Skip to content

Implementation Checklist (Marriott/Starwood (Delaware 2021))

A practical rollout plan with measurable proof for integration-era control consistency and board-oversight evidence quality.

0–30 days (stabilize + baseline)

  • Inventory legacy and integrated systems affecting guest data risk
  • Baseline boundary and identity controls across merged environments
  • Establish high-risk change approvals with board-reporting hooks

Deliverables - Integrated control baseline with system owners - Critical security change SOP and escalation workflow - Cross-platform telemetry coverage report

30–60 days (control effectiveness)

  • Deploy drift detection for identity, boundary, and monitoring controls
  • Run least-privilege reviews for legacy/integrated admin roles
  • Implement detections for abnormal guest-data access patterns

Deliverables - Drift metrics with owner accountability - IAM review pack and stale-access remediation evidence - Detection test results and investigation templates

60–90 days (evidence readiness)

  • Perform 48-hour evidence-pack drill for oversight and litigation requests
  • Add independent testing checkpoints for top integration risks
  • Issue quarterly committee report on remediation progress and residual risk

Deliverables - Evidence-pack index and custodians - Mock oversight drill findings and action plan - Quarterly board-level cyber governance template

Ongoing metrics (prove it's real)

  • % high-risk control changes reviewed and approved
  • Drift detection MTTR across integrated systems
  • Privileged-access recertification completion %
  • Coverage % for critical auth/access logs
  • Closure time for high-severity integration findings
© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM