Technology Policies for Hospitality Business: A Risk Management Perspective

In a highly competitive U.S. hospitality industry, hotel owners are increasingly focusing on proactive rather than reactive risk management. U.S. hotels are constantly automating operations and adding new guest technologies to make their hotels more competitive. 

This automation of hotel services & operations requires hotel management to clearly define a set of I.T. policies to proactively identify, analyse and assess risks while developing their business strategies. 

Technology & I.T. policy management remains one of the most overlooked aspects in hospitality. While hotel owners are now actively engaged with technology integrations, their technology management partners should recommend establishing policies to access, monitor, maintain, and upgrade these systems. 

Since we have already discussed the benefits of having robust I.T. policies at hotels, lets quickly go over the five basic technology policies every hotel should enact.  

Acceptable Use Policy 

The acceptable use policy is one of the most common documentation developed for in house hotel staff & employees. This general policy dictates the best practices and constraints if using hotel technology & I.T assets. 

This standardized policy also established the rules of the local intranet, and that of accessing the internet from the property. This policy should be given to the employee to read and sign once they have been provided access and an official network ID. The AUP is essentially the responsibility of senior management, the I.T. department, security, legal and human resource departments.  

Access Control Policy 

The access control policy is the foundation that establishes the management & handling of hotel guest data, databases, servers, and other information systems. This policy primarily addresses the access control standards for employees and authorization to guest data. 

The National Institute for Standards & Technology also offer their own standards for access control in organizations. Usually, hotels consider following the framework provided by the PCI Standards Council. The PCI standards are a set of 12 comprehensive rules that businesses can use as benchmarks. 

The access control policy defines the methods to monitor hotel systems & data, how they are accessed & utilized, how workstations are secured, and how access rights should be revoked for exiting employees. 

Information Security Policy

The information security policy is a priority high level policy usually established by hotel management, the I.T. department, human resources, and operations. Since this policy covers  vast areas of hotel technology hotel owners can also outsource this policy to a hotel technology provider.

This policy primarily defines that all employees, guests, partners, and other parties accessing hotel technology assets, its networks, and guest data should comply with defined hotel rules & policies. This policy lays down the responsibility of those authorized to access critical information systems, and the accountability of each party. 

The information security policy also establishes the mix of tools that must be implemented to protect local information systems. This includes a defined time for maintenance, and a timeline to upgrade technology for compliance. 

Remote Access Policy

Hotels that allow employees, technology partners, and vendors to access their information systems, or technology systems from outside the property should consider a remote access policy. 

This policy defines the correct process of remotely connecting to the hotel’s internal network. This policy is recommended for hotels that have dispersed touch points e.g. in gyms, spas, restaurants, hallways, lobbies etc. 

Although a simple policy to develop, it is highly recommended to have the policy validated by your hotel technology provider. Since hotel data breaches are becoming a popular trend, it is essential to assure 100% cybersecurity from partners, vendors, suppliers, and other stakeholders. 

Email & Communication Policy

Emails are the most popular way for hotel employees and management to interact on a daily basis. The email and communications policy dictate how staff should use the prescribed email software. Usually, this policy includes email, blogs, accessing social networks, and communication tools like Skype. 

The communication policy also dictates the transmission of critical data and how to share information over unsecured networks. Some hotels also provide information on encrypting emails and other software when communicating locally and with external contacts. 


I hope you will find our brief introduction to hospitality information security policies useful. There are several other areas like business continuity and disaster management policies that are essential for the success of technology powered hotels. Stay tuned and come back for more updates and new insights on the topic. 

For more interesting reads remember to bookmark our blog, until next time, see you again soon.