
Security Program Status Report (FTC v. Wyndham Worldwide Corp.)

Use this to report program health, key metrics, and progress to leadership; it supports oversight of franchise connectivity and PCI-aligned execution of the stipulated order.


Purpose

This status report translates the Wyndham FTC enforcement action and the stipulated injunction into measurable program execution: property-to-corporate connectivity, cardholder environment controls, assessments, and remediation aging. It gives leadership a consistent view of whether remediation is on track and where escalation or resourcing is required.

Hallucinated writing examples

Scenario: In an illustrative period after entry of the stipulated order (December 2015) (time), the Lead Security Engineer, Hospitality Networks (role) prepares a security program status report (type) for Security Director, Chief Information Security Officer (audience).

SECURITY PROGRAM STATUS REPORT

To: Security Director, Chief Information Security Officer
From: Lead Security Engineer, Hospitality Networks
Date: April 18, 2016
Reporting period: Post–Stipulated Order for Injunction (December 2015–April 2016)

Overview: This report summarizes security program status following the FTC’s payment-card intrusion allegations (2008–2009) and the Stipulated Order for Injunction entered December 11, 2015, after the Third Circuit’s August 2015 affirmance (Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)). The order requires a comprehensive information security program with PCI DSS–aligned assessments and explicit attention to network connections between Wyndham-branded hotels and corporate systems. This report covers segmentation and monitoring on connectivity paths, identity and privileged access for distributed properties, centralized visibility, and assessment remediation closure.

Incident Context: Remediation has focused on reducing lateral movement and bulk export risk across franchise-heavy footprints, tightening vendor remote access into payment environments, and ensuring consistent technical baselines with auditable evidence for franchise variability.

Metrics and Progress: During the reporting period we have: (1) Documented approximately 94% of property-to-corporate connectivity paths in the inventory with named owners (target 100% by June 30, 2016). (2) Reduced roles with over-broad payment-environment permissions by roughly 30% versus the prior baseline. (3) Expanded centralized logging coverage for in-scope segments to about 77% by transaction volume (target 90%). (4) Closed 58% of open PCI-related assessment findings from the prior cycle; 14 items remain past due with executive owners assigned. (5) Deployed additional detection content for bulk card-data movement patterns in pilot properties.

Issues and Next Period: Residual gaps include a subset of legacy properties on exception-based connectivity and delayed completion of monitoring rollouts in two regions. Priorities: finish connectivity inventory closure, drive logging coverage to plan, clear aging assessment findings with board escalation for repeats, and maintain quarterly executive metrics on franchise conformance. This report supports internal oversight and order execution.
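The metrics in the example report (connectivity inventory coverage, logging coverage by transaction volume, finding closure rate, past-due count and aging) are only useful to leadership if they are derived the same way every period. The script below is an added example, not part of the original page or of any Wyndham program; it computes those metrics from a small constructed data set (finding IDs, owners, segment names and transaction volumes are all invented) so the report numbers are reproducible and past-due items without an executive owner surface for escalation.

```python
"""Derive security program status-report metrics from constructed program data.

Added example for this page; all records below are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

REPORT_DATE = date(2016, 4, 18)  # report date used in the example report above


@dataclass(frozen=True)
class Finding:
    finding_id: str
    status: str            # "open" or "closed"
    due: date
    owner: str | None      # executive owner; None if nobody is assigned


@dataclass(frozen=True)
class ConnectivityPath:
    path_id: str
    owner: str | None      # named owner; None if the path is undocumented


@dataclass(frozen=True)
class Segment:
    name: str
    tx_volume: int         # card transactions in the period (constructed)
    centrally_logged: bool


# Constructed sample data: identifiers, owners and volumes are invented.
FINDINGS = [
    Finding("F-01", "closed", date(2016, 1, 15), "VP Ops"),
    Finding("F-02", "closed", date(2016, 1, 31), "VP Ops"),
    Finding("F-03", "closed", date(2016, 2, 15), "CIO"),
    Finding("F-04", "closed", date(2016, 2, 28), "CIO"),
    Finding("F-05", "closed", date(2016, 3, 15), "VP Franchise"),
    Finding("F-06", "closed", date(2016, 3, 31), "VP Franchise"),
    Finding("F-07", "open", date(2016, 4, 10), "CIO"),           # 8 days past due
    Finding("F-08", "open", date(2016, 3, 1), None),             # 48 days past due, unowned
    Finding("F-09", "open", date(2016, 1, 5), "VP Ops"),         # 104 days past due
    Finding("F-10", "open", date(2016, 5, 15), "VP Franchise"),  # not yet due
]
PATHS = [ConnectivityPath(f"P-{i:02d}", "Network Eng") for i in range(1, 8)] + [
    ConnectivityPath("P-08", None)
]
SEGMENTS = [
    Segment("front-desk-pos", 500_000, True),
    Segment("reservations", 300_000, True),
    Segment("legacy-pms", 200_000, False),
]

# Aging buckets in days overdue: (label, low, high); high=None means open-ended.
AGING_BUCKETS = (("1-30", 1, 30), ("31-60", 31, 60), ("61-90", 61, 90), (">90", 91, None))


def closure_rate(findings):
    """Fraction of findings closed; 0.0 for an empty list."""
    if not findings:
        return 0.0
    return sum(f.status == "closed" for f in findings) / len(findings)


def past_due(findings, as_of):
    """Open findings whose due date is before the report date."""
    return [f for f in findings if f.status == "open" and f.due < as_of]


def unowned_past_due(findings, as_of):
    """IDs of past-due findings with no executive owner: candidates for escalation."""
    return [f.finding_id for f in past_due(findings, as_of) if f.owner is None]


def aging_buckets(findings, as_of):
    """Count past-due findings by how many days overdue they are."""
    counts = {label: 0 for label, _, _ in AGING_BUCKETS}
    for f in past_due(findings, as_of):
        days = (as_of - f.due).days
        for label, low, high in AGING_BUCKETS:
            if days >= low and (high is None or days <= high):
                counts[label] += 1
                break
    return counts


def connectivity_documented_pct(paths):
    """Percent of property-to-corporate paths with a named owner."""
    if not paths:
        return 0.0
    return 100.0 * sum(p.owner is not None for p in paths) / len(paths)


def logging_coverage_pct(segments):
    """Percent of transaction volume flowing through centrally logged segments."""
    total = sum(s.tx_volume for s in segments)
    if total == 0:
        return 0.0
    return 100.0 * sum(s.tx_volume for s in segments if s.centrally_logged) / total


def build_report(as_of=REPORT_DATE, findings=FINDINGS, paths=PATHS, segments=SEGMENTS):
    """Assemble the metrics block of the status report as a dictionary."""
    return {
        "connectivity_documented_pct": connectivity_documented_pct(paths),
        "logging_coverage_pct": logging_coverage_pct(segments),
        "finding_closure_rate": closure_rate(findings),
        "past_due_count": len(past_due(findings, as_of)),
        "past_due_unowned": unowned_past_due(findings, as_of),
        "aging": aging_buckets(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

Coverage is weighted by transaction volume rather than by segment count, matching how the example report states it; a lightly used segment left unlogged should not move the number as much as a high-volume one. The `past_due_unowned` list is the escalation input: anything in it should not appear in a leadership report without an owner attached.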


© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM