Running head: MARRIOTT INTERNATIONAL, INC
advertisement
Marriott International Running head: MARRIOTT INTERNATIONAL, INC. Marriott International, Inc. Risk Assessment Report Cynthia P. Lyons University of Maryland University College Graduate School of Management and Technology INFA6109040 March 31, 2010 1 Marriott International 2 Abstract Marriott International, Inc. is a global leader in the hospitality industry offering thousands of hotels, resorts, and conference centers. Marriott’s brands have evolved over the years, providing more styles of accommodations, ranging from the casual to the very elegant. In addition to its stature in the hospitality business, Marriott is very successful in the technology sector. This risk assessment report analyzes Marriott International, Inc. using the model provided in Section 3 of the NIST Risk Management Guide for Information Technology Systems. The scope for this report includes physical threats and cyber threats to the company’s infrastructure. The analysis uses documented attacks as well as possible vulnerabilities based on conclusions derived from published materials. This report is not intended to analyze specific Marriott internal processes, but rather to provide a high-level overview of Marriott’s infrastructure and customer portal. Marriott’s use of innovative data encryption and their unique disaster recovery plan lend support to their success. Using information available to the general public, the risk assessment examines Marriott’s operating system and website architecture and includes the author’s suggestions for mitigating risks. Keywords: Marriott, information technology, security, risk, risk assessment Marriott International Table of Contents Abstract………………………………………........................................................... 2 Executive Summary………………………………………………………………… 4 Company Profile……………………………………………………………………. 5 Information Technology……………………………………………………………. 5 Risk Assessment……………………………………………………………………. 6 Step One – System Characterization Evidence…………………………………. 6 Step One – Conclusion………………………………………………………….. 7 Step Two – Threat Identification Evidence……………………………………... 7 Step Two – Conclusion: Threat Statement……………………………………... 8 Step Three – Vulnerability Identification Evidence…………………………….. 8 Step Three – Conclusion: List of Vulnerabilities………………………………. 10 Table 1: List of Vulnerabilities………………………………………………… 10 Step Four – Control Analysis Evidence………………………………………… 10 Step Four – Conclusion: List of Existing Controls…………….………………. 12 Table 2 – List of Existing Controls…………………………………………….. 12 Step Five – Likelihood Determination………………………………………….. 12 Table 3 – Likelihood of Successful Attacks…………………………………….. 12 Step Six – Impact Analysis Evidence…………………………………………… 13 Step Six – Conclusion: Magnitude of Impact…………………………………... 13 Table 4 – Magnitude of Impact…………………………………………………. 13 Step Seven – Risk Determination Evidence…………………………………….. 14 Table 5 – Risk Level Matrix……………………………………………………... 14 Step Seven – Conclusion: Risk Level Factors………………………………….. 14 Table 6 – Risk Levels…………………………………………………………… 14 Step Eight – Control Recommendations Evidence……………………………... 14 Step Eight – Conclusion: Control Recommendations and Alternatives………... 16 Table 7 – Control Recommendations and Alternatives…………………………. 16 Step Nine – Risk Assessment Report: Summary………….…………………… 18 References…………………………………………………………………………... 19 3 Marriott International 4 Executive Summary The following risk assessment report presents a high-level evaluation of Marriott International, Inc. The purpose is to identify potential physical, technical, and operational weaknesses in Marriott’s corporate structure. The scope of this report includes defining Marriott’s organization and technology infrastructure. Using this information, weaknesses, threats, and risks are identified. This report follows the model used by the National Institute of Standards and Technology (NIST), co-authored by Gary Stoneburner, Alice Goguen, and Alexis Feringa, and published in 2001. The report contains a risk analysis using the matrix proposed by the NIST. Using the calculated risk levels, the report addresses recommended controls and alternatives to mitigating risk. The NIST model lists nine steps to developing a comprehensive risk assessment report. Data in the NIST format is presented as inputs, using methods such as questionnaires, interviews, and access to company files. Subsequently, defined outputs are created at the completion of each step. This report deviates from the NIST standard approach and replaces the input-output methodology with the author’s developed