Security Policy Draft (Firemen’s v. Sorenson (Marriott derivative))

Use this to draft or update an enterprise security policy; defines required behavior and controls in policy language and supports consistency and auditability.


Purpose

This draft policy converts lessons and obligations from Firemen’s v. Sorenson (Marriott derivative) into enforceable internal requirements, control expectations, and governance responsibilities. It is structured for review by security leadership, legal, and affected business owners before formal adoption.

Hallucinated writing examples

Scenario: In an illustrative period during Delaware derivative litigation over Marriott-Starwood cyber oversight allegations (time), the Security Director (role) prepares a security policy draft (type) for Enterprise security and integration program teams (audience).

ENTERPRISE SECURITY POLICY — DRAFT

Policy title: Post-Acquisition Cyber Governance and Integration Control Policy
Version: 1.0 (Draft)
Owner: Chief Information Security Officer
Effective date: Upon approval
Last reviewed: July 2021
Context: Oversight and integration governance after Starwood-related incident scrutiny

Purpose and Scope: This policy establishes required governance and technical controls for post-acquisition cybersecurity integration, board reporting support, and exception management across legacy environments. It applies to integration workstreams managing guest and loyalty data systems.

Policy Statement: The organization shall implement integration control baselines, maintain governance evidence for board oversight, and enforce exception governance with accountable owners and review dates.

Roles and Responsibilities: The CISO owns this policy. Integration program leads execute controls; legal and compliance support oversight documentation; internal audit validates control operation.

Requirements:
(1) Integration risk findings shall be tracked to closure with owner accountability.
(2) Core identity, logging, and segmentation controls shall meet defined baseline standards.
(3) Board metrics support artifacts shall be retained and reviewable.
(4) Exceptions require formal approval and compensating controls.
(5) Annual policy review and governance reporting are mandatory.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM