
Marriott International 1

Running head: MARRIOTT INTERNATIONAL, INC.

Marriott International, Inc.

Risk Assessment Report

Cynthia P. Lyons

University of Maryland University College

Graduate School of Management and Technology

INFA6109040

March 31, 2010


Abstract

Marriott International, Inc. is a global leader in the hospitality industry offering thousands of hotels, resorts, and conference centers. Marriott’s brands have evolved over the years, providing more styles of accommodations, ranging from the casual to the very elegant. In addition to its stature in the hospitality business, Marriott is very successful in the technology sector. This risk assessment report analyzes Marriott International, Inc. using the model provided in Section 3 of the NIST Risk Management Guide for Information Technology Systems. The scope for this report includes physical threats and cyber threats to the company’s infrastructure. The analysis uses documented attacks as well as possible vulnerabilities based on conclusions derived from published materials. This report is not intended to analyze specific Marriott internal processes, but rather to provide a high-level overview of Marriott’s infrastructure and customer portal. Marriott’s use of innovative data encryption and its unique disaster recovery plan lend support to its success. Using information available to the general public, the risk assessment examines Marriott’s operating system and website architecture and includes the author’s suggestions for mitigating risks.

Keywords: Marriott, information technology, security, risk, risk assessment


Table of Contents

Abstract

Executive Summary

Company Profile

Information Technology

Risk Assessment

    Step One – System Characterization Evidence
    Step One – Conclusion
    Step Two – Threat Identification Evidence
    Step Two – Conclusion: Threat Statement
    Step Three – Vulnerability Identification Evidence
    Step Three – Conclusion: List of Vulnerabilities
        Table 1: List of Vulnerabilities
    Step Four – Control Analysis Evidence
    Step Four – Conclusion: List of Existing Controls
        Table 2: List of Existing Controls
    Step Five – Likelihood Determination
        Table 3: Likelihood of Successful Attacks
    Step Six – Impact Analysis Evidence
    Step Six – Conclusion: Magnitude of Impact
        Table 4: Magnitude of Impact
    Step Seven – Risk Determination Evidence
        Table 5: Risk Level Matrix
    Step Seven – Conclusion: Risk Level Factors
        Table 6: Risk Levels
    Step Eight – Control Recommendations Evidence
    Step Eight – Conclusion: Control Recommendations and Alternatives
        Table 7: Control Recommendations and Alternatives
    Step Nine – Risk Assessment Report: Summary

References


Executive Summary

The following risk assessment report presents a high-level evaluation of Marriott International, Inc. The purpose is to identify potential physical, technical, and operational weaknesses in Marriott’s corporate structure. The scope of this report includes defining Marriott’s organization and technology infrastructure. Using this information, weaknesses, threats, and risks are identified. This report follows the model published by the National Institute of Standards and Technology (NIST) in its Risk Management Guide for Information Technology Systems, authored by Gary Stoneburner, Alice Goguen, and Alexis Feringa (2001). The report contains a risk analysis using the matrix proposed by NIST. Using the calculated risk levels, the report addresses recommended controls and alternatives for mitigating risk.

The NIST model lists nine steps to developing a comprehensive risk assessment report. Data in the NIST format is presented as inputs, gathered by methods such as questionnaires, interviews, and access to company files; defined outputs are then produced at the completion of each step. This report deviates from the NIST approach and replaces the input-output methodology with the author’s evidence-conclusion methodology: each step gathers evidence and closes with a conclusion similar to the NIST output definition.

Finally, it is important to note that all information supplied in this report is freely available on the Internet. Therefore, some assumptions are made by the author. This report is not intended to provide conclusive evidence as to Marriott’s exposure to risk. Rather, it focuses on known issues and can be used as a starting point for a more in-depth, sustainable document.


Company Profile

Marriott International, Inc. (“Company”) is a leading hotelier with several thousand hotels located around the globe. The Company began business in 1927 as a small root beer stand and has evolved into a respected leader in the hospitality industry. Indeed, Marriott is considered to be one of the best places to work and the most admired company in the industry (Marriott, 2010). In 2009, the Company employed 137,000 people and reported sales revenue of $10.9 billion (Hoovers, 2010). Marriott possesses over 17 brands (Marriott, 2010).

Information Technology

Overby (2003) reports that Marriott has developed solutions to accommodate its business needs during sluggish economic times. Marriott’s Automated Reservations System for Hotel Accommodations (Marsha) was overhauled in the late 1990s to meet the increasing demand for customer-driven online reservations. The customer portal has recently been re-engineered and introduced. Behind the scenes, the Company has merged its systems so that one system manages all of its brands. Marsha now connects to customers, partners, and suppliers and comprises over 6,000 programs (Overby, 2003). Marriott invested significant resources to replace the processors needed to support Marsha. The Call Center was also upgraded to a Windows-based system called Merlin, which handles several million dollars in reservations (Overby, 2003).

Marriott’s success is also a result of its focus on aligning IT and business operations. Indeed, IT personnel are savvy about cost-saving metrics and operations personnel are knowledgeable about company IT programs. Seventy-five percent of Marriott’s rooms are booked online, saving $12 million annually (Overby, 2003). The company’s efforts have paid off well. For example, in 2007 Marriott received an award for its in-house system developed to encrypt credit card numbers so that employees can reference customer card activity without knowing the actual card number (CIO.com, 2007). Marriott is gaining more publicity as its disaster recovery innovations are revealed. Sliwa (2008) describes the Company’s plan to retake ownership of its disaster recovery program, which was previously outsourced. In 2009 the company was expected to open its Recovery and Development Center (RDC), a 12,500 square foot facility located 220 feet underground, north of Pittsburgh. Marriott plans to use virtual servers for monitoring and managing the facility (Sliwa, 2008).

Risk Assessment

Step One – System Characterization Evidence

Marriott Headquarters are located in Bethesda, Maryland. One system is used to manage reservations for all of Marriott’s brands.

Internet.

The IP address for Marriott.com is owned by Akamai Technologies (ARIN, 2010); the net type is direct allocation. Akamai is a content delivery network, so the address observed from the Internet belongs to Akamai’s edge servers rather than to Marriott’s own origin infrastructure.

Server operating system.

Linux (netcraft.com, 2010). The site is queried daily, with results current as of March 28, 2010. Netcraft reports the operating system of the host that answers the request; when a site is fronted by a content delivery network, that host is the CDN edge server, not necessarily the origin server.

Reservation/revenue management system.

One Yield is an in-house system designed to merge and replace two inefficient systems. The system utilizes “J2EE architecture, IBM’s WebSphere, and Actuate Corp.’s reporting tool” (Thibodeau, 2005, p. 1).


Human resource/time-tracking system.

PeopleSoft solutions are used for tracking projects, labor costs, and other related expenses (Overby, 2003).

Disaster recovery system.

The Recovery and Development Center (RDC) is located 220 feet underground, north of Pittsburgh. Marriott can monitor activity remotely using virtualization.

Organizational chart.

The NIST model addresses management responsibility in risk assessment (Stoneburner et al., NIST, 2001). Marriott’s corporate structure supports NIST’s recommendations. In addition to a CIO, Marriott employs a chief privacy officer (CPO) and a chief security officer (CSO). The CPO is responsible for addressing privacy needs and resolving issues; responsibilities include “gap analysis, risk assessment and communication” (Brenner, 2007, p. 1). The CSO is responsible for developing and maintaining security policies and procedures (Brenner, 2007). These three areas work together to provide Marriott with reliable systems to meet the Company’s goals.

Step One – Conclusion

A high-level view of Marriott’s infrastructure and organization indicates that the Company is dedicated to designing and maintaining its systems in-house as much as possible. Dedicated departments identify needs, develop solutions, and maintain systems. Separate leaders oversee information systems, security, and privacy.

Step Two – Threat Identification Evidence

Several highly publicized attacks on Marriott and one notable natural disaster are documented. According to Bremner (2005), tapes containing personal information of 206,000 people were missing from Marriott’s Orlando office. Those affected were employees, timeshare owners, and timeshare customers. The article does not confirm whether the data was encrypted. Apparently the tapes were stolen from storage, as opposed to being intercepted in transit (Bremner, 2005).

In July 2009 the JW Marriott and the Ritz-Carlton hotels in Jakarta, Indonesia were the targets of a terrorist suicide bombing attack which killed at least nine people and injured 50 others. Marriott owns both of these hotels in Indonesia. The same JW Marriott hotel was also bombed in 2003, killing thirteen people. It is believed that at least one of the perpetrators of the 2009 attack was a guest at the Marriott hotel. In 2008 the Marriott hotel in Islamabad, Pakistan was attacked, killing 53 people and injuring more than 250 (Goldman, 2009).

Hurricane Katrina devastated 63 Marriott properties in the New Orleans area, wiping out infrastructure and destroying equipment, supplies, and integral data (Collett, 2008).

Step Two – Conclusion: Threat Statement

Marriott’s global presence and large, diverse staff expose the Company to many different threat sources. In addition, the very transient nature of the hotel industry predisposes the Company to a variety of threats. Threat sources include the following: “natural disasters, terrorist, industrial espionage, and acts perpetrated by disgruntled employees” (Stoneburner et al., NIST, 2001, p. 14).

Step Three – Vulnerability Identification Evidence

Vulnerabilities are divided into three categories for this report.

Category 1: Physical structures.

Physical exposure: Marriott’s presence extends to 66 countries and its 137,000 employees represent many of those countries. Marriott’s four primary regions outside of the United States are as follows: Asia/Pacific; Latin America, Caribbean, & Mexico; Europe; and Middle East & Africa (Marriott, 2010). Marriott’s upscale brands attract dignitaries and noteworthy guests. In addition, some hotels are located in tourist areas subject to natural disasters.

Category 2: Internal weaknesses.

Marriott’s vast and diverse employee base makes it highly susceptible to internal fraud and malicious acts by disgruntled employees.

Category 3: System vulnerabilities.

A combination of in-house solutions and open source software is used at Marriott. Its customer portal and reservation system, One Yield, were developed in-house (Thibodeau, 2005). In-house development carries inherent risks: access points that are inadequately secured; limited ability to identify and troubleshoot attacks; insufficient testing before real-time use; and terminated employees who take undocumented knowledge of the system with them. Furthermore, the system design could contain intentional flaws, planted to guarantee an employee’s job security or to compromise the system later.

Marriott has also developed its own data encryption tool for securing credit card numbers (CIO.com, 2007). Again, employees who know the design of a proprietary scheme increase the Company’s exposure, and it is likely that attackers will attempt to determine how these card numbers are encrypted. A scheme whose protection depends on keeping its algorithm secret, rather than on a key used with a published and reviewed cipher, is weaker for exactly this reason.

It is important to note that Higgins (2010) reports that hotels were the number one target for hackers in 2009. According to her article, “98 percent of targeted data was payment card information” (Higgins, 2010, p. 1). Most of the attacks were the result of compromised passwords and were performed from remote locations. Surprisingly, the breaches were not discovered for an average of 156 days (Higgins, 2010). Consider the ramifications of a hacker who has gained unauthorized access to Marriott’s network and goes unnoticed for five months.

Marriott’s web server runs Linux, which may reduce its exposure to Windows-specific malware. However, Linux is still susceptible to spyware and other attacks. Indeed, Mimoso (2003) states that even though Linux may not be vulnerable to “self-propagating viruses,” it is vulnerable to Trojan attacks (Mimoso, 2003, p. 1). Mimoso expresses a concern that more Linux vulnerabilities will surface as more companies switch to Linux, and that identifying the risks of Linux systems needs the same emphasis as the attention paid to Windows systems (Mimoso, 2003). Beaver (2009) also identifies Linux weaknesses, particularly due to oversight and lack of support: administrators focus on patching Windows applications and allocating resources to Windows support, while Linux systems run outdated software and are not properly maintained (Beaver, 2009).
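The in-house card encryption tool discussed under Category 3 is credited with letting staff reference a card’s activity without seeing the number. The following is an added example by the editor, not Marriott’s code (the design of Marriott’s tool is not public), showing one common way to obtain that property: vault-based tokenization. Because the token is random rather than derived from the card number with a secret algorithm, an insider who learns the design gains nothing to reverse, which addresses the concern raised above. The Luhn check, the role name payment-processor, and the card numbers are constructed for the example.

```python
"""Vault-based tokenization of payment card numbers.

Added example, not part of the original report and not Marriott's
system. It illustrates the property the report attributes to that
system: staff reference a card's activity through an opaque token that
reveals only the last four digits, while the PAN itself is held in a
restricted vault. The token is random, so there is no algorithm or key
for an insider to recover. Card numbers used here are constructed test
values, not real cards.
"""
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects malformed PANs before they are vaulted."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs; only the vault can reverse a token."""

    AUTHORISED_ROLES = {"payment-processor"}   # assumed role name

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    @staticmethod
    def normalise(pan: str) -> str:
        return pan.replace(" ", "").replace("-", "")

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight.

        The token carries the last four digits so staff can match it to a
        receipt or a guest's question; the other digits are never encoded
        in it, only stored in the vault.
        """
        pan = self.normalise(pan)
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]    # same card, same token
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the PAN; only the payment-processing role may do this."""
        if role not in self.AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


def display_form(token: str) -> str:
    """What a front-desk or call-center screen shows: a masked PAN."""
    return "**** **** **** " + token[-4:]


def leaks_pan(token: str, pan: str) -> bool:
    """Sanity check: the token must not contain the PAN beyond the last four."""
    return TokenVault.normalise(pan)[:-4] in token
```

The vault itself would live in a segregated, access-controlled system (the PCI DSS cardholder data environment); the reservation and call-center applications hold only tokens, which takes them out of scope for storing card numbers at all.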

Step Three – Conclusion: List of Vulnerabilities

Category                          Vulnerability
Physical, Internal, and System    Exposure to human threats and to natural disasters
Physical                          Control of assets
System                            Many access points; in-house developed software applications; network and Internet traffic; confidential information transmission

Table 1: List of Vulnerabilities

Step Four – Control Analysis Evidence

Published research provides little evidence on Marriott’s internal response to the stolen data tapes in 2005. Pariseau (2006b) reports only that Marriott notified the affected customers and offered them a one-year subscription to a credit monitoring service. Furthermore, Pariseau (2006a) indicated that legislation was pending that would require businesses which do not encrypt data to maintain secure, acceptable policies and procedures for transporting and storing it (Pariseau, 2006a). There are many companies specializing in secure data storage and transport. It is unclear whether Marriott utilizes such a service.

Marriott’s organizational structure provides management controls and indicates a commitment to IT. Aligning IT with business operations is the foundation for the Company’s strategy in identifying risk and developing solutions. Marriott is the recipient of numerous awards and accolades. For example, Marriott has received the annual CIO 100 award ten times and is often included in lists of the best-managed companies (Marriott, 2010). As previously mentioned, the organization employs a CIO, CSO, and CPO who all work together and, with the Company’s CEO, develop technological solutions (Brenner, 2007).

Marriott’s security strategy in Jakarta, Indonesia is similar to airport security. There are cameras, scanning devices, plexiglass windows, security professionals, a canine unit, and barricades surrounding the buildings (Public Intelligence, 2010). In addition, Marriott outsources security surveillance to a local provider. Marriott has installed a blast wall capable of withstanding approximately 10 tons of TNT. Finally, Marriott has implemented a “See Something, Say Something” program for communicating suspicious behavior (Public Intelligence, 2010).

Windle (2005) describes Marriott’s preparedness prior to Hurricane Katrina, which exemplifies the organization’s dedication to business continuity and disaster recovery planning. Marriott deployed an expert to the New Orleans area to gather the personnel and equipment needed for surviving the anticipated storm. Indeed, Marriott’s planning was pivotal to the survival of many people and to averting total disaster (Windle, 2005). The Company’s latest decision to lease an underground site for disaster recovery further supports its commitment to security and accountability.

Step Four – Conclusion: List of Existing Controls

Vulnerability                                                                          Control
Exposure to human threats and natural disasters                                        Increased physical security measures and devices; business continuity and disaster recovery planning
Control of assets                                                                      Unavailable.
Confidential data transmission through Internet and Intranet; many access points       SSL and firewalls (Marriott, 2010); in-house data encryption model (CIO.com, 2007)
In-house software development                                                          Unavailable.

Table 2: List of Existing Controls

Step Five – Likelihood Determination

Threat-Source – Likelihood of Successful Attack

Terrorist Attack: High. Marriott’s presence in high-risk areas, and a clientele that includes dignitaries, elites, and other prominent personnel, make its properties prime targets for anti-American terrorist groups.

Natural Disaster: Medium. Many properties are located in attractive tourist areas subject to hurricanes, tsunamis, earthquakes, and other uncontrollable disasters.

Data Theft: Low to Medium. This report presumes that Marriott has put sufficient measures in place in response to its data theft in 2005.

Network Hackers: Low to Medium. Unable to determine accurately. However, Marriott’s business volume, international customer base, and the dynamics of conducting business over the Internet indicate a low-to-medium likelihood of a successful attack. Best practices should always consider intrusion and interception at least a low-level likelihood; that is, never presume a network is 100% secure.

Internal Malicious Acts: Unable to determine. Public information suggests that Marriott is a positive and caring work environment. It is impossible to conclude whether employees would intentionally sabotage Marriott’s systems; there is no publicly available litigation or legal evidence to suggest otherwise.

Table 3: Likelihood of Attack


Step Six – Impact Analysis Evidence

Marriott is such a large corporation with so many stakeholders that it would take a disaster of extreme proportions to have a widespread effect. However, history reveals that a single organizational disaster can devastate the economy; consider the recent Congressional bailouts of large corporations and the collapse of Enron, Arthur Andersen, and others. It is therefore important to assess the impact a security attack would have on Marriott.

Step Six – Conclusion: Magnitude of Impact

Attack – Magnitude of Impact – Description

Terrorist: High. Loss of integrity, availability, and confidentiality. Any data breaches associated with a terrorist attack could result in highly sensitive information being transferred to terrorist groups. High probability of loss of lives, assets, and controls, and could prevent business continuity. Could also eliminate any possibility of disaster and data recovery.

Natural Disaster: Low to High, depending on the type and scale of the disaster. Loss of availability and confidentiality; depending on the site, could also include loss of integrity. Depending on the magnitude of the disaster, lives could be lost. Likely to lose assets. The ability to resume business and the status of disaster recovery depend on the scope of the disaster.

Data Theft: High. Loss of integrity, availability, and confidentiality. Marriott’s success relies heavily on its ability to secure data transmissions and to control access to confidential data.

Network Hackers: Low. Presumably Marriott’s systems are secured and designed in segments such that if one network is infected, the attack would remain isolated to that network. A publicized attack could negatively affect Marriott’s image.

Internal Attack: Medium. Could destroy the customized programs prevalent in Marriott’s environment. Loss of integrity, availability, and confidentiality.

Table 4: Magnitude of Impact


Step Seven – Risk Determination Evidence

To determine the risk level, the likelihood factor is multiplied by the impact value:

Threat Likelihood     Impact: Low (10)         Impact: Medium (50)       Impact: High (100)
High (1.0)            Low (10 x 1.0 = 10)      Medium (50 x 1.0 = 50)    High (100 x 1.0 = 100)
Medium (0.5)          Low (10 x 0.5 = 5.0)     Medium (50 x 0.5 = 25)    Medium (100 x 0.5 = 50)
Low (0.1)             Low (10 x 0.1 = 1.0)     Low (50 x 0.1 = 5.0)      Low (100 x 0.1 = 10)

Table 5: Risk Level Matrix

Risk Scale: High (> 50 to 100); Medium (> 10 to 50); Low (1 to 10)

Source: NIST (2001), Risk Management Guide for Information Technology Systems, p. 25

Step Seven – Conclusion: Risk Level Factors

Threat             Threat Likelihood   Impact   Risk Level
Terrorist          1.0                 100      100.0  High
Natural Disaster   0.5                 50       25.0   Medium
Data Theft         0.1                 100      10.0   Low
Network Hackers    1.0                 10       10.0   Low
Internal Attack    0.5                 50       25.0   Medium

Table 6: Risk Levels

Examining these results, Marriott has an overall medium risk level: the average risk value is (100 + 25 + 10 + 10 + 25) / 5 = 170 / 5 = 34, which falls in the medium band. Data theft and network hackers score 10.0, the upper boundary of the low band, so a small increase in either factor would move them to medium. Note also that the likelihood factor of 1.0 assigned to network hackers here is higher than the low-to-medium rating given in Table 3; with a factor of 0.5 the risk level would be 5.0, still low.
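The matrix is small enough to run as a program. The following is an added example written for this edition of the report, not part of the original, using only the NIST likelihood factors, impact values, and bands stated in Table 5. It scores the five threats with the ratings of Table 6 (a Medium likelihood against a Medium impact gives 0.5 x 50 = 25, Medium), averages them, and lists the threats sitting on the upper edge of the Low band:

```python
"""NIST SP 800-30 risk-level matrix applied to the report's five threats.

Added example, not part of the original report. It implements the
likelihood x impact matrix of Table 5 and the Low/Medium/High bands of
the risk scale, then scores the threats with the ratings of Table 6.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood factors and impact values of the NIST matrix (Table 5).
LIKELIHOOD: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: float, impact: int) -> float:
    """Risk = likelihood factor x impact value, rounded to avoid float noise."""
    return round(likelihood * impact, 2)


def risk_band(score: float) -> str:
    """Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10).

    Each boundary belongs to the lower band, so 10 is Low and 50 is
    Medium; that matters for the threats scoring exactly 10.
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Rebuild Table 5: (likelihood, impact) -> (score, band) for all nine cells."""
    cells = {}
    for lk, lf in LIKELIHOOD.items():
        for im, iv in IMPACT.items():
            score = risk_score(lf, iv)
            cells[(lk, im)] = (score, risk_band(score))
    return cells


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # "High", "Medium" or "Low"
    impact: str      # "High", "Medium" or "Low"


# The five threats with the likelihood and impact ratings used in Table 6.
THREATS: List[Threat] = [
    Threat("Terrorist", "High", "High"),
    Threat("Natural Disaster", "Medium", "Medium"),
    Threat("Data Theft", "Low", "High"),
    Threat("Network Hackers", "High", "Low"),
    Threat("Internal Attack", "Medium", "Medium"),
]


def assess(threats: List[Threat]) -> List[Tuple[str, float, str]]:
    """Score and band each threat; returns (name, score, band) rows."""
    rows = []
    for t in threats:
        score = risk_score(LIKELIHOOD[t.likelihood], IMPACT[t.impact])
        rows.append((t.name, score, risk_band(score)))
    return rows


def overall_risk(rows: List[Tuple[str, float, str]]) -> Tuple[float, str]:
    """Mean of the individual scores, banded on the same scale."""
    mean = round(sum(score for _, score, _ in rows) / len(rows), 2)
    return mean, risk_band(mean)


def at_upper_edge(rows: List[Tuple[str, float, str]], band: str = "Low") -> List[str]:
    """Threats whose score sits exactly on the top of a band (10 for Low, 50 for Medium)."""
    upper = {"Low": 10, "Medium": 50}[band]
    return [name for name, score, b in rows if b == band and score == upper]


if __name__ == "__main__":
    rows = assess(THREATS)
    for name, score, band in rows:
        print(f"{name:17} {score:6.1f}  {band}")
    print("overall:", overall_risk(rows))
    print("at top of Low band:", at_upper_edge(rows))
```

Changing a single rating in THREATS and re-running shows how sensitive the overall band is to the judgment calls in Tables 3 and 4, which is the point of recording the factors explicitly rather than only the final band.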

Step Eight – Control Recommendations Evidence

Effgen (2002) classifies controls as those designed to prevent, limit, or detect and respond to threats. Controls may be technological, management, operational, or supportive. Once weaknesses are identified, organizations develop controls, evaluate their cost-effectiveness, and determine which methods to adopt. Often the decision is tied to the organizational goals as well as the impact on the current state and available resources (Effgen, 2002). In Marriott’s case, the company is committed to providing hospitality services around the world. Its desire is to be an inclusive organization, socially and environmentally responsible, and to provide brands that range from meeting basic needs to luxurious accommodations (Marriott, 2010).

The Common Weakness Enumeration (CWE), maintained by MITRE and sponsored by the U.S. Department of Homeland Security, catalogs the security weaknesses to which home-grown software is susceptible. During the software development lifecycle it is advantageous to use proven, vetted security libraries and frameworks rather than writing one’s own. This prevents re-inventing a framework that has failed in the past, or introducing even more vulnerabilities (CWE, 2010).


Step Eight – Conclusion: Control Recommendations and Alternative Solutions to Mitigate Risk

Threat – Control – Alternative

Terrorist Attack
Control: In high-risk areas, implement stricter security checkpoints. Security education for employees. Limited open spaces, such as lobbies and other common areas. Offsite data storage. Secured Wi-Fi which enables the network provider to identify users on the network.
Alternative: Marriott may want to employ its own security personnel in third-world or other vulnerable sites. Its “own” personnel may be more diligent and must respond to Marriott standards, rather than local standards. This involves extensive training and development programs which Marriott may not be able to support.

Natural Disaster
Control: In high-risk areas develop a business continuity and disaster recovery plan. Marriott has evidence of recognizing and preparing for imminent disasters. Offsite data storage. Response teams specializing in data security and recovery.
Alternative: Isolated, regional data centers which monitor and physically control data residing in high-risk areas. This is a segmented, or layered, approach. Data would be transported to safer ground.

Data Theft
Control: A dedicated commitment to educating employees on proper handling, transportation, and storage of secured data. Spot checks by the CSO and CPO to ensure compliance. Disciplinary action for non-compliance. Marriott uses its own award-winning data encryption model.
Alternative: Engage the services of a reputable company specializing in secured data transport and storage. Marriott would relinquish physical control of the data and would need to evaluate the integrity and reliability of the provider.

Network Hackers
Control: Implement secure firewalls and stricter password requirements. Increase authentication to include two or three factors. Require users to change their passwords to a unique password regularly. Ensure only active employees have access and that access is granted on a need-to-know basis. Continuous server monitoring for hackers and any unusual activities. Put in place procedures for securing the server if unusual activity is spotted.
Alternative: Outsourcing or employing a service to scan and monitor Internet and network activity. Based on the evidence gathered, Marriott’s organizational structure, coupled with its ability to design software solutions, indicates that the Company is IT savvy, although the scope of its operations may be a challenge even to its knowledge base.

Internal Attacks
Control: Implement performance assessment criteria that include employee compliance with Company IT policies and procedures. Employees should be required to change passwords regularly, abide by acceptable computing standards, and refrain from visiting questionable websites, and access should be granted on a need-to-know basis. Additionally, the security access matrix should be reviewed regularly and updated to ensure terminated employees no longer have access. Educate employees on safe computing practices and recognizing viruses, worms, and Trojan horses.
Alternative: Restrict remote access to only a select group of users. This may inhibit productivity and employee resourcefulness. Disallow the use of personally-owned mobile devices.

Table 7: Control Recommendations and Alternative Solutions
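The review of the security access matrix recommended under Internal Attacks (and the “only active employees have access” control under Network Hackers) is the one item in Table 7 that reduces to a mechanical check. The following added example, written by the editor and not part of the report, reconciles an account export against the HR roster and flags enabled accounts whose owner is terminated or unknown to HR, passwords older than the rotation policy, and dormant accounts. The roster, the account list, and the 90-day and 120-day policy values are constructed for the example:

```python
"""Access review: reconcile system accounts against the HR roster.

Added example, not part of the original report. It performs the review
recommended under Internal Attacks: compare enabled accounts with HR
status and flag (1) accounts whose owner is terminated or unknown to HR,
(2) passwords older than the rotation policy, and (3) dormant accounts.
The roster, the account export and the policy values are constructed
sample data, not Marriott's.
"""
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed HR export: one row per employee.
HR_CSV = """\
employee_id,name,status,termination_date
E100,A. Smith,active,
E101,B. Jones,terminated,2010-02-15
E102,C. Lee,active,
E103,D. Patel,terminated,2009-11-30
"""

# Constructed account export (directory or application). svc_marsha is a
# service account with no HR owner, which the review should surface too.
ACCOUNTS_CSV = """\
username,employee_id,enabled,last_login,password_last_set
asmith,E100,true,2010-03-29,2010-01-10
bjones,E101,true,2010-03-01,2009-12-01
clee,E102,true,2009-10-02,2009-09-01
dpatel,E103,false,2009-11-20,2009-06-01
svc_marsha,,true,2010-03-30,2008-05-05
"""

PASSWORD_MAX_AGE_DAYS = 90   # assumed rotation policy
DORMANT_DAYS = 120           # assumed inactivity threshold

Row = Dict[str, str]


def parse_csv(text: str) -> List[Row]:
    return list(csv.DictReader(io.StringIO(text)))


def _enabled(rows: List[Row]) -> List[Row]:
    return [a for a in rows if a["enabled"].strip().lower() == "true"]


def _age_days(today: date, iso_date: str) -> int:
    return (today - date.fromisoformat(iso_date)).days


def orphaned_accounts(hr_rows: List[Row], account_rows: List[Row]) -> List[str]:
    """Enabled accounts whose employee is not 'active' in HR: terminated
    staff, or accounts with no employee id at all (unowned service accounts)."""
    status = {r["employee_id"]: r["status"] for r in hr_rows}
    return [a["username"] for a in _enabled(account_rows)
            if status.get(a["employee_id"]) != "active"]


def stale_passwords(account_rows: List[Row], today: date,
                    max_age: int = PASSWORD_MAX_AGE_DAYS) -> List[str]:
    """Enabled accounts whose password is older than the policy allows."""
    return [a["username"] for a in _enabled(account_rows)
            if _age_days(today, a["password_last_set"]) > max_age]


def dormant_accounts(account_rows: List[Row], today: date,
                     limit: int = DORMANT_DAYS) -> List[str]:
    """Enabled accounts with no login within the inactivity window."""
    return [a["username"] for a in _enabled(account_rows)
            if _age_days(today, a["last_login"]) > limit]


def access_review(hr_csv: str = HR_CSV, accounts_csv: str = ACCOUNTS_CSV,
                  today: date = date(2010, 3, 31)) -> Dict[str, List[str]]:
    """Run all three checks and return the findings by category."""
    hr = parse_csv(hr_csv)
    accounts = parse_csv(accounts_csv)
    return {
        "orphaned": orphaned_accounts(hr, accounts),
        "stale_password": stale_passwords(accounts, today),
        "dormant": dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    for category, names in access_review().items():
        print(f"{category:15} {', '.join(names) or '-'}")
```

The orphaned list is the one to act on first: a terminated employee’s still-enabled account is exactly the access the table says must be removed, and a service account with no recorded owner should be assigned one before the next review rather than silently excluded.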


Step Nine – Risk Assessment Report: Summary

The information gathered throughout this report is a high-level assessment of Marriott International, Inc. using information available to the public. Based on the evidence gained, Marriott appears to be subject to serious physical attacks, although, in the scope of its business operations, the probability and impact of these attacks would not immediately jeopardize its financial position. Marriott’s image and business practices would, however, suffer damage. Marriott appears to be proactive in developing and implementing controls to guard against attacks.

Due to the limited information available, it is difficult to determine system vulnerability. However, there are inherent risks associated with in-house developed solutions. For example, an in-house solution may not contain sufficient security and audit controls. Moreover, employees who develop solutions may leave the company for more lucrative offers elsewhere, and system support may suffer as a result.

This risk assessment report on Marriott International, Inc. provides a basis for identifying risks and developing controls. Marriott’s ample resources and dedication to customer satisfaction promote rapid responses to attacks. Finally, published acknowledgements of Marriott’s success in information technology and its innovative approaches to disaster recovery and credit card data encryption make Marriott a reputable leader in the hospitality industry.