evidence-conclusion methodology. At the completion of each step (gathering evidence) is a conclusion similar to the NIST’s output definition. Finally, it is important to note that all information supplied in this report is freely available on the Internet. Therefore, some assumptions are made by the author. This report is not intended to provide conclusive evidence as to Marriott’s exposure to risk. Rather, this report focuses on known issues and can be used as a starting point for a more in-depth, sustainable document. Marriott International 5 Company Profile Marriott International, Inc. (―Company‖) is a leading hotelier with several thousand hotels located around the globe. The Company began business in 1927 as a small root beer stand and has evolved into a respected leader in the hospitality industry. Indeed, Marriott is considered to be one of the best places to work and the most admired company in the industry (Marriott, 2010). In 2009, the Company employed 137,000 employees and reported sales revenue of $10.9 billion (Hoovers, 2010). Marriott possesses over 17 brands (Marriott, 2010). Information Technology Overby (2003) reports that Marriott has developed solutions to accommodate its business needs during sluggish economic times. Marriott’s Automated Reservations System for Hotel Accommodations (Marsha) was overhauled in the late 1990’s to meet the increasing needs of customer-driven online reservations. The customer portal has recently been re-engineered and introduced. Behind the scenes, the Company has merged its systems together so that one system manages all of its brands. Marsha now connects to customers, partners, and suppliers and is comprised of over 6,000 programs (Overby, 2003). Marriott invested significant resources to replace processors needed to support Marsha. The Call Center was also upgraded to a Windowsbased system called Merlin, which handles several million dollars in reservations (Overby, 2003). Marriott’s success is also a result of its focus on aligning IT and business operations. Indeed, IT personnel are savvy about cost-saving metrics and operations personnel are knowledgeable about company IT programs. Seventy-five percent of Marriott’s rooms are booked online, saving $12 million annually (Overby, 2003). The company’s efforts have paid off well. For example, in 2007 Marriott received an award for its in-house system developed to Marriott International 6 encrypt credit card numbers so that employees can reference customer card activity without knowing the actual card number (CIO.com, 2007). Marriott is gaining more publicity as its disaster recovery innovations are revealed. Sliwa (2008) describes the Company’s plan to retake ownership of its disaster recovery program. Previously, the program was outsourced. In 2009 the company was expected to open its Recovery and Development Center (RDC). The RDC is a 12,500 square foot facility located 220 feet underground, north of Pittsburgh. Marriott plans to use virtual servers for monitoring and managing the facility (Sliwa, 2008). Risk Assessment Step One – System Characterization Evidence Marriott Headquarters are located in Bethesda, Maryland. One system is used to manage reservations for all of Marriott’s brands. Internet. The IP address for Marriott.com is owned by Akamai Technologies (ARIN, 2010). The net type is direct allocation. Server operating system. Linux (netcraft.com, 2010). The site is queried daily with up-to-date results, as of March 28, 2010. Reservation/revenue management system. One Yield is an in-house system designed to merge and replace two inefficient systems. The system utilizes ―J2EE architecture, IBM’s WebSphere, and Actuate Corp.’s reporting tool‖ (Thibodeau, 2005, p.1). Marriott International 7 Human resource/time-tracking system. PeopleSoft solutions are used for tracking projects, labor costs, and other related expenses (Overby, 2003). Disaster recovery system. Recovery and Development Center (RDC) is located 220 feet underground, north of Pittsburgh. Marriott can monitor activity remotely using virtualization. Organizational chart. The NIST model addresses management responsibility in risk assessment (Stoneburner, et al., NIST, 2001). Marriott’s corporate structure supports the NIST’s recommendations. In addition to a CIO, Marriott employs a chief privacy officer (CPO) and a chief security officer (CSO). The CPO is responsible for addressing privacy needs and resolving issues. Responsibilities include ―gap analysis, risk assessment and communication‖ (Brenner, 2007, p.1). The CSO is responsible for developing and maintaining security policies