Security Control Standard - World Lottery Association

Comentarios

Transcripción

Security Control Standard - World Lottery Association
Security Control
Standard©
The security and risk management baseline
for the lottery sector worldwide
Updated by the WLA Security and Risk Management Committee
V1.0, November 2006
The WLA Security Control Standard© is the Property of the World Lottery Association
Table of contents
Table of contents
2
Foreword
5
1. Introduction
5
1.1 Purpose
5
1.2 Legal compliance
5
1.3 Disclaimer
6
1.4 Compatibility with Other Management Systems
6
1.5 How to Use This Document
6
2. The WLA SCS Framework and WLA Certification
7
2.1 Framework Components
7
2.2 Certification Requirements
7
2.2.1
Introduction
7
2.2.2
Part A – General Security Requirements
7
2.2.3
Part B – Lottery Specific Security Requirements (including Appendix 2)
8
Appendix 1 – General Security: WLA Basic Controls
9
G1 Organization of Security
9
G1.1
Allocation of security responsibilities
G2 Human Resources Security
9
10
G2.1
Implementation of a Code of Conduct
10
G2.2
Information Security awareness, education and training
10
G3 Physical and Environmental Security
G3.1
Secure areas
10
G4 Operations Management
G4.1
Protection against security vulnerabilities
G5 Access Control
G5.1
10
10
10
11
Remote user access management
G6 Information Systems Maintenance
11
11
G6.1
Cryptographic controls
11
G6.2
System testing
11
G7 Business Continuity Management
G7.1
Press media handling and availability
12
12
Appendix 2 – Lottery Specific Security Requirements
13
L1
Instant Tickets
13
L1.1
Instant game design
13
L1.2
Instant ticket printing
14
L1.3
Shipment of instant tickets
14
L1.4
Storage and distribution of instant tickets
15
L1.5
Retailer security – instant tickets
15
L1.6
Instant game closures
16
Security Control Standard
©
V1.0,
Page 2/21
Table of contents
L2
L3
L4
L5
L6
Lottery Draws
16
L2.1
Lottery draw management
16
L2.2
Conduct of the draw
17
L2.3
Physical drawing appliances and ball sets
18
Retailer Security
19
L3.1
Recruitment and set-up
19
L3.2
Retailer operations
19
L3.3
Gaming terminal security
19
Prize Money Protection
20
L4.1
Validation and payout of prizes
20
L4.2
Unclaimed prize money
20
Sales Staff and Customer Services
21
L5.1
Staff working outside organization premises
21
L5.2
Customer service areas
21
Internet Gaming Systems
21
L6.1
21
Internet-based sales of games
Security Control Standard
©
V1.0,
Page 3/21
Foreword
The World Lottery Association has recognized the need for adequate security
standards from its very beginning and further developed the work started by its
predecessor organizations. The first Security and Risk Management Committee was
established in 1989 and is currently known as the WLA Security & Risk Management
Committee (SRMC). Representatives and security specialists from lottery organizations
around the world are members of the Committee and actively participate in the
development of these standards. One of its most important areas of responsibility is the
WLA Security Control Standard© (WLA-SCS), the lottery sector's only internationally
recognized security standard. The Committee reviews security standards for use by the
lottery sector and acts as a focal point for the sector on security issues.
Its mission includes making recommendations to members on problems and solutions,
holding regular seminars for WLA members and overseeing the security standard
certification process.
All new or updated standards have to be approved and released by the WLA Executive
Committee to become formally applicable.
Any comments or suggestions regarding the WLA-SCS and the certification shall be
directed to the WLA Security & Risk Management Committee.
Security Control Standard
©
V1.0,
Page 4/21
1. Introduction
1.1 Purpose
Security is a key element in the successful operation of a lottery. A critical factor of the
operation is confidence both by the player and the principal stakeholders in those who
manage the operation themselves. It is essential, therefore, that a visible and
documented security environment is developed and maintained in order to achieve and
sustain public confidence in the operation.
The WLA Security Control Standard is designed to assist the lottery sector around the
globe in obtaining a level of controls in line with generally accepted practices to enable
an increased reliance on the integrity of lottery operations. The Standard prescribes the
existence of a security management process compliant with International Standards
and a common security baseline for lottery specific aspects that represent good
practice.
