Appendix A Mapping to Cybersecurity Framework

Table A-1 shows the National Institute of Standards and Technology (NIST) Cybersecurity Framework Subcategories that are addressed by the property management system (PMS) reference design built in this practice guide. The first three columns show the Cybersecurity Framework Functions, Categories, and Subcategories addressed by the PMS reference design. The next three columns show mappings from the Cybersecurity Framework Subcategories to specific components in the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1; security and privacy controls in NIST Special Publication (SP) 800-53r5; and/or work roles in NIST SP 800-181r1, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [B11]. This table is included to help connect those with expertise in PCI DSS, NIST SP 800-53, and the NICE Framework with the risk being addressed in this PMS reference design. Examining existing work roles in the NICE Framework may help an organization identify if it has people who can perform tasks and apply the skills described for each work role on its deployment teams. Noting a discrete PCI requirement or NIST SP 800-53r5 control [B9] may match areas of focus within an organization that securing a PMS reference design could help address.

Table A-1 Securing Property Management Systems: NIST Cybersecurity Framework Components Mapping

NIST Cybersecurity Framework v1.1

Standards and Best Practices

Function

Category

Subcategory

PCI DSS v3.2.1

NIST SP 800-53r5 Security and Privacy Controls [B9]

NICE Framework 2017 Work Roles [B11]

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried.

CM-8, PM-5

Technical Support Specialist

ID.AM-2: Software platforms and applications within the organization are inventoried.

CM-8, PM-5

Technical Support Specialist

PROTECT (PR)

Identity Management, Authentication, and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11

System Administrator or Product Support Manager

3.6.1 Generate strong keys.

3.6.2 Keys are only distributed to authorized recipients.

3.6.3 Stored keys are stored encrypted.

3.6.4 A reasonable crypto period shall be set.

3.6.5 A key life cycle shall be established, denoting when keys should be destroyed and when keys should be securely kept for archived/legacy encrypted data.

3.6.7 Keys shall only be accepted from authorized sources.

PR.AC-3: Remote access is managed.

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:

  • enabled only during the time period needed and disabled when not in use

  • monitored when in use

AC-1, AC-17, AC-19, AC-20, SC-15

Information Systems

Security Developer or

System Administrator

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24

Technical Support Specialist or System Administrator

7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

Technical Support Specialist or System Administrator

7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).

1.1 Establish and implement firewall and router configuration standards.

AC-4, AC-10, SC-7

Network Operations

Specialist

1.1.4 requirements for a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone

Network Operations

Specialist

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

Network Operations

Specialist

1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

Network Operations

Specialist

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.

8.1.6 Limit the number of failed login attempts.

8.1.7 Establish a reasonable “cool down period” for locked-out accounts prior to automatic unlocking processes.

8.1.8 Reasonable idle time prior to workstation lockout shall be established.

8.2 Where appropriate, multifactor authentication (two or more of something you know, something you have, and something you are) shall be implemented.

8.2.1 Authentication transactions and data are encrypted at rest and in transit.

AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

Systems Requirements

Planner

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11

Systems Requirements Planner

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data at rest is protected.

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

MP-8, SC-12, SC-28

Information Systems

Security Developer

3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Information Systems

Security Developer

3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

Information Systems

Security Developer

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.

Information Systems

Security Developer

3.4 Render Primary Account Number unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

Information Systems

Security Developer

PR.DS-2: Data in transit is protected.

1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

SC-8, SC-11, SC-12

Information Systems

Security Developer or

Cyber Defense Analyst

1.3 Prohibit direct public access between the internet and any system component in the cardholder data environment.

Information Systems

Security Developer or

Cyber Defense Analyst

PR.DS-5: Protections against data leaks are implemented.

AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

Information Systems Security Developer

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, incorporating security principles (e.g., concept of least functionality).

CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

Enterprise Architect or

Cyber Policy and Strategy Planner

PR.IP-3: Configuration change control processes are in place.

CM-3, CM-4, SA-10

Systems Developer or

Systems Security Analyst

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

AC-3, CM-7

Privacy Officer/Privacy Compliance Manager

PR.PT-4: Communications and control networks are protected.

AC-4, AC-17, AC-18, CP-8, SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43

Security Architect or

Communications Security (COMSEC) Manager

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected, and the potential impact of events is understood.

DE.AE-2: Detected events are analyzed to understand attack targets and methods.

AU-6, CA-7, IR-4, SI-4

Cyber Defense Analyst

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events.

AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

Cyber Defense Analyst

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.

CA-7, PE-3, PE-6, PE-20

Network Operations

Specialist

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.

AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

Threat/Warning Analyst

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

DE.DP-4: Event detection information is communicated.

10.1 Audit logs are generated, documenting user activity.

10.2 Audit events are logged.

10.2.1 User account privileges are documented.

10.2.7 The creation and deletion of system level objects are logged.

10.3 Events are logged so that they are auditable.

10.5 Audit logs are strongly protected, including encryption and strong role-based authentication for authorized log users.

AU-6, CA-2, CA-7, RA-5, SI-4

Cyber Defense Infrastructure Support Specialist

Appendix B Privacy Framework Mapping

Table B-1 shows National Institute of Standards and Technology (NIST) Privacy Framework Subcategories as outcomes addressed in this practice guide and mapped to the property management (PMS) reference design components.

Table B-1 Securing Property Management Systems: NIST Privacy Framework Components Mapping

Privacy Framework Function

Privacy Framework Category

Privacy Framework Subcategory

PMS Reference Design Component

Identify-P

Inventory and Mapping (ID.IM-P)

ID.IM-P4: Data actions of the systems/products/services are inventoried.

Forescout

CounterACT 8.1

ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components, roles of the component owners/operators, and interactions of individuals or third parties with the systems/products/services.

CryptoniteNXT Secure Zone 2.9.1

StrongKey KeyAppliance

Control-P

Data Processing Management (CT.DM-P)

CT.DM-P1: Data elements can be accessed for review.

Solidres PMS

Forescout

CounterACT 8.1

CT.DM-P2: Data elements can be accessed for transmission or disclosure.

Solidres PMS

CT.DM-P3: Data elements can be accessed for alteration.

Solidres PMS

CT.DM-P4: Data elements can be accessed for deletion.

Solidres PMS

CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization.

Remediant SecureONE 18.06.3-ce

Appendix C Deployment Recommendations

The example implementation was developed in a lab environment. It does not reflect the complexity of a production environment, and we did not use production deployment processes. Before production deployment, it should be confirmed that the example implementation capabilities meet the organization’s architecture, reliability, and scalability requirements.

Deployment of a zero trust architecture to secure a property management system (PMS) into an existing infrastructure will require an organization to consider its existing practices for interoperability and usability.

Deployers should adhere to best practice guidance for vulnerability and patch management [B20], continuity of operations planning, and environment elements that are not addressed in this document.

The individual organizations that compose every enterprise are experiencing an increase in the frequency, creativity, and severity of cybersecurity attacks. The National Institute of Standards and Technology recommends that all organizations and enterprises, regardless of size or type, should ensure that cybersecurity risks receive appropriate attention as they carry out their Enterprise Risk Management (ERM) functions. As such, a deployment of a zero trust architecture around a PMS reduces cybersecurity risk and should be included in all the cybersecurity risk information used to inform the overall ERM [B21]. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.

Appendix D List of Acronyms

2FA

Two-Factor Authentication

CNSSI

Committee on National Security Systems Instruction

CRS

Central Reservation System

FIPS

Federal Information Processing Standards

GDPR

General Data Protection Regulation

IP

Internet Protocol

IT

Information Technology

IoT

Internet of Things

NCCoE

National Cybersecurity Center of Excellence

NIST

National Institute of Standards and Technology

PII

Personally Identifiable Information

PMS

Property Management System

POS

Point of Sale

SP

Special Publication

VLAN

Virtual Local Area Network

ZTA

Zero Trust Architecture

Appendix E Glossary

Access Control

The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

SOURCE: Committee on National Security Systems Instruction (CNSSI) 4009-2015

Architecture

The design of the network of the hotel environment and the components that are used to construct it.

Authentication

The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

SOURCE: Federal Information Processing Standards (FIPS) 200

Authorized User

Any appropriately provisioned individual with a requirement to access an information system.

SOURCE: CNSSI 4009-2015

Console

A visually oriented input and output device used to interact with a computational resource.

Continuous Monitoring

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

SOURCE: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-150

Firewall

A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

SOURCE: NIST SP 800-152

Information Security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

SOURCE: FIPS 200

Multifactor Authentication

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

SOURCE: CNSSI 4009-2015

Personally Identifiable Information

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

SOURCE: NIST SP 800-37 Rev. 2

Privilege

A right granted to an individual, a program, or a process.