and procedures (Brenner, 2007). These three areas work together to provide Marriott with reliable systems to meet the Company’s goals. Step One – Conclusion A high-level view of Marriott’s infrastructure and organization indicates that the Company is dedicated to designing and maintaining its systems in-house as much as possible. Dedicated departments identify needs, develop solutions, and maintain systems. Separate leaders oversee information systems, security, and privacy. Step Two – Threat Identification Evidence There have been two highly publicized attacks on Marriott and one notable natural disaster. According to Bremner (2005) tapes containing personal information of 206,000 people Marriott International 8 were missing from Marriott’s Orlando office. Those affected were employees, timeshare owners, and timeshare customers. The article cannot confirm if the data was encrypted. Apparently the tapes were stolen from storage, as opposed to being intercepted during transit (Bremner, 2005). In July 2009 the JW Marriott and the Ritz-Carlton hotels in Jakarta, Indonesia were the targets of a terrorist suicide bombing attack which killed at least nine people and injured 50 others. Marriott owns both of these hotels in Indonesia. Also, in 2003 the same JW Marriott hotel was bombed, killing thirteen people. It is believed that at least one of the perpetrators in the 2009 attack was a guest at the Marriott hotel. In 2003 a Marriott hotel in Pakistan was attacked, killing 53 people and injuring more than 250 people (Goldman, 2009). Hurricane Katrina devastated 63 Marriott properties in the New Orleans area, wiping out infrastructures and destroying equipment, supplies, and integral data (Collett, 2008). Step Two- Conclusion: Threat Statement Marriott’s global presence and large, diverse staff expose the Company to many different threat sources. In addition, the very transient nature of the hotel industry predisposes the Company to a variety of threats. Threat sources include the following: ―natural disasters, terrorist, industrial espionage, and acts perpetrated by disgruntled employees‖ (Stoneburner, et al., NIST, 2001, p. 14). Step Three – Vulnerability Identification Evidence Vulnerabilities are divided into three categories for this report. Category 1: Physical structures. Physical exposure: Marriott’s presence extends to 66 countries and their 137,000 employees represent many of those countries. Marriott’s four primary regions outside of the Marriott International 9 United States are as follows: Asia/Pacific; Latin America, Caribbean, & Mexico; Europe; and Middle East & Africa (Marriott, 2010). Marriott’s upscale brands attract dignitaries and noteworthy guests. In addition, some hotels are located in tourist areas subject to natural disasters. Category 2: Internal weaknesses. Marriott’s vast and diverse employee base make it highly susceptible to internal fraud and malicious acts by disgruntled employees. Category 3: System vulnerabilities. A combination of in-house solutions and open source software are used at Marriott. Their customer portal and reservation system, One Yield, were developed in-house (Thibodeau, 2005). Because this was developed by Marriott, there are inherent risks: inadequate security to protect access points; identifying and troubleshooting attacks; insufficient testing and real-time use; and terminated employees who take their knowledge with them. Furthermore, the system design could contain intentional flaws, which might guarantee an employee’s job security, or compromise the system. Marriott has also developed its own data encryption tool for securing credit card numbers (CIO.com, 2007). Again, employees possessing this proprietary information increase the Company’s vulnerabilities. Moreover, it is likely that people will attempt to determine how these card numbers are encrypted. It is important to note that Higgins (2010) reports that hotels were the number one target for hackers in 2009. According to her article, ―98 percent of targeted data was payment card information‖ (Higgins, 2010, p.1). Most of the attacks were the result of compromised passwords and performed from remote locations. Surprisingly, the breaches were not Marriott International 10 discovered for an average of 156 days (Higgins, 2010). Consider the ramifications of a hacker who has gained unauthorized access to Marriott’s network and goes unnoticed for five months. Marriott’s web server operates using Linux, which may reduce vulnerabilities. However, Linux is susceptible to spyware and other attacks. Indeed, Mimoso (2003) states that even though Linux