs.

No personal floppies, CDs❚ Personal software should not be allowed on removable media

such as floppy disks or CD-ROMs. The danger of contaminationis too great; users may not take the time to scan disks forviruses before running any programs or copying data fromthem.


Personal use❚ Clear e-mail and Internet access policies. Given modern work

schedules, it’s often realistic to permit staff a certain amountof latitude in conducting personal business at work. Thisincludes a clear understanding of whether personal Internetaccess is permitted and under what circumstances, and onthe degree of privacy allotted to all personal information kepton the property’s computers, including e-mail. You can decidewhether to allow this and whether to retain the right to readall personal software and messages on any company PC, butwhatever policy you set, it must be in writing and signed bythe employee.

Passwords❚ Responsible use of passwords. No writing them down on

notes taped to the PC or kept under the mouse pad, nosharing them with other users or non-staff members, regularchange (at no less than six-month intervals) monitored by ITmanagement, and immediate change when key personnelleave.

Computer room security❚ Computer room security must be maintained at all times. The

room should be located away from heavy traffic areas (mostdefinitely not in a through area), with access permitted onlyto those with a real need. It should have a self-closing, self-locking door with at least a combination lock or, preferably,an electronic lock opened with a magnetic-strip or otherintelligent key-card.

Data integrity will always be subject to human error and impatience.There’s no way to prevent mis-typing, but taking the time (forexample) to check whether a caller already has a guest history recordwith you instead of blindly creating a new one will always pay off interms of better guest service and more repeat business. It’s worthemphasizing to everyone that the more consistent and accurate theycan make their data inputs, the more valuable the informationgathered will be.



General Principles and Sample Documents

At the core of all security measures are three fundamentals, withoutwhich any other precautions you take will be far more difficult. Theseare:

❚ Regular system backups, stored off-site.

❚ Complete system documentation (what you have, whosupports it) for the hardware, software, and network,reviewed no less than every six months to ensure that itis up-to-date.

❚ A security audit checklist, reviewed no less than annually, to ensure that your precautions are current.

BackupsBackups are absolutely key, both in the operational sense of havingmanual procedures to fall back on, and in terms of having duplicatecopies of your data and systems software.

Operationally, even without a system running, you can keep bothguest and operations data up-to-date and accurate if you can fall backto pre-defined and tested manual procedures, with clearly definedresponsibilities for control and coordination. It will also help if stand-by kits of the appropriate forms, materials, and supplies are kepthandy and fully stocked. An example of manual operations guidelinesis given in Appendix A.

Software and data backups are essential. If anything at all happens totake down your systems, backups allow you to restore them to aknown point. Even if you have to re-enter manually all changes sincethe last backup was run, that’s still far preferable to losing it all.Backups should be made on a rotating basis, with one tape or CD foreach day of the week, one for each week of a month, and so on. Theymust also be checked periodically to ensure that the information onthem can be read if needed. A guide to good backup routines isattached as Appendix B.


Downtime reportsHowever essential backups are, they do take time to reload onto thesystem, and all transactions that have occurred since the backup wasmade still have to be re-entered to make the system data currentagain. To keep the hotel operating while this is happening, or to usewhen any minor interruption takes the system off-line for a shortperiod, many properties print regular reports on key information atregular intervals during the day. These cover such data as an in-houseguest list, today’s arrivals, folio balances, etc. These reports areusually printed at regular intervals during the day, often scheduledaround major changes such as the main check-out period. Theyconsume a fair amount of paper, but if you ever need them, they areabsolutely indispensable. To save paper, some properties copy thereport data to files on a laptop computer instead of printing them,relying on the laptop’s batteries to retrieve the information if thepower fails. This can be a viable alternative for very small properties.For most hotels, however, it has the drawback that you have to findsome way of printing multiple copies of the reports for staff use whenthe system is down. A sample list of downtime reports is attached asAppendix C.

DocumentationDocumentation can be tedious to create and maintain (althoughautomated tools can help with both functions), but it is also invalu-able. Even in day-to-day operations, you gain both efficiency andpeace of mind from having detailed and complete system documenta-tion in place. This needs to cover hardware, software, and networkequipment: what each item is, its model and version/release number,the name and phone number of whoever supports it, a log of allchanges made to it since installation, and a log of all service callsmade. Some typical forms are given in Appendix D.

Two network diagrams are especially useful; one is a physical sche-matic of how the hardware items (PCs, printers, etc.) are connected tothe various network loops, the other is a software schematic thatillustrates how the different applications interface and interact witheach other. This can be especially useful when determining the impactof any particular system outage. Two examples of these are included asAppendix E.



