NIST SPECIAL PUBLICATION 1800 -27 Securing Property Management Systems Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How -To Guides (C) William Newhouse Michael Ekstrom Jeff Finke Marisa Harriston FINAL This publication is available free of charge from : https://doi.org/10.6028/NIST.SP.1800 -27 The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/projects/use -cases/securing- property -management -systems NIST SPECIAL PUBLICATION 1800 -27 Securing Property Management Systems Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B) ; and How -To Guides (C) William Newhouse Information Technology Laboratory National Institute of Standards and Technology Michael Ekstrom Jeff Finke Marisa Harriston The MITRE Corporation McLean, VA FINAL March 2021 U.S. Department of Commerce Gina M. Raimondo, Secretary National Institute of Standards and Technology James K. Olthoff, Acting NIST Director and Acting Under Secretary of Commerce f or Standards and Technology NIST SPECIAL PUBLICATION 1800 -27A Securing Property Management Systems V olume A: Executive Summary W illiam Newhouse Information Technology Laboratory National Institute of Standards and Technology Michael Ekstrom Jeff Finke Marisa Harriston The MITRE Corporation McLean, Virginia Ma rch 2021 F INAL This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800 -27 The first draft of this public ation is available free of charge from https://www.nccoe.nist.gov/projects/use -cases/securing- property -management -systems NIST SP 1800-27A : Securing Property Management Systems 1 Executive Summary In recent years criminals and other attackers have compromised the networks of s everal major ho tel chains , exposing the information of hundreds of millions of guests . Breaches like these can result in huge financial loss, operational disruption, and reputational harm, along with lengthy regulatory investigations and litigation. Ho spitality organizations can reduce the likelihood of a hotel data breach by strengthening the cybersecurity of their property management system (PMS) . The PMS is an attractive target for attackers because it serves as the information technology ( IT) operations and data management hub of a hotel . This cybersecurity practice guide shows an approach to securing a PMS and the system of guest services it supports. It offers how -to guidance for building a refere nce design using commercially available products within a zero trust architecture to mitigate cybersecurity risk that includes role-based access control, privileged access management , network segmentation, moving target defense, and d ata protection . CHALLENGE Hospitality organizations rely on a PMS for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT systems, such as point-of-sale (POS) systems, physical access control system s, Wi-Fi networks, and other gues t service applications. A PMS and its extended system s store, process, and transmit a variety of sensitive guest information, including payment card information and personally identifiable information. An unsecured or poorly secured PMS could expose a hotel –and the larger hospitality organization of which the hotel is a part –to a significant and costly data breach , which may result in financial penalties for violating state, federal, and international privacy and other regulatory regimes . An unsecured or poorly secured PMS could expose a hotel —and the larger hospitality organization of which the hotel is a part —to a significant and costly data breach… This practice g uide can he