SOURCE: CNSSI 4009-2015

Security Control

A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

SOURCE: NIST SP 800-161

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

SOURCE: FIPS 200

Wi-Fi

A generic term that refers to a wireless local area network that observes the IEEE 802.11 protocol.

SOURCE: NIST Interagency or Internal Report 7250

Appendix F References

B1

National Cybersecurity Center of Excellence (NCCoE) Securing Property Management Systems for the Hospitality Sector, A Notice by the National Institute of Standards and Technology on 11/24/2017. Available at https://www.federalregister.gov/documents/2017/11/24/2017-25427/national-cybersecurity-center-of-excellence-nccoe-securing-property-management-systems-for-the.

B2

Hotel Technology Next Generation (HTNG). Secure Payments Framework for Hospitality, version 1.0. Feb. 2013. Available at https://cdn.ymaws.com/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/HTNG_Secure_Payments_Framework_v1.0_FINAL.pdf.

B3

HTNG. Payment Tokenization Specification. Feb. 21, 2018. Available at https://cdn.ymaws.com/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/HTNG_Secure_Payments_Framework_v1.0_FINAL.pdf.

B4

HTNG. Payment Systems & Data Security Specifications 2010B. Oct. 22, 2010. Available at https://cdn.ymaws.com/www.htng.org/resource/resmgr/Files/Specifications/2010B/HTNG_2010B_PaymentsWG_Paymen.pdf.

B5

HTNG. EMV for the US Hospitality Industry. Oct. 1, 2015. Available at https://cdn.ymaws.com/sites/htng.site-ym.com/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/2015-09-23_EMV_White_Paper.pdf.

B6

Payment Card Industry Data Security Standard version 3.2.1. May 2018. Available at https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf.

B7

HTNG. GDPR for Hospitality. June 1, 2019. Available at https://cdn.ymaws.com/www.htng.org/resource/collection/CC1CE2B8-0377-457E-9AB0-27CFDD77E17B/GDPR_for_Hospitality_-_V2_-_2019.pdf.

B8

National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Apr. 16, 2018. Available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

B9(1,2)

Joint Task Force Transformation Initiative, Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication (SP) 800-53 Rev. 5, NIST, Gaithersburg, Md., Sept. 2020. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.

B10

P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 22, 2017. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.

B11(1,2)

R. Petersen et al., Workforce Framework for Cybersecurity (NICE Framework), NIST SP 800-181 Revision 1, NIST, Gaithersburg, Md., Nov. 2020. Available at https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center.

B12

National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. Available at https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.

B13

S. Rose et al., Zero Trust Architecture, NIST SP 800-207, NIST, Gaithersburg, Md., Aug. 2020, 59 pp. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.

B14

Abbasi et al., 2019 Trustwave Global Security Report, 2019 Trustwave Holdings, Inc. Available at https://www.trustwave.com/en-us/resources/library/documents/2019-trustwave-global-security-report/.

B15

*NIST. Risk Management Framework: Quick Start Guides. Available at https://csrc.nist.gov/Projects/risk-management.

B16

Joint Task Force, Risk Management Framework for Information Systems and Organizations, NIST SP 800-37 Revision 2, NIST, Gaithersburg, Md., Dec. 2018. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.

B17

Joint Task Force, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, NIST, Gaithersburg, Md., Sept. 2012. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

B18

Social Tables. Cybersecurity for Hotels: 6 Threats Just Around the Corner from Your Property. Available at https://www.socialtables.com/blog/hospitality/cyber-security-hotels/.

B19

C. Paulsen, R. Byers, Glossary of Key Information Security Terms, NIST Interagency or Internal Report NISTIR) 7298 Rev. 3, NIST, Gaithersburg, Md., July 2019. Available at https://csrc.nist.gov/glossary/term/vulnerability.

B20

NCCoE. Critical Cybersecurity Hygiene: Patching the Enterprise. Available at https://www.nccoe.nist.gov/projects/building-blocks/patching-enterprise.

B21

NIST. NISTIR 8286: Integrating Cybersecurity and Enterprise Risk Management (ERM), Oct. 2020. Available at https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf.

*Superseded on March 15, 2021 by Quick Start Guides (QSG) for the RMF Steps found at the bottom of https://csrc.nist.gov/Projects/risk-management/about-rmf which is a link off of NIST’s new NIST Risk Management Framework (RMF) https://csrc.nist.gov/Projects/risk-management website.