Security auditThe security audit is the glue that ties all these precautions together,since it serves to check that every aspect of your operation is recog-nized and covered—backup procedures, documentation, physicalaccess, password management, and so on. Again, a sample checklist isincluded, as Appendix F.

It must be emphasized that all the sample documents and schedulesare only guidelines; some items won’t apply to you, and you may havesome areas not covered in the samples. Your own property’s needs andconfiguration are unique and must be uniquely documented to suityour own circumstances.

It can be very worthwhile to have a third party review both thisdocumentation and your actual state of preparedness on a regularbasis. If your property is part of a management group, each propertycan audit another one (to maintain objectivity, they shouldn’t auditeach other on a reciprocal basis); for independent properties, outsideconsultants can perform the same service.




SUMMARYMaintaining system security is a thankless, never-ending task, which,while essential, can never achieve perfect results. It takes constantwork to keep the systems and their vital guest/operations data as safeas is reasonably practical without getting in the way of your staff’srunning of the hotel. Even the best technical security will never beabsolute, and everyone who uses any system must also keep a real-world sense of perspective and awareness about them, watching forthe unexpected—and being prepared to handle it. We hope thisdocument helps.




APPENDIX ADowntime Procedures

These procedures are suggested as an outline for use whenever theproperty management system is down for any significant amount oftime. Each property should prepare its own version based on its ownoperational needs and should prepare similar documents for all othercritical systems (POS, sales and catering, etc.). All of these plansshould be reviewed periodically to ensure that they stay current.

The key to running a hotel manually is good, organized communicationbetween management and all operationally focused departmentswithin the hotel, especially the front desk, reservations, and house-keeping. Most employees will never have worked in a manual environ-ment and will be used to relying exclusively on the front officecomputer system. Consequently, all instructions to employees shouldbe clear and precise, and the plans should be practiced regularly.

Maintaining guest service is of utmost importance during this period.Ensure that all areas in the hotel are aware of and are following theprocedures in this section.

Quick Response Checklist1. Alert managers.

2. If the system is down because of a power failure, turn off allequipment immediately. Failure to do so could result infurther hardware damage. If the critical items are onuninterruptible power supplies (UPSs) with automatedshutdown routines, monitor these to ensure that they are infact closing down correctly.

3. Distribute the most recent downtime reports and destroyprior lists.

4. Designate a rack clerk, responsible for maintaining the roominventory and status, to begin to record all check-ins, check-outs, etc.


5. Designate a posting clerk, responsible for writing all chargeson the guest folios.

6. Alert the outlets that the system is inoperable and that theymust close checks to the manual key. All room charges mustbe taken to the front desk for manual posting.

7. Alert the audit staff no later than four hours before theirshift that the system is down and that they should reportearly to begin a manual audit.

8. Alert the central reservation help desk of the situation andestimated downtime, and arrange an alternative for continueddelivery of reservations and feedback of hotel availabilitystatus.

9. The rooms division manager should write a letter to all in-house guests and arrivals notifying them of the situation.

10. Issue battery-operated radios to all key personnel,including PBX.

Management/Staff Roles

The following roles are suggested for the key management andoperations staff. The task assignments should be customized to yourown hotel; it is acknowledged that many properties will not have asystems manager, but there must be one person who has responsibilityfor coordinating all support activity on the automated systems. It ismost important that the responsibility for performing each task isclearly understood by all.

GM/hotel managerAuthorizes notification of all management personnel.Receives status reports from the systems personnel.Makes/approves operational decisions regarding system downtime.

Systems managerDetermines magnitude of problem; estimates system downtime.Determines status of all correction activities in progress.Notifies response team on severity of problem and recommends degreeof contingency to implement.



Ensures all necessary functions and personnel are prepared to beginmanual operations, if needed, and notifies appropriate service/vendorpersonnel.Keeps management updated regarding contingency status.Supervises repair, restoration, and replacement of data, components,systems, or entire computer room as needed.Prepares report for hotel management detailing the problems, causesand solutions, plan performance, and suggestions for modifications asneeded.

Reception managerCoordinates front office activity with the systems manager andreservations manager.Supervises the front office activity during downtime.Monitors controls and audit trails during downtime.Supervises in-house runners.Supplies food and beverage outlets with current guest list, no-postlist, and cash guest list.Documents observed or perceived problems in plan operation forreview and/or revision.Coordinates reconstruction of data once system is restored.