It can be considered a first step towards building the necessary trust relationship with
other lotteries, stakeholders and regulators for the purpose of conducting lottery
operations or multi-jurisdictional games. Through experience, the WLA Security Control
Standard has proven to be of substantial assistance by giving management an
independent review to build increased confidence in an organization's security.
WLA Members considering operating games together may seek confirmation from the
WLA that other members involved are certified as complying with the WLA Security
Control Standard. Additional game-specific security requirements and procedures may
need to be agreed between these members.
The WLA Executive Committee has authorized specific third-party certifying bodies to
perform reviews of WLA Members and Associate Members1 wishing to certify their
operations against this Standard. Certification can be obtained by conforming to the
requirements of the Standard at the moment of the actual assessment. The WLA
allows certified members to confirm their compliance to the Standard for a continuous
period of three years following a certification as long as at least 12-monthly follow-up
reviews occur by one of the designated certifying bodies.
1.2 Legal Compliance
In cases where contradictions between applicable laws or regulation and the contents
of this Standard exist, applicable laws and regulation shall always take precedence.
1
WLA Associate Members can achieve WLA-SCS certification through a formal assessment against the
WLA-SCS Part A.
Security Control Standard
©
V1.0,
Page 5/21
1.3 Disclaimer
WLA-SCS certification does not guarantee that a WLA Member or Associate Member
will not be subject to a security incident, but it is rather intended to decrease the
likelihood of such events. Therefore, certification cannot lead to any commercial liability
on behalf of the WLA or the certifying body.
1.4 Compatibility with Other Management Systems
The WLA Security Control Standard is based on the ISO 270012 standard in order to
support consistent implementation and operation with other management standards
(for example ISO 9001).
1.5 How to Use This Document
The WLA Security Control Standard sets out the requirements for organizations that
seek certification and is written for an audience with knowledge about security. The
intention is not for the reader to be educated on lottery security as such; rather the
document is to be used to determine which security measures need to be implemented
in order to comply with the WLA Standard. Please contact WLA SRMC or one of the
approved certifying bodies for more information if needed.
This WLA Standard is separated into two parts. Part A includes requirements related to
the International Standard for Information Security Management Systems ISO/IEC
27001, the Scope requirement and the WLA Basic Controls. Part B covers Lottery
specific requirements.
The WLA has no intent to remove the autonomy that organizations in the lottery sector
enjoy. As such, although the controls environment specified will need to exist to
achieve certification, the specific technologies, methodologies, or processes used to
achieve compliance is left to individual organizations.
2
In the formally published version effective at the time of the WLA-SCS Standard release.
Security Control Standard
©
V1.0,
Page 6/21
2. The WLA SCS Framework and WLA Certification
2.1 Framework Components
WLA Security Control Standard
Introduction
Part A
Part B
General Security Requirements
Lottery Specific
Security Requirements
ISO/IEC 27001 – Requirements,
Scope Requirements,
WLA Basic Controls
2.2 Certification Requirements
2.2.1 Introduction
WLA Members seeking WLA certification shall ensure compliance with Part A and Part
B below. WLA Associate Members shall ensure compliance with Part A below. In order
to become WLA certified, all organizations must seek certification by one of the WLA
approved certifying bodies.
2.2.2 Part A – General Security Requirements
ISO/IEC 27001 – ISMS Requirements
Obtain the ISO/IEC 27001 (ISO 27001) standard document from a standardization
body3 and ensure compliance of your organization.
ISO 27001 requires that an Information Security Management System (ISMS) is
established, implemented, operated, monitored and continuously improved. Important
steps in order to implement an ISMS include defining the scope, developing a policy,
performing risk assessment, the selection of controls, and producing a ‘Statement of
Applicability’4. All parts of the ISMS shall be documented and the ISMS shall be
formally approved and regularly reviewed by top management.
3
ISO/IEC 27001 (based on the earlier BS7799-2:2002) is a globally accepted certification standard for
Information Security Management. The Standard is aligned with a Code of Practice for Information
Security Management (also available via ISO). It is highly recommended to seek guidance in this Code of
Practice. The WLA can assist members obtaining these documents.
4
The Statement of Applicability is a documented statement describing the control objectives and
controls that are relevant and applicable to the organization’s ISMS.
Security Control Standard
©
V1.0,
Page 7/21
The management system is based on the cyclic model of ‘Plan – Do –
Check - Act’, which is applied to structure all ISMS processes and ensuring
continual improvement based on objective measurement.
•
•
•
•
Plan – Establish the ISMS
Do – Implement and operate the ISMS
Check – Monitor and review the ISMS
Act – Maintain and improve the ISMS
ISO 27001 ensures that a mandatory risk based approach is in place and aims at
achieving effective information security through a continual improvement process.
Further details can be found in the ISO 27001 document.
Scope Requirements
The organization is required to include all lottery related activities of its operation,
including all related systems under the scope of certification. Any exclusion from the
scope or controls shall be justified in detail and challenged by the certifying bodies.
WLA Basic Controls (Appendix 1)
Additionally to those control objectives and controls required in ISO 27001 Annex A,
the WLA has defined additional controls which shall be implemented in order to
become WLA certified. These controls are listed in Appendix 1 and are to be reflected
in the Statement of Applicability. The list of controls in ISO 27001 and as defined by
WLA is not exhaustive and an organization may decide that additional controls are
necessary.
2.2.3 Part B – Lottery Specific Security Requirements (including Appendix 2)
The WLA Lottery Specific Security Controls are listed in Appendix 2. This part covers
lottery specific security aspects.
In order to obtain WLA certification, all these controls shall be applied if not entirely
inapplicable (e.g. if a WLA Member does not offer draw games, identified controls need
not be included) and must be reflected in the Statement of Applicability.
Security Control Standard
©
V1.0,
Page 8/21
Appendix 1 – General Security: WLA Basic Controls
The list below contains the required controls that shall be implemented in organizations
to become WLA certified. This is in addition to those controls defined in ISO 27001
Annex A and shall be part of the organization’s Information Security Management
System (ISMS).
G1 – Organization of Security
G1.1 – Allocation of security responsibilities
Objective: To ensure that security function responsibilities are effectively implemented.
G1.1.1
Security Forum
Control
A Security Forum or other organizational structure
comprised of senior managers shall be formally
established, monitor and review the ISMS, maintain
formal minutes of meetings and convene at least every
six months.
G1.1.2
Security Function
Control
A Security Function shall exist that will be responsible to
draft and implement security strategies and action plans.
It shall be involved in and review all processes regarding
security aspects of the organization, including, but not be
limited to, the protection of information, communications,
physical infrastructure, and game processes.
G1.1.3
Security Function
Control
reporting
The Security Function shall report to no lower than
executive level management and not reside within or
report to the IT Function.
G1.1.4
Security Function
Control
position
The Function shall be sufficiently empowered, and must
have access to all necessary corporate resources to
enable the adequate assessment, management, and
reduction of risk.
G1.1.5
Security Function
Control
responsibility
The head of the Security Function shall be a full member
of the Security Forum and be responsible for
recommending security policies and changes.
Security Control Standard
©
V1.0,
Page 9/21
G2 – Human Resources Security
G2.1 – Implementation of a Code of Conduct
Objective: To ensure that a suitable Code of Conduct is effectively implemented..
G2.1.1
Code of Conduct
Control
A Code of Conduct shall be issued to all personnel when
initially employed. All personnel shall formally
acknowledge acceptance of this Code.
G2.1.2
Adherence and
Control
disciplinary action
The Code of Conduct shall include statements that all
policies and procedures are adhered to and that
infringement or other breaches of the Code could lead to
a disciplinary action.
G2.1.3
Conflict of Interest
Control
The Code of Conduct shall include statements that
employees are required to declare conflicts of Interest on
employment as and when they occur. Specific examples
of Conflict of Interest shall be cited within the Code.
G2.1.4
Policy on hospitality
Control
or gifts
The Code of Conduct shall include a policy regarding
hospitality or gifts provided by persons or entities with
which the organization transacts business.
G2.2 – Information Security awareness, education and training
Objective: To ensure that all employees are aware of information security as implemented by the
organization as quickly as possible.
G2.2.1
Awareness Training
Control
All new hired employees and, where relevant, new
contractors and new third party users shall receive
appropriate awareness training within two weeks of work
commencement and regularly thereafter. Such training
shall be documented and formally acknowledged by staff.
G3 – Physical and Environmental Security
G3.1 – Secure areas
Objective: To ensure that areas providing access to production gaming data centers or other systems
effectively important for the gaming operations are adequately secured.
