You are on page 1of 4

Global Hyatt Corporation

Policy for the Use of Remote Access and VPN


Services
Introduction
Remote access facilities allow Authorized Users the ability to securely access computer systems and
resources located on our corporate network. Remote Access provides Users the ability to access the key
applications and data that they would normally use in their office while on the road or working from home.
Global Hyatt Corporation (“Hyatt”) is pleased to now extend the power of this service to authorized Users
on a limited basis as outlined in this Policy for the Use of Remote Access and VPN Services (this
“Policy”).

This Policy is supplemental to the Global Hyatt Corporation Policy for the Use of Information Technology
Resources, the terms and conditions of which are hereby incorporated into this Policy by this reference. All
capitalized terms that are used but not defined herein shall have the same meanings that are given to them
in the Global Hyatt Corporation Policy for the Use of Information Technology Resources (“IT Resource
Policy”). Each Connected Entity considering a deployment of Remote Access technology must comply
with this Policy in its entirety. Users that have been authorized (as described below) to use Remote Access
services to connect to the IT Resources must indicate their agreement to comply with the Policy in its
entirety by reviewing and executing the Acknowledgement and Consent form attached to this Policy and
returning it to their local Human Resources Department before they begin to use of remote access services.

Purpose
The purpose of this policy is to define standards, procedures, and restrictions for connecting to the IT
Resources from external hosts via remote access technology, and/or for utilizing the Internet for business
purposes via third-party wireless Internet service providers (also known as “hotspots”). All IT Resources
(i.e. corporate data, computer systems, networks, databases, etc.) must be protected from unauthorized use
and/or malicious attack that could result in loss of information, damage to critical applications, loss of
revenue, and damage to our public image. Therefore, all remote access and mobile privileges for Users to
enterprise resources – and for wireless Internet access via hotspots – must employ only methods previously
approved by the Corporate Office Information Technology Department.

Scope
This Policy applies to all Users that have been granted the right to remotely access the IT Resources.
Employment by a Connected Entity does not automatically guarantee the granting of Remote Access
privileges.

Remote Access is defined as any connection to the IT Resources from off-site locations, such as the User’s
home, a hotel room, airports, cafés, satellite office, wireless devices, etc. (“Remote Access”).

Supported Technology
All Remote Access will be centrally managed by the Corporate Office Information Technology Department
and will utilize encryption and strong authentication measures through either IPSEC or SSL VPN solutions.
Remote Access connections covered by this Policy include (but are not limited to) Internet dial-up modems,
frame relay, ISDN, DSL, VPN, SSH, cable modems, proprietary remote access/control software, etc.

© July 2006 Global Hyatt Corporation Page 1 of 4


Please consult with your local Information Technology Department for the minimum system requirements
for Remote Access and VPN connections to the IT Resources. Equipment that does not currently meet
minimum requirements will need to be upgraded before a Remote Access connection will be approved.
Any variation of these standards must be approved by the Director of Corporate Technology in Chicago.

Eligible Users
All Users requiring the use of Remote Access and VPN connections for business purposes must go through
an application process that clearly outlines why the access is required and what level of service the User
needs if his/her application be accepted. Application forms may be requested from your local Information
Technology Department. Application forms must be approved and signed by the User’s Department Head
before submission to their local Information Technology Department for approval. Where applicable, the
local Information Technology Department may need to forward the request to Global Hyatt’s IT Security
and/or Director of Corporate Technology in Chicago to provide final approval for a Remote Access
connection.

Users may use privately owned connections (See ‘Supported Technology’ above) for business purposes. In
those instances, the User’s local Information Technology Department must approve the connection as being
secure and protected. However, the User’s local Information Technology Department cannot and will not
technically support a third-party ISP connection or hotspot wireless ISP connection. All expense forms for
reimbursement of cost (if any) incurred due to Remote Access for business purposes (i.e. Internet
connectivity charges) must be submitted to the User’s Department Head. Financial reimbursement for
Remote Access is not the responsibility of the User’s Local Information Technology Department.

Policy and Appropriate Use


It is the responsibility of Users with Remote Access privileges to ensure that their Remote Access
connection remains as secure as his or her network access within the office. It is imperative that any
Remote Access connection used to conduct Hyatt business be utilized appropriately, responsibly and
ethically. Therefore, the following rules must be observed:

1. General access to the Internet by residential remote users through Hyatt’s network is not
permitted. Internet access must be provided by the User.