Front desk supervisorMonitors and controls registration functions.Maintains room status control sheet.Maintains walk-in list.Communicates status changes to housekeeping.Maintains status change log (moves and mods).Supervises bucket clerk.Supervises re-entry of check-ins, check-outs, moves, and mods oncethe system is restored.

Reception agentsControl filing of guest charges and maintenance of current balances.Supervise generation of source documents, vouchers/receipts, etc.Assist cashiers in balancing shift.Assist with posting of charges/payments once the system is restored.


Reservation managerDistributes 30-day and 1-year room availability reports to all reserva-tion agents.Supervises manual booking of reservations.Maintains manual reservations file.Maintains a manual room availability control chart.Supervises re-entry of reservations once the system is restored.

PBXNotifies computer staff when the system is down.Maintains and updates telephone reference list with assistance offront office.

All outlet managersCoordinate food and beverage contingency plan with systems manager.Supervise execution of contingency plan in all food and beverageoutlets.Supervise manual operation of outlets, including ordering, service,payment, and posting of all checks.Supervise entering of all information once system is restored.Assist in balancing process during downtime.

CashiersResponsible for three-part check and check control sheet distributionto outlet cashiers.Monitor the manual tip control sheet and disbursement of charge tips.

Assistant controllerCoordinates accounting department activity with the systems manager.Supervises execution of the contingency plan in the accounting office.Supervises data reconstruction after the system is restored.

Accounts receivable managerWorks with the front desk supervisor and bucket clerk on maintainingthe manual guest ledger.Maintains manual banquet billings.Coordinates advance deposit refunds with accounts payable duringextended downtime.Maintains manual credit card account balances.Monitors advance deposit activity. Supervises restoration of data.



HousekeepingSupervises manual room status controls.Establishes initial room status sheet (p.m.) housekeeping report).Supervises vacant room inspection.Supervises distribution of updated room status lists to front desk.Supervises manual assignment of room attendants.Maintains room status change log.

Night reception managerPerforms regular audit functions when and where necessary.Helps generate manual reports during extended downtime.Supervises the night clerks during downtime.Assists in the restoration of data.Performs update and distribution of reports.Balances hotel accounts at the end of the day.

Manual Front Desk—Overview

Make sure that the room rack report (see sample below) and any otherstandard forms are already filled out with the room numbers and otherdata that do not change. Prepare “crash kits” stocked with all neces-sary office supplies (pens, cards, pads, tape, etc.) and keep themconvenient to the front desk. The following steps outline the basicmanual operation of the front desk, followed by more detailed proce-dures for manual check-in, check-out, etc.


Manual room rack1. Establish a manual room rack on the rack sheets with an accurate

and complete status of all rooms. Obtain as much information aspossible about the status of each room from the downtime reports,the bucket, and the housekeeping reports. Use your staff (includingsecurity, bell persons, and others if needed) to resolve any discrep-ancies.

2. Record the status of each room on the room rack sheets. Use thestatus codes most familiar to your hotel, or the following:

Housekeeping status Front desk statusClean C Vacant VDirty D Occupied OOut of Order OO Arrival Expected AEOut of Service OS Arrival Check-In AC

Departure Not Paid DNDeparture Paid DP

3. For each occupied room, complete the data on the room rack sheet.

Posting clerk4. The posting clerk should create a folio for each registered guest and

carry forward the last balance from the last occupancy report.Attach the folio to each registration card in the bucket. If manualposting becomes necessary, the posting clerk will post charges tothis folio and will carry the balance forward as they post. Ifdeparture folios are relatively current, they may be filed in thebucket in lieu of manually preparing folios. Include the rate and taxon the folio. This process may take some time, and you may need toassign employees from other departments to assist with it.

Housekeeping5. The housekeeping floor supervisors will update the executive

housekeeper on room status.

6. Hourly, the executive housekeeper will update the front officemanager and the reservation manager with the current status of thehotel rooms. The front office manager is responsible for updatingthe rack clerk. These four people are responsible for maintaining anaccurate house count.



Rack clerkThe rack clerk will generate an updated rack report that will bedistributed to each department

7. Gather the registration cards for all arrivals and all departures sincethe time of the last backup list. Enter them on manual arrival anddeparture logs, and write “SYSTEM DOWN” after the last entries sothat arrivals and departures before and after the downtime can bedetermined.

8. The rack clerk will keep track of the house count, including in-houseguests, expected departures, 6 p.m. arrivals, etc.

