Audit Packet Checklist (48-hour evidence readiness) — Marriott/Starwood (Delaware 2021)

If examined by a regulator or auditor, or in litigation, you should be able to produce the following within 48 hours.

A) Architecture + boundaries

  • Legacy-to-enterprise architecture diagrams and guest-data boundary documentation.
  • Inventory of reservation and identity systems with accountable owners.
  • Boundary exception register with compensating controls and approval trails.

B) Change control proof

  • Change approvals for integration-security controls and identity hardening.
  • Emergency change records tied to post-incident remediation actions.
  • Deployment and validation artifacts for high-risk security changes.

C) IAM least privilege proof

  • Privileged-access inventory across legacy and integrated hospitality systems.
  • Access-review attestations and remediation evidence for stale/high-risk access.
  • MFA and privileged-session governance records for administrative roles.

D) Logging + monitoring proof

  • Log-source matrix (reservation access, admin actions, auth, network/security telemetry).
  • Retention controls and policy artifacts for litigation-ready evidence storage.
  • Detection and investigation tickets for suspicious access to guest data.

E) Risk management & governance

  • Risk-register entries tied to oversight allegations and remediation commitments.
  • Board and committee cyber-risk reporting packets and follow-up trackers.
  • Independent testing/audit outputs with closure evidence for identified deficiencies.

F) Incident response readiness

  • IR plans and runbooks for guest-data exposure and integration failures.
  • Evidence preservation and chain-of-custody procedures for derivative-litigation support.
  • Tabletop records focused on board-escalation and cross-functional incident governance.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM