from coursework to real-world governance: building a hotel security policy manual
A portfolio case study on developing a hotel security policy manual during my cybersecurity coursework, based on the real operational environment of the hospitality company I was working for at the time.
nicole mullen
5/1/2025 · 3 min read
overview
While completing my cybersecurity coursework, I developed a comprehensive security policy manual for a hotel organization. Although the assignment used a formal business name, the project was intentionally grounded in the reality of the hospitality company I was working for at the time. That made the work much more than a classroom exercise. It became an opportunity to translate security concepts into policies shaped by real operational risk, real business workflows, and the kind of environment I was already familiar with.
project scope
The final manual was created for Hotel Collection LLC and included a structured set of policies designed to support both cybersecurity governance and day-to-day hotel operations. The manual covered acceptable use, access control, data classification, privacy, asset management, IT physical security, social media, business continuity, and version control documentation. Together, these areas reflected the overlap between digital systems, payment environments, employee access, guest privacy, and physical security in a hospitality setting.
access control and governance
One of the strongest aspects of this project was the way it connected policy development to practical access management. In a hospitality setting, access control extends beyond standard account provisioning. It also includes who can reach guest information, who can authorize overrides, who can enter restricted spaces, and how sensitive activity is monitored. In this manual, I built access control requirements around least privilege, separation of duties, multifactor authentication, logging, approval workflows, and timely deprovisioning after role changes or termination. I also aligned the policy language to recognized standards including NIST SP 800-53, ISO 27001, and PCI DSS v4.0.
data protection and privacy
The project also required a thoughtful approach to data protection. Hotels process a wide range of sensitive information, including payment card data, personal identification details, loyalty program information, employee records, and in some cases health-related information. To address that, I created a data classification structure with handling requirements for restricted, confidential, and public information, then paired that with privacy-focused controls around data minimization, retention, and appropriate access. This helped frame security not only as a technical concern, but as a governance and trust issue tied directly to guest and employee data.
physical security and resilience
Another important dimension of the manual was physical and operational resilience. Because the environment was modeled after a functioning hotel business, the policy framework had to account for more than traditional IT concerns. Physical access to server rooms, network closets, building systems, and other operational infrastructure all needed to be addressed. I included controls for badge access, visitor management, CCTV monitoring, environmental safeguards, and response expectations for physical security incidents.
business continuity planning
Business continuity was equally important. In hospitality, downtime affects not just systems but the guest experience, revenue flow, staff coordination, and compliance obligations. Building this manual pushed me to think about continuity in a broader way, including how a hotel would maintain critical operations during cyber incidents, facility disruptions, severe weather events, and hurricanes. Because hospitality operations are so dependent on both physical property and digital systems, this part of the project focused on how policy can support resilience before a crisis happens and help guide response and recovery when disruptions occur.
key takeaway
What makes this project especially meaningful to me is that it reflects how I approach cybersecurity work overall. I am most interested in security that is practical, operationally grounded, and aligned with the way organizations actually function. This assignment gave me hands-on experience turning governance concepts into clear policy language tailored to a specific business environment rather than relying on generic templates. It also strengthened my ability to think across compliance, risk, privacy, and operational security at the same time.


conclusion
Looking back, this project represents an important point where my academic work and professional experience started to meaningfully connect. By basing the assignment in the reality of the company I was working for while in school, I was able to produce something more practical, more relevant, and much closer to the kind of cybersecurity and governance work I want to continue doing.