may not be vulnerable to ―self-propagating viruses,‖ it is vulnerable to Trojan attacks (Mimoso, 2003, p.1). Mimoso expresses a concern that Linux vulnerabilities may surface as more companies switch to Linux. There needs to be more emphasis on identifying the risks of Linux systems, similar to the attention paid to Windows systems (Mimoso, 2003). Beaver (2009) also identifies Linux weaknesses, particularly due to oversight and lack of support. Administrators are more focused on patching Windows applications and allocating resources to Windows support. Meanwhile, Linux systems are using outdated software and not properly maintained (Beaver, 2009). Step Three – Conclusion: List of Vulnerabilities Category Vulnerability Physical, Internal, and System Physical Exposure to human threats and to natural disasters Control of assets System Many access points; in-house developed software applications; network and Internet traffic; confidential information transmission Table 1: List of Vulnerabilities Step Four – Control Analysis Evidence Research does not provide evidence on Marriott’s response to the stolen data tapes in 2005. Pariseau (2006b) reports that Marriott notified the affected customers and offered them a one year subscription to a credit monitoring service. Furthermore, Pariseau (2006a) indicated Marriott International 11 that legislation is pending requiring businesses which do not encrypt data to provide secure, acceptable policies and procedures for transporting and storing data (Pariseau, 2006a). There are many companies specializing in secure data storage and transport. It is unclear whether Marriott utilizes such a service. Marriott’s organizational structure provides management controls and indicates a commitment to IT. Aligning IT with business operations is the foundation for the Company’s strategy in identifying risk and developing solutions. Marriott is the recipient of numerous awards and accolades. For example, Marriott has received the annual CIO 100 award ten times and is often included in lists of the best-managed companies (Marriott, 2010). As previously mentioned, the organization employs a CIO, CSO, and CPO who all work together and, with the Company’s CEO, develop technological solutions (Brenner, 2007). Marriott’s security strategy in Jakarta, Indonesia is similar to airport security. There are cameras, scanning devices, plexiglass windows, security professionals, a canine unit, and barricades surrounding the buildings (Public Intelligence, 2010). In addition, Marriott outsources security surveillance to a local provider. Marriott has installed a blast wall, capable of withstanding approximately 10 tons of TNT. Finally, Marriott has implemented a ―See Something, Say Something‖ program for communicating suspicious behavior (Public Intelligence, 2010). Windle (2005) describes Marriott’s preparedness prior to Hurricane Katrina, which exemplifies the organization’s dedication to business continuity and disaster recovery planning. Marriott deployed an expert to the New Orleans area to gather personnel and equipment needed for surviving the anticipated storm. Indeed, Marriott’s planning was pivotal to the survival of many people and diverting total disaster (Windle, 2005). The Company’s latest decision to lease Marriott International 12 an underground site for disaster recovery further supports their commitment to security and accountability. Step Four – Conclusion: List of ExistingControls Vulnerability Control Exposure to human threats and natural disasters Increase physical security measures and devices; business continuity and disaster recovery planning Unavailable. Control of Assets Confidential data transmission through Internet and Intranet; many access points In-house software development Table 2: List of Existing Controls SSL and firewalls (Marriott, 2010); in-house data encryption model (CIO.com, 2007) Unavailable. Step Five – Likelihood Determination Threat-Source Likelihood of Successful Attack High – Marriott’s presence in high-risk areas and since their clientele includes dignitaries, elite, and other prominent personnel, this makes their properties prime targets for anti-American terrorist groups. Natural Disaster Medium – Many properties are located in attractive tourist areas subject to hurricanes, tsunamis, earthquakes, and other uncontrollable disasters Data Theft Low to Medium – This report presumes that Marriott has put into place sufficient measures as a response to its data theft in 2005. Network Hackers Low to Medium – Unable to accurately determine. However, Marriott’s business volume, international customer