2. Users must use secure Remote Access procedures. This will be enforced through public/private
key encrypted strong passwords in accordance with Hyatt’s password policy (See the Global Hyatt
Corporation Policy for the Use of Information Technology Resources). Users must never disclose
their passwords to anyone, including family members, if work is conducted from home.

3. All remote computer equipment and devices used for business interests, whether owned by the
User or a Connected Entity, must display reasonable physical security measures. Computers will
have installed whatever antivirus software deemed necessary by the Corporate Office Information
Technology Department and ensure that it is current with the latest virus definitions and service
pack updates.

4. Remote users using public hotspots for wireless Internet access must employ for their devices an
approved personal firewall, VPN and any other security measure deemed necessary by the
Corporate Office Information Technology Department.

• Hotspot and remote users must disable (turn-off) wireless radios when not in use in order to
mitigate attacks by hackers, war-drivers (i.e., people who document wireless connections at
random) and eavesdroppers.
5. Any remote connection (i.e. hotspot, ISDN, frame relay, etc.) that is configured to access the IT
Resources must adhere to the authentication requirements of established from time to time by the

© July 2006 Global Hyatt Corporation Page 2 of 4


Corporate Office Information Technology Department. In addition, all hardware security
configurations (whether the hardware is owned by the User or a Connected Entity) must be
approved by the User’s local Information Technology Department.

6. Users shall not make modifications of any kind to the Remote Access connection without the
express approval of Director of Corporate Technology in Chicago. This includes, but is not
limited to, split tunneling (allowing access to both a local network and the corporate resources
simultaneously), dual homing (using multiple network connections by one device), non-standard
hardware or security configurations, etc.

7. Users with Remote Access privileges must ensure that their computers are not connected to any
other network while connected to the IT Resources via Remote Access, with the obvious exception
of Internet connectivity.

8. In order to avoid confusing official company business with personal communications, Users with
Remote Access privileges should refrain from using personnel e-mail accounts (e.g. Hotmail,
Yahoo, GMail, etc.) to conduct Hyatt business.

9. All Remote Access connections must include a “time-out” system. In accordance with Hyatt’s
security policies, Remote Access VPN sessions will time out after 30 minutes of inactivity,
meaning that there has been not activity noted from your keyboard or your mouse. The time-out
will require the User to reconnect and re-authenticate in order to re-access the IT Resources.

10. If computer or related equipment used for Remote Access is damaged, lost or stolen, regardless of
whether such equipment is owned by the User or a Connected Entity, the User will be responsible
for notifying their Department Head and their local Information Technology Department
immediately.

11. Users must immediately report any incident or suspected incidents of unauthorized access and/or
disclosure of company resources, databases, networks, etc. to their Department Head and their
local Information Technology Department.

12. A User’s access and/or connection to the IT Resources is subject to being monitored.

13. Connected Entities will not responsible for reimbursing Users for business-related Remote Access
connections made using the User’s personnel ISP access, even if such ISP services have previously
been approved by the User’s local Information Technology Department.

14. Any questions relating to this Policy should be directed to the Director of Corporate Technology in
Chicago.

Policy Non-Compliance
Failure to comply with the terms and conditions of this Policy may result in the suspension of Remote
Access privileges and other disciplinary action, up to and including the termination of a User’s
employment.

© July 2006 Global Hyatt Corporation Page 3 of 4


Employee Acknowledgement and Consent
By my signature below, I acknowledge that I have received a copy of the Global Hyatt Corporation Policy
for the Use of Information Technology Resources dated July 2006 and the Global Hyatt Corporation Policy
Remote Access Policy dated July 2006. I have read and hereby agree to comply with the terms of those
policies.

I understand that a violation of those policies may result in disciplinary action, including termination, as
well as civil and criminal liability.

Regardless of whether my use of the Remote Access is for business or for my incidental personal use, I
consent to the monitoring of my usage of the service in the manner described in the Global Hyatt
Corporation Policy for the Use of Information Technology Resources and I acknowledge and agree that I
have no expectation of privacy concerning anything that I do using the Remote Access service.

Employee Signature: Date:

Employee Printed Name:

Department:

Department Head Signature: Date:

Director of Finance Signature: Date:

IT Director/Manager Signature: Date:

© July 2006 Global Hyatt Corporation Page 4 of 4

You might also like