G3.1.1
Physical entry
Control
controls
Physical access to production gaming system data
centers, computer rooms, network operations centers
and other defined critical areas shall have a two-factor
authentication process. Single-factor electronic access
control methods are acceptable if the area is staffed at all
times.
G4 – Operations Management
G4.1 – Protection against security vulnerabilities
Objective: To ensure that important systems for gaming operations or the support thereof are adequately
secured against security vulnerabilities.
G4.1.1
Control against
Control
security vulnerabilities The IT function shall ensure that documented procedures
on important systems
are in place for the management of security vulnerability
for gaming operations patches on important systems for gaming operations and
that reviews with regards to patch level of all installed
software are regularly conducted
Security Control Standard
©
V1.0,
Page 10/21
G5 – Access Control
G5.1 – Remote user access management
Objective: To ensure authorized remote user access and to prevent unauthorized access to gaming
information systems.
G5.1.1
Remote user access
Control
to gaming systems
Gaming computer systems shall only be accessed from
locations outside organization controlled premises,
excluding player participation in organization-offered
games, in case of emergency situations.
G5.1.2
Remote user access
Control
functions
The range of functions available to the user shall be
defined in conjunction with the Process Owner, the IT
Function and the Security Function.
G5.1.3
Remote user access
Control
logging
All actions performed through remote user access shall
be logged and these logs shall be regularly reviewed.
G5.1.4
Remote user access
Control
reporting
For every remote user access a security incident report
shall be filed with the security function.
G6 – Information Systems Maintenance
G6.1 – Cryptographic controls
Objective: To protect the confidentiality, authenticity and integrity of important gaming and lottery related
information by cryptographic means.
G6.1.1
Cryptographic
Control
controls for data on
Encryption shall be applied for non public organization
portable systems
data on portable computer systems (Laptops, USB
devices, etc.)
G6.1.2
Cryptographic
Control
controls for networks
Encryption shall be applied for sensitive information
passed over networks which risk analysis has shown to
have an inadequate level of protection, including
validation or other important gaming information,
electronic mail, etc.
G6.1.3
Cryptographic
Control
controls for storage
Integrity measures must be applied for the storage of
winning information ticket data and validation information.
G6.1.4
Cryptographic
Control
controls for validation
Encryption shall be applied for instant ticket validation
numbers
numbers.
G6.1.5
Cryptographic
Control
controls for transfers
Encryption shall be applied for financial transactions
between the organization and a banking institution.
G6.2 – System testing
Objective: To maintain the security, confidentiality and integrity of test data.
G6.2.1
Test methodology
Control
policy and data
The test methodology policy shall include provisions to
prevent the use of data created in a live production
system for the current draw period and to prevent the use
of player personal information.
Security Control Standard
©
V1.0,
Page 11/21
G7 – Business Continuity Management
G7.1 – Press media handling and availability
Objective: To ensure the protection of organization image and reputation and to counteract interruptions
to business activities.
G7.1.1
Press Media and
Control
personnel handling
The business continuity plan shall include plans to
handle the media and personnel during crisis situations.
G7.1.2
Shareholder or Board Control
approval
The organization shall ensure that the Board or
shareholders of the organization agree to the decided
availability requirements.
Security Control Standard
©
V1.0,
Page 12/21
Appendix 2 – Lottery Specific Security Requirements
The list below contains the required controls that shall be implemented in lottery
organizations to become WLA certified. This is in addition to those controls defined in
ISO 27001 Annex A and Part A above and shall be part of the organization’s
Information Security Management System (ISMS).
L1 – Instant Tickets
L1.1 – Instant game design
Objective: To ensure that game designs meet legal and regulatory requirements and are authorized at the
appropriate level before going into production.
L1.1.1
Documented instant
Control
ticket procedures
Formal procedures shall be developed and documented
covering the design, development, production, and
release of Instant Games.
L1.1.2
Game design
Control
approval
Final game design shall be formally approved through a
process involving the Security Function.
L1.1.3
Supplier selection
Control
Printers/Suppliers of instant tickets shall be subject to a
selection and approval process. The approval shall
involve the Security Function.
L1.1.4
Security requirements Control
Specific security requirements relating to the game and
the physical instant ticket shall be documented and
formally part of the contract with the supplier/printer.
