Security Policy Draft (FTC v. Wyndham Worldwide Corp.)

Use this to draft or update an enterprise security policy. It defines required behavior and controls in policy language and supports consistency and auditability.


Purpose

This draft policy converts lessons and obligations from FTC v. Wyndham Worldwide Corp. into enforceable internal requirements, control expectations, and governance responsibilities. It is structured for review by security leadership, legal, and affected business owners before formal adoption.

Hallucinated writing examples

Scenario: In an illustrative period following the Third Circuit Wyndham decision and the stipulated injunction (time), the Security Director (role) prepares a security policy draft (type) for Franchise technology leadership and security operations (audience).

ENTERPRISE SECURITY POLICY — DRAFT

Policy title: Franchise Connectivity and Payment Security Governance Policy
Version: 1.0 (Draft)
Owner: Chief Information Security Officer
Effective date: Upon approval
Last reviewed: March 2016
Context: Stipulated injunction obligations and distributed hospitality risk

Purpose and Scope: This policy establishes enterprise requirements for connectivity governance, access controls, and monitoring across franchise and corporate environments handling payment-related data. It supports obligations under the stipulated order and related assessment expectations.

Policy Statement: The organization shall implement and maintain approved connectivity baselines, privileged-access controls, and evidence-producing monitoring for designated environments. Non-conforming deployments shall require formal exception governance.

Roles and Responsibilities: The CISO owns policy governance. Franchise technology leadership implements standards; internal audit validates adherence; legal/compliance oversee order-aligned reporting obligations.

Requirements:
(1) Property-to-corporate connectivity shall follow documented baseline controls.
(2) Privileged access paths shall be reviewed periodically and monitored.
(3) Detection and retention controls shall support incident and assessment needs.
(4) Exceptions shall include mitigating controls, owner, and revisit date.
(5) Policy review occurs annually with material non-compliance escalated to governance committees.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM