Appendix A Mapping to Cybersecurity Framework¶
Table A-1 shows the National Institute of Standards and Technology (NIST) Cybersecurity Framework Subcategories that are addressed by the property management system (PMS) reference design built in this practice guide. The first three columns give the Cybersecurity Framework Functions, Categories, and Subcategories addressed by the PMS reference design. The next three columns map each Subcategory to specific requirements in the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1; to security and privacy controls in NIST Special Publication (SP) 800-53r5; and/or to work roles in NIST SP 800-181r1, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [B11]. The table is included to help readers with expertise in PCI DSS, NIST SP 800-53, or the NICE Framework connect that expertise to the risks addressed by this PMS reference design. Examining the NICE Framework work roles may help an organization determine whether its deployment teams already include people who can perform the tasks and apply the skills described for each role. A specific PCI DSS requirement or NIST SP 800-53r5 control [B9] may likewise correspond to an area of focus within the organization that the PMS reference design could help address.
Table A-1 Securing Property Management Systems: NIST Cybersecurity Framework Components Mapping

Columns 1 to 3 give the NIST Cybersecurity Framework v1.1 Function, Category, and Subcategory; columns 4 to 6 give the corresponding standards and best practices. A blank Function or Category cell continues the entry above it.

| Function | Category | Subcategory | PCI DSS v3.2.1 | NIST SP 800-53r5 Security and Privacy Controls [B9] | NICE Framework 2017 Work Roles [B11] |
|---|---|---|---|---|---|
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-1: Physical devices and systems within the organization are inventoried. | | CM-8, PM-5 | Technical Support Specialist |
| | | ID.AM-2: Software platforms and applications within the organization are inventoried. | | CM-8, PM-5 | Technical Support Specialist |
| PROTECT (PR) | Identity Management, Authentication, and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. | 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network; 3.6.1 Generate strong keys; 3.6.2 Keys are only distributed to authorized recipients; 3.6.3 Stored keys are stored encrypted; 3.6.4 A reasonable crypto period shall be set; 3.6.5 A key life cycle shall be established, denoting when keys should be destroyed and when keys should be securely kept for archived/legacy encrypted data; 3.6.7 Keys shall only be accepted from authorized sources | AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 | System Administrator or Product Support Manager |
| | | PR.AC-3: Remote access is managed. | 8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: | AC-1, AC-17, AC-19, AC-20, SC-15 | Information Systems Security Developer or System Administrator |
| | | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. | 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access; 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities; 7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed | AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24 | Technical Support Specialist or System Administrator |
| | | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation). | 1.1 Establish and implement firewall and router configuration standards; 1.1.4 Requirements for a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone; 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment; 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks | AC-4, AC-10, SC-7 | Network Operations Specialist |
| | | PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions. | 8.1.6 Limit the number of failed login attempts; 8.1.7 Establish a reasonable “cool down period” for locked-out accounts prior to automatic unlocking processes; 8.1.8 Reasonable idle time prior to workstation lockout shall be established; 8.2 Where appropriate, multifactor authentication (two or more of something you know, something you have, and something you are) shall be implemented; 8.2.1 Authentication transactions and data are encrypted at rest and in transit | AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3 | Systems Requirements Planner |
| | | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). | | AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11 | Systems Requirements Planner |
| | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-1: Data at rest is protected. | 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process; 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data; 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization; 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization; 3.4 Render Primary Account Number unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: | MP-8, SC-12, SC-28 | Information Systems Security Developer |
| | | PR.DS-2: Data in transit is protected. | 1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment; 1.3 Prohibit direct public access between the internet and any system component in the cardholder data environment | SC-8, SC-11, SC-12 | Information Systems Security Developer or Cyber Defense Analyst |
| | | PR.DS-5: Protections against data leaks are implemented. | | AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 | Information Systems Security Developer |
| | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, incorporating security principles (e.g., concept of least functionality). | | CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10 | Enterprise Architect or Cyber Policy and Strategy Planner |
| | | PR.IP-3: Configuration change control processes are in place. | | CM-3, CM-4, SA-10 | Systems Developer or Systems Security Analyst |
| | Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. | 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic | AC-3, CM-7 | Privacy Officer/Privacy Compliance Manager |
| | | PR.PT-4: Communications and control networks are protected. | | AC-4, AC-17, AC-18, CP-8, SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43 | Security Architect or Communications Security (COMSEC) Manager |
| DETECT (DE) | Anomalies and Events (DE.AE): Anomalous activity is detected, and the potential impact of events is understood. | DE.AE-2: Detected events are analyzed to understand attack targets and methods. | | AU-6, CA-7, IR-4, SI-4 | Cyber Defense Analyst |
| | Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | DE.CM-1: The network is monitored to detect potential cybersecurity events. | | AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4 | Cyber Defense Analyst |
| | | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events. | | CA-7, PE-3, PE-6, PE-20 | Network Operations Specialist |
| | | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed. | | AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4 | Threat/Warning Analyst |
| | Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. | DE.DP-4: Event detection information is communicated. | 10.1 Audit logs are generated, documenting user activity; 10.2 Audit events are logged; 10.2.1 User account privileges are documented; 10.2.7 The creation and deletion of system level objects are logged; 10.3 Events are logged so that they are auditable; 10.5 Audit logs are strongly protected, including encryption and strong role-based authentication for authorized log users | AU-6, CA-2, CA-7, RA-5, SI-4 | Cyber Defense Infrastructure Support Specialist |
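The PR.DS-1 row above maps PCI DSS v3.2.1 Requirement 3.4, which requires the primary account number (PAN) to be unreadable wherever it is stored, logs included. Application logs are where a PMS most often leaks PANs by accident (a debug line echoing an authorization request, a failure dump of a payment message), so a scrubber in front of the log pipeline is the kind of control a deployer ends up writing. The module below is an added example written for this appendix; it is not code from the NCCoE reference design or from any product in it. The log lines in `SAMPLE_LOG`, the folio and epoch values in them, and the HMAC key are constructed for the example, and `redact_pans`, `pan_reference` and the other names are the example's own. It truncates every Luhn-valid 13- to 19-digit run to the first six and last four digits, and separately shows a keyed (HMAC-SHA256) one-way reference for correlating a card across log entries without keeping the PAN.

```python
"""Find and render primary account numbers (PANs) unreadable in log lines.

Added example for PCI DSS v3.2.1 Requirement 3.4 (render PAN unreadable
wherever it is stored, logs included). This is not code from the NCCoE
reference design; the lines in SAMPLE_LOG are constructed for the example
and the HMAC key passed to pan_reference() is a placeholder.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# A PAN is 13 to 19 digits. Candidates may be written with single spaces or
# dashes between digit groups. The lookarounds require the run to begin and
# end at a non-digit, so a longer digit run is never matched piecewise.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812).

    Filters out timestamps, folio numbers and other long digit runs. About one
    random run in ten still passes, so some over-redaction is possible; for a
    log scrubber that is the safe direction to fail.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most that PCI DSS v3.2.1
    allows to remain readable for truncation or masking."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN truncated, plus the count."""
    hits = 0

    def _sub(m) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave the text alone
        hits += 1
        return truncate_pan(digits)

    return _CANDIDATE.sub(_sub, line), hits


def scrub_log(lines) -> tuple[list[str], int]:
    """Scrub a sequence of log lines; returns (clean_lines, total_redactions)."""
    total = 0
    out = []
    for line in lines:
        clean, n = redact_pans(line)
        out.append(clean)
        total += n
    return out, total


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way reference for a PAN: HMAC-SHA256 over the full PAN.

    Requirement 3.4 accepts a one-way hash of the entire PAN, but the PAN
    space is small enough that an unkeyed hash can be brute-forced once the
    issuer range is known, so key the hash and manage that key under the
    Requirement 3.6 items mapped to PR.AC-1. Do not store this reference next
    to a truncated copy of the same PAN; the note to 3.4 warns that the two
    together can be correlated to reconstruct the PAN.
    """
    digits = re.sub(r"[ -]", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample lines, not from any real system. 4111111111111111 is a
# well-known Luhn-valid test number; the folio and epoch values fail Luhn.
SAMPLE_LOG = [
    "2021-03-02T14:05:11Z INFO  folio=RES1234567890123456 guest checked in room 412",
    "2021-03-02T14:05:12Z DEBUG payment.authorize card=4111111111111111 amount=189.00",
    "2021-03-02T14:05:13Z DEBUG payment.authorize card='4111 1111 1111 1111' amount=189.00",
    "2021-03-02T14:05:14Z WARN  retry id=1614693914000 backoff=500ms",
]

if __name__ == "__main__":
    clean_lines, redacted = scrub_log(SAMPLE_LOG)
    print("\n".join(clean_lines))
    print(f"{redacted} PAN(s) redacted")
```

Running the module prints the scrubbed sample lines and the count. The Luhn check is what keeps the reservation number and the epoch timestamp out of the redaction; a card number written with spaces is still caught because separators are stripped before validation. Keep the truncated form and the keyed reference in separate stores, for the reason given in the `pan_reference` docstring, and treat the scrubber as a backstop: the requirement is met by not writing the PAN to the log in the first place.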
Appendix B Privacy Framework Mapping¶
Table B-1 shows the National Institute of Standards and Technology (NIST) Privacy Framework [B12] Subcategories addressed as outcomes in this practice guide, mapped to the components of the property management system (PMS) reference design that address them.
Table B-1 Securing Property Management Systems: NIST Privacy Framework Components Mapping

A blank Function or Category cell continues the entry above it.

| Privacy Framework Function | Privacy Framework Category | Privacy Framework Subcategory | PMS Reference Design Component |
|---|---|---|---|
| Identify-P | Inventory and Mapping (ID.IM-P) | ID.IM-P4: Data actions of the systems/products/services are inventoried. | Forescout CounterACT 8.1 |
| | | ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components, roles of the component owners/operators, and interactions of individuals or third parties with the systems/products/services. | CryptoniteNXT Secure Zone 2.9.1; StrongKey KeyAppliance |
| Control-P | Data Processing Management (CT.DM-P) | CT.DM-P1: Data elements can be accessed for review. | Solidres PMS; Forescout CounterACT 8.1 |
| | | CT.DM-P2: Data elements can be accessed for transmission or disclosure. | Solidres PMS |
| | | CT.DM-P3: Data elements can be accessed for alteration. | Solidres PMS |
| | | CT.DM-P4: Data elements can be accessed for deletion. | Solidres PMS |
| | | CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. | Remediant SecureONE 18.06.3-ce |
Appendix C Deployment Recommendations¶
The example implementation was developed in a lab environment. It does not reflect the complexity of a production environment, and we did not use production deployment processes. Before production deployment, it should be confirmed that the example implementation capabilities meet the organization’s architecture, reliability, and scalability requirements.
Deploying a zero trust architecture to secure a property management system (PMS) within an existing infrastructure requires an organization to consider its existing practices for interoperability and usability.
Deployers should adhere to best practice guidance for vulnerability and patch management [B20], continuity of operations planning, and environment elements that are not addressed in this document.
The individual organizations that make up an enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. The National Institute of Standards and Technology recommends that all organizations and enterprises, regardless of size or type, ensure that cybersecurity risks receive appropriate attention as they carry out their Enterprise Risk Management (ERM) functions. A zero trust architecture deployed around a PMS reduces cybersecurity risk, and that risk reduction should be included in the cybersecurity risk information used to inform the overall ERM [B21]. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.
Appendix D List of Acronyms¶
| Acronym | Definition |
|---|---|
| 2FA | Two-Factor Authentication |
| CNSSI | Committee on National Security Systems Instruction |
| CRS | Central Reservation System |
| FIPS | Federal Information Processing Standards |
| GDPR | General Data Protection Regulation |
| IP | Internet Protocol |
| IT | Information Technology |
| IoT | Internet of Things |
| NCCoE | National Cybersecurity Center of Excellence |
| NIST | National Institute of Standards and Technology |
| PII | Personally Identifiable Information |
| PMS | Property Management System |
| POS | Point of Sale |
| SP | Special Publication |
| VLAN | Virtual Local Area Network |
| ZTA | Zero Trust Architecture |
Appendix E Glossary¶
| Term | Definition |
|---|---|
| Access Control | The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances). SOURCE: Committee on National Security Systems Instruction (CNSSI) 4009-2015 |
| Architecture | The design of the network of the hotel environment and the components that are used to construct it. |
| Authentication | The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. SOURCE: Federal Information Processing Standards (FIPS) 200 |
| Authorized User | Any appropriately provisioned individual with a requirement to access an information system. SOURCE: CNSSI 4009-2015 |
| Console | A visually oriented input and output device used to interact with a computational resource. |
| Continuous Monitoring | Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. SOURCE: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-150 |
| Firewall | A part of a computer system or network that is designed to block unauthorized access while permitting outward communication. SOURCE: NIST SP 800-152 |
| Information Security | The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. SOURCE: FIPS 200 |
| Multifactor Authentication | Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). SOURCE: CNSSI 4009-2015 |
| Personally Identifiable Information | Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. SOURCE: NIST SP 800-37 Rev. 2 |
| Privilege | A right granted to an individual, a program, or a process. SOURCE: CNSSI 4009-2015 |
| Security Control | A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. SOURCE: NIST SP 800-161 |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. SOURCE: FIPS 200 |
| Wi-Fi | A generic term that refers to a wireless local area network that observes the IEEE 802.11 protocol. SOURCE: NIST Interagency or Internal Report 7250 |
Appendix F References¶
- [B1] National Cybersecurity Center of Excellence (NCCoE) Securing Property Management Systems for the Hospitality Sector, A Notice by the National Institute of Standards and Technology on 11/24/2017. Available at https://www.federalregister.gov/documents/2017/11/24/2017-25427/national-cybersecurity-center-of-excellence-nccoe-securing-property-management-systems-for-the.
- [B2] Hotel Technology Next Generation (HTNG). Secure Payments Framework for Hospitality, version 1.0. Feb. 2013. Available at https://cdn.ymaws.com/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/HTNG_Secure_Payments_Framework_v1.0_FINAL.pdf.
- [B3] HTNG. Payment Tokenization Specification. Feb. 21, 2018. Available at https://cdn.ymaws.com/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/HTNG_Secure_Payments_Framework_v1.0_FINAL.pdf.
- [B4] HTNG. Payment Systems & Data Security Specifications 2010B. Oct. 22, 2010. Available at https://cdn.ymaws.com/www.htng.org/resource/resmgr/Files/Specifications/2010B/HTNG_2010B_PaymentsWG_Paymen.pdf.
- [B5] HTNG. EMV for the US Hospitality Industry. Oct. 1, 2015. Available at https://cdn.ymaws.com/sites/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/2015-09-23_EMV_White_Paper.pdf.
- [B6] Payment Card Industry Data Security Standard version 3.2.1. May 2018. Available at https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf.
- [B7] HTNG. GDPR for Hospitality. June 1, 2019. Available at https://cdn.ymaws.com/www.htng.org/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/GDPR_for_Hospitality_-_V2_-_2019.pdf.
- [B8] National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Apr. 16, 2018. Available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
- [B9] Joint Task Force Transformation Initiative, Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication (SP) 800-53 Rev. 5, NIST, Gaithersburg, Md., Sept. 2020. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.
- [B10] P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 22, 2017. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.
- [B11] R. Petersen et al., Workforce Framework for Cybersecurity (NICE Framework), NIST SP 800-181 Revision 1, NIST, Gaithersburg, Md., Nov. 2020. Available at https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center.
- [B12] National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. Available at https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
- [B13] S. Rose et al., Zero Trust Architecture, NIST SP 800-207, NIST, Gaithersburg, Md., Aug. 2020, 59 pp. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.
- [B14] Abbasi et al., 2019 Trustwave Global Security Report, Trustwave Holdings, Inc., 2019. Available at https://www.trustwave.com/en-us/resources/library/documents/2019-trustwave-global-security-report/.
- [B15] NIST. Risk Management Framework: Quick Start Guides. Available at https://csrc.nist.gov/Projects/risk-management. (Superseded; see the note below.)
- [B16] Joint Task Force, Risk Management Framework for Information Systems and Organizations, NIST SP 800-37 Revision 2, NIST, Gaithersburg, Md., Dec. 2018. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.
- [B17] Joint Task Force, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, NIST, Gaithersburg, Md., Sept. 2012. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
- [B18] Social Tables. Cybersecurity for Hotels: 6 Threats Just Around the Corner from Your Property. Available at https://www.socialtables.com/blog/hospitality/cyber-security-hotels/.
- [B19] C. Paulsen, R. Byers, Glossary of Key Information Security Terms, NIST Interagency or Internal Report (NISTIR) 7298 Rev. 3, NIST, Gaithersburg, Md., July 2019. Available at https://csrc.nist.gov/glossary/term/vulnerability.
- [B20] NCCoE. Critical Cybersecurity Hygiene: Patching the Enterprise. Available at https://www.nccoe.nist.gov/projects/building-blocks/patching-enterprise.
- [B21] NIST. NISTIR 8286: Integrating Cybersecurity and Enterprise Risk Management (ERM), Oct. 2020. Available at https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf.

Note on [B15]: superseded on March 15, 2021 by the Quick Start Guides (QSG) for the RMF steps found at the bottom of https://csrc.nist.gov/Projects/risk-management/about-rmf, which is linked from NIST’s Risk Management Framework (RMF) website, https://csrc.nist.gov/Projects/risk-management.