L1.1.5
Quality control
Control
Quality control requirements for printing instant tickets
shall be documented and part of the contract with the
supplier/printer.
L1.1.6
Policy on audits and
Control
laboratory testing
A policy shall be established describing required audits of
game design, ticket printing and at least once a year
laboratory testing.
Security Control Standard
©
V1.0,
Page 13/21
L1.2 – Instant ticket printing
Objective: To ensure that instant tickets comply with the organization’s security standards for production
and printing.
L1.2.1
Instant ticket printing
Control
requirements
The organization shall provide the printer/supplier with a
detailed game specification and detailed security
requirements.
L1.2.2
Printing quality
Control
assurance
Security requirements shall include a requirement for a
supplier/printer internal quality assurance function.
L1.2.3
Encrypted validation
Control
numbers
Security requirements shall include validation numbers
using encryption techniques.
L1.2.4
Encrypted validation
Control
and winner files
Security requirements shall include validation files and
winner information stored using encryption techniques.
L1.2.5
Ticket verification
Control
Checks of random samples of ticket packs for each game
shall be carried out to ensure that games conform to the
tolerances set out in the organization’s specification.
L1.2.6
Acceptance testing of Control
data
Security requirements shall include that after the first
print run and before launch, inventory and validation data
is provided to the appointed organization’s security or
quality assuring function for acceptance testing.
L1.3 – Shipment of instant tickets
Objective: To ensure the secure transportation of instant tickets from the printer/supplier to the
organization.
L1.3.1
Shipping manifest
Control
Shipping requirements shall specify that a complete
shipping manifest shall be sent to the organization before
a consignment is dispatched.
L1.3.2
Transportation
Control
method
The organization shall ensure that the shipment process
is according to an agreed (either through a direct
agreement or through an agreement with the supplier)
method of transportation that is not to be varied without
authority from the organization.
L1.3.3
Sealed transport
Control
containers
The agreement shall specify that containers must be
sealed and seal numbers recorded on manifests.
Security Control Standard
©
V1.0,
Page 14/21
L1.4 – Storage and distribution of instant tickets
Objective: To ensure that instant tickets are stored and distributed in a secure manner.
L1.4.1
Storage facility audits
Control
A procedure shall be established to provide for
authorized personnel inspecting instant ticket storage
facilities at least annually.
L1.4.2
Ticket transport
Control
verification
Each consignment of instant tickets shall be formally
verified on arrival
L1.4.3
Ticket verification
Control
procedure
An arrival verification procedure shall ensure that seal
numbers are correct and that the security of the container
has been maintained.
L1.4.4
Ticket verification
Control
outcome
The verification outcome shall be documented and in
case of non-conformities and/or irregularities action shall
be taken to determine whether the security of a
consignment has been compromised.
L1.4.5
Instant ticket control
Control
system
A control system shall be in place to account for packs of
instant tickets from the time they arrive at the
organization's storage facilities to the time they arrive at
the retailer.
L1.5 – Retailer security – instant tickets
Objective: To ensure that retailers conform to the security requirements applicable to the receipt, storage
and sale of instant tickets.
L1.5.1
Instant ticket receipt
Control
by retailers
The organization shall require retailers either via contract
or other means to validate the integrity of packages of
instant ticket on receipt and are to confirm that they have
received a particular consignment of tickets.
L1.5.2
Receipt confirmation
Control
Upon receipt confirmation, the tickets shall be formally
recorded as having been issued to that retailer.
L1.5.3
Retailer instructions
Control
The organization shall provide retailers with instructions
regarding prize claim payout, ticket validation, instant
ticket handling and storage, reporting of security issues
and the handling of lost and stolen tickets.
L1.5.4
Retailer security
Control
training
The organization shall provide and document training for
retailers to enable them to meet the security
requirements for handling instant tickets.
Security Control Standard
©
V1.0,
Page 15/21
L1.6 – Instant game closures
Objective: To ensure that security control and audit requirements are maintained when an Instant game is
closed.
L1.6.1
Game closure
Control
procedure
The organization shall produce and circulate a game
closure procedure to be used in the closure of an instant
game.
L1.6.2
Retailer information
Control
The method and timing of informing retailers of
a game closure and the collection of tickets
shall be established and documented.
L1.6.3
Balance of ticket
Control
stock
A method to be used to balance game tickets held in
storage and by retailers shall be established and
documented.