base, and the dynamics of conducting business over the Internet indicate a low-to-medium likelihood of a successful attack. Best practices should always consider intrusion and interception at least a low level likelihood. That is, never presume a network is 100% secure. Internal Malicious Unable to determine. Public information surmises that Marriott is a Acts positive and caring work environment. It is impossible to conclude whether employees would intentionally sabotage Marriott’s systems. There is no publicly available litigation information or legal evidence to suggest otherwise. Table 3: Likelihood of Attack Terrorist Attack Marriott International 13 Step Six – Impact Analysis Evidence Marriott is such a large corporation with so many stakeholders, that it would take a disaster of extreme proportions to have a widespread effect. However, history reveals that single organizational disasters can devastate the economy. Consider the recent Congressional bailouts of large corporations and the abolition of Enron, Arthur Andersen, and others. It is important to assess the impact a security attack would have on Marriott. Step Six – Magnitude of Impact Attack Terrorist Magnitude of Impact High Natural Disaster Low to High depending on type and scale of disaster Data Theft High Network Hackers Low Internal Attack Medium Table 4: Magnitude of Impact Description Loss of Integrity, Availability, and Confidentiality. Any data breaches associated with a terrorist attack could result in highly sensitive information transferred to terrorist groups. High probability of loss of lives, assets, controls, and could prevent business continuity. Could also eliminate any possibilities of disaster and data recovery. Loss of availability and confidentiality. Depending on site, could also include loss of integrity. Depending on the magnitude of the disaster, lives could be lost. Likely to lose assets. Inability to resume business and status of disaster recovery depends on the scope of the disaster. Loss of Integrity, Availability, and Confidentiality. Marriott’s success relies heavily on its abilities to secure data transmissions and to control access to confidential data. Presumably Marriott’s systems are secured and designed in segments such that if one network is infected, the attack would remain isolated to that network. A publicized attack could negatively affect Marriott’s image. Could destroy the customized programs prevalent in Marriott’s environment. Loss of Integrity, Availability, and Confidentiality. Marriott International 14 Step Seven – Risk Determination – Evidence To determine risk level: Threat Likelihood Impact Low (10) Medium (50) High (100) High (1.0) Low 10 X 1.0 = 10 Medium 50 X 1.0=50 High 100 X 1.0 = 100 Medium (0.5) Low 10 X 0.5 = 5.0 Medium 50 X 0.5 = 25 Medium 100 X 0.5 = 50 Low (0.1) Low 10 X 0.1 = 1.0 Low 50 X 0.1 = 5.0 Low 100 X 0.1 = 10 Table 5: Risk Level Matrix Risk Scale: High (> 50 to 100); Medium (>10 to 50); Low (1 to 10) Source: NIST (2001), Risk Management Guide for Information Technology Systems, p. 25 Step Seven – Conclusion: Risk Level Factors Threat Threat Impact Likelihood Terrorist 1.0 100 Natural Disaster 0.5 50 Data Theft 0.1 100 Network Hackers 1.0 10 Internal Attack 0.5 50 Table 6: Risk Levels Risk Level 100.0 25.0 10.0 10.0 10.0 High Medium Low Low Low Examining these results it appears that Marriott has an overall medium risk level. The overall average risk value is 155/5 = 31. The three areas with risk levels of 10.0 are approaching a medium risk factor. Step Eight – Control Recommendations Evidence Effgen (2002) classifies controls designed to prevent, limit, and detect and respond to threats. Controls may be technological, management, operational, or supportive. Once weaknesses are identified, organizations develop controls, evaluate the cost – effectiveness, and determine which methods to adopt. Often the decision is tied to the organizational goals as well Marriott International 15 as the impact on the current state and available resources (Effgen, 2002). In Marriott’s case, the company is committed to providing hospitality services around the world. Their desire is to be an inclusive organization, socially and environmentally responsible, and to provide brands that meet the basic needs to luxurious accommodations (Marriott, 2010). The U.S. Department of Homeland Security hosts a website titled Common Weakness Enumeration (CWE). According to their site, home grown software is susceptible to security weaknesses. During the software development lifecycle it is advantageous to use proven security methods and models