Information Security Policy


CONFIDENTIAL INTERNAL COMMUNICATION

LAST UPDATED: 10/20/17

POLICY NUMBER: HWI-IT-001

INFORMATION SECURITY POLICY

The Information Security Policy is designed to protect and preserve the appropriate confidentiality, integrity, and availability of information and information systems owned by or in the care of the Company and its subsidiaries, affiliates, and service providers. This Policy identifies and describes the principles that Hilton requires to globally protect company information and company information assets using industry best practices with a risk-based and business aware approach.

This policy applies to all owned, leased, and/or managed hotels, and all corporate offices, wherever located. “Hilton” refers to Hilton Worldwide Holdings Inc., Hilton Domestic Operating Company Inc., Hilton Worldwide Manage Limited, any other company owned in whole or in part by Hilton Worldwide Holdings Inc., and any Hilton-owned, leased, and/or managed hotel.

Policy Details
• Acceptable Use
• Access Management
• Backup and Restoration
• Change Management
• Compliance
• Device Management
• Encryption
• Incident Response
• Information Management
• Logging and Audit Trails
• Network
• Software and Application
• Vendor Management
• Definitions
• Roles and Responsibilities
• Related Documents, Tools and Templates
POLICY STATEMENT

Protecting Company information assets is critical to the reputation, operation, and financial well-being of Hilton. Security controls must be in place to protect company information assets, and the business processes they support, against accidental or intentional unauthorized use, disclosure, transfer, modification, or destruction. These security controls must meet legislative, regulatory, and compliance requirements and support Hilton’s Vision, Mission, and Values.

POLICY DETAILS

This policy applies to all Team Members, support personnel, and service providers using or accessing Company information by or through systems, technology, and/or Company resources; hereto referenced as “users”. In addition to this policy, Team Members at the properties (i.e., hotels, resorts) must adhere to the Hotel Information Security Standards, which are part of the Hotel Brand Standards. The Hotel Information Security Standards are available at the Company Policies & Procedures site.

Questions about this policy should be directed to Information Security & Compliance at ISC@Hilton.com.

This policy supersedes the following information technology related policies:

SPI IT-03, SPI IT-06, SPI IT-07, SPI IT-08, SPI IT-09, SPI IT-10, SPI IT-11, SPI IT-12, SPI IT-13, SPI IT-15, SPI IT-16, SPI IT-17, SPI IT-18, SPI IT-19, SPI IT-20, FP-HGV-67, FP-HGV-69, FP-HGV-71, FP-HGV-07, FP-HGV-73, FP-HGV-74, FP-HGV-75, FP-HGV-76, FP-HGV-77, FP-HGV-79, FP-HGV-80, FN-IT-1, FN-IT-3, FP-HGVIT-100, IT-14, IT-22

Exclusions/Exceptions

Supplements to this policy may be issued by the Hilton Information Security & Compliance (ISC) department to address specific concerns or operational needs.

Exceptions to this policy require prior written approval from Information Security & Compliance. Exception requests can be submitted for approval to ISC.Exceptions@Hilton.com by the person responsible for the application, system, network, or process.

Deviations discovered in risk assessments, internal or external audits, or security compliance reviews must be remediated with timeliness directly proportionate to the risk involved.

Information Security & Compliance is responsible for maintaining the Information Security Program.

A. Information Security Program

The Company must create and maintain a formal Information Security Program that:
• Provides for the confidentiality, integrity, and availability of information assets;
• Protects against anticipated threats or hazards to information assets;
• Protects against unauthorized access to, or use of, information assets;
• Posts the Information Security Policy on the Company Intranet web site, consistent with other Company policies;
• Disseminates the Information Security Policy, as appropriate, to relevant personnel (e.g., vendors, business partners);
• Provides awareness training on the Information Security Policy for all new, existing, and temporary Team Members with access to protected information. All Team Members will receive training upon hire and at least once annually;
• Ensures the Information Security Policy is reviewed and updated as necessary at least once annually or as changes to business practices, technologies, or risks occur;
• Ensures the Information Security Program is reviewed and updated as necessary at least once annually; and
• Monitors and enforces compliance with the policy.


B. Policy Scope

The Information Security Policy supports the Company’s Information Security Program. The policy is supported by standards, processes, procedures, best practices, briefings, and supporting awareness materials. The security policy conveys that:
• Confidential and protected information and information systems must be protected against any unauthorized access;
• Nondisclosure of confidential and protected information must be assured;
• Integrity of information and information systems must be maintained;
• Availability of information and information systems for business processes must be maintained;
• Legislative and regulatory requirements must be met;
• Business continuity plans must be developed, maintained, and tested;
• Critical system activities must be logged and monitored;
• Information assets must be tracked and disposed;
• Information security training must be available for all Team Members; and
• All actual or suspected information security breaches or violations must be reported to Information Security & Compliance for investigation.

Policy Areas include: Acceptable Use, Access Management, Backup and Restoration, Change Management, Compliance, Device Management, Encryption, Incident Response, Information Management, Logging and Audit Trails, Network Security, Software and Application Security, and Vendor Management.

Information Security & Compliance is responsible for maintaining the Information Security Policy.

ACCEPTABLE USE

Acceptable Use outlines the acceptable use of the Company’s information technology hardware, software, information, and services. This includes, but is not limited to: business applications, electronic mail, Internet access, workstations, laptops, phones, tablets, facsimile machines, servers, networks, and storage media.

Acceptable Use of information technology assets and services is usage that aligns with the Company’s Mission and business goals.

A. General Use and Ownership

• All data of any nature that is entered into, stored, or received through Company equipment and/or networks, including but not limited to all email and voicemail messages, is and will remain the property of the Company.
• The Company must monitor email, network, and system activity to protect Company resources from abuse.
• Subject to applicable law, the Company may access, inspect, search, and monitor all information stored on or accessed by any device belonging to the Company at any time and without notice. This includes personal email, instant messages, documents, or communications transmitted or stored on Company resources. Users have no expectation of privacy for any data that a user creates, stores, transmits, distributes, or receives using Company devices or networks. Passwords are intended to prevent unauthorized access to Company systems and do not confer any right or expectation of privacy.


• The Company reserves the right to audit Company resources at any time to ensure compliance with this policy.
• Users, including support personnel and service providers, must be explicitly authorized to use Company information assets. Assignment of a device to a user and/or granting logical access to a device or service in accordance with the Access Management section of this policy constitutes explicit authorization.
• Users, including support personnel and service providers, may use Company equipment and/or networks during non-working time for transmitting personal messages and/or Internet browsing, so long as such use does not interfere with the user’s or other users’ personal job responsibilities, unduly impact the operation of the Company computer network, or otherwise violate any other provisions of this policy.

B. Prohibited Activities

Company Team Members must not engage in any activity that is unlawful under local, state, federal, or international law while utilizing Company-owned resources.

The following activities are considered by the Company, at a minimum, to be categorized as unacceptable use and are strictly prohibited:
• Introducing or downloading malicious programs onto Company technology resources (e.g., viruses, worms, Trojan Horses, email bombs, malware);
• Using Company technology resources to advertise or sell products, items, or services for personal gain;
• Breaching or disrupting network communications. Security breaches and disruptions include, but are not limited to:
  • Knowingly accessing information for which the user is not an intended recipient;
  • Logging into a server or account that the user is not expressly authorized to access;
  • Generating excessive network traffic or causing any type of denial-of-service condition;
  • Performing network reconnaissance and analysis activities without authorization (e.g., network sniffing); and
  • Introducing malformed or malicious network traffic (e.g., ping floods, packet spoofing, forging routing information);
• Network monitoring, port scanning, or security/vulnerability scanning, including the ‘testing’ of security tools on any Company resources without authorization;
• Circumventing user authentication or Company information security controls;
• Installing or circumventing software with the direct or indirect result of avoiding information security services and restrictions at Company;
• Providing confidential information about or lists of Company guests, clients, service providers, or candidates to parties outside Company without prior authorization from Company Senior Management and only as permissible and in compliance with applicable law;
• Violating copyright, trade secret, patent, or other intellectual property rights or similar laws or regulations. This includes, but is not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Company;
• Copying copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources; copyrighted music; and the installation of any copyrighted software for which the Company does not have an active license; and
• Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws. Exceptions must be preapproved by Information Security & Compliance to export any questionable material.

C. Prohibited Electronic Communication Activities

The following activities are strictly prohibited when using Company information technology resources:
• Using Company equipment and/or networks for non-business-related activities during working times, with the exception of incidental and occasional personal messages or Internet usage.
• Transmitting or accessing by email or other form of electronic communication any material that is profane, obscene, sexually explicit, or offensive based on any protected characteristic (e.g., sexual comments or images, racial or ethnic slurs, comments that may be offensive on the basis of an individual’s age, religious or political belief, sex, disability, or any other status protected by law) or any other such conduct that may violate the law


and/or the Company’s policies prohibiting harassment and/or protecting equal employment opportunity in the workplace;
• Transmitting, conveying, or accessing any materials in violation of Company policies;
• Transmitting, conveying, or accessing any materials in violation of the Hilton Communications Policy and Social Media Guidelines, or otherwise engaging in excessive use of Company systems to engage in blogging or to participate in social media in a manner that would violate other provisions of this policy;
• Sending by email unsolicited and not business related ‘junk mail’ or ‘spam’ without complying with the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act of 2003. All Hilton email marketing communications must be coordinated with Customer Marketing and only as permissible and in compliance with applicable law;
• Knowingly downloading or opening attachments from un-trusted, non-Company resources that may contain viruses and/or malicious programs;
• Unauthorized use or forging of email header information;
• Creating or forwarding chain letters or pyramid schemes of any type;
• Use of unsolicited email originating from within Company networks or other Internet, intranet, or extranet service providers on behalf of, or to advertise, any service hosted by the Company or connected via the Company network;
• Postings by users from a Company email address or resource to newsgroups under circumstances indicating that the post represents the opinions or position of the Company, without a disclaimer stating that the opinions expressed are strictly the user’s own opinion and not necessarily those of the Company; and
• Breaking any laws pertaining to the handling and disclosure of copyrighted or export controlled materials, Company trademarks, logos, and any other Company intellectual property. “Fair use” of trademarks, logos and other intellectual property generally does not violate the law.

D. Enforcement

• The Company must monitor and log access activities to Company resources to ensure compliance with this and other Company policies, standards, processes, and procedures.
• Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, legal action, or both. No provision of this policy will alter the contractual employment relationship with the Company.

ACCESS MANAGEMENT

Access management establishes requirements to ensure that access to Company systems and resources is business justified, approved, and tracked.

A. Approvals

• All access must be approved, in writing or an equivalent electronic form, by an authorized approver prior to access being granted to a system or information. This approval must be in a form that specifies the user’s required privileges.
• Access approval documentation must be retained by User Account Administrators.

B. Reviews

• Access to systems and data must be reviewed at least once annually, unless increased frequency is required to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Review documentation must be retained for a minimum of one year.

C. User Accounts

• User accounts must be unique and assigned to a specific individual.
• Generic or shared user accounts must not be created or used.
• User accounts granted system level access must not bypass the required logging and audit trails (e.g., requiring Unix root-level access to occur through use of the “su” command).


• User accounts granted system administration privileges must only be used for administration purposes. Accounts granted administrative-level access privileges must not be used for general use (e.g., reading email, Internet browsing).
• User accounts temporarily assigned to vendors for maintenance purposes must only be activated as needed and be disabled when not in use.
• System and service account passwords must be changed from vendor defaults and are subject to the Access Management Standard.
• User accounts granted to contractors, consultants, and/or temporary employees must automatically expire after a period of time as defined in the Access Management Standard. Reactivation of the account must be approved.

D. Access Requests

• Access must be requested using the principle of least privilege, whereby users are assigned only those permissions consistent with their job title, classification, or function. Permissions are not to be granted functionality based on a “copy” of another user account with similar job responsibilities.

E. Access Assignments

Access assignment is performed by and the responsibility of Information Technology or an authorized service provider.
• Permissions must be assigned using a Role Based Access Control (RBAC) model that implements the principle of least privilege, whereby users are assigned only those permissions consistent with their job title, classification, or function. Permissions are not to be granted functionality based on a “copy” of another user account with similar job responsibilities.
• RBAC records must be defined, documented, and maintained, including:
  • Access roles (e.g., groups, profiles) and their associated system functionality;
  • A RBAC “matrix” or similar model that associates roles with job titles, classifications, or functions; and
  • Roles that introduce separation of duties issues when assigned to the same user.
• Transferring to a different job function must trigger a review of current user access. If access needs to be modified, it must follow the same approval requirements as identified in Section A.
• Changes to user access and/or roles must follow the same approval requirements as user accounts identified in Section A.
• Assignment of access must correlate with approval records.
• RBAC must be implemented through automated access control systems; the Company will maintain and support technology to provide information access controls, secure configurations that support strong access control, and implement applications that enable implementation of RBAC based on the principle of least privilege.

F. Access Removals

• Human Resources must immediately notify User Account Administrators responsible for physical access and logical access of job terminations and job transfers.
• Physical access and logical access to each system, application, or database must be disabled immediately following a job termination or job transfer notification.

G. Authentication and Passwords

Authentication and Password systems are implemented by and the responsibility of Information Technology or an authorized service provider. Any other authentication or password systems used in the Company environment must be pre-approved by Information Technology and compliant with the Information Security Policy.
• Access control systems must require both a user account as well as at least one other method to authenticate the user (e.g., password, token).
• Passwords must be securely delivered to any user and kept secured at all times.
• Passwords must change upon initial logon, system permitting, by the user and subsequently be changed every 90 days.
• After six unsuccessful password attempts, the device (not including mobile phones or tablets) must be made unavailable to the user via account locking, keyboard locking, and/or screen blanking for at least 30 minutes or until an administrator unlocks the user’s account.
• After ten unsuccessful password attempts, Blackberry, iPhone, iPad, and Android devices will be disabled and erased.


• Passwords must never be stored electronically in plain text (e.g., in computer files, on computing devices, on smart phones).
• Sharing of passwords to individual user accounts is prohibited.
• Passwords must comply with the following rules and contain:
  • a minimum of seven characters;
  • alpha-numeric characters;
  • a minimum of one special character (e.g., !, #, $, %) (system permitting); and
  • upper and lower case letters (system permitting).
• Passwords for mobile phones and tablets must comply with the following rules and contain:
  • a minimum of five characters.
• Passwords must not:
  • repeat any of the four most recently used passwords;
  • use standalone words from a dictionary, the movies, or geographical locations;
  • use month, day, year combinations (e.g., Jan07, 07Jan13, Jan2013); and
  • contain proper names (e.g., oneself, family, friends, colleagues, vendors).
• A user’s identity must be positively verified before a request to reset the user’s password is performed.

BACKUP AND RESTORATION

Backup and Restoration management protects Company information from intentional or accidental loss and ensures timely restoration of the information.

A. Backups

Backups are performed by and the responsibility of Information Technology or an authorized service provider, as well as authorized Team Members at the properties.
• Business owners are responsible for identifying protected information to be backed up and retention requirements.
• Company information must be backed up on a regular basis to ensure recovery point and time objectives are met.
• Backups must be stored in a secured location accessible only to authorized users.
• For data centers and computer rooms, an offsite copy of data must be kept to help ensure the recoverability of data in the event of a physical disaster at the primary location.
• Physical backup media (e.g., backup tapes) must be subject to management processes that include labeling (barcoding), location tracking, and periodic inventory.
• Physical backup media must be secured when in transit between Company or non-Company locations.
• Transmittal records must be retained when physical backup media is sent offsite or returned to site.
• A security review of the facility where physical backup media are stored must be performed at least annually.
• Laptops must have Company online backup software installed.

B. Restoration

Restoration of protected information must be tested semi-annually to ensure the information is recoverable and complete in the event of an information loss.

C. Business Continuity

Business process and data owners must define and are responsible for maintaining a risk-based business continuity plan.
• The business continuity plan must be maintained to ensure critical business functions are available as needed.
• The business continuity plan must define recovery timeframes and prioritize resumption of functions as prioritized by the business.
• The business continuity plan must be tested at least once annually and maintained by annual reviews, unless increased frequency is required in order to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley), to ensure that it is up-to-date and effective.

D. Disaster Recovery

The disaster recovery plan must be maintained by Information Technology or its authorized service provider to ensure the recovery or continuation of the technology infrastructure critical to the Company following a natural or human-induced disaster.
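The authentication and password controls of section G above (six failed attempts locking a workstation or server account for at least 30 minutes or until an administrator unlocks it, ten failed attempts erasing a phone or tablet, the 90-day change interval, the composition rules and the four-password history) as an added example in Python; this is not the policy's own code. The word and name lists, the hash used for history, and the reading of "standalone word" as the password equalling a listed word once digits and symbols are stripped are this example's assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Parameters as stated in section G of the policy.
MIN_LEN = 7                 # workstation/server passwords
MOBILE_MIN_LEN = 5          # phones and tablets
HISTORY_DEPTH = 4           # may not repeat the four most recent passwords
MAX_AGE_DAYS = 90           # must be changed every 90 days
LOCK_THRESHOLD = 6          # six failures lock the account/device
LOCK_MINUTES = 30           # for at least 30 minutes, or until an admin unlocks
MOBILE_WIPE_THRESHOLD = 10  # ten failures erase a phone or tablet

# Constructed sample word lists for this demo (assumption, not from the policy);
# a deployment would load real dictionary, place-name and personnel lists.
DICTIONARY_WORDS = {"password", "welcome", "summer", "london", "paris", "matrix"}
PROPER_NAMES = {"alice", "bob", "smith"}

# Month/day/year combinations such as Jan07, 07Jan13 or Jan2013.
MONTH_DATE_RE = re.compile(
    r"(\d{1,2})?(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(\d{2,4})",
    re.IGNORECASE,
)


def pw_hash(password: str) -> str:
    """History is kept as hashes, never plaintext, as the policy requires. SHA-256
    keeps the example dependency-free; use a slow hash (bcrypt, Argon2) in practice."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate, history=(), mobile=False, system_permitting=True):
    """Return the section G rules the candidate violates (empty list = compliant).
    `history` holds pw_hash() values, oldest first. Words and names are matched
    case-insensitively; a 'standalone word' is taken to mean the password equals a
    listed word once digits and symbols are stripped (this example's reading)."""
    problems = []
    if mobile:
        if len(candidate) < MOBILE_MIN_LEN:
            problems.append("minimum of five characters")
        return problems
    if len(candidate) < MIN_LEN:
        problems.append("minimum of seven characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("alpha-numeric characters")
    if system_permitting:
        if not re.search(r"[^A-Za-z0-9]", candidate):
            problems.append("minimum of one special character")
        if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
            problems.append("upper and lower case letters")
    if pw_hash(candidate) in list(history)[-HISTORY_DEPTH:]:
        problems.append("repeats one of the four most recently used passwords")
    if re.sub(r"[^A-Za-z]", "", candidate).lower() in DICTIONARY_WORDS:
        problems.append("standalone dictionary, movie or geographic word")
    if MONTH_DATE_RE.search(candidate):
        problems.append("month, day, year combination")
    if any(name in candidate.lower() for name in PROPER_NAMES):
        problems.append("contains a proper name")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the 90-day change interval has elapsed."""
    return now - last_changed >= timedelta(days=MAX_AGE_DAYS)


class LogonGuard:
    """Failed-attempt handling: a workstation/server account locks for LOCK_MINUTES
    after six failures (or until admin_unlock); a phone or tablet is erased after ten."""

    def __init__(self, mobile: bool = False):
        self.mobile = mobile
        self.failures = 0
        self.locked_until = None
        self.wiped = False

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> str:
        """Returns 'ok', 'locked' or 'wiped': the state after this failed attempt."""
        if self.wiped or self.is_locked(now):
            return "wiped" if self.wiped else "locked"  # not counted during lockout
        self.failures += 1
        if self.mobile:
            if self.failures >= MOBILE_WIPE_THRESHOLD:
                self.wiped = True
                return "wiped"
            return "ok"
        if self.failures >= LOCK_THRESHOLD:
            self.locked_until = now + timedelta(minutes=LOCK_MINUTES)
            return "locked"
        return "ok"

    def record_success(self) -> None:
        self.failures = 0  # a successful logon resets the failure counter

    def admin_unlock(self) -> None:
        """An administrator may end the lockout before the 30 minutes elapse."""
        self.failures = 0
        self.locked_until = None
```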


• The disaster recovery plan must be tested at least once annually and maintained by annual reviews, unless increased frequency is required in order to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley) to ensure that it is up-to-date and effective.

CHANGE MANAGEMENT

Change management establishes mechanisms to ensure the requirements of the Company Information Security Program are met whenever technology infrastructure and application systems changes are installed into production.

A. Infrastructure and Applications

Information Technology or an authorized service provider is responsible for defining and maintaining a Change Management process.
• All technology infrastructure and application systems used for production processing of critical business functions at the Company must employ a formal change control process.
• The change control process must establish requirements for documentation of required activities (e.g., testing), as well as authorizations and approvals.
• Emergency changes to the Company production environment must follow an emergency change control procedure, including changes made to the Company production environment by third parties.

COMPLIANCE

Compliance establishes mechanisms to ensure the requirements of the Company Information Security Program are met. Information Security & Compliance is responsible for maintaining the Information Technology Compliance Program, which ensures the proper security controls are in place to meet the requirements of the Information Security Policy.

A. Internal Audits

Internal audits must be performed on a periodic basis to assess compliance with security policies and standards. Internal audits must be performed on, but are not limited to, the following areas: Information Security, Access Management, Change Management, Configuration Management, Vulnerability Management, and Physical Security.

B. Independent Third Party Assessments

Independent third parties, with the appropriate expertise, must assess information security compliance on a periodic basis. Information Security & Compliance is responsible for managing independent third party assessments.

C. Risk Assessments

IT risk assessments that identify and evaluate threats and vulnerabilities must be performed annually and after a security incident, unless increased frequency is required to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). Information Security & Compliance is responsible for managing risk assessments.

D. Vulnerability Scanning and Penetration Testing

Vulnerability scans and penetration tests must be performed, as required by legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). Information Security & Compliance is responsible for managing vulnerability scanning and penetration testing.

E. Vulnerability Management

Known vulnerabilities must be remediated, or Information Security & Compliance approved compensating controls put in place, with timeliness directly proportionate to the risk involved as required by legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).

F. Human Resources

• A formal security awareness training program must be implemented. Information Security & Compliance is responsible for managing an annual security awareness program.
• Users of Company resources must validate upon hire and at least once annually that they have taken the security awareness training.
• Users of Company resources must acknowledge at least once annually that they have read and understand the Information Security Policy.


• Background checks must be conducted on users prior to gaining access to cardholder data or administering the cardholder data environment – subject to local laws and company policy (i.e., Background Policy).

DEVICE MANAGEMENT

Device management establishes safeguards for the use of computing devices that connect to the Company’s network. Devices are capable of storing, processing, transmitting, displaying, and deleting Company information. Devices include, but are not limited to, servers, network devices, workstations, laptops, mobile devices (e.g., mobile phones, tablets) and removable media (e.g., portable hard drives, USB flash drives).

Personal devices must not be used when administering the Company’s production environment. Any personal device used to store, process, transmit, or display Company information must consistently adhere to the Company’s Information Security Policy. The Device Usage Standards provide additional information concerning how devices must be used and managed in support of the Company’s business operations.

A. Inventory

Information Technology or an authorized service provider is responsible for managing a device inventory.
• The Company must maintain an inventory of Company devices authorized for work use on the Company’s network. The inventory shall include descriptive characteristics that enable the device to be uniquely identified.
• The Company must maintain lists of devices and related technologies, as well as associated authorization, location, and product lists as required by specific compliance requirements (e.g., PCI DSS, Sarbanes-Oxley).
• Inventory and security audits of company devices must be performed at least once annually and documented.
• Inventory of systems and applications that store protected information must be maintained.

B. Physical Security

• All devices must be secured at all times from unauthorized access.
• Information users must protect laptops, mobile devices, and removable media that store, process, or transmit Company information from unauthorized access. Physical security measures must, at a minimum, include the following:
  • Devices must not be left unattended without employing adequate safeguards (e.g., cable locks, restricted access environments, lockable cabinets);
  • When possible, devices must remain under visual control while traveling. If visual control cannot be maintained, then necessary safeguards must be employed to protect the device; and
  • Safeguards must be taken to avoid unauthorized viewing of protected information in public or common areas.
• Information technology administrators must protect Company servers and network devices that store, process, or transmit Company information from unauthorized access. Physical security measures must meet minimum standards based on location type.
• Devices must have physical (e.g., asset tag with bar code) or logical (e.g., hostname) identifiers that enable correlation of a device to its owner / primary contact and purpose.

C. Anti-Virus Protection

Information Technology or an authorized service provider is responsible for managing the anti-virus systems.
• Up-to-date anti-virus software must be installed on all Company or personal devices that store, process, or transmit Company information and that are commonly affected by malicious software, and configured according to the Anti-Virus Standard. Information Technology or an authorized service provider is responsible for implementing anti-virus software on devices.
• Anti-virus software log generation must be enabled and logs must be retained.
• Anti-virus software must not be disabled on any device without prior authorization from Information Security & Compliance.


POLICY NUMBER: HWI-IT-001 10
INFORMATION SECURITY POLICY

D. Configuration Standards
• All Company or personal devices that store Company information must meet Company Configuration Standards as well as any laws, regulations, and compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). Information Technology is responsible for defining and maintaining Company configuration standards.
• Users must never disable or alter standard configurations, security services, devices, or software.

E. Disposal
• Company or personal devices that store Company information must be properly disposed of to ensure that no Company information remains on the device (e.g., degaussing, physical destruction). See the Equipment Disposal & Decommissioning Standard.

F. Inactivity
• Users must lock or log off all devices whenever a system is left unattended.
• Company and personal portable computing devices, desktops, and workstations must have a secure inactivity timeout function enabled and set to 15 minutes or less.

G. Lost or Stolen
• Users must immediately report any lost or stolen devices, suspected or confirmed, to:
  • Direct Supervisor or Manager; and
  • ISC@Hilton.com; and
  • HTS.Mobile@Hilton.com (mobile wireless devices only).
• A standard tracking and recovery tool must be installed on laptops. Information Technology or an authorized service provider is responsible for installation.
• Users must never disable the standard tracking and recovery tool.
• Mobile phone and tablet configurations must allow remote wipes and disabling.

H. Vendor Management
• Vendors and service providers who maintain devices that store, process, or transmit Company information must adhere to Sections A through G.

ENCRYPTION

Encryption management ensures protected Company information is not exposed to unauthorized parties. Information Technology or an authorized service provider is responsible for encryption systems.

A. Encryption
• Company information must be encrypted according to Company data classification.
• Information Technology is responsible for ensuring the appropriate encryption technology is applied based on Company data classification.
• Only approved algorithms must be used as the basis for encryption technologies. See the Encryption Standard for approved algorithms.

INCIDENT RESPONSE

Incident Response establishes the procedures that must be followed when responding to suspected or confirmed information security incidents. Information Security & Compliance is responsible for managing the Incident Response Program.

A. Incident Reporting
• All suspected, potential, and actual information security incidents must be reported immediately to Information Security & Compliance at ISC@hilton.com. Information security incidents include, but are not limited to:
  • Unauthorized access to electronic systems owned or operated by or for the Company;
  • Malicious alteration or destruction of data, information, or communications;
  • Unauthorized interception or monitoring of communications; and
  • Any deliberate and unauthorized destruction or damage of IT resources.
• Information Security & Compliance must notify the appropriate entities according to the guidelines in the Incident Response Plan.

B. Incident Response Plan
Information Security & Compliance is responsible for managing the Incident Response Program.
• The Incident Response Plan must outline a consistent, repeatable escalation process to protect Company information assets, including pre-incident preparation, incident detection, investigation, assessment, containment, eradication, recovery, reporting, and lessons learned.
• The Incident Response Plan must be tested at least once annually, unless increased frequency is required to meet legal, regulatory, or compliance requirements applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Designated personnel must be available 24/7/365 for incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.
• Appropriate training for staff with security breach response responsibilities is required.

INFORMATION MANAGEMENT

Information management ensures that confidentiality, integrity, and availability of Company information is handled according to Company data classification.

A. Data Classification
• Company information must be handled according to Company data classification. The data classification “protected” includes personally identifiable information (PII), financial information, cardholder information, and health record information (HIPAA), as defined in the Company’s Data Classification Policy.

B. Handling
• Protected information stored, processed, or transmitted must have proper controls in place to protect against unauthorized access, including, but not limited to, access via:
  • Private or public networks;
  • Logical domains within the larger Company network; and
  • Paper or other physical media, which must also be locked and/or stored when not in use.
• Information must be handled according to Company Information Management Standards.
• Cardholder information must not be sent unprotected via end-user messaging technologies such as email and instant messaging.
• Protected information must not be stored on any third party data storage or data sharing product (e.g., iDisk, iCloud, DropBox) without prior explicit written approval.
• Protected information must not be stored on personal devices or removable media.
• Responsibility for monitoring and controlling all access to protected information must be formally assigned.
• Verbal discussions containing protected information must never be intentionally or unintentionally shared with unauthorized audiences.

C. Email
• Company business-related email must never be automatically copied or forwarded to a personal email account.
• All business correspondence must occur through Company-assigned email accounts.

LOGGING AND AUDIT TRAILS

Logging and audit trails ensure a record of system activity is available to identify or research system-related incidents. Information Technology or its authorized service provider is responsible for managing logging and audit trail systems.

A. Monitoring, Logging, and Audit Trails
• Information assets that store, process, or transmit protected information or that provide essential security or operational services must be monitored by authorized personnel daily. Exceptions must be addressed with timeliness directly proportionate to the risk involved.
• Activities on information assets that store, process, or transmit protected information must be logged to ensure proper operation, security breach detection, and preservation of historical system activity. The Security Event Logging Standard defines specific requirements for logging, monitoring, and log retention.

• Access logs must be maintained and protected from unauthorized physical or logical access or modification.
• Audit trails must be consistently maintained and preserved for operating system events with security implications (e.g., security events).
• Audit trail history must be retained for at least one year, with a minimum of 90 days immediately available for analysis.
• Anti-Virus logs must be maintained for at least one year.

NETWORK

Network management establishes requirements to ensure the appropriate protection and continuous operation of the Company network infrastructure. Information Technology or its authorized service provider is responsible for managing the Company networks.

A. Firewalls and General Network Security
• All Company private networks must be separated from any non-Company private or public networks by the use of a firewall device.
• All inbound Internet connections to Company private networks must be separated by the use of a firewall.
• The default firewall rule must deny all traffic except for explicitly approved traffic.
• All firewall and router rule sets must be reviewed at least once every six months.
• All firewall rules must restrict traffic based on business requirements and meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).

B. Wireless
• Wireless access points must be architected, installed, and maintained by the Company as defined in the Wireless Standard.
• Wireless access points cannot be placed on the Company network or installed in a Company facility without prior explicit written approval from #Standards-Architecture@hilton.com.
• Wireless environments must conform to compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley) as outlined in the Wireless Standard.
• Wireless environments and technologies must be tested and deemed acceptable before being installed and used.
• Wireless networks must require authentication for connectivity.
• Wireless network activity must be logged.
• Scanning must be conducted twice per calendar year to identify unauthorized wireless access points, unless more frequent scanning is required to meet legal, regulatory, or compliance requirements applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• An inventory identifying and describing all wireless technologies in use and the security measures in place must be maintained.
• Current network diagrams and cardholder data flows must include wireless networks and must be maintained.
• Perimeter firewalls must be installed between any wireless networks and the cardholder data environment. These firewalls must be configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

C. Remote Access and Modem Security
• Remote access to Company private networks must be provisioned as defined in the Remote Access Standard.
• Remote access over a public network such as the Internet or a wireless network must utilize encryption technology (e.g., virtual private network) as described in the Encryption Standard.
• Modem connections inside Company facilities must be formally documented and approved.
• Reviews must be conducted twice per calendar year to identify unauthorized remote access mechanisms, unless more frequent reviews are required to meet legal, regulatory, or compliance requirements applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Remote access used by vendors must be enabled only during the time period needed, monitored when in use, and immediately deactivated when access is no longer required.
• Remote access technologies must require an automatic session disconnect after a specific period of inactivity.

• Central VPN gateways (e.g., IPSec or SSL VPNs) must not permit more than one concurrent connection from a user.

D. Internet Proxy Servers and Web Content Filtering
• Proxy servers must be installed and maintained by the Company to filter and control egress Internet traffic.
• Proxy servers must implement content filtering that is consistent with the Web Proxy Server and Content Management Standard.
• External web browsing and instant messaging must be performed through authorized proxy servers.
• External web browsing and instant message activity must be logged and may be reviewed without notice.

E. Network Time Protocol
• Time must be synchronized to ensure all devices maintain an accurate system clock.
• Time synchronization practices and use of Network Time Protocol (NTP) must adhere to the Time Synchronization Standard.

F. Services
• Unnecessary services running on all applications and systems must be disabled/removed (e.g., telnet, ftp, rsh, finger).
• Services that do not encrypt traffic must not be used to transmit Company protected information over a public network such as the Internet.
• Services that transmit username and password in clear text must not be used (e.g., ftp, telnet, rsh, rcp).

G. Public Network Jacks
• Network jacks in public areas must not permit access to internal Company networks. Network jacks that permit access to internal Company networks must either be attended when activated or located in an area not accessible to the public.

SOFTWARE AND APPLICATION

Software and Application management ensures that software and applications installed on the Company network are appropriately developed, tested, approved, and maintained. Information Technology or its authorized service provider is responsible for managing software and application systems. Any other software or application systems deployed in the Company environment must be pre-approved by Information Technology and compliant with the Information Security Policy.

A. Software and Application Development
• All software and applications developed internally by or on behalf of the Company must follow the Company methodology (e.g., Hilton Enterprise Methodology) as well as laws, regulations, and compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). The software and applications must have documented specifications, access control systems, and contingency plans.
• All source code written by or on behalf of the Company must be in line with secure coding practices, as well as laws, regulations, and compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). The source code must not expose the application to malicious activity and must successfully pass a secure code review. Code changes must be reviewed by individuals, other than the original author, who are knowledgeable in secure coding practices. Code vulnerabilities must be remediated and approved by management prior to release. Internet-facing web applications must successfully pass a web application security test.
• All production software deployment and software maintenance activities performed internally by or on behalf of the Company must adhere to Company Change Management Procedures.
• Applications developed by or on behalf of the Company to process protected information must provide access audit trails consistent with laws, regulations, and compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
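The Information Management handling rule above requires that cardholder information never leave unprotected via email or instant messaging, and the Definitions section notes that cardholder data consists minimally of the full PAN. The following is an added example, not code from this policy or from Hilton, of the check an outbound-mail or DLP gateway would run to enforce that rule: it extracts 13 to 19 digit candidates, validates them with the Luhn check so that order numbers and phone numbers are not flagged, and reports only a masked PAN. The message field names and the sample messages are constructed for illustration.

```python
"""Flag unprotected cardholder data (full PANs) in outbound messages.

Added example for the handling rule that cardholder information must not be
sent unprotected via email or instant messaging; not code from the policy.
The message field names and sample messages are constructed for illustration.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a 20-digit reference number is not split up).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return distinct Luhn-valid card numbers found in text, digits only."""
    found: list[str] = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four digits visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_message(msg: dict) -> dict:
    """Decide whether one outbound message may leave unprotected."""
    pans = find_pans(msg.get("subject", "") + "\n" + msg.get("body", ""))
    return {
        "id": msg["id"],
        # "block" means: stop the message, or route it via an approved encrypted channel.
        "action": "block" if pans else "allow",
        "pans_masked": [mask_pan(p) for p in pans],  # never log the full PAN
    }


# Constructed sample messages; the card numbers are the standard Visa/Mastercard test numbers.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Guest folio", "body": "Card on file: 4111 1111 1111 1111, exp 12/27"},
    {"id": 2, "subject": "Ticket", "body": "Ref 4111111111111112 is our case number"},  # fails Luhn
    {"id": 3, "subject": "Invoice", "body": "Order 5500-0000-0000-0004 shipped"},
    {"id": 4, "subject": "Phone list", "body": "Front desk 555-0100, ext 1234"},
]


def check_all(messages=SAMPLE_MESSAGES) -> list[dict]:
    """Run the check over a list of messages and return one verdict per message."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for verdict in check_all():
        print(verdict)
```

Message 2 shows why the Luhn step matters: the same 16-digit pattern with a wrong check digit is treated as a case number and allowed, while the two real test card numbers are blocked. A production gateway would additionally look inside attachments and at encoded bodies, which this example does not attempt.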
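The firewall requirements in the Network section above (default deny, rule sets reviewed at least every six months, rules scoped to business need, inbound Internet traffic restricted) and the rule that wireless-to-cardholder-data-environment traffic is denied unless a business purpose is documented can all be checked mechanically against a rule-set export. The following is an added example, not the Company's tooling: a small linter over a zone-based rule representation. The zone names, the rule fields, the `reviewed` date and both sample rule sets are assumptions made for illustration; a real export would be mapped into this shape first.

```python
"""Lint a firewall rule set against the Network requirements above.

Added example, not the Company's tooling. Zone names, rule fields, the
'reviewed' date and both sample rule sets are assumptions made for illustration.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)  # "at least once every six months"
DEFAULT_DENY = {"src": "any", "dst": "any", "port": "any", "action": "deny"}
AS_OF = date(2017, 10, 20)  # reference day for the samples: the policy's last-updated date


def _matches(rule: dict, **fields) -> bool:
    """True if every given field has the given value in rule."""
    return all(rule.get(k) == v for k, v in fields.items())


def lint_ruleset(ruleset: dict, today: date) -> list[str]:
    """Return findings for a rule set; an empty list means it passes."""
    findings: list[str] = []
    rules = ruleset["rules"]

    # Rule sets must be reviewed at least every six months.
    reviewed = date.fromisoformat(ruleset["reviewed"])
    if today - reviewed > REVIEW_INTERVAL:
        findings.append(f"rule set last reviewed {reviewed}; six-month review overdue")

    # The default rule denies everything not explicitly approved, so it must be last.
    if not rules or not _matches(rules[-1], **DEFAULT_DENY):
        findings.append("last rule is not 'deny any any any': no default deny")

    for i, r in enumerate(rules):
        if _matches(r, **DEFAULT_DENY) and i != len(rules) - 1:
            findings.append(f"rule {i}: default deny is not last, {len(rules) - 1 - i} later rule(s) unreachable")
        if r["action"] != "permit":
            continue
        # Permits must be scoped to a business requirement, not any/any/any.
        if _matches(r, src="any", dst="any", port="any"):
            findings.append(f"rule {i}: permit any->any on any port is overly permissive")
        # Inbound Internet traffic is restricted to explicitly approved ports.
        if r["src"] == "internet" and r["port"] == "any":
            findings.append(f"rule {i}: inbound from internet permits any port")
        # Wireless -> CDE traffic is denied unless a documented business purpose exists.
        if r["src"] == "wireless" and r["dst"] == "cde" and not r.get("justification"):
            findings.append(f"rule {i}: wireless->cde permit without documented business purpose")
    return findings


# Constructed sample rule sets (zones: internet, dmz, corp, wireless, cde).
GOOD_RULESET = {
    "reviewed": "2017-09-15",
    "rules": [
        {"src": "internet", "dst": "dmz", "port": "443", "action": "permit", "justification": "public web"},
        {"src": "corp", "dst": "internet", "port": "any", "action": "permit", "justification": "egress via proxy"},
        {"src": "wireless", "dst": "cde", "port": "any", "action": "deny"},
        {"src": "any", "dst": "any", "port": "any", "action": "deny"},
    ],
}
BAD_RULESET = {
    "reviewed": "2017-01-05",
    "rules": [
        {"src": "wireless", "dst": "cde", "port": "any", "action": "permit"},
        {"src": "internet", "dst": "corp", "port": "any", "action": "permit", "justification": "vendor"},
        {"src": "any", "dst": "any", "port": "any", "action": "permit"},
    ],
}


def run_samples() -> dict:
    """Lint both constructed rule sets as of AS_OF."""
    return {"good": lint_ruleset(GOOD_RULESET, AS_OF), "bad": lint_ruleset(BAD_RULESET, AS_OF)}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or ["ok"])
```

The bad rule set produces five findings (stale review, no default deny, an unjustified wireless-to-CDE permit, an inbound any-port permit, and an any/any/any permit); the good one produces none. Running this against every export at each six-month review gives a documented record that the review happened and what it found.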
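For the Services requirements above (telnet, ftp, rsh, finger disabled; no services that carry credentials in clear text), the first thing a practitioner checks is what is actually listening on a host. The following is an added example, not from the policy: it parses the LISTEN rows of `ss -tlnp` output on Linux, flags the prohibited services by their standard IANA ports, distinguishes loopback-only from network-exposed listeners, and marks plain HTTP, POP3 and IMAP for review because they cannot carry protected information unencrypted. The sample output is constructed; on a real host, feed the text of `ss -tlnp` to `audit()`.

```python
"""Audit listening TCP services against the Services requirements above.

Added example, not the Company's tooling. It parses the LISTEN rows printed by
`ss -tlnp` on Linux; the sample output below is constructed, and the port-to-
service mapping is the standard IANA assignment for the services the policy names.
"""
import re

# Must be disabled: unnecessary services and services that send credentials in clear text.
PROHIBITED = {21: "ftp", 23: "telnet", 79: "finger", 512: "rexec", 513: "rlogin", 514: "rsh"}
# Cleartext application protocols: must never carry protected information; flagged for review.
CLEARTEXT = {80: "http", 110: "pop3", 143: "imap"}
_LOOPBACK = ("127.0.0.1", "[::1]")

# State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",pid=..,fd=..))]
_LISTEN_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[dict]:
    """Return one dict (addr, port, proc) per LISTEN row; header and other rows are skipped."""
    sockets = []
    for line in output.splitlines():
        m = _LISTEN_ROW.match(line.strip())
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # handles "[::]:443" as well as "0.0.0.0:22"
        if not port.isdigit():
            continue
        sockets.append({"addr": addr, "port": int(port), "proc": m.group("proc") or "?"})
    return sockets


def audit(output: str) -> list[dict]:
    """Findings for prohibited and cleartext listeners, most severe first."""
    findings = []
    for s in parse_ss(output):
        exposed = s["addr"] not in _LOOPBACK  # bound beyond loopback = reachable from the network
        if s["port"] in PROHIBITED:
            findings.append({**s, "service": PROHIBITED[s["port"]],
                             "severity": "high" if exposed else "medium",
                             "verdict": "disable: prohibited service / cleartext credentials"})
        elif s["port"] in CLEARTEXT and exposed:
            findings.append({**s, "service": CLEARTEXT[s["port"]], "severity": "low",
                             "verdict": "review: cleartext transport must not carry protected information"})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["port"]))


# Constructed sample in the format of `ss -tlnp`.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5        0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       32       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=701,fd=3))
LISTEN  0       128      127.0.0.1:79         0.0.0.0:*          users:(("inetd",pid=640,fd=6))
LISTEN  0       128      [::]:443             [::]:*             users:(("nginx",pid=900,fd=7))
LISTEN  0       128      [::]:80              [::]:*             users:(("nginx",pid=900,fd=6))
LISTEN  0       128      0.0.0.0:514          0.0.0.0:*          users:(("rshd",pid=650,fd=3))
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f'{f["severity"]:6} {f["addr"]}:{f["port"]} {f["service"]} ({f["proc"]}) - {f["verdict"]}')
```

Port-based identification is a first pass only: a service moved to a non-standard port is missed, and the process name is the more reliable indicator when it is available, which is why it is carried through into each finding.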


VENDOR MANAGEMENT

Vendor management ensures that independent third party vendor services are compliant with the Information Security Policy.

A. Contract Language
• Vendor contracts must ensure the services provided are consistently compliant with the Company Information Security Policy and allow for independent risk assessments to validate compliance.
• Vendor contracts must require known administrative, technical, and physical vulnerabilities be remediated, or approved compensating controls put in place, with timeliness directly proportionate to the risk involved, as required by legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Vendor contracts must require documented processes and procedures be in place and followed as required by legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Vendor contracts must incorporate the Hilton Privacy & Data Protection Policy for Service Providers for third party vendors or resources that store, process, or transmit protected information as required by legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• Information Technology will lead and approve all technology and technology enabled/enabling agreements or contracts, including, but not limited to, software, software-as-a-service, web development, and hosting agreements.

B. Inventory
• A list of third party vendors or resources that store, process, transmit, or access Company protected information must be maintained by Information Technology and kept available.

C. Monitoring
• A vendor management program, appropriate for the vendor, must be defined and implemented to ensure on-going compliance with key security and contract requirements.

DEFINITIONS

TERM / ACRONYM: DEFINITION
Awareness Training: Training on the Information Security Policy for all new, existing, and temporary team members with access to protected information.
Cardholder Data / Information: Consists minimally of the full payment account number (PAN), but can also include cardholder name, expiration date, and/or service code.
Company: Those business entities that comprise Hilton, including Owned and Managed properties, Franchise properties, and Corporate.
Company Information: Information not intended for public consumption.
Company Information Assets: The systems that store, process, or transmit Company information.
Company Data Classification: Company Information groups that identify the proper handling of information to ensure consistent protection when that information is stored, processed, or transmitted. This policy references “protected information”, which includes personally identifiable information (PII), financial information, cardholder information, and health record information (HIPAA), as defined in the Company’s Data Classification Policy.
Company Devices: Pieces of hardware that are maintained or issued by the Company and that connect to the Company network or store Company information (e.g., servers, desktops, laptops, smart phones, tablets, flash drives).
Generic User Account: A user account used by more than one individual, thereby eliminating accountability for actions taken with that account.
PCI DSS: Payment Card Industry Data Security Standard, the standard governing the safe handling of cardholder information at every step. Compliance with it is assessed annually and validated by a Qualified Security Assessor (QSA).
Personal Devices: Any piece of hardware that is not issued by the Company and that connects to the Company network or stores Company information (e.g., smart phones, laptops, tablets, flash drives).
Portable Computing Devices: Includes smart phones, tablets, and laptops.
Production Environment: Technical environment where software and other products are put into operation for their intended use by end users.
Protected Information: See “Company Data Classification”.
Removable Computer Media: Includes CDs and backup tapes.
Removable Storage: Includes hard drives, USB flash drives, and mobile phone drives.
Sarbanes-Oxley: Sarbanes-Oxley Act of 2002, a United States federal law that set new or enhanced standards for all U.S. public company boards, management, and public accounting firms to individually certify the accuracy of financial information.
Security Controls: Administrative, technical, and physical controls in place to protect Company information assets (e.g., access management, encryption, firewalls, intrusion detection and prevention, logging).
Security Tenets: Confidentiality, Integrity, and Availability.
Shared User Account: See “Generic User Account”.

ROLES AND RESPONSIBILITIES

ENTITY / PERSONNEL: RESPONSIBILITIES
Chief Information Officer (CIO): Ensures the Company’s technical strategies align with the business strategies.
Information Security & Compliance Lead: Ensures the Company’s Information Security Program and Policies protect Company information assets against accidental or intentional unauthorized use, disclosure, transfer, modification or destruction; creates and distributes security policies and supporting security requirements; assumes overall responsibility for Company information security.
Data Privacy Lead: Ensures compliance with legislative, regulatory, and compliance requirements related to data privacy.
Business Owners: See “Information Owners”.
Business Process Owners: Ensure confidentiality, integrity, and accuracy of information and information assets are maintained through the appropriate processes.
Data Owners: See “Information Owners”.
Information Owners: Ensure information assets have a designated owner responsible for controlling production, maintenance, use, and access according to Company policies; control access to information by approving, or delegating responsibility for approving, access requests.
Information Technology: Ensures the technology involving the development, implementation, maintenance, and use of computer systems, software, and networks for processing and distribution of data is in place. This is the global Information Technology organization led by the CIO.
Information Technology Administrators: Ensure information assets are protected through consistent adherence to the Information Security Policy in installations, change management, daily operations, incident management, service monitoring, and service continuity.
Information Users: Ensure confidentiality of all passwords, report suspected information security violations to ISC@hilton.com, protect Company information assets at all times, and adhere to the Information Security Policy.
Security Event Managers: Provide direction and oversight to the Company’s managed security service providers responsible for supporting Security Information and Event Management infrastructure and processes; support monitoring of critical alerts, including those alerts related to data access violations; ensure escalation and communication processes are implemented to distribute security alert and/or incident information to appropriate information security team members, Information Technology Administrators, Information Owners, and, if applicable, business unit management personnel.
Security Incident Response Managers: Define, execute, and manage the Company’s security incident response program; create and distribute incident response processes and procedures; train appropriate personnel on response processes; provide direction and oversight to service providers supporting the security incident response program.
Users: All Team Members, support personnel, and service providers using or accessing Company information by or through systems, technology, and/or Company resources.

RELATED DOCUMENTS, TOOLS AND TEMPLATES

POLICIES & PROCEDURES: LOCATION
Hotel Information Security Standards: Company Policies & Procedures site
Access Management Standard: In Process
Anti-Virus Standard: In Process
Configuration Standard: In Process
Encryption Standard: In Process
Equipment Disposal & Decommissioning Standard: In Process
Network Architecture Standard: In Process
Information Management Standard: In Process
Security Event Logging Standard: In Process
Remote Access Standard: In Process
Software Development & Change Management Security Standard: In Process
Time Synchronization Standard: In Process
Web Proxy Server & Content Management Standard: In Process
Wireless Standard: In Process
Data Classification Policy: Review Policy

POLICY NUMBER: HWI-IT-001
POLICY OWNER: Information Security & Compliance
LAST UPDATED: 10/20/17