Check-in9. At 5 p.m. the rack clerk, front desk manager, and executive house-

keeper should compare their reports for discrepancies. Thesediscrepant rooms should be rechecked manually; notify housekeep-ing once there is an accurate accounting of the house status.

10. For new check-ins, the front desk clerk will handwrite a folio, attachit immediately to the registration card, and pass it to the postingclerk for placement in the bucket.

11. Record cash-paying guests on the cash guest report and distributethis to the outlets on a regular basis.

PBX12. Fill out index cards for each occupied room for placement in an “in-

house guest” accordion file for PBX operators. Include each guest’slast name, first name, room number, check-out date, and creditstatus. The credit status is needed to determine if long-distancephone service should be allowed for this guest. Make note of anyguest requiring accessible accommodations. Because this processmay take some time, you may need to assign employees from otherdepartments to assist with it.

Posting clerk13. At a time designated by management, the posting clerk will be

stationed in the cashier/count-out room and will begin posting allcharges from the outlets. Information on the folio will include date,charge /outlet, reference number, and the amount.


Shift closing14. At the end of the shift, the posting clerk will total all outlet charges

by outlet, run a tape, balance each stack of charges, and place allcharges in the night audit basket.

Check-out1. Pull the registration card and folio from the bucket. Make certain

room and tax has been posted each night; if not, manually post theappropriate amount with date.

2. Post any adjustments or paid-outs manually using the appropriateform. Ensure that the type of adjustment, account code, date, andamount are recorded accurately on the folio.

3. Re-add all charges on the folio to ensure that the balance is correctand collect the payment. Attach a copy of the folio, credit cardvoucher, and any miscellaneous vouchers to the registration card,and file it with the appropriate method of payment in the shiftwork.

4. Advise guests at check-out that all charges may not appear on thebill they’ve just been given and that a revised statement will besent to them.

5. Tell the rack clerk that this guest has checked out. The rack clerkwill then change the status of the room on the rack sheet.

6. The rack clerk notifies housekeeping and PBX of the status change.

7. PBX removes the index card for that guest from their folder.

Miscellaneous postingItems needed: Pre-printed posting slips for miscellaneous charges,adjustments, and paid-outs.

The posting clerk will post all guest charges manually.

1. When charges are brought to the front desk from the outlets, theposting clerk will write the amount, time, date, and source ofcharge on the guest’s folio.

2. The posting clerk should initial the charge voucher.

3. A copy of the charge voucher should be placed in the bucket alongwith the guest folio. If the copy machine is not functioning, make amanual copy and mark it as a copy.



4. The posting clerk should set a copy of the charge voucher aside forend-of-shift balance.

Paid-outIn hotels that routinely post charges from outlets that are not a partof the hotel (gift shop, etc.) as paid-outs, the following proceduresshould be followed:

1. Fill out a paid-out voucher and attach it to the receipt that theoutlet presented to you for posting.

2. Present the receipt with the paid-out voucher to the posting clerkfor posting to the guest folio.

3. The posting clerk will include the copy of the receipt in the bucketwith the folio.

4. A copy of the receipt and the paid-out voucher will be includedwith the posting clerk’s shift work.

Shift closingShift closing will be conducted in the usual manner with the exceptionof balancing to the computer. Accounting personnel should beavailable to assist during shift closings.

1. Complete the cash drop form and run a calculator tape to determinethe total cash taken in.

2. Drop the correct amount of cash in the deposit envelope, leavingyour bank at the correct starting amount.

3. Add each type of posting voucher you posted. This includes adjust-ments, miscellaneous vouchers, phone, restaurant, bar, etc.

4. Add each credit card payment by type (AX, VA, etc.).

5. Complete a shift-closing report.

6. Place the shift-closing packet in the night audit basket, includingthe shift closing report and the totaled posting vouchers byaccount and any miscellaneous notes.


Night auditEach night, the night auditor and any additional personnel designatedby the controller will perform an audit to ensure that revenue wasposted properly. Special attention should be paid to each individualfolio to ensure that they are all totaled correctly. Each morning thecontroller and designated representatives from the front office andaccounting will record and audit all transactions that have beenmanually posted from the previous day, producing a manual revenuereport. NOTE: The accounting department should create and attachadditional documentation for this section describing specific functionsto be performed by the audit staff and the posting clerks.

