Hoiana Resort & Golf is a five-star luxury resort, tucked between Hoi An and Da Nang on Vietnam’s scenic central coast. Hoiana Resort & Golf offers world-class gaming, hospitality, golf, beachfront and entertainment facilities as part of the phase one offering. It’s the perfect curated experience for guests wanting to escape the rush, enjoy the thrills or simply kick back and relax.

Hoiana Resort & Golf’s IT Director, Virgil Michael, has over 20 years’ experience in the gaming, entertainment and hospitality industry and has been involved in the project’s development since 2017. To architect the IT framework for such a large resort during the first phase, our IT strategy factored in compliance, trust models, digital ethics, cybersecurity and privacy, so that technologies could be shared between multiple operators to reduce overall operating expenses.

The gaming and hospitality industry is heavily regulated, and in today’s ever-evolving cyber threat landscape some of the main concerns of our business partners and executives were to ensure that our business is protected when using shared resources. When designing safeguards, we considered both local and international legislation for information asset protection. We researched local IT laws, partnering with our legal teams to design IT controls that enforce compliance. This includes data retention policies, data protection policies and overall IT governance.

Corporate governance and IT security policies are only effective if people, processes and technology are aligned with the controls. We ensure that policies are enforced by applying technical controls to complement IT governance. For example, the password complexity policy is enforced by a credential provider that aligns with modern-day safeguards for identity protection and prevents weak passwords.

Concerns about personal data protection are always growing, and new laws are being ratified to protect citizens. Personal data protection is a challenge in any organization, and we factor in cross-border data flows, the processes used when collecting personal data, encryption of data in transit with strong modern-day ciphers, and evolving controls to enhance the way we process personal data. The personal data protection program involves collaboration, and IT has partnered with key stakeholders to ensure that the organization maintains compliance in the way we conduct business.

User awareness is part and parcel of ensuring the adoption of security techniques. For example, staff may feel they are jumping over hurdles to access corporate resources: being unable to access certain websites, complexity in multifactor authentication, and privacy concerns when using personal devices. We describe the need to protect corporate data in the policies so that staff buy in to controls and understand that the protection of information assets is a shared responsibility.

To create a balance, we always consider the cost of the asset versus the cost of the safeguard. This enables us to provide adequate protection for data assets. There are many technologies in today’s market to safeguard information assets. When choosing safeguards, we opted for market leaders, as modern-day attacks are so sophisticated, making use of obfuscation techniques to bypass security controls, not to mention the risk of nation-state-sponsored attacks. Safeguards are configured for automated defence, least privilege, monitoring, alerts and transparent auditing that enforces non-repudiation, which allows us real-time management of security events.

Using personal devices to access corporate resources is a growing concern for IT security professionals, and we have again opted for a market-leading solution for securing corporate data on BYOD devices. Using a mobile device management solution ensures that corporate data has strong encryption and that personal data is separated from corporate data, which aligns with privacy concerns. The solution allows IT to enforce compliance for corporate data on BYOD devices and enables us to automatically disconnect a device from corporate resources if it is compromised, or remotely erase corporate data if the device is lost or stolen.

You can only protect what you can see, and as security gatekeepers we only allow trusted devices to connect to our environment by enforcing 802.1X network access control and applying least privilege to networks and devices. Application and device control policies are key to endpoint security. We invested in technology that consolidates endpoint host protection, covering IPS/IDS, antimalware, and application and device control, to mitigate cyber-attacks and data leakage.

The network infrastructure and solutions at Hoiana Resort & Golf are complex, and integrations between interoperable systems ensure that business processes are optimized so that staff can focus on customer service. When deploying complex integrations, stringent controls and least privilege are applied to ensure that data is not overexposed or compromised. The implementation of international standards such as the ISO 27000 series, NIST 800, CIS Controls, PCI DSS, ITIL v4 and other best practices helps to improve IT compliance and mitigate business risks.

IT partnered with our HR team to build a strong workforce and a culture that promotes awareness of IT security techniques to thwart cyber-attacks. IT also partnered with the facilities management team to address the physical controls that protect IT data centre dependencies, such as strong security access control to the data centre, structured cabling, CRAC units, UPS, fire suppression, generators and environmental monitoring, to help support 24-hour business operations.

At Hoiana Resort & Golf we celebrate shared success, and none of this would be possible without the support of our board, executive leadership, business partners, vendors and most of all… the highly skilled, passionate and dedicated staff that make IT possible.