L1.6.4
Stock audit check
Control
Requirements for audit checks of instant ticket stock shall
be established and documented.
L1.6.5
Authorized parties
Control
Parties authorized to close a game and/or destroy tickets
shall be formally defined.
L1.6.6
Ticket destruction
Control
The method and control of ticket destruction shall be
formally established.
L2 – Lottery Draws
L2.1 – Lottery draw management
Objective: To ensure that draws are conducted at times required by regulation and in accordance with the
rules of the applicable lottery game.
L2.1.1
Draw event
Control
A policy shall be established to ensure that lottery draws
are conducted as a planned and controlled event and in
accordance with a clear working instruction.
L2.1.2
Draw working
Control
instructions
The organization shall publish a working instruction prior
to any draw including special instructions with respect to
the draw.
L2.1.3
Draw team members
Control
The working instruction shall include the composition of a
draw team including their contact telephone numbers.
L2.1.4
Draw team duties
Control
The working instruction shall include the duties of the
identified members of the draw team.
L2.1.5
Reserve draw team
Control
The working instruction shall nominate persons as
reserves and detail on the deployment of the reserve
team.
L2.1.6
Draw timing
Control
The working instruction shall include the detailed timings
of the draw operation from opening the draw location to
closing that location.
L2.1.7
Draw observers
Control
The working instruction shall include details of any
requirement under the Lottery Rules for independent
observers to be present during a draw.
Security Control Standard
©
V1.0,
Page 16/21
L2.2 – Conduct of the draw
Objective: To ensure that the conduct of draws is within regulatory requirements and the rules of the
applicable lottery game.
L2.2.1
Draw procedure
Control
The organization shall establish a detailed draw
procedure to ensure that all draw functions are
conducted in compliance with the rules of the applicable
lottery game and regulatory requirements.
L2.2.2
Draw step-by-step
Control
guide
The draw procedure shall include a step-by-step guide of
the draw process.
L2.2.3
Draw location
Control
The draw procedure shall include the definition of the
draw location.
L2.2.4
Draw attendance and
Control
responsibilities
The draw procedure shall include a definition of the
attendance at the draw and the responsibilities and
actions of all participants.
L2.2.5
Draw supervision
Control
The draw procedure shall define the policy regarding the
attendance of an (independent) compliance officer or an
auditor.
L2.2.6
Draw operation
Control
security
The draw procedure shall include adequate security
measures for the draw operation and all equipment used
during the draw process.
L2.2.7
Draw emergency
Control
The draw procedure shall include actions in the event of
an emergency occurring at any time during the course of
the draw.
Security Control Standard
©
V1.0,
Page 17/21
L2.3 – Physical drawing appliances and ball sets
Objective: To ensure that physical draw appliances and ball sets meet agreed security requirements
and/or regulatory specifications.
L2.3.1
Inspection procedure
Control
A procedure for inspection of draw appliances and ball
sets on delivery and thereafter in consultation with an
independent authority (to ensure compliance with
technical specifications and standards) on a regular basis
shall be established.
L2.3.2
Regular inspection
Control
and maintenance
Inspections and maintenance of the draw appliances
shall be carried out and documented at least annually to
retain the specified standards throughout the machine’s
working life.
L2.3.3
Compatible ball sets
Control
The organization shall establish a procedure that
provides for the use of ball sets manufactured to those
measurements and weight tolerances compatible with
the drawing machine to be used.
L2.3.4
Replacement draw
Control
appliance
The organization shall establish a procedure that
provides for the availability of a substitute draw appliance
and ball set(s) for use in the event of mechanical
problems or failure of any kind, if drawings are
broadcasted live.
L2.3.5
Draw appliance and
Control
ball set handling,
The organization shall establish a procedure that
storage and
provides for the secure storage, movement, and handling
movement
of draw appliances and ball sets.
Security Control Standard
©
V1.0,
Page 18/21
L3 – Retailer Security
L3.1 – Recruitment and set-up
Objective: To ensure that only approved people, operating in approved locations, are accepted as
retailers to sell the organization’s products on and off-line.
L3.1.1
Retailer contract
Control
Retailers shall be engaged under the terms of an agreed
contract.
L3.2 – Retailer operations
Objective: To ensure that retailer operations, on and off-line, conform to organization security
requirements.