available in libraries. This prevents re-inventing a framework that has failed in the past, or introducing even more vulnerabilities (CWE, 2010). The Conclusion for Step Eight begins on the next page. Marriott International 16 Step Eight – Conclusion: Control Recommendations and Alternative Solutions to Mitigate Risk Threat Control Alternative Terrorist Attack In high risk areas, implement stricter security checkpoints. Security education for employees. Limited open spaces, such as lobbies and other common areas. Offsite data storage. Secured Wi Fi which enables the network provider to identify users on the network. In high risk areas develop a business continuity and disaster recovery plan. Marriott has evidence of recognizing and preparing for imminent disasters. Offsite data storage. Response teams specializing in data security and recovery. A dedicated commitment to educating employees on proper handling, transportation, and storage of secured data. Spot checks by the CSO and CPO to ensure compliance. Disciplinary action for non-compliance. Marriott uses its own award-winning data encryption model. Implement secure firewalls and stricter password requirements. Increase authentication to include two or three factors. Require users to change their passwords to a unique password regularly. Ensure only active employees have access and access is granted on a need to know basis. Marriott may want to employ its on security personnel in third-world or other vulnerable sites. Their ―own‖ personnel may be more diligent and must respond to Marriott standards, rather than local standards. Involves extensive training and development programs which Marriott may not be able to support. Natural Disaster Data Theft Network Hackers Isolated, regional data centers which monitor and physically control data residing in high risk areas. This is a segmented, or layered, approach. Data would be transported to safer ground. Engage the services of a reputable company specializing in secured data transport and storage. Marriott would relinquish physical control of the data and would need to evaluate the integrity and reliability of the provider. Outsourcing or employing a service to scan and monitor Internet and network activity. Based on the evidence gathered, Marriott’s organizational structure, coupled with its ability to design software solutions, indicates that the Company is IT savvy. Although, the scope of their operations may be a challenge even to Marriott International Continuous server monitoring for hackers and any unusual activities. Put in place procedures for securing the server if unusual activity is spotted. Implement performance assessment criteria that Internal Attacks include employee compliance with Company IT policies and procedures. Employees should be required to change passwords regularly, abide by acceptable computing standards, refrain from visiting questionable websites, and access should be granted on a need to know basis. Additionally, the security access matrix should be reviewed regularly and updated to ensure terminated employees no longer have access. Educate employees on safe computing practices and recognizing viruses, worms, and Trojan horses. Table 7: Control Recommendations and Alternative Solutions 17 their knowledge base. Restrict remote access to only a select group of users. This may inhibit productivity and employee resourcefulness. Disallow the use of personally-owned mobile devices. Marriott International 18 Step Nine – Risk Assessment Report: Summary The information gathered throughout this report is a high-level assessment of Marriott International, Inc. using information available to the public. Based on the evidence gained, Marriott appears to be subject to serious physical attacks. Although, in the scope of their business operations, the probability and impact of these attacks would not immediately jeopardize its financial position. However, Marriott’s image and business practices would suffer damages. Marriott appears to be proactive in developing and implementing controls to guard against attacks. Due to the limited information available, it is difficult to determine system vulnerability. However, there are inherent risks associated with in-house developed solutions. For example, an in-house solution may not contain sufficient security and audit controls. Moreover, employees who develop solutions may leave the company for more lucrative offers elsewhere. Thus, system support may suffer. This risk assessment report on Marriott International, Inc. provides a basis for identifying risks and developing controls. Marriott’s