HousekeepingThe housekeeping department will keep a manual record of the statusof all rooms on a daily basis. They should generate manual sectionassignments, which could be implemented at any time. The followingprocedures should be followed once the rack and current house statushave been completed:

1. In the morning, generate room assignments using the rack reportprepared by the rack clerk.

2. Housekeeping floor supervisors will update the executive house-keeper on room status as rooms are cleaned.

3. Hourly, the executive housekeeper will update the front officemanager and the reservation manager; the front office manager isresponsible for updating the rack clerk. These four people areresponsible for maintaining an accurate house count. 4. Reportdiscrepancies immediately to the front office manager as they occurthroughout the day.

5. The rack clerk will periodically generate an updated rack report fordistribution to each department. At 1 p.m., housekeeping, the frontoffice manager, and the rack clerk should verify the status of theexpected departures. Conduct a physical check of the roomsexpected to depart.



6. At 5 p.m., the rack clerk, front desk manager, and housekeepershould compare their reports for discrepancies. These discrepantrooms should be rechecked manually. Notify housekeeping oncethere is an accurate accounting of the house.

7. Begin filling out the manual assignment sheets for the next day’shousekeeping assignments. Any minor changes due to late check-inshould be passed by the rack clerk to housekeeping the nextmorning. Setting up the reports the evening before ensures promptguest service and maintains housekeeping productivity.

PBX and call accountingThe systems that make up your phone system (PBX, call accounting,voice mail, and Property Management System (PMS)interface) couldfail individually or simultaneously.

If the PBX system fails, your phones will not function. To be prepared,the hotel should have several direct lines that do not go through thePBX that can be used if the PBX fails. Your PBX may also have specificpower-failure phones that are designed to work when the PBX systemloses power.

If the PBX interface to your property management system fails, phonesand message lights must be turned on and off manually.

If the call accounting system fails, most PBX systems will buffer thephone call information until the call accounting system is restored.Back charges will then be processed automatically.

If the call accounting interface to your property management systemfails, most call accounting systems will buffer the phone chargeinformation until the call accounting interface is restored. Backcharges will then be processed automatically. Most call accountingsystems also have a backup printer that prints all charge information,which can be used should manual posting of guest folios be required.However, be wary of duplicating charges when the interface connec-tion is restored.

Check to see if the voice mail system has also failed, by attempting toleave and retrieve a test message. If the system is not acceptingmessages, notify the PBX operators, and have them take manual


messages. Check with your PBX, call accounting, and voice mailvendors to find out how your systems work and what backup anddowntime procedures should be practiced by your hotel.

Locating guestsOperators will create an index card for each in-house guest using thelatest occupancy report, indicating the guest’s name and roomnumber. These cards will be filed alphabetically in the accordion file orfile box for use in locating a guest.

Manual posting callsIf manual postings of call charges are necessary, the following stepsshould be taken:

1. The operator will fill out a telephone charge voucher for each callplaced, indicating the room number, time, charge, and type of call(local or long distance), and will send it to the posting clerk foraction.

2. The posting clerk will keep a manual ledger of postings so that thenight audit can balance the phone charges that were posted duringthe day.

Reservation centerNotify the central reservations help desk of the situation and esti-mated downtime. Arrange an alternative procedure for receivingreservations and passing back changes to availability.

Manual reservationsAll reservations should be taken on manual reservation forms, passedto the supervisor to modify future days’ inventory, and placed in anaccordion date file for later use. Reservations taken during this timeshould be filed by the date the reservation was made for proper entryinto the system when it is back up and running. All requests forspecialty rooms should be forwarded to a supervisor. If your hotel hasthe ability to transfer phone calls automatically to the reservationcenter, consider implementing this.



Returning to Automated Operations

Make system currentWhen the system is fully operational again, it won’t know thatanything has happened since it went down, and it must be broughtup-to-date by manually entering all the transactions that occurred inthe interim. This requires an organized effort on the part of allmembers of management to keep all users posting on the correct day.If all night audit work is organized into batches, all staff can concen-trate on one day’s activity at a time. A night audit must be run foreach day that the system was down in order to bring the system up tothe current date. Manual downtime procedures must be maintaineduntil the system is running and its data has been verified as fully up-to-date.

General stepsGeneral steps to bringing the system up-to-date:

1. Process the first day’s work. Process all activity that was not postedon the day that the system went down, including check-ins, check-outs, all transactions, and room status changes.

