Security and Password requirements for the Sabre® Community Portal
Many businesses are continually assessing their level of security to help ensure a safe environment for their employees, customers and overall business operations.
Sabre® is among them, especially in regard to the Sabre® Community Portal.
The Sabre® Community Portal is a one-of-a-kind Web environment that provides access to profile-driven information. This means you only have access to applications, information, training, news and alerts that are applicable for the solutions you use. Therefore, during the last few years, security enhancements have been and will continue to be a key part of our Sabre® Community Portal releases and updates.
Some of the PCI-compliant security features we have employed to help keep the Sabre® Community Portal a safe environment for everyone include:
Users
- Two-step registration process: Registration for the Sabre® Community Portal requires two steps, including having and validating company e-mail domains to help certify registration requests.
- Security questions: Upon registration, you must select and provide answers to unique security questions that you can answer whenever you need to reset your password.
- For data security purposes, Sabre® Community Portal customers are required to configure any connecting devices with an idle session screen lock of 15 minutes or less, with re-entry of the user’s device password required to resume the session.
- Account/access approval process: All user requests for product access are reviewed by Sabre® in conjunction with our customers. Requests are approved or denied based on your job function and access needs.
- User email validation can be done either manually at the Administrator's discretion or can be automated to be validated every configurable number of days. The number of days can be configured per customer. If the user does not respond within 21 days, their account will be locked.
- Login, account and password management (does not apply to Single Sign-On accounts): Along with your unique account, you must create unique passwords that meet best-practice security standards, and you must update your passwords every 30 days (if you are an administrator) or 60 days (if you are a regular user). User accounts expire after 60 days of inactivity and require you to contact your local administrator to reactivate your account. Users are notified to change their password during the 10 days before it expires. If the user ignores the notifications, a password reset is forced after these 10 days.
- Users are forced to change their password if the password was changed by an Administrator.
- Delegated administration – For airlines electing delegated administration, designated personnel are granted authority to manage their airline users’ accounts and regularly audit users for the products the customer delegated administrators have been given access to approve.
- Terms and conditions: You must review and accept the terms and conditions of Sabre® Community Portal use to gain access. Terms and conditions need to be accepted every 365 days, or whenever the user gets access to new applications or there is a change in the user's access level.
Sabre Administration
- Logging and tracking user activities by event: Detailed user activity on the Sabre® Community Portal is tracked and stored. We monitor and address unusual activity via standardized and customized reports, which are only for internal use.
- Automated account on- and off-boarding: For airlines electing to integrate their personnel systems with the Sabre® Community Portal, user accounts can be created, modified and disabled automatically as employees join or leave an airline.
- Bulk account provisioning: When requested and confirmed by an airline, user accounts can be added, modified, provisioned or disabled quickly in large batches by the Sabre® Community Portal team. This method is recommended for customer initial product implementation.
- Single-sign-on federation: For airlines electing to integrate their systems with the Sabre Community Portal, users can gain direct and seamless access to the Sabre® Community Portal and their hosted applications by logging into their airline website.
- Account disabling: Accounts can be disabled so users can no longer access the Sabre® Community Portal. This feature is automatically employed if there is no activity for 360 days and/or by request when employees are off-boarded. The user's account data and history are stored for a maximum of 13 months.
- Security scans: The Sabre® Community Portal runs several different security scans throughout the year to detect and report vulnerabilities and potential holes, including:
  - Monthly TrustWave external network security scan.
  - Quarterly penetration scans run from inside and outside the network.
  - Security vulnerability scans run at application level with each release.
- Additional security measures are:
  - PCI-compliant password authentication.
  - Multi-Factor Authentication (PC and Mobile).
  - Fine-grained product-level authorization for content and Sabre®-hosted access.
  - Pages built using frameworks that guard against Web app vulnerabilities (SQL Injection, CSRF, XSS, etc.)
  - Changes to code are reviewed with security in mind.
- Secure infrastructure/architecture design and development practices: Various security steps are built in and/or taken to prevent vulnerabilities and help ensure user authorization.
We continually add more security features, so look for more information in future Sabre® Community Portal updates. It's our commitment to help ensure a maximum level of security is in place for you and us.
Password Requirement/Policy
- Password must be at least 12 and no more than 100 characters in length.
- Password must consist of the following: lower case letters, upper case letters, digits and special characters.
- Password must be different from the last 8 passwords.
- Password cannot contain part of the username.
- Password cannot contain whitespace characters.
- Password cannot contain the user's email.
- Password cannot contain the user's first name.
- Password cannot contain the user's last name.
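
The rules above expressed as a validator, useful for checking a password locally before submitting it. This is an added example, not Sabre® code. Assumptions: "part of username" means any 4-character substring, a special character is anything that is neither alphanumeric nor whitespace, and the history is kept as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import string

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 12, 100, 8  # values from the policy list above
PART_LEN = 4            # assumption: shortest username fragment that counts as a "part"
PBKDF2_ROUNDS = 100_000  # assumption: the page does not say how history is stored


def hash_password(password, salt=None):
    """Return (salt, digest) so past passwords are never kept in plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _username_parts(username):
    """All PART_LEN-character substrings; a shorter username counts as one part."""
    u = username.lower()
    if len(u) <= PART_LEN:
        return {u} if u else set()
    return {u[i:i + PART_LEN] for i in range(len(u) - PART_LEN + 1)}


def check_password(password, username, email, first_name, last_name, history):
    """Return the list of violated rules; an empty list means the password passes."""
    errors, lowered = [], password.lower()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append("length")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    has_special = any(not c.isalnum() and not c.isspace() for c in password)
    if not (all(any(c in cls for c in password) for cls in classes) and has_special):
        errors.append("character classes")
    if any(c.isspace() for c in password):
        errors.append("whitespace")
    if any(part in lowered for part in _username_parts(username)):
        errors.append("username")
    for label, value in (("email", email), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:  # empty fields must not match everything
            errors.append(label)
    for salt, digest in history[-HISTORY_DEPTH:]:  # only the last 8 passwords count
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            errors.append("history")
            break
    return errors
```

The containment checks are case-insensitive, so changing the capitalization of a name or username fragment does not get past them.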