ample resources and dedication to customer satisfaction promote rapid responses to attacks. Finally, published acknowledgements of Marriott’s success in information technology and their innovative approaches to disaster recovery and credit card data encryption make Marriott a reputable leader in the hospitality industry. Marriott International 19 References Beaver, K. (2009). Expert tips for eliminating linux security risks. TechTarget. Retrieved March 22, 2010 from http://viewer.media.bitpipe.com/978030848_42/1257194670_442/sElinuxPocketEguide_ Security.pdf Bremner, K. (2005). Marriott notifies 206,000 of data breach. DMNews. Retrieved February 28, 2010 from http://www.dmnews.com/marriott-notifies-206000-of-databreach/article/89808/ Brenner, B. (2007). Experts: Privacy and security officers living in silos. SearchSecurity.com. Retrieved February 10, 2010 from http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1282982,00.html CIO.com (2007). 2007 Winner profile Marriott International. CIO. Retrieved February 16, 2010 from http://www.cio.com/cio100/detail/1717 Collett, S. (2008). Disaster survivor: Marriott tested by tragic events. Computerworld. Retrieved March 26, 2010 from http://www.computerworld.com/s/article/314240/Marriott_International Common Weakness Enumeration.. (2010). 2010 CWE/SANS Top 25: Monster mitigations. Retrieved February 17, 2010 from http://cwe.mitre.org/top25/mitigations.html Effgen, C. (2002). Mitigating risk/threat of terrorism and other risks. Retrieved March 1, 2010 from http://www.disastercenter.com/terror/0_risk.htm#Risk Mitigation Goldman, R. (2009). Are U.S.-owned hotels terror targets? ABC/News. Retrieved March 26, 2010 from http://abcnews.go.com/Business/story?id=8112518&page=1 Marriott International 20 Higgins, K.J. (2010). Hospitality industry hit hardest by hacks. DarkReading. Retrieved March 11, 2010 from http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?article ID=222601178 Hoovers, (2010). Marriott International, Inc. retrieved February 28, 2010 from http://www.hoovers.com/company/Marriott_International_Inc/hjfkxi-1-1njea5.html Marriott International, Inc. (2010). Marriott.com. Retrieved February 6, 2010 – March 30, 2010 from http://www.marriott.com/marriott/aboutmarriott.mi Mimoso, M.S. (2003). Enterprise linux news: Don’t dismiss possibility of malicious code on Linux. TechTarget. Retrieved March 21, 2010 from http://searchenterpriselinux.techtarget.com/news/article/0,289142,sid39_gci890925,00.ht ml Netcraft, (2010). www.marriott.com. Netcraft. Retrieved February 5, 2010 from http://searchdns.netcraft.com/?position=limited&host=marriott.com Network Solutions. (2010). Marriott.com. Retrieved February 4, 2010 from http://www.networksolutions.com/whois-search/marriott.com Overby, S. (2003). The keys to Marriott’s success. CIO.com. Retrieved March 11, 2010 from http://www.cio.com/article/29617/The_Keys_to_Marriott_s_Success Pariseau, B. (2006a). Marriott breach spotlights internal data security. SearchStorage.com. Retrieved February 8, 2010 from http://searchstorage.techtarget.com/news/article/0,289142,sid5_gci1155825,00.html Marriott International 21 Pariseau, B. (2006b). Marriott timeshare unit reports lost tapes. SearchStorage.com. Retrieved March 1, 2010 from http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1155398,00.html Public Intelligence (2010). (U//FOUO) Jakarta hotel bombings: A look at insider threats and the targeting of western executives. Retrieved March 29, 2010 from http://publicintelligence.net/ufouo-jakarta-hotel-bombings-a-look-at-insider-threats-andthe-targeting-of-western-executives/ Sliwa, C. (2008). Marriott goes underground with disaster recovery, virtualization effort. CIO.com. Retrieved February 8, 2010 from http://www.cio.com/article/433665/Marriott_Goes_Underground_With_Disaster_Recove ry_Virtualization_Effort Stoneburner, G., Goguen, A., & Feringa, A. (2001). Risk management guide for information technology systems [pdf format]. National Institute of Standards and Technology. Retrieved from Lecture Notes Online web site: http://nova.umuc.edu/~jtray/infa610/sp800-30_risk.pdf Thibodeau, P. (2005). Marriott links two data streams with revenue management system. Computerworld. Retrieved March 26, 2010 from http://www.computerworld.com/s/article/99963/Marriott_Links_Two_Data_Streams_Wit h_Revenue_Management_System?taxonomyId=9 Windle, L.P. (2005). Marriott: No time to rest. Facilitiesnet. Retrieved March 5, 2010 from http://www.facilitiesnet.com/emergencypreparedness/article/Disaster-ResponseHurricane-Katrina-Puts-Five-Organizations-Plans-to-the-Ultimate-Test—3513