L3.2.1
Retailer security
Control
To enable retailers to conform to organizational security
requirements, the organization shall specify a security
environment within the retailer is required to operate.
L3.3 – Gaming terminal security
Objective: To ensure the adequacy of gaming terminal security.
L3.3.1
Transaction security
Control
Gaming terminals shall include provisions for
authentication and encryption of the data traffic between
the terminal and the central computer gaming system.
L3.3.2
Terminal security
Control
testing
Thorough testing of terminal security functionality shall
be performed prior to production environment use. This
testing shall include provisions that the correct version of
software is in place.
L3.3.3
Self-service terminal
Control
security
Self service terminals shall have security mechanisms in
place to protect game integrity.
Security Control Standard
©
V1.0,
Page 19/21
L4 – Prize Money Protection
L4.1 – Validation and payout of prizes
Objective: To ensure that the organization has the necessary controls in place for validation and payment
of prizes.
L4.1.1
Validity of winning
Control
information
The organization shall implement procedures to ensure
the validity of winning transactions, claims and/or tickets.
L4.1.2
Validation processes
Control
The organization shall define and document validation
processes for different prize levels and types of games.
L4.1.3
Prize payout
Control
The organization shall define the process for payment or
transfer of prizes.
L4.2 – Unclaimed prize money
Objective: To secure unclaimed prize money before and after the end of the prize claim period.
L4.2.1
Unique ticket
Control
reference number
Provisions shall be made in the on-line production
system for each ticket issued to have a unique reference
number.
L4.2.2
Procedure for the
Control
protection of
The organization shall develop, circulate and maintain a
unclaimed prize
procedure specifically related to the protection of
money
unclaimed prize money and data files containing
information relating to the payout status of each game,
the specific transactions yet to be claimed and the
validation files.
L4.2.3
Prize payout period
Control
and auditing
The procedure shall cover the entire prize payout period
as well as the auditing of the final transfers upon game
settlement.
L4.2.4
Payout rules and
Control
inquiries
The procedure shall confirm the rules covering ticket
validity time, payout on lost and defaced tickets, inquiries
into the validity of claims and late or last minute payouts.
L4.2.5
Unclaimed prize
Control
information access
The procedure shall confirm that access control be strict
control
and limited to that required in respect of records of
unclaimed prizes.
L4.2.6
Access reporting
Control
The procedure shall confirm a reporting process in case
of unauthorized access attempts.
L4.2.7
Escalation process
Control
The procedure shall confirm an escalation process for
any incident or suspicious activity.
L4.2.8
Audits of access log
Control
information
The procedure shall confirm that access logs are subject
to regular and frequent audit at least every six months.
L4.2.9
Audit trails
Control
The procedure shall confirm audit trails able to identify
unusual patterns of late payouts.
Security Control Standard
©
V1.0,
Page 20/21
L5 – Sales Staff and Customer Services
L5.1 – Staff working outside organization premises
Objective: To ensure that sales representatives and technicians working outside of lottery premises are
receiving an adequate level of protection.
L5.1.1
Staff working outside
Control
of organization
A policy shall be established to ensure that staff working
premises
outside lottery premises are receiving and implementing
an adequate level of protection.
L5.2 – Customer service areas
Objective: To ensure that the customer service and prize claim areas are receiving an adequate level of
protection.
L5.2.1
Staff working in
Control
sensitive areas with
A policy shall be established to ensure that staff working
public access
in sensitive areas with public access is receiving an
adequate level of protection.
L6 – Internet Gaming Systems
L6.1 – Internet-based sales of games
Objective: In order to protect the Internet gaming system and player information, the confidentiality,
integrity and availability of Internet gaming systems shall be maintained.
L6.1.1
Layered systems
Control
architecture
The organization shall provide a layered approach within
the internet gaming systems architecture to ensure
secure storage and processing of information.
L6.1.2
Active and passive
Control
attacks
Appropriate measures shall be in place to minimize the
success and/or impact of common active and passive
attacks.
L6.1.3
Network segregation
Control
Production databases containing player or transaction
data shall reside on networks separated from the servers
hosting the web pages.
L6.1.4
Session information
Control
Session cookies shall always be created in memory, be
random and removed after the user’s session has ended.
Security Control Standard
©
V1.0,
Page 21/21

Documentos relacionados