2. Some systems (PBX, call accounting, mini bars, pay movies, etc.)that use an interface to post charges to guest folios may holdcharges in a buffer. If these systems were operating during the timethat the PMS was not, charges may post automatically when theinterface is restored. This could result in charges being posted tothe wrong accounts, double posting of charges, phones or mini barsbeing turned off or on inappropriately, and so on. Each of thesesystems should have a backup printer to report charges (includingdate, time, and room number) it was unable to send to the PMS.This is the information needed to post charges manually to thecorrect guests’ folios, but the reports do not imply that charges arenot still being held in a buffer. Check with the vendor for each ofthese systems to discuss how their systems work and how best tohandle a situation where the PMS, the interface, or even the systemin question is down. Add this information to this section of themanual instructions.

3. Perform a full rooms and financial audit for that day.


4. Run a night audit process on the computer system. 5. Once theabove procedures are complete and the system is on the next day,process the remaining days’ transactions in the same manner.Perform night audit and run a close day for each day until thecurrent day and time are reached.






APPENDIX BData/System Backup Procedures

Your best insurance against system failure or data loss is having agood backup copy of the data and system files. Restoring from abackup is usually your only way of recovering lost data, apart from re-keying it all in from whatever paper receipts and records you have ofeach transaction. Backups should be made on a very regular basis,either on tape (cheapest) or CD-ROM (easiest to use if you need torestore a particular file). Most properties use tape, which is inexpen-sive and proven to be reliable.

System backupA full system backup of your network should be done on a weeklybasis. As this will take more time than the daily data backup, scheduleit for the least busy night of the week, and always do it on the samenight every week for consistency.

Data backupMake a backup of the data every night, recording it in the backup log(see attached). It’s simplest and most secure to use 21 tapes (threeweekly sets) for your nightly (including the FULL SYSTEM) backup,rotating through them in sequence. This assures you that, if the firstbackup itself is bad, the previous backup is always available.

Each tape should be labeled with the set ID (A, B, and C) and the dayof the week, e.g., A-SUNDAY, A-MONDAY, etc., then B-SUNDAY, and soon. Keep blank tapes on hand to replace any that go bad, and storethem in a location accessible to the person responsible for runningthe nightly backups.

Store all backup tapes, with date notation, in a secure fire- and heat-proof location somewhere away from the computer you are backing up,since in case of a fire or other catastrophe that damages a computer,tapes stored next to the computer also will be damaged. The nightauditors will only need to access the tapes needed for the night thebackup is being done.


One of your three sets of backup tapes should be secured off-site at alltimes. A designated person should take the most current set of backuptapes to an off-site storage location each Monday and bring the oldestset back to the hotel on Tuesday, so there is always one set off-site.You might also arrange for your tape backups to be picked up andtraded with the service you use for your banking delivery, such asWells Fargo or Brinks.



APPENDIX CDowntime Reports

Downtime reports should provide all essential hotel status and guestbilling information. The specific reports that you should run willdepend on your own operation and management needs; a typical list isgiven below.

These reports should be run every two hours. If more than onedepartment will need the same report to operate, make sure youproduce sufficient copies whenever they are run, since you may nothave a printer or copier available when the reports are needed.

The minimum suggested reports are

❚ In-house guest list—in alphabetical order for the PBXand numeric order for the front desk

❚ Availability—All available rooms for the front desk (withclean/dirty status); list of dirty rooms for housekeeping

❚ Arrivals—include arrivals for the next four days

❚ Guest ledger (current folio balances)

❚ Guests paying cash

❚ Expected departures

❚ Guest messages

❚ Room availability forecast for at least one month out

❚ Vacant rooms report

If you know in advance that the system will be down, also print

❚ Guest folios for all occupied rooms, group masters, and houseaccounts


If time permits, housekeeping should run the following:

❚ Late check-outs

❚ Room change report

❚ Early departures

❚ Departures not checked out

❚ All room status (dirty and vacant rooms)



APPENDIX DSystem Documentation

(a) System Description Summaries

One summary sheet should be completed for each system at theproperty, including PBX, POS, call accounting, voice mail, Pay-Per-View movies, etc. The following is one suggested example.

————


b) Summary of Software Licenses

(*) Detailed lists to be kept separately.



(d) Service and Support Call Log


c) Hardware Maintenance Summary



APPENDIX ENetwork Diagrams

This is clearly a very simple example. An actual diagram would includeall hardware on each network segment, with each item labeled with itsmake/model, IP address and any other key data.


Systems Interactions

This is a generic diagram of possible system interactions and variousmeans of passing information between them. Each property shouldprepare a similar diagram reflecting the actual systems, interactionsand data transfer methods in use



APPENDIX FInformation Systems Audit

(Please comment on or explain any “No” responses)





-notes-