Security Control Standard - World Lottery Association
Security Control Standard©
The security and risk management baseline for the lottery sector worldwide
Updated by the WLA Security and Risk Management Committee
V1.0, November 2006
The WLA Security Control Standard© is the Property of the World Lottery Association

Table of contents

Table of contents 2
Foreword 5
1. Introduction 5
1.1 Purpose 5
1.2 Legal compliance 5
1.3 Disclaimer 6
1.4 Compatibility with Other Management Systems 6
1.5 How to Use This Document 6
2. The WLA SCS Framework and WLA Certification 7
2.1 Framework Components 7
2.2 Certification Requirements 7
2.2.1 Introduction 7
2.2.2 Part A – General Security Requirements 7
2.2.3 Part B – Lottery Specific Security Requirements (including Appendix 2) 8
Appendix 1 – General Security: WLA Basic Controls 9
G1 Organization of Security 9
G1.1 Allocation of security responsibilities 9
G2 Human Resources Security 10
G2.1 Implementation of a Code of Conduct 10
G2.2 Information Security awareness, education and training 10
G3 Physical and Environmental Security 10
G3.1 Secure areas 10
G4 Operations Management 10
G4.1 Protection against security vulnerabilities 10
G5 Access Control 11
G5.1 Remote user access management 11
G6 Information Systems Maintenance 11
G6.1 Cryptographic controls 11
G6.2 System testing 11
G7 Business Continuity Management 12
G7.1 Press media handling and availability 12
Appendix 2 – Lottery Specific Security Requirements 13
L1 Instant Tickets 13
L1.1 Instant game design 13
L1.2 Instant ticket printing 14
L1.3 Shipment of instant tickets 14
L1.4 Storage and distribution of instant tickets 15
L1.5 Retailer security – instant tickets 15
L1.6 Instant game closures 16
Security Control Standard © V1.0, Page 2/21
L2 Lottery Draws 16
L2.1 Lottery draw management 16
L2.2 Conduct of the draw 17
L2.3 Physical drawing appliances and ball sets 18
L3 Retailer Security 19
L3.1 Recruitment and set-up 19
L3.2 Retailer operations 19
L3.3 Gaming terminal security 19
L4 Prize Money Protection 20
L4.1 Validation and payout of prizes 20
L4.2 Unclaimed prize money 20
L5 Sales Staff and Customer Services 21
L5.1 Staff working outside organization premises 21
L5.2 Customer service areas 21
L6 Internet Gaming Systems 21
L6.1 Internet-based sales of games 21

Foreword

The World Lottery Association has recognized the need for adequate security standards from its very beginning and further developed the work started by its predecessor organizations. The first Security and Risk Management Committee was established in 1989 and is currently known as the WLA Security & Risk Management Committee (SRMC). Representatives and security specialists from lottery organizations around the world are members of the Committee and actively participate in the development of these standards. One of its most important areas of responsibility is the WLA Security Control Standard© (WLA-SCS), the lottery sector's only internationally recognized security standard.

The Committee reviews security standards for use by the lottery sector and acts as a focal point for the sector on security issues. Its mission includes making recommendations to members on problems and solutions, holding regular seminars for WLA members and overseeing the security standard certification process. All new or updated standards have to be approved and released by the WLA Executive Committee to become formally applicable.

Any comments or suggestions regarding the WLA-SCS and the certification shall be directed to the WLA Security & Risk Management Committee.

1. Introduction

1.1 Purpose

Security is a key element in the successful operation of a lottery. A critical factor of the operation is confidence both by the player and the principal stakeholders in those who manage the operation themselves. It is essential, therefore, that a visible and documented security environment is developed and maintained in order to achieve and sustain public confidence in the operation.

The WLA Security Control Standard is designed to assist the lottery sector around the globe in obtaining a level of controls in line with generally accepted practices to enable an increased reliance on the integrity of lottery operations. The Standard prescribes the existence of a security management process compliant with International Standards and a common security baseline for lottery specific aspects that represent good practice. It can be considered a first step towards building the necessary trust relationship with other lotteries, stakeholders and regulators for the purpose of conducting lottery operations or multi-jurisdictional games.

Through experience, the WLA Security Control Standard has proven to be of substantial assistance by giving management an independent review to build increased confidence in an organization's security. WLA Members considering operating games together may seek confirmation from the WLA that other members involved are certified as complying with the WLA Security Control Standard. Additional game-specific security requirements and procedures may need to be agreed between these members.

The WLA Executive Committee has authorized specific third-party certifying bodies to perform reviews of WLA Members and Associate Members [1] wishing to certify their operations against this Standard. Certification can be obtained by conforming to the requirements of the Standard at the moment of the actual assessment. The WLA allows certified members to confirm their compliance to the Standard for a continuous period of three years following a certification as long as at least 12-monthly follow-up reviews occur by one of the designated certifying bodies.
1.2 Legal Compliance

In cases where contradictions between applicable laws or regulation and the contents of this Standard exist, applicable laws and regulation shall always take precedence.

[1] WLA Associate Members can achieve WLA-SCS certification through a formal assessment against the WLA-SCS Part A.

1.3 Disclaimer

WLA-SCS certification does not guarantee that a WLA Member or Associate Member will not be subject to a security incident, but it is rather intended to decrease the likelihood of such events. Therefore, certification cannot lead to any commercial liability on behalf of the WLA or the certifying body.

1.4 Compatibility with Other Management Systems

The WLA Security Control Standard is based on the ISO 27001 [2] standard in order to support consistent implementation and operation with other management standards (for example ISO 9001).

1.5 How to Use This Document

The WLA Security Control Standard sets out the requirements for organizations that seek certification and is written for an audience with knowledge about security. The intention is not for the reader to be educated on lottery security as such; rather the document is to be used to determine which security measures need to be implemented in order to comply with the WLA Standard. Please contact WLA SRMC or one of the approved certifying bodies for more information if needed.

This WLA Standard is separated into two parts. Part A includes requirements related to the International Standard for Information Security Management Systems ISO/IEC 27001, the Scope requirement and the WLA Basic Controls. Part B covers Lottery specific requirements.

The WLA has no intent to remove the autonomy that organizations in the lottery sector enjoy. As such, although the controls environment specified will need to exist to achieve certification, the specific technologies, methodologies, or processes used to achieve compliance are left to individual organizations.

[2] In the formally published version effective at the time of the WLA-SCS Standard release.

2. The WLA SCS Framework and WLA Certification

2.1 Framework Components

(Figure: framework components of the WLA Security Control Standard)
WLA Security Control Standard
  Introduction
  Part A – General Security Requirements: ISO/IEC 27001 Requirements, Scope Requirements, WLA Basic Controls
  Part B – Lottery Specific Security Requirements

2.2 Certification Requirements

2.2.1 Introduction

WLA Members seeking WLA certification shall ensure compliance with Part A and Part B below. WLA Associate Members shall ensure compliance with Part A below. In order to become WLA certified, all organizations must seek certification by one of the WLA approved certifying bodies.

2.2.2 Part A – General Security Requirements

ISO/IEC 27001 – ISMS Requirements

Obtain the ISO/IEC 27001 (ISO 27001) standard document from a standardization body [3] and ensure compliance of your organization. ISO 27001 requires that an Information Security Management System (ISMS) is established, implemented, operated, monitored and continuously improved. Important steps in order to implement an ISMS include defining the scope, developing a policy, performing risk assessment, the selection of controls, and producing a 'Statement of Applicability' [4]. All parts of the ISMS shall be documented and the ISMS shall be formally approved and regularly reviewed by top management.

[3] ISO/IEC 27001 (based on the earlier BS7799-2:2002) is a globally accepted certification standard for Information Security Management. The Standard is aligned with a Code of Practice for Information Security Management (also available via ISO). It is highly recommended to seek guidance in this Code of Practice. The WLA can assist members obtaining these documents.

[4] The Statement of Applicability is a documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.
The management system is based on the cyclic model of 'Plan – Do – Check – Act', which is applied to structure all ISMS processes and to ensure continual improvement based on objective measurement.

• Plan – Establish the ISMS
• Do – Implement and operate the ISMS
• Check – Monitor and review the ISMS
• Act – Maintain and improve the ISMS

ISO 27001 ensures that a mandatory risk based approach is in place and aims at achieving effective information security through a continual improvement process. Further details can be found in the ISO 27001 document.

Scope Requirements

The organization is required to include all lottery related activities of its operation, including all related systems, under the scope of certification. Any exclusion from the scope or controls shall be justified in detail and challenged by the certifying bodies.

WLA Basic Controls (Appendix 1)

In addition to those control objectives and controls required in ISO 27001 Annex A, the WLA has defined additional controls which shall be implemented in order to become WLA certified. These controls are listed in Appendix 1 and are to be reflected in the Statement of Applicability. The list of controls in ISO 27001 and as defined by WLA is not exhaustive and an organization may decide that additional controls are necessary.

2.2.3 Part B – Lottery Specific Security Requirements (including Appendix 2)

The WLA Lottery Specific Security Controls are listed in Appendix 2. This part covers lottery specific security aspects. In order to obtain WLA certification, all these controls shall be applied if not entirely inapplicable (e.g. if a WLA Member does not offer draw games, identified controls need not be included) and must be reflected in the Statement of Applicability.
Appendix 1 – General Security: WLA Basic Controls

The list below contains the required controls that shall be implemented in organizations to become WLA certified. This is in addition to those controls defined in ISO 27001 Annex A and shall be part of the organization's Information Security Management System (ISMS).

G1 – Organization of Security

G1.1 – Allocation of security responsibilities
Objective: To ensure that security function responsibilities are effectively implemented.

G1.1.1 Security Forum
Control: A Security Forum or other organizational structure comprised of senior managers shall be formally established, monitor and review the ISMS, maintain formal minutes of meetings and convene at least every six months.

G1.1.2 Security Function
Control: A Security Function shall exist that will be responsible to draft and implement security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not limited to, the protection of information, communications, physical infrastructure, and game processes.

G1.1.3 Security Function reporting
Control: The Security Function shall report to no lower than executive level management and not reside within or report to the IT Function.

G1.1.4 Security Function position
Control: The Function shall be sufficiently empowered, and must have access to all necessary corporate resources to enable the adequate assessment, management, and reduction of risk.

G1.1.5 Security Function responsibility
Control: The head of the Security Function shall be a full member of the Security Forum and be responsible for recommending security policies and changes.

G2 – Human Resources Security

G2.1 – Implementation of a Code of Conduct
Objective: To ensure that a suitable Code of Conduct is effectively implemented.

G2.1.1 Code of Conduct
Control: A Code of Conduct shall be issued to all personnel when initially employed. All personnel shall formally acknowledge acceptance of this Code.

G2.1.2 Adherence and disciplinary action
Control: The Code of Conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the Code could lead to disciplinary action.

G2.1.3 Conflict of Interest
Control: The Code of Conduct shall include statements that employees are required to declare conflicts of interest on employment and as and when they occur. Specific examples of Conflict of Interest shall be cited within the Code.

G2.1.4 Policy on hospitality or gifts
Control: The Code of Conduct shall include a policy regarding hospitality or gifts provided by persons or entities with which the organization transacts business.

G2.2 – Information Security awareness, education and training
Objective: To ensure that all employees are aware of information security as implemented by the organization as quickly as possible.

G2.2.1 Awareness Training
Control: All newly hired employees and, where relevant, new contractors and new third party users shall receive appropriate awareness training within two weeks of work commencement and regularly thereafter. Such training shall be documented and formally acknowledged by staff.

G3 – Physical and Environmental Security

G3.1 – Secure areas
Objective: To ensure that areas providing access to production gaming data centers or other systems effectively important for the gaming operations are adequately secured.

G3.1.1 Physical entry controls
Control: Physical access to production gaming system data centers, computer rooms, network operations centers and other defined critical areas shall have a two-factor authentication process. Single-factor electronic access control methods are acceptable if the area is staffed at all times.

G4 – Operations Management

G4.1 – Protection against security vulnerabilities
Objective: To ensure that important systems for gaming operations or the support thereof are adequately secured against security vulnerabilities.

G4.1.1 Control against security vulnerabilities on important systems for gaming operations
Control: The IT function shall ensure that documented procedures are in place for the management of security vulnerability patches on important systems for gaming operations and that reviews with regard to the patch level of all installed software are regularly conducted.

G5 – Access Control

G5.1 – Remote user access management
Objective: To ensure authorized remote user access and to prevent unauthorized access to gaming information systems.

G5.1.1 Remote user access to gaming systems
Control: Gaming computer systems shall only be accessed from locations outside organization-controlled premises, excluding player participation in organization-offered games, in case of emergency situations.

G5.1.2 Remote user access functions
Control: The range of functions available to the user shall be defined in conjunction with the Process Owner, the IT Function and the Security Function.

G5.1.3 Remote user access logging
Control: All actions performed through remote user access shall be logged and these logs shall be regularly reviewed.

G5.1.4 Remote user access reporting
Control: For every remote user access a security incident report shall be filed with the Security Function.

G6 – Information Systems Maintenance

G6.1 – Cryptographic controls
Objective: To protect the confidentiality, authenticity and integrity of important gaming and lottery related information by cryptographic means.

G6.1.1 Cryptographic controls for data on portable systems
Control: Encryption shall be applied for non-public organization data on portable computer systems (laptops, USB devices, etc.).

G6.1.2 Cryptographic controls for networks
Control: Encryption shall be applied for sensitive information passed over networks which risk analysis has shown to have an inadequate level of protection, including validation or other important gaming information, electronic mail, etc.

G6.1.3 Cryptographic controls for storage of winning information
Control: Integrity measures must be applied for the storage of winning ticket data and validation information.

G6.1.4 Cryptographic controls for validation numbers
Control: Encryption shall be applied for instant ticket validation numbers.

G6.1.5 Cryptographic controls for transfers
Control: Encryption shall be applied for financial transactions between the organization and a banking institution.

G6.2 – System testing
Objective: To maintain the security, confidentiality and integrity of test data.

G6.2.1 Test methodology policy and data
Control: The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player personal information.

G7 – Business Continuity Management

G7.1 – Press media handling and availability
Objective: To ensure the protection of organization image and reputation and to counteract interruptions to business activities.

G7.1.1 Press Media and personnel handling
Control: The business continuity plan shall include plans to handle the media and personnel during crisis situations.

G7.1.2 Shareholder or Board approval
Control: The organization shall ensure that the Board or shareholders of the organization agree to the decided availability requirements.

Appendix 2 – Lottery Specific Security Requirements

The list below contains the required controls that shall be implemented in lottery organizations to become WLA certified.
This is in addition to those controls defined in ISO 27001 Annex A and Part A above and shall be part of the organization's Information Security Management System (ISMS).

L1 – Instant Tickets

L1.1 – Instant game design
Objective: To ensure that game designs meet legal and regulatory requirements and are authorized at the appropriate level before going into production.

L1.1.1 Documented instant ticket procedures
Control: Formal procedures shall be developed and documented covering the design, development, production, and release of Instant Games.

L1.1.2 Game design approval
Control: Final game design shall be formally approved through a process involving the Security Function.

L1.1.3 Supplier selection
Control: Printers/Suppliers of instant tickets shall be subject to a selection and approval process. The approval shall involve the Security Function.

L1.1.4 Security requirements
Control: Specific security requirements relating to the game and the physical instant ticket shall be documented and formally part of the contract with the supplier/printer.

L1.1.5 Quality control
Control: Quality control requirements for printing instant tickets shall be documented and part of the contract with the supplier/printer.

L1.1.6 Policy on audits and laboratory testing
Control: A policy shall be established describing required audits of game design and ticket printing, and laboratory testing at least once a year.

L1.2 – Instant ticket printing
Objective: To ensure that instant tickets comply with the organization's security standards for production and printing.

L1.2.1 Instant ticket printing requirements
Control: The organization shall provide the printer/supplier with a detailed game specification and detailed security requirements.

L1.2.2 Printing quality assurance
Control: Security requirements shall include a requirement for a supplier/printer internal quality assurance function.

L1.2.3 Encrypted validation numbers
Control: Security requirements shall include validation numbers using encryption techniques.

L1.2.4 Encrypted validation and winner files
Control: Security requirements shall include validation files and winner information stored using encryption techniques.

L1.2.5 Ticket verification
Control: Checks of random samples of ticket packs for each game shall be carried out to ensure that games conform to the tolerances set out in the organization's specification.

L1.2.6 Acceptance testing of data
Control: Security requirements shall include that after the first print run and before launch, inventory and validation data is provided to the appointed organization's security or quality assuring function for acceptance testing.

L1.3 – Shipment of instant tickets
Objective: To ensure the secure transportation of instant tickets from the printer/supplier to the organization.

L1.3.1 Shipping manifest
Control: Shipping requirements shall specify that a complete shipping manifest shall be sent to the organization before a consignment is dispatched.

L1.3.2 Transportation method
Control: The organization shall ensure that the shipment process is according to an agreed (either through a direct agreement or through an agreement with the supplier) method of transportation that is not to be varied without authority from the organization.

L1.3.3 Sealed transport containers
Control: The agreement shall specify that containers must be sealed and seal numbers recorded on manifests.

L1.4 – Storage and distribution of instant tickets
Objective: To ensure that instant tickets are stored and distributed in a secure manner.

L1.4.1 Storage facility audits
Control: A procedure shall be established to provide for authorized personnel inspecting instant ticket storage facilities at least annually.

L1.4.2 Ticket transport verification
Control: Each consignment of instant tickets shall be formally verified on arrival.

L1.4.3 Ticket verification procedure
Control: An arrival verification procedure shall ensure that seal numbers are correct and that the security of the container has been maintained.

L1.4.4 Ticket verification outcome
Control: The verification outcome shall be documented and in case of non-conformities and/or irregularities action shall be taken to determine whether the security of a consignment has been compromised.

L1.4.5 Instant ticket control system
Control: A control system shall be in place to account for packs of instant tickets from the time they arrive at the organization's storage facilities to the time they arrive at the retailer.

L1.5 – Retailer security – instant tickets
Objective: To ensure that retailers conform to the security requirements applicable to the receipt, storage and sale of instant tickets.

L1.5.1 Instant ticket receipt by retailers
Control: The organization shall require retailers, either via contract or other means, to validate the integrity of packages of instant tickets on receipt and to confirm that they have received a particular consignment of tickets.

L1.5.2 Receipt confirmation
Control: Upon receipt confirmation, the tickets shall be formally recorded as having been issued to that retailer.

L1.5.3 Retailer instructions
Control: The organization shall provide retailers with instructions regarding prize claim payout, ticket validation, instant ticket handling and storage, reporting of security issues and the handling of lost and stolen tickets.

L1.5.4 Retailer security training
Control: The organization shall provide and document training for retailers to enable them to meet the security requirements for handling instant tickets.

L1.6 – Instant game closures
Objective: To ensure that security control and audit requirements are maintained when an Instant game is closed.

L1.6.1 Game closure procedure
Control: The organization shall produce and circulate a game closure procedure to be used in the closure of an instant game.

L1.6.2 Retailer information
Control: The method and timing of informing retailers of a game closure and the collection of tickets shall be established and documented.

L1.6.3 Balance of ticket stock
Control: A method to be used to balance game tickets held in storage and by retailers shall be established and documented.

L1.6.4 Stock audit check
Control: Requirements for audit checks of instant ticket stock shall be established and documented.

L1.6.5 Authorized parties
Control: Parties authorized to close a game and/or destroy tickets shall be formally defined.

L1.6.6 Ticket destruction
Control: The method and control of ticket destruction shall be formally established.

L2 – Lottery Draws

L2.1 – Lottery draw management
Objective: To ensure that draws are conducted at times required by regulation and in accordance with the rules of the applicable lottery game.

L2.1.1 Draw event
Control: A policy shall be established to ensure that lottery draws are conducted as a planned and controlled event and in accordance with a clear working instruction.

L2.1.2 Draw working instructions
Control: The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw.

L2.1.3 Draw team members
Control: The working instruction shall include the composition of a draw team including their contact telephone numbers.

L2.1.4 Draw team duties
Control: The working instruction shall include the duties of the identified members of the draw team.

L2.1.5 Reserve draw team
Control: The working instruction shall nominate persons as reserves and detail the deployment of the reserve team.

L2.1.6 Draw timing
Control: The working instruction shall include the detailed timings of the draw operation from opening the draw location to closing that location.

L2.1.7 Draw observers
Control: The working instruction shall include details of any requirement under the Lottery Rules for independent observers to be present during a draw.

L2.2 – Conduct of the draw
Objective: To ensure that the conduct of draws is within regulatory requirements and the rules of the applicable lottery game.

L2.2.1 Draw procedure
Control: The organization shall establish a detailed draw procedure to ensure that all draw functions are conducted in compliance with the rules of the applicable lottery game and regulatory requirements.

L2.2.2 Draw step-by-step guide
Control: The draw procedure shall include a step-by-step guide of the draw process.

L2.2.3 Draw location
Control: The draw procedure shall include the definition of the draw location.

L2.2.4 Draw attendance and responsibilities
Control: The draw procedure shall include a definition of the attendance at the draw and the responsibilities and actions of all participants.

L2.2.5 Draw supervision
Control: The draw procedure shall define the policy regarding the attendance of an (independent) compliance officer or an auditor.

L2.2.6 Draw operation security
Control: The draw procedure shall include adequate security measures for the draw operation and all equipment used during the draw process.

L2.2.7 Draw emergency
Control: The draw procedure shall include actions in the event of an emergency occurring at any time during the course of the draw.

L2.3 – Physical drawing appliances and ball sets
Objective: To ensure that physical draw appliances and ball sets meet agreed security requirements and/or regulatory specifications.

L2.3.1 Inspection procedure
Control: A procedure for inspection of draw appliances and ball sets on delivery, and thereafter on a regular basis in consultation with an independent authority (to ensure compliance with technical specifications and standards), shall be established.

L2.3.2 Regular inspection and maintenance
Control: Inspections and maintenance of the draw appliances shall be carried out and documented at least annually to retain the specified standards throughout the machine's working life.

L2.3.3 Compatible ball sets
Control: The organization shall establish a procedure that provides for the use of ball sets manufactured to those measurements and weight tolerances compatible with the drawing machine to be used.

L2.3.4 Replacement draw appliance
Control: The organization shall establish a procedure that provides for the availability of a substitute draw appliance and ball set(s) for use in the event of mechanical problems or failure of any kind, if drawings are broadcast live.

L2.3.5 Draw appliance and ball set handling, storage and movement
Control: The organization shall establish a procedure that provides for the secure storage, movement, and handling of draw appliances and ball sets.

L3 – Retailer Security

L3.1 – Recruitment and set-up
Objective: To ensure that only approved people, operating in approved locations, are accepted as retailers to sell the organization's products on and off-line.

L3.1.1 Retailer contract
Control: Retailers shall be engaged under the terms of an agreed contract.

L3.2 – Retailer operations
Objective: To ensure that retailer operations, on and off-line, conform to organization security requirements.

L3.2.1 Retailer security
Control: To enable retailers to conform to organizational security requirements, the organization shall specify a security environment within which the retailer is required to operate.

L3.3 – Gaming terminal security
Objective: To ensure the adequacy of gaming terminal security.

L3.3.1 Transaction security
Control: Gaming terminals shall include provisions for authentication and encryption of the data traffic between the terminal and the central computer gaming system.

L3.3.2 Terminal security testing
Control: Thorough testing of terminal security functionality shall be performed prior to production environment use. This testing shall include provisions that the correct version of software is in place.

L3.3.3 Self-service terminal security
Control: Self-service terminals shall have security mechanisms in place to protect game integrity.

L4 – Prize Money Protection

L4.1 – Validation and payout of prizes
Objective: To ensure that the organization has the necessary controls in place for validation and payment of prizes.

L4.1.1 Validity of winning information
Control: The organization shall implement procedures to ensure the validity of winning transactions, claims and/or tickets.

L4.1.2 Validation processes
Control: The organization shall define and document validation processes for different prize levels and types of games.

L4.1.3 Prize payout
Control: The organization shall define the process for payment or transfer of prizes.

L4.2 – Unclaimed prize money
Objective: To secure unclaimed prize money before and after the end of the prize claim period.

L4.2.1 Unique ticket reference number
Control: Provisions shall be made in the on-line production system for each ticket issued to have a unique reference number.

L4.2.2 Procedure for the protection of unclaimed prize money
Control: The organization shall develop, circulate and maintain a procedure specifically related to the protection of unclaimed prize money and data files containing information relating to the payout status of each game, the specific transactions yet to be claimed and the validation files.

L4.2.3 Prize payout period and auditing
Control: The procedure shall cover the entire prize payout period as well as the auditing of the final transfers upon game settlement.

L4.2.4 Payout rules and inquiries
Control: The procedure shall confirm the rules covering ticket validity time, payout on lost and defaced tickets, inquiries into the validity of claims and late or last minute payouts.

L4.2.5 Unclaimed prize information access control
Control: The procedure shall confirm that access control be strict and limited to that required in respect of records of unclaimed prizes.

L4.2.6 Access reporting
Control: The procedure shall confirm a reporting process in case of unauthorized access attempts.

L4.2.7 Escalation process
Control: The procedure shall confirm an escalation process for any incident or suspicious activity.

L4.2.8 Audits of access log information
Control: The procedure shall confirm that access logs are subject to regular and frequent audit, at least every six months.

L4.2.9 Audit trails
Control: The procedure shall confirm audit trails able to identify unusual patterns of late payouts.

L5 – Sales Staff and Customer Services

L5.1 – Staff working outside organization premises
Objective: To ensure that sales representatives and technicians working outside of lottery premises are receiving an adequate level of protection.

L5.1.1 Staff working outside of organization premises
Control: A policy shall be established to ensure that staff working outside lottery premises are receiving and implementing an adequate level of protection.

L5.2 – Customer service areas
Objective: To ensure that the customer service and prize claim areas are receiving an adequate level of protection.

L5.2.1 Staff working in sensitive areas with public access
Control: A policy shall be established to ensure that staff working in sensitive areas with public access are receiving an adequate level of protection.
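Controls G6.1.3 (integrity measures for stored winning ticket data and validation information), L1.2.4 (validation and winner files) and L4.2.2 (protection of the validation files for unclaimed prizes) all require that a stored validation or winner file cannot be altered without detection. The following Python example, added here as an illustration and not code from the WLA or any lottery operator, shows one way to meet that requirement with a keyed MAC: each record is bound to its position in the file, and a file-level MAC covers the whole set so that edits, reordering, insertion and deletion are all detected. The key, the record layout and the sample records are constructed for the example; in practice the key would live in an HSM or key store and never alongside the file.

```python
"""HMAC-SHA256 integrity protection for a stored validation/winner file.

Hypothetical example written for this page. Assumptions: the verifier holds
a secret key that is NOT stored with the file, and records are small JSON
objects. Record layout and sample values below are constructed.
"""
import copy
import hashlib
import hmac
import json

FILE_LABEL = b"validation-file-v1"   # domain separation for the file-level MAC

# Constructed 32-byte key for the demonstration only (never hard-code in production).
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0")

# Constructed sample of an unclaimed-prize validation file (L4.2.2).
SAMPLE_RECORDS = [
    {"ticket_ref": "G17-000001-0442", "prize_tier": 3, "amount": 250.00, "status": "unclaimed"},
    {"ticket_ref": "G17-000001-0917", "prize_tier": 1, "amount": 50000.00, "status": "unclaimed"},
    {"ticket_ref": "G17-000002-0035", "prize_tier": 4, "amount": 25.00, "status": "paid"},
]


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _record_tag(key: bytes, index: int, record: dict) -> str:
    # Binding the index into the MAC input means a record cannot be moved.
    msg = str(index).encode("ascii") + b"|" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_records(records: list, key: bytes) -> dict:
    """Attach a per-record MAC to each record and a file MAC over all record MACs."""
    sealed = []
    file_mac = hmac.new(key, FILE_LABEL, hashlib.sha256)
    for idx, rec in enumerate(records):
        tag = _record_tag(key, idx, rec)
        sealed.append({"record": rec, "mac": tag})
        file_mac.update(tag.encode("ascii"))
    return {"records": sealed, "file_mac": file_mac.hexdigest()}


def verify_records(sealed: dict, key: bytes):
    """Return (ok, problems): problems lists failing record indices and/or 'file'."""
    problems = []
    file_mac = hmac.new(key, FILE_LABEL, hashlib.sha256)
    for idx, entry in enumerate(sealed.get("records", [])):
        expected = _record_tag(key, idx, entry["record"])
        # compare_digest avoids leaking where the comparison diverged via timing.
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            problems.append(idx)
        file_mac.update(entry.get("mac", "").encode("ascii"))
    if not hmac.compare_digest(file_mac.hexdigest(), sealed.get("file_mac", "")):
        problems.append("file")
    return (not problems, problems)


def tampered_status_change(sealed: dict) -> dict:
    """Simulate an insider flipping an unclaimed prize to 'paid' in the stored file."""
    altered = copy.deepcopy(sealed)
    altered["records"][1]["record"]["status"] = "paid"
    return altered


def tampered_deletion(sealed: dict) -> dict:
    """Simulate removal of the first record from the stored file."""
    altered = copy.deepcopy(sealed)
    del altered["records"][0]
    return altered


if __name__ == "__main__":
    sealed = seal_records(SAMPLE_RECORDS, SAMPLE_KEY)
    print("intact:  ", verify_records(sealed, SAMPLE_KEY))
    print("edited:  ", verify_records(tampered_status_change(sealed), SAMPLE_KEY))
    print("deleted: ", verify_records(tampered_deletion(sealed), SAMPLE_KEY))
```

The per-record MAC pinpoints which entry was edited (useful for the escalation process in L4.2.7), while the file-level MAC over the chain of record MACs is what catches a deleted or reordered record, since every record after the gap is then verified against the wrong index. Encrypting the file, as L1.2.4 additionally requires, would be layered on top of this with an authenticated cipher rather than replacing the integrity check.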
L6 – Internet Gaming Systems

L6.1 – Internet-based sales of games
Objective: In order to protect the Internet gaming system and player information, the confidentiality, integrity and availability of Internet gaming systems shall be maintained.

L6.1.1 Layered systems architecture
Control: The organization shall provide a layered approach within the internet gaming systems architecture to ensure secure storage and processing of information.

L6.1.2 Active and passive attacks
Control: Appropriate measures shall be in place to minimize the success and/or impact of common active and passive attacks.

L6.1.3 Network segregation
Control: Production databases containing player or transaction data shall reside on networks separated from the servers hosting the web pages.

L6.1.4 Session information
Control: Session cookies shall always be created in memory, be random and removed after the user's session has ended.