Testing strategy for compliance with remote gambling and software technical standards. First published August 2009


Updated July 2015

1 Introduction

1.1 Sections 89 and 97 of the Gambling Act 2005 enable the Commission to set technical standards for remote gambling systems and gambling software respectively, to make arrangements for the administration of tests of compliance with standards and to provide for the enforcement of standards and submission to tests by attaching conditions to operating licences. Condition 2.3 of the Commission's Licence conditions and codes of practice (LCCP) requires gambling software and remote operating licensees (including betting ancillary remote licensees) to comply with the Commission's technical standards and with requirements set by the Commission relating to the timing and procedures for testing.

1.2 This document sets out the Commission's current requirements for the timing and procedures for testing referred to in that Condition. It discusses the testing strategy for assessing compliance with the Remote gambling and software technical standards (RTS).

1.3 The Commission's approach to setting technical standards is outcome based to allow licensees flexibility as to the means of achieving the desired outcome. In a similar manner, the Commission takes a risk based approach to producing the testing strategy to ensure that its approach is reasonable, taking into account:
- the likelihood of non-compliance occurring
- the impact (on customers) of non-compliance
- the means available to assess compliance, and
- the likely burden imposed by the approach.

1.4 This document sets out:
- what the Commission would normally consider to be the types of testing required in order for it to be satisfied that the technical standards are being met
- who the Commission considers appropriate to carry out that testing
- the procedures for testing.

1.5 This is based on the potential impact of non-compliance on the customer and how obvious or easy it would be to determine whether a licensee and/or their systems are compliant.

1.6 There is scope for moderation or enhancement of the level of assurance required on these matters dependent on the Commission's view of the likelihood that any particular risk will crystallise for an individual licensee. The Commission will also have regard to a licensee's compliance record when determining if the current level of assurance is adequate.

2 Approach

2.1 In deciding what, and the level of, testing licensees are required to submit to we have categorised the visibility (vis) of compliance. That is, how easy it is to see whether a system or licensee is compliant. For example, it is easy to see whether an operator has mitigated the risk that a customer will not understand the rules of the game by providing easily accessible information, whereas the underlying fairness of the game is more difficult to observe.

Table 1: How visible is compliance?

Visibility: Description
Low: Compliance is difficult to determine by external observation - functionality is within a technical solution rather than obvious procedural solution, eg do games operate fairly? Does the game correctly implement the rules?
Moderate: Moderately easy to spot non-compliance, eg does the operator have an internal policy and procedure that they follow or not?
High: Easy to spot non-compliance - it is obvious whether something is compliant or not, eg are terms and conditions accessible on a website?

2.2 We have also categorised the potential impact (imp) on the customer of non-compliance into three levels I, II, or III set out below.

Table 2: Degree of potential customer impact

Impact: Description
III: Unfair financial impact on customer(s). Potentially significant negative impact on responsible gambling. Loss of personal data.
II: Easily rectifiable financial impact, eg incorrectly settled bets. Game rules misleading to the player.
I: Inconvenience to customer(s), eg disabled website hyperlink. Temporary loss of access.

2.3 Using these criteria we have categorised the risks and associated mitigating requirements and controls into three categories (cat).

Table 3: Compliance assurance categories

Category: Assurance category description
3: Strongest degree of assurance required - normally requiring submission to a testing regime involving approved third parties.
2: Moderate amount of assurance required - normally requiring operator to present evidence that appropriate procedures are in place to assure compliance.
1: Lightest touch, compliance to be assessed by Commission, by for example, checking that operators have published the required information.

2.4 The individual technical requirements have been categorised into groups of requirements which can be treated in a similar way in terms of the category of assurance that is required and the timing of any testing or other assessment. For each group of requirements we set out the proposed type of assessment and timing of assessment.

Table 4: Mapping of risk and visibility to assurance categories (rows: impact III, II, I; columns: visibility high, moderate, low)

2.5 The following table sets out the Commission's current requirements. These will be kept under review.

2.6 The table is divided into three colours, Green, Yellow and Red which determine the risk and therefore the extent of the testing required against the relevant standard.
- Green categories contain requirements which are capable of being tested and verified by the licensee.
- Yellow categories contain requirements which are capable of being tested and verified by the licensee only where the licensee complies with the good practice guidelines (detailed in Section 6) and has provided the declaration of good practice as detailed in Section 3. Where licensees do not meet the good practice guidelines and/or have not provided a declaration to the Commission, testing of these categories must be carried out by an approved third party.
- Red categories contain requirements which must be tested and verified by an approved third party.

2.7 Evidence of all testing by the licensee for categories 1 and 2 must be retained. The Commission may require evidence of the testing upon request. Game/RNG test reports by external third parties must be submitted to the Commission prior to release of the game/RNG as detailed in Section 3.

Table 5: General risk and compliance assurance activities

Each entry below gives: general risk description; detailed risk examples (not exhaustive); impact (Imp); visibility (Vis); relevant standard; category (Cat); testing required/assurance activities.

General risk description: Customers are not provided with sufficient information about their gambling activity, pertinent information about the site/operator's policies, and/or the rules of the gambling.
Detailed risk examples:
- Customers do not understand what they are betting on
- Customers are not aware of their previous betting activity
- Customers are not made aware of pertinent information about the site (eg the use of automated gambling software)
- Customers are not made aware of the likelihood of winning
- Customers not easily able to keep track of their current balance.
Imp: II. Vis: H. Relevant standard: RTS 1A, 1B, 2A, 2B, 3A, 3B, 3C, 3D, 9A IPA.
Testing required/assurance activities: Licensee verifies presence of required material accompanying live* gambling products, eg on websites, mobile phones, or in printed material.

General risk description: Customers suffer financial loss because the results of virtual games or other virtual events are not generated fairly.
Detailed risk examples:
- Customers suffer unfair financial loss because the random number generator (RNG) is not random
- Customers suffer unfair financial loss because scaling/mapping components do not produce the expected ("random") distribution of game outcomes.
Imp: III. Vis: L. Relevant standard: RTS 7A, 7B (except mechanical RNGs and lotteries that use external events). Cat: 3.
Testing required/assurance activities: Approved third party test house performs statistical analysis of RNG and game outputs, prior to release.

General risk description: Customers suffer financial loss because games or virtual events contain incorrect/malicious code components that do not operate in accordance with the published rules of the game.
Detailed risk examples:
- Customers suffer unfair financial loss because RNG contains incorrect/malicious code causing non-random output
- Customers suffer unfair financial loss because scaling and/or mapping components contain incorrect/malicious code that causes the game to operate outside the published rules
- Customers do not understand game operation due to the game not implementing the rules correctly.
Imp: III. Vis: L. Relevant standard: RTS 7A, 7B, 7C. Cat: 3.
Testing required/assurance activities: Approved third party test house examines RNG, scaling and mapping components, source code and game play to assess whether they operate in accordance with the rules of the virtual game or event, prior to release.

General risk description: Customers suffer financial loss because the results of the mechanical RNG is not fair and external events used to determine the result can be influenced.
Detailed risk examples:
- Customers suffer unfair financial loss because the RNG is not random
- Customers suffer unfair financial loss because the external event used to determine the result can be influenced.
Imp: III. Vis: M. Relevant standard: RTS 7A (only mechanical RNG and lotteries that use external events). Cat: 2.
Testing required/assurance activities: Licensee must satisfy themselves and provide evidence that the mechanical RNG meets the guidelines set out in the standards. Lotteries will need to retain evidence that the event is external and cannot be influenced.

General risk description: Customers are unfairly disadvantaged or misled by game design or functionality.
Detailed risk examples:
- Customers are not aware of the result of the game
- Customers do not know what rules apply because rules are changed during play
- Customers are misled about the likelihood of winning because games that appear to simulate real devices do not accurately reflect the probabilities of the real device
- Customers unfairly disadvantaged by games that are affected by network or end-user systems performance.
Imp: III. Vis: M. Relevant standard: RTS 4A, 7C, 7D, 7E. Cat: 2.
Testing required/assurance activities: Where relevant (eg result display duration), product testing must be conducted prior to release by licensee**. Internal control procedures, for example, game configuration change control, release and performance management.

General risk description: Customers are able to exploit methods of cheating and collusion to disadvantage other customers.
Detailed risk examples:
- Customers experience unfair financial losses because other customers cheat or collude.
Imp: III. Vis: M. Relevant standard: RTS 11A. Cat: 2.
Testing required/assurance activities: Where technical solutions are implemented, testing must be conducted prior to release by licensee**.

General risk description: Customer's gambles are not settled in accordance with the operator's rules, game rules and/or bet rules.
Detailed risk examples:
- Customer suffers financial loss because bets are settled incorrectly (and not identified) or
- Customer is temporarily inconvenienced where bets are settled incorrectly and have to be adjusted at a later time.
Imp: III. Vis: M. Relevant standard: RTS 5A. Cat: 2.
Testing required/assurance activities: Product testing must be conducted prior to release by licensee**.

General risk description: Customers are misled about the likelihood of winning due to behaviour of play-for-fun games.
Detailed risk examples:
- Play-for-fun games do not implement the same rules as the corresponding play-for-money games.
Imp: III. Vis: M. Relevant standard: RTS 6A. Cat: 2.
Testing required/assurance activities: Product testing must be conducted prior to release by licensee**.

General risk description: Customers are placed at a higher risk from irresponsible gambling because responsible gambling facilities do not work correctly or are not provided.
Detailed risk examples:
- Customers who want to use some form of personal spending limit to control the amount that they gamble are unable to do so because they are not provided
- Customers using spending limits spend more than they intended because the limit is not properly enforced.
Imp: III. Vis: H. Relevant standard: RTS 12A, 12B, 13A, 13B. Cat: 2.
Testing required/assurance activities: Product testing must be conducted prior to release by licensee**.

General risk description: Customers suffer financial loss because systems are unable to adequately recover from or deal with the effects of service interruptions.
Detailed risk examples:
- Customers suffer unfair financial loss because they are unable to remove a bet offer when a betting market changes
- Customers suffer unfair financial loss because they are unable to complete a multi-state game due to insufficient data being appropriately stored.
Imp: III. Vis: M. Relevant standard: RTS 10A. Cat: 2.
Testing required/assurance activities: Product testing must be conducted prior to release by licensee**.

General risk description: Customers are treated unfairly in the event of a service interruption.
Detailed risk examples:
- Customers are unable to make an informed choice about whether to gamble on multi-state games or events, because the operator's policies are not published
- Operator policy is systematically unfair in the event of a service interruption, that is, always operates in the operators favour.
Imp: II. Vis: H. Relevant standard: RTS 10B. Cat: 1.
Testing required/assurance activities: Licensee verifies that policies are easily available and accompany live* gambling products. Licensee verifies performance management of system availability.

General risk description: Customers placed at greater degree of risk from irresponsible gambling because products are designed to exploit or encourage problem gambling behaviour.
Detailed risk examples:
- Irresponsible product design encourages customers to gamble more than they intended or to continue gambling after they have indicated that they wish to stop
- Customers spend more than they intended because auto-play restrictions not in place to limit the number of transactions that can take place without customer interaction.
Imp: III. Vis: H. Relevant standard: RTS 8A, 14A. Cat: 2.
Testing required/assurance activities: Where appropriate (eg auto-play implementation), product testing must be conducted prior to release by licensee**.

General risk description: Game integrity compromised because operators do not implement adequate security.
Detailed risk examples:
- Customers suffer unfair financial loss because weaknesses in game security are exploited.
Imp: III. Vis: L. Relevant standard: Security. Cat: 3.
Testing required/assurance activities: Annual security audit carried out by qualified and independent third party***.

General risk description: Customer data or information is disclosed to unauthorised entities because system security is inadequate.
Detailed risk examples:
- Confidential customer information is disclosed to unauthorised entities leading to criminal or inappropriate use of customer information.
Imp: III. Vis: L. Relevant standard: Security. Cat: 3.
Testing required/assurance activities: Annual security audit carried out by qualified and independent third party***.

General risk description: Customer information is lost due to inadequate security, backup or recovery provisions.
Detailed risk examples:
- Customers suffer unfair financial loss where the content and/or value of customer transactions (gambles) is irrecoverably lost due to inadequate system security, backup and/or recovery provisions
- Customers suffer unfair financial loss where customer account information is irrecoverably lost, for example, the current value of their deposits with the operator, due to inadequate system security, backup and/or recovery provisions.
Imp: III. Vis: L. Relevant standard: Security. Cat: 3.
Testing required/assurance activities: Annual security audit carried out by qualified and independent third party***.

* Remote gambling products that are available to customers. All licensees are responsible for meeting and verifying these requirements (in Green).
** Section 3 of this document sets out the circumstances in which operators will be permitted to carry out their own testing of gambling products (in Yellow).
*** Section 5 of this document explains security auditor requirements.

3 Procedure for testing

Third party test houses

3.1 The Commission has published a list of approved test houses that can perform third party testing. This will be updated as new test houses are approved. Licensees and their chosen test house will need to agree the scope of testing and this must be sufficient to ensure that testing will adequately assess compliance with the Commission's standards and meet the level of testing required under this strategy.

3.2 To assist in understanding what level of testing will be accepted by the Commission and what would require approved external third party testing, we have detailed these below:

Level 1: Testing of RNG, including source code review, scaling where appropriate and where the digital signature taken on the test platform is the same as that taken on the live environment. This testing must be conducted by an approved external third party test house.

Level 2: Review of game designs. This includes artwork, maths and theoretical RTP (no output testing).

Level 3: Full testing of game operation integrated on platform. This involves verifying the software implementation of the game artwork, maths and theoretical RTP through testing of the game on the live environment (or development/staging environment which is essentially the same as the live environment), verification of game rules, actual RTP using simulation [1] and emulation [2] testing utilising the RNG tested under Level 1, and where the digital signatures taken on the test platform are the same as those taken on the live environment. This testing must be conducted by an approved external third party test house.

3.3 Additionally, section 3.17 of the testing strategy sets out the circumstances when additional testing by an approved test house will be required. Additional third party testing of a game is required where the operating environment is different from the original testing environment, so where changes to the operating environment have occurred, additional external testing is required. This could be due to the testing being conducted on the game running on a platform or RNG that is different to the one intended for live operation (eg it was originally tested for use by a different operator using a different platform/RNG). It could also mean that since the game was tested the game/RNG/platform or other environmental variables have changed in a way that renders the original testing invalid (as the differences may affect the fairness of the game or the game may no longer operate in accordance with the rules), hence testing under the new environment is required.

3.4 Where changes to a game or gambling system may affect game fairness and critical files and their relevant digital signatures change (including changes to games rules), these changes must be tested by an approved test house.

3.5 Licensees [3] must send the results of testing (ie a test house's game/RNG report) to the Commission on completion of satisfactory testing (but prior to release).

[1] Simulation (output) testing - setting the game up to play automatically for a high number of games (actual number will depend on volatility of the game as per the game maths) to verify that the actual RTP is within an acceptable range of the expected RTP. Sample data should be tester generated, unless supervised in a controlled environment for the purposes of meeting specific regulatory requirements. Software modified from the original to enable rapid play is permitted provided the tester has confidence that the modifications do not impact on the assessment of game fairness.

[2] Emulation testing is used to replicate certain rare game outcomes (such as jackpots, infrequent features and maximum prize).

[3] The following categories of licences require games and RNG testing by an independent test house (subject to a best practice declaration): Remote betting general (but not telephone only or trading rooms), and pool, remote casino, remote bingo and remote lotteries (entries greater than 250,000 per year). Remote betting (if on virtual events) general (but not telephone only or trading rooms), pool, remote casino, remote bingo and remote lotteries (sales greater than 250,000 per year).
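The simulation (output) testing described in footnote 1, as an added example that is not part of the Commission's document: the number of rounds is derived from the game's volatility, and a build whose mapping component departs from the game maths falls outside the acceptable range. The paytables, the 0.02 tolerance, the z value and the use of Python's `random.Random` in place of a Level 1 tested RNG are all assumptions made for illustration.

```python
import bisect
import math
import random

# Constructed game maths (not from the page): payout multiple of stake -> weight out of 1000.
SPEC = {0: 700, 1: 200, 2: 60, 10: 35, 50: 5}
# Constructed faulty build: the top prize is mapped to too few RNG values.
FAULTY = {0: 704, 1: 200, 2: 60, 10: 35, 50: 1}


def theoretical(paytable):
    """Return (expected RTP, standard deviation of one round) per unit stake."""
    total = sum(paytable.values())
    mean = sum(p * w for p, w in paytable.items()) / total
    second = sum(p * p * w for p, w in paytable.items()) / total
    return mean, math.sqrt(second - mean * mean)


def rounds_required(std_dev, tolerance, z):
    """Rounds needed so that z standard errors of the mean fit inside the tolerance.

    A more volatile game (larger std_dev) needs more rounds for the same tolerance.
    """
    return math.ceil((z * std_dev / tolerance) ** 2)


def build_game(paytable):
    """Return play(rng): maps one raw RNG integer onto a payout (the mapping component)."""
    payouts = sorted(paytable)
    cumulative = []
    running = 0
    for payout in payouts:
        running += paytable[payout]
        cumulative.append(running)

    def play(rng):
        raw = rng.randrange(running)  # raw RNG output scaled to 0..total-1
        return payouts[bisect.bisect_right(cumulative, raw)]

    return play


def simulate(play, rounds, seed):
    """Play the game automatically and return the actual RTP per unit stake."""
    rng = random.Random(seed)  # assumption: stands in for the certified RNG
    return sum(play(rng) for _ in range(rounds)) / rounds


def check_rtp(spec, play, tolerance=0.02, z=3.89, seed=2015):
    """Compare actual RTP of the implementation `play` against the RTP in `spec`."""
    expected, std_dev = theoretical(spec)
    rounds = rounds_required(std_dev, tolerance, z)
    actual = simulate(play, rounds, seed)
    return {
        "expected_rtp": expected,
        "actual_rtp": actual,
        "rounds": rounds,
        "within_tolerance": abs(actual - expected) <= tolerance,
    }


if __name__ == "__main__":
    for label, table in (("build matching game maths", SPEC), ("faulty mapping", FAULTY)):
        print(label, check_rtp(SPEC, build_game(table)))
```

Emulation testing (footnote 2) is still needed alongside this: the rare top prize contributes a large share of the RTP but occurs too seldom for a simulation run to exercise its code path reliably.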

A new or updated game or RNG cannot be released until the testing has been completed and the report provided to the Commission.

3.6 For games, the report should include at least:
- test house details including the test supervisor that signed off the testing
- licensee name
- date of testing
- certificate reference
- game details including game name, return to player (RTP), software number and digital signature
- scope and approach to testing ie testing completed against the Gambling Commission's technical standards, for example, Level 3 testing of RTS 7B-7D, 5A, 10A, etc and a description of all tests applied
- platform supplier and platform version
- result of testing
- details of games/versions of games that the game supersedes
- where a limited scope of testing has occurred (such as testing changes to critical files/games rules) due to changes within a game, an updated games test report must be provided to the Commission, making reference to the original games test report, changes made, testing completed and new digital signatures.

3.7 For RNGs, the report should include:
- test house details including the test supervisor that signed off the testing
- licensee name
- date of testing
- certificate reference
- RNG details - brief description of the RNG and its use including RNG version, whether it is hardware and/or software and digital signature
- scope and approach to testing ie testing completed against the Gambling Commission's technical standards, in particular Level 1 testing of RTS 7A, 7B and a description of all tests applied
- platform supplier and platform version
- result of testing.

3.8 The games/RNG reports should be emailed to:

3.9 We have developed a remote games information (RGI) spreadsheet. On this spreadsheet, licensees are required to provide specific details for the platform, the RNG and each game offered under their licence. It contains the game, the RNG, the name of the software provider, the level of testing completed and who conducted it, amongst other items. The games and products documented on the spreadsheet must comply with the RTS.

For each new game or RNG released or withdrawn, changes to the games, platform or further testing of existing games under the transitional provisions, the RGI spreadsheet, detailing the additions, deletions and/or changes in the relevant columns must be updated. Columns AB to AD have been added to the spreadsheet to identify and date the changes.

An updated RGI spreadsheet should be emailed to the Commission at least every three months.

The RGI spreadsheet version maintained by the licensee must at all times reflect the RNGs, the games (as well as the changes made to these) being offered to customers in reliance on the Commission licence. The version maintained by the licensee must be made available to the Commission upon request.

3.13 Once the testing certification report has been provided, the successfully tested product can be released into the live environment.

Licensees also need to make the full test and change control documentation available to the Commission on request. This would include all of the information required to complete the RGI spreadsheet along with the details of the test information and the internal change control process followed including management signoff to release the product.

If a licensee intends to run an off-the-shelf product (eg a game developed by a Commission licensed third party software developer) they must ensure that the product is tested to Level 3 to confirm it meets the Commission's requirements.

If a Commission licensed third party software developer has already obtained satisfactory testing for its product by a Commission approved test house the licensee can only rely on this testing if it is able to demonstrate that the testing conducted is sufficient for the environment the product or game will operate in. If the testing obtained by the Commission licensed software developer is sufficient for the environment the product will operate in, the licensee must send the test house report to the Commission prior to release and make available full results to the Commission on request.

In circumstances where the operating environment differs from the testing environment the licensee will be required to obtain further testing by an approved third party test house. The Commission must receive all relevant testing reports to show the testing is sufficient to cover the product or game in the operational environment prior to release. The licensee will also need to make the full test results available to the Commission on request.

Where the licensee contracts with another Commission licensed business which is providing facilities for gambling by managing or administering aspects of the gambling activity on behalf of the licensee then both licensees must provide an RGI spreadsheet detailing all the games each party is offering. A copy of the game or RNG report is required to be supplied to the Commission by each licensee prior to that licensee releasing a new product such as a new/changed game or RNG. An updated RGI spreadsheet clearly highlighting the additional/changed game(s)/RNG must be provided to the Commission at least each quarter.

The licensee's overall compliance with the technical standards and testing requirements (including those aspects requiring test house testing as well as internal testing) is the responsibility of the licensee.

Testing conducted by licensee

3.20 To be permitted to carry out their own testing of gambling products licensees will be required to provide a declaration to the Commission that they follow good practice in development, testing and release control of gambling products and/or systems. This declaration should be provided to the Commission prior to any internal testing taking place. More details on what the Commission considers to be good practice can be found in section

Table 5 details what testing can be carried out by licensees where this declaration has been provided to the Commission. Where the declaration has not been provided, the required testing must be carried out by an approved third party test house.

The Commission may, on request, require evidence from the licensee that it complies with its good practice guidelines.

All results from licensee testing must be retained and made available to the Commission on request.

Testing and audit requirements for remote lottery licensees

It is the Commission's view that lotteries in general pose a relatively low risk to the licensing objectives. This section sets out the criteria that applies to remote lottery licensees [4] (including external lottery managers) when determining specific testing and audit requirements.

Holders of remote lottery licences [4] that accept no more than 250,000 worth of entries per year by means of remote communication will not be required to submit their RNG for testing by a Commission approved test house or undertake a third party annual security audit.

Instead, and in terms of RNG testing, such licensees will need to demonstrate that:
- their RNG has been tested or verified as being fair and random by an independent and suitably qualified third party. This must be supported by documentary evidence
- they have policies and procedures in place which set out how they ensure the lottery draw is fair and open and can produce evidence that these procedures are followed.

In terms of the third party security audit requirement, such lottery licensees will instead be required to demonstrate to the Commission on request that they comply with the RTS security requirements as set out in section 5 of the RTS.

Holders of such licences that accept more than 250,000 worth of entries by remote means per year will be required to meet the full RNG testing and third party security audit requirements as set out in table 5 above.

4 Transitional licensees - on-going testing and reporting - existing and new games

4.1 Licensees who have provided the Commission with the Remote Games Information (RGI) spreadsheet under the transitional provisions for operators with continuation rights will require further testing of their games or RNGs where the existing testing does not meet Level 3 (for games) or Level 1 (for RNGs), or because of subsequent changes which affect the digital signatures.

4.2 In these circumstances, licensees must provide a copy of the games or RNG test report to the Commission once that testing has been completed.

4.3 As the Commission expects licensees to have games currently available to customers in Great Britain tested over a period of time up to the permitted 12 months, we will require licensees to provide the Commission with updated RGI spreadsheets at least every three months. Where a licensee has a significant number of games that require further testing the Commission may require more regular updates and details of the licensee's plans to ensure all games are tested within the 12 months. The transitional arrangements are intended to allow time for games that will continue to be offered to consumers after 1 November 2015 to be tested. They were not intended to be used to allow games not tested to Level 3 to be offered for the duration of the transitional period and removed from the British market at the end of that time.

[4] By lottery licensees we mean, remote lottery operating licensees, converted lottery operating licensees (but only those licensees that run remote lotteries themselves or via a lottery manager) or remote lottery managers operating licensees (also known as external lottery managers) licensed under the Gambling Act

4.4 Where licensees intend to deploy new games onto their gambling systems, they must provide a copy of the game test report(s) detailing compliance with the RTS to Level 3 prior to release of the game(s). An updated RGI spreadsheet clearly highlighting the additional game(s) must be provided to the Commission at least every quarter.

4.5 Where licensees remove games from their gambling systems, they must include this on an updated RGI spreadsheet clearly highlighting the game(s) removed.

5 Third party annual security audit

5.1 Table 5 sets out that an annual security audit must be carried out [5] to assess compliance against the security requirements of the RTS. The security requirements are based on relevant sections of ISO/IEC 27001:2013 and these are listed in section 5 of the RTS. The Commission does not intend to approve security audit firms to perform the security audit as many licensees already have arrangements with appropriate security auditors.

5.2 Licensees must satisfy themselves that the third party security auditor is reputable, is suitably qualified to test compliance with ISO/IEC 27001:2013 and that the auditor is independent from the licensee.

5.3 In the case of all new licensees (whether or not they were issued with continuation licences) or existing licensees who have not been audited against these specific sections, or have not been certified against the full standard, the Commission expects that a copy of the third party annual security audit against ISO/IEC 27001:2013, or a copy of full certification against ISO/IEC 27001:2013 will be provided within 6 months of the issue of their licence or continuation licence or variation of their existing licence as the case may be.

5.4 Operators who have previously been certified against the full standard of ISO/IEC 27001:2005 will be able to be certified against the new standard ISO/IEC 27001:2013 upon expiry of their certification. They will also be required to provide copies of the interim reports until certification expiry. Operators who have previously been audited only against the specific sections of ISO/IEC 27001:2005 and who do not obtain full ISO/IEC certification will be required to be audited against the specific sections of the new standard ISO/IEC 27001:2013 within 12 months of that audit or within 6 months of issue of their operating licence (including continuation licence), whichever is the later.

5.5 Licensees must provide to the Commission copies of the full report produced by the security auditor on completion of their audit.

5.6 The security audit reports should be emailed to:

5.7 The security auditor's report must comply with our Security audit advice.

5.8 The Commission is aware that many operators are also subject to PCI DSS [6] and are audited for those purposes. The Commission considers its security standards to be sufficiently broad that audits conducted against other standards may meet some of the Commission's requirements. Operators will need to ensure that their audits cover the scope of the security requirements as set out in section 5 of the RTS.

[5] The following categories of licences require the full security audit by an independent auditor: Remote betting general (but not telephone only or trading rooms), pool and intermediary, remote casino, remote bingo and remote lotteries (sales greater than 250,000 per year).

[6] (PCI DSS) Payment Card Industry Data Security Standard.

5.9 The Commission has highlighted those systems that are most critical to achieving the Commission's aims and the security standards will apply to these critical systems:

- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, eg credit/debit card details, authentication information, customer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a customer's gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive customer information.

6 In-house development, testing and release - good practice

6.1 Good practice gambling software development should possess the elements below. These specific controls would already exist in an organisation compliant with ISO

Development process:

- source code should be held in a secure environment
- an audit log of all accesses to program source should be maintained
- old versions of source code and the dates they were retired should be retained
- access to source code by developers should be well controlled and based on a minimum access required for the job approach
- access to platform source code should not be granted to those working only on game specific development
- changes to critical modules need to be peer reviewed by appropriately skilled but independent developers to ensure all changes made are appropriate and in line with the change documentation. Any suspicious or unauthorised changes must be explained.

6.3 Testing process:

- logically separate development and testing environments
- separate staff to those that developed should perform the testing
- an independent assessment of changes made by the developers should be performed to verify all changes are documented in the change documentation. This may involve the use of file comparison programs to quickly identify all changes.

6.4 Policies and processes should be in place for control of changes to operational environments including version control for software upgrades. To minimise threats to the operational environment operators should consider but not limit activities to ensuring:

- adequate testing and change control mechanisms and authorisations are in place for the migration of new or modified software into the operational environment; and
- appropriate testing, planning and migration control measures should be carried out when upgrading patches or new software versions to ensure the overall security of the operational environment is not adversely impacted.

7 Transitional provisions: Gambling (Licensing and Advertising Act)

Following implementation of the Gambling (Licensing and Advertising) Act 2014 operators providing facilities for gambling to British customers who previously did so in reliance on their Gibraltar, EEA or White List jurisdiction licences or other permissions will be subject to the Gambling Act's licensing regime for the first time. Under transitional provisions, such operators who made advance applications for appropriate Commission licences will be entitled to continuation licences pending determination of those applications.

7.2 Annexes A and B are retained in this version of the Testing strategy for reference only. Transitional licensees are expected to follow the requirements for testing and documentation for products that are subject to the transitional requirements that require testing, for any new games and the security audit as detailed in sections 3, 4, 5 and 6 of the main document.

Related documents

- Remote gambling and software technical standards
- Security audit advice
- Remote games information spreadsheet
- Licence conditions and codes of practice

Gambling Commission July

1 Annex A: Implementation guidance for testing - new licensees issued with continuation licences

1.1 The Commission's testing strategy provides that specific RTS requirements with high impact and low visibility (red category 3 in Table 4) be subject to approved third party test house examination and verification.

1.2 Additionally, section 3.17 of the testing strategy requires additional testing by an approved test house where the operating environment is different from the original testing environment, so where changes to the operating environment have occurred, additional external testing is required. This could be due to the testing being conducted on the game running on a platform or RNG that is different to the one intended for live operation (eg it was originally tested for use by a different operator using a different platform/RNG). Or it could mean that since the game was tested the RNG/platform or other environmental variables have changed in a way that renders the original testing invalid (as the differences may affect the fairness of the game), hence testing under the new environment is required.

2 Test houses

2.1 Each EEA[7] or White List remote gambling regulatory jurisdiction has established proprietary technical standards and while much of the content is similar between jurisdictions, particularly in relation to the core components and operation of games, there are differences in some aspects between jurisdictions. This means that independent third party test houses are often required to test games against multiple sets of standards or undertake gap analysis to test what can be minor differences. Test houses usually must obtain approval to test against each jurisdiction's standards.

2.3 Those test houses who are accredited to BS/EN ISO and wish to test against the Commission's RTS in future need to obtain confirmation, following an extension of scope where necessary, that the scope of their accreditation is sufficient to allow them to test to the Commission's standards. This should be obtained from either UKAS or an equivalent recognised international organisation. The independent third party test houses also require the extension of scope to the other jurisdictions they are accepted to be able to test against.

3 Transition requirements

3.1 The Commission is aware that many games currently available to British consumers via EEA or White List regulated operators have not been tested against the RTS and, in keeping with the intent to reduce the regulatory burden on the gambling industry where appropriate and justified, we have looked on a risk basis at ways to manage the transition of these games and products into the regulated British market.

3.2 We have taken into account the current requirements for testing under the RTS, examples of other jurisdictions' practice when introducing legislation, and the risk to players and to the Commission of games currently available to players to which our standards do not apply.

3.3 On the basis of this assessment, we consider it appropriate that, under certain circumstances, some testing of games against other jurisdictional standards should be regarded by us as acceptable without the need for further testing.

[7] For the purposes of this document, Gibraltar is included in this category.

3.4 Previous certification of products or games against other EEA or White List jurisdictions by independent test houses, including those that have not been approved by the Commission to test against the RTS, will be accepted (subject to conditions detailed below) where the testing and certifications have been conducted prior to implementation of the Gambling (Licensing and Advertising) Act.

3.5 Where testing is necessary, a transitional period of up to one year will be permitted to allow the industry and the independent test houses time to complete the testing. This should allow both operators and test houses adequate time to arrange for and undertake the required testing.

3.6 We have developed a spreadsheet (remote games information) that those operators with continuation rights will be required to complete and supply to the Commission as part of their advance application under the Gambling (Licensing and Advertising) Act. This will document each RNG and each game they currently offer to, and intend to continue to provide to, British consumers, the name of the software provider, the level of testing completed and who conducted it, amongst other items. The games and products documented on the spreadsheet must comply with the RTS[8]. Games and products that do not comply must be withdrawn from the British market and not included in the spreadsheet. We will require a declaration on the spreadsheet by a PML holder[9] or qualified person that each RNG and each game documented and offered complies with the RTS.

3.7 New licensees who have continuation rights and currently offer games into Britain will be able to continue to do so without further testing or certification if:

- the games meet the Commission's RTS
- the games have been independently tested on a platform which is materially the same as the production environment (Level 3, see below)
- they have evidence of this through test reports and matching digital signatures.

3.8 Whilst we make no specific reference in the RTS or the testing strategy to Levels 1, 2 and 3 of testing, we do refer to the testing of RNGs, scaling and mapping, game operation and the environment the product or game operates in. To assist in understanding what level of testing will be accepted by the Commission and what would require external third party testing, we have detailed these below:

I. Level 1: External third party testing of RNG, including source code review, scaling where appropriate and where the digital signature taken on the test platform is the same as that taken on the live environment.

II. Level 2: Review of game designs. This includes artwork, maths and theoretical RTP (no output testing).

III. Level 3: Full testing of game operation integrated on platform. This involves verifying the software implementation of the game artwork, maths and theoretical RTP through testing of the game on the live environment (or development/staging environment which is essentially the same as the live environment), verification of game rules, actual RTP using simulation[10] and emulation[11] testing utilising the RNG tested under Level 1, and where the digital signatures taken on the test platform are the same as those taken on the live environment. This testing must be conducted by an approved external third party test house.

[8] RTS 8A, and RTS 13B have been amended/added and come into force on 30 April RTS12 has been amended and comes into force on 31 October

[9] Personal Management Licence. Also includes someone who has applied for a PML

[10] Simulation (output) testing: setting the game up to play automatically for a high number of games (actual number will depend on volatility of the game as per the maths) to then verify that the actual RTP is within acceptable range of the expected RTP. Sample data should be tester generated, unless supervised in a controlled environment for the purposes of meeting specific regulatory requirements. Software modified from the original to enable rapid play is permitted provided the tester has confidence that the modifications do not impact on the assessment of game fairness.

[11] Emulation testing is used to replicate certain rare game outcomes (such as jackpots, infrequent features and maximum prize).

3.9 The Commission requires full Level 3 testing by an independent third party test house and for the digital signatures of the RNGs and games to be valid in order to accept the certifications for other jurisdictions and therefore not require re-testing under the RTS.

As stated in paragraph 3.6 of Annex A, the Commission will also require a declaration from the relevant PML holder or qualified person that they have assessed and confirm that each of the RNGs and games meet the Commission's RTS. This declaration is attached to the Remote Games Information spreadsheet.

Where test reports from independent test houses are not available, or where digital signatures have changed, new licensees who receive continuation rights will have up to 12 months from the date of implementation to ensure completion of testing against the Commission's RTS by a Commission approved independent third party test house and provide a copy of the test report. Where changes to the digital signatures of the RNGs and/or games are due to subsequent changes to the platform which has created new digital signatures, the independent third party test houses will be required to verify the changes and certify that the changes have not affected the integrity of the RNGs and/or games.

The Commission is aware that some gambling software developers undertake in-house testing and provide games to operators in jurisdictions that do not require independent third party test houses to test against their regulatory standards. By providing the period of up to one year for those games to be tested against the Commission's standards by a Commission approved test house, we anticipate minimal impact on such new licensees' ability to continue to offer those games to British consumers where they comply with the Commission's RTS.

Games that have not been tested by an independent third party test house but meet the RTS and continue to be offered to British customers under these transitional provisions must be independently tested within 12 months; otherwise they must be removed from the licensee's British facing offerings. Games not compliant with the RTS, or those which the licensee does not intend to obtain the required independent third party testing, must not be offered under a Commission licence.

Where those games have been provided to a number of operators, the Commission does not require test reports from each licensee, but a single report for each individual game. The Commission does not determine who should provide the reports but would expect that software providers and operators would make arrangements between themselves for the testing and provision of the reports. Each licence applicant, when completing the spreadsheet of games mentioned earlier in the document, must provide the appropriate details of the test report.

4 Self testing

4.1 The Commission's current requirements in the testing strategy detail specific RTS requirements with moderate to high impact (category 2 in Table 4) and allow certain operators the flexibility to carry out their own testing of gambling products against those specific requirements.

4.2 The Commission intends to allow those operators who can demonstrate they meet the Commission's good practice policies and processes detailed in Section 4 of the testing strategy to be able to carry out their own testing against those specific requirements. The Commission will require a declaration (as detailed in section 3.20 of the testing strategy) that they follow this good practice to accompany the advance application under the 2014 Act.

4.3 Operators who do not meet this standard or who do not provide the declaration will be expected to obtain independent third party testing for the relevant sections of the requirements.
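The file comparison suggested in paragraph 6.3 and the Annex A condition that digital signatures taken on the test platform match those on the live environment can both be checked with a hash manifest. The following is an added example, not part of the Commission's document: SHA-256 stands in for the digital signature (the document names no algorithm), and the file names, contents and change list are constructed.

```python
"""Compare hash manifests of a tested build and a live deployment (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large game assets are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Record the link target rather than following it out of the tree.
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            manifest[rel] = sha256_file(path)
    return manifest


def release_fingerprint(manifest: dict[str, str]) -> str:
    """One digest over the sorted manifest: a single value to record per release."""
    digest = hashlib.sha256()
    for rel, value in sorted(manifest.items()):
        digest.update(f"{rel}\0{value}\n".encode())
    return digest.hexdigest()


@dataclass
class Diff:
    changed: set[str] = field(default_factory=set)  # same path, different hash
    added: set[str] = field(default_factory=set)    # present on live only
    removed: set[str] = field(default_factory=set)  # present in tested build only

    @property
    def paths(self) -> set[str]:
        return self.changed | self.added | self.removed


def compare_manifests(tested: dict[str, str], live: dict[str, str]) -> Diff:
    shared = tested.keys() & live.keys()
    return Diff(
        changed={p for p in shared if tested[p] != live[p]},
        added=set(live.keys() - tested.keys()),
        removed=set(tested.keys() - live.keys()),
    )


def reconcile(diff: Diff, documented: set[str]) -> dict[str, set[str]]:
    """Check every difference against the paths named in the change documentation."""
    return {
        "documented": diff.paths & documented,
        "undocumented": diff.paths - documented,  # these must be explained
        "documented_but_unchanged": documented - diff.paths,
    }


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed sample data: a tested build and a live tree that has drifted."""
    tested_files = {
        "rng/core.bin": b"rng build 1",
        "games/slots/paytable.json": b'{"rtp": 0.96}',
        "games/slots/rules.html": b"<p>rules v1</p>",
        "platform/wallet.jar": b"wallet build 7",
    }
    live_files = dict(tested_files)
    live_files["games/slots/rules.html"] = b"<p>rules v2</p>"   # listed in change record
    live_files["games/slots/paytable.json"] = b'{"rtp": 0.94}'  # not listed
    live_files["platform/debug.jsp"] = b"extra file"            # not listed
    documented = {"games/slots/rules.html", "platform/wallet.jar"}

    with tempfile.TemporaryDirectory() as tmp:
        tested_root, live_root = Path(tmp, "tested"), Path(tmp, "live")
        write_tree(tested_root, tested_files)
        write_tree(live_root, live_files)
        tested, live = build_manifest(tested_root), build_manifest(live_root)

    diff = compare_manifests(tested, live)
    return {
        "signatures_match": release_fingerprint(tested) == release_fingerprint(live),
        "diff": diff,
        "reconciled": reconcile(diff, documented),
    }


if __name__ == "__main__":
    result = demo()
    print("signatures match:", result["signatures_match"])
    for bucket, paths in result["reconciled"].items():
        print(f"{bucket}: {sorted(paths)}")
```

Any path in the `undocumented` bucket is a change the change documentation does not account for, and a fingerprint mismatch means the test report no longer describes what is deployed.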

1 Annex B: Implementation guidance for security audits - new licensees issued with continuation licences

The Commission's testing strategy currently requires a third party annual security audit against particular sections of ISO/IEC 27001:2005. More information is available in section 5 of the RTS.

1.2 The Commission is aware that ISO/IEC 27001:2005 has been amended and updated to ISO/IEC 27001:2013 and that sections listed in section 5 of the RTS have been superseded with new sections. We are currently reviewing the impact of those changes and intend to update the RTS as soon as possible with the appropriate sections under ISO/IEC 27001:

Meanwhile, in the case of all new licensees (whether or not they were issued with continuation licences) who have not been audited against these specific sections, or have not been certified against the full standard, the Commission expects that a copy of the third party annual security audit against ISO/IEC 27001:2005 or a copy of full certification against ISO/IEC 27001:2005 or ISO/IEC 27001:2013 will be provided within six months of the issue of their licence or continuation licence as the case may be.

1.4 Operators who have been certified against the full standard of ISO/IEC 27001:2005 will be able to be re-certified against this standard or against the new standard ISO/IEC 27001:2013 upon expiry of the certification. They will be required to provide copies of the interim reports until certification expiry. Operators who have been audited only against the specific sections of ISO/IEC 27001:2005 and who do not obtain full ISO/IEC certification will be required to be audited against the specific sections of the existing standard ISO/IEC 27001:2005 within 12 months of the audit or within 6 months of issue of their operating licence (including continuation licence), whichever is the later.

1.5 The Commission intends to undertake a consultation with the industry in the near future to review the scope of the existing security audit under ISO/IEC 27001:2005 with a view to enhancing the requirements for security and change management in conjunction with the move to the new standard ISO/IEC 27001:2013.

Keeping gambling fair and safe for all

For further information or to register your interest in the Commission please visit our website at:

Copies of this document are available in alternative formats on request.

Gambling Commission, Victoria Square House, Victoria Square, Birmingham B2 4BP

ADV 15/04

[12] This section has been updated as detailed in Section 5 of the RTS.


More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

low levels of compliance with the regulations and POCA by negligent HVD operators are enabling criminals to launder the proceeds of crime

low levels of compliance with the regulations and POCA by negligent HVD operators are enabling criminals to launder the proceeds of crime 6.185 Under the regulations HMRC must maintain a registry of HVDs. However the regulations do not enable HMRC to conduct a fit and proper person test on those who seek to register as an HVD. From 2004

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Chairman Frank, Members of the Committee, the Isle of Man Government welcomes the opportunity to submit written testimony to your Committee.

Chairman Frank, Members of the Committee, the Isle of Man Government welcomes the opportunity to submit written testimony to your Committee. House Financial Services Committee Hearing Can Internet Gambling be Effectively Regulated to Protect Consumers and the Payments Systems June 8, 2007 Statement for the Hearing Record Submitted by Mary Williams,

More information

Binary Options 14.07.2015 1

Binary Options 14.07.2015 1 Notice to applicants for a Category 3 Investment Services Licence that would like to carry out binary options trading in terms of the Investment Services Act, Cap. 370 The Malta Financial Services Authority

More information

Management of Official Records in a Business System

Management of Official Records in a Business System GPO Box 2343 ADELAIDE SA 5001 Tel (08) 8204 8773 Fax (08) 8204 8777 DX:467 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Management of Official Records in a Business System October 2011 Version

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Procurement Policy Note Taking Account of Suppliers Past Performance

Procurement Policy Note Taking Account of Suppliers Past Performance Procurement Policy Note Taking Account of Suppliers Past Performance Action Note 04/15 25 th March 2015 Issue 1. To ensure good delivery of public services and value for money, it is important that suppliers

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Sports Betting in the United Kingdom

Sports Betting in the United Kingdom Sports Betting in the United Kingdom Symposium Glücksspiel 2010 Forschungsstelle Glücksspiel, Universität Hohenheim, Stuttgart 11 und 12 März 2010 Alan Littler a.d.littler@uvt.nl Tilburg Law and Economics

More information

TELEFÓNICA UK LTD. Introduction to Security Policy

TELEFÓNICA UK LTD. Introduction to Security Policy TELEFÓNICA UK LTD Introduction to Security Policy Page 1 of 7 CHANGE HISTORY Version No Date Details Authors/Editor 7.0 1/11/14 Annual review including change control added. Julian Jeffery 8.0 1/11/15

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Petfre (Gibraltar) Ltd t/a Betfred.com Settlement following a licence review - public statement June 2016

Petfre (Gibraltar) Ltd t/a Betfred.com Settlement following a licence review - public statement June 2016 Petfre (Gibraltar) Ltd t/a Betfred.com Settlement following a licence review - public statement June 2016 The issues identified in this statement are likely to form the basis for future compliance assessments

More information

Technical issues Good practice guidelines for the remote gambling industry

Technical issues Good practice guidelines for the remote gambling industry Technical issues Good practice guidelines for the remote gambling industry www.rga.eu.com Remote Gambling Association Contents Introduction 1-7 Objectives 8-9 Customer registration and accounts 10-51 Display

More information

Cloud (educational apps) software services and the Data Protection Act

Cloud (educational apps) software services and the Data Protection Act Cloud (educational apps) software services and the Data Protection Act Departmental advice for local authorities, school leaders, school staff and governing bodies October 2014 Contents 1. Summary 3 About

More information

Betting integrity Policy position paper, March 2009

Betting integrity Policy position paper, March 2009 Betting integrity Policy position paper, March 2009 1 Introduction and definition 1.1 In October 2007, the Gambling Commission (the Commission) published a paper on its approach to integrity in sports

More information

Information Security Policy

Information Security Policy Information Security Policy Revised: September 2015 Review Date: September 2020 New College Durham is committed to safeguarding and promoting the welfare of children and young people, as well as vulnerable

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Lottery and Gaming Regulations 2008

Lottery and Gaming Regulations 2008 Version: 1.7.2015 South Australia Lottery and Gaming Regulations 2008 under the Lottery and Gaming Act 1936 Contents Part 1 Preliminary 1 Short title 3 Interpretation 4 Prohibited goods and services 4A

More information

Social Responsibility in Gambling

Social Responsibility in Gambling Social Responsibility in Gambling Introduction The Air Ambulance Service (TAAS) operates a lottery to help raise funds to support its Hems Operations. The charity is committed to ensuring that each lottery

More information

THE FRAMEWORK, PRINCIPLES AND STANDARDS TO WHICH EGBA MEMBER OPERATIONS ANNUALLY SUBSCRIBE, COMMIT AND ADHERE TO. FEBRUARY 2011

THE FRAMEWORK, PRINCIPLES AND STANDARDS TO WHICH EGBA MEMBER OPERATIONS ANNUALLY SUBSCRIBE, COMMIT AND ADHERE TO. FEBRUARY 2011 EGBA STANDARDS THE FRAMEWORK, PRINCIPLES AND STANDARDS TO WHICH EGBA MEMBER OPERATIONS ANNUALLY SUBSCRIBE, COMMIT AND ADHERE TO. FEBRUARY 2011 EGBA 2011 1 FOREWORD ABOUT THE EGBA STANDARDS The European

More information

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything

More information

ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems

ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems The publication of ISO/IEC 17021:2011 introduces some important new requirements

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Interim Audit Report. Borough of Broxbourne Audit 2010/11 Interim Audit Report Borough of Broxbourne Audit 2010/11 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes

More information

Guideline. for Credit Providers. Compliance Report. Number 2 September 2010

Guideline. for Credit Providers. Compliance Report. Number 2 September 2010 Number 2 September 2010 Guideline for Credit Providers Compliance Report Summary This document constitutes guidelines issued by the National Credit Regulator in terms of section 16 (1)(b) of the National

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

Office of Liquor Gaming and Regulation Random Number Generators Minimum Technical Requirements Version 1.4

Office of Liquor Gaming and Regulation Random Number Generators Minimum Technical Requirements Version 1.4 Department of Employment, Economic Development and Innovation Office of Liquor Gaming and Regulation Random Number Generators Minimum Technical Requirements Version 1.4 The State of Queensland, Department

More information

Gambling codes of practice. Consolidated for all forms of gambling

Gambling codes of practice. Consolidated for all forms of gambling Gambling codes of practice Consolidated for all forms of gambling May 2015 Gambling codes of practice Contents Introduction 3 Section A Code provisions applicable to Commission licensed operators 5 1 Code

More information

Spillemyndigheden s Certification Programme Inspection Standards for Online Casino

Spillemyndigheden s Certification Programme Inspection Standards for Online Casino SCP.02.03.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the inspection standards... 4 1.1 Scope of this document... 4 1.2 Version... 4 2 Certification... 5 2.1 Certification frequency...

More information

G4 Responsible e-gambling Code of Practice Version G02/20130214

G4 Responsible e-gambling Code of Practice Version G02/20130214 G4 Responsible e-gambling Code of Practice Version G02/20130214 1 Index Introduction 1. Responsible e-gambling Code of Practice page 3 2. e-gambling Company s Mission Statement page 3 3. Corporate Standards

More information

Betting Existing Operators

Betting Existing Operators Gambling Act 2005: Betting Guidance To operate a betting shop after 1 September 2007 you will need: an operating licence apply to the Gambling Commission between 1 January and 27 April 2007; a premises

More information

Authentication of Hardcopy and Electronic Professional Documents

Authentication of Hardcopy and Electronic Professional Documents Authentication of Hardcopy and Electronic Professional Documents Approved by Council May 12, 2011 Table of Contents Introduction... 1 Requirements of the Act, By-laws, and Code of Ethics... 2 Definitions...

More information

ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text)

ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) ELECTRONIC COMMERCE AND ELECTRONIC SIGNATURE ACT (ZEPEP-UPB1) (Official consolidated text) On basis of article 153 of the National Assembly of Slovenia Rules of Procedure the National Assembly of the Republic

More information

Social Responsibility in Gambling

Social Responsibility in Gambling Social Responsibility in Gambling Introduction Wiltshire Air Ambulance Charitable Trust operates a lottery to help raise funds to support its Hems Operations. The charity is committed to ensuring that

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 Ref: BR/14/2009 OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994 INTRODUCTION

More information

Michigan Progressive Jackpot Electronically Linked Bingo Game

Michigan Progressive Jackpot Electronically Linked Bingo Game Charitable Gaming Directive No. 3.08.04 Michigan Progressive Jackpot Electronically Linked Bingo Game BACKGROUND Section 3a (7) of Act 382 of the Public Acts of 1972 as amended, states in part, Michigan

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Conditions and codes of practice applicable to Non-remote bingo licences

Conditions and codes of practice applicable to Non-remote bingo licences Conditions and codes of practice applicable to Non-remote bingo licences Including sector-specific extract of LCCP February 2015 (updated April 2015) 1 Contents If using an electronic version of this document,

More information

For the Design, Installation, Commissioning & Maintenance of Fixed Gaseous Fire Suppression Systems

For the Design, Installation, Commissioning & Maintenance of Fixed Gaseous Fire Suppression Systems BAFE Scheme: SP203-3 Version 1: July 2008 Amendment No: 1 Fire Protection Industry Scheme, Reference SP203 Part 3 For the Design, Installation, Commissioning & Maintenance of Fixed Gaseous Fire Suppression

More information

ACT. on the amendment of the Gambling Law and some other Acts 1

ACT. on the amendment of the Gambling Law and some other Acts 1 Journal of Laws No. 134, item 779 ACT of 26 May 2011 on the amendment of the Gambling Law and some other Acts 1 Article 1 The following amendments are made to the Gambling Law of 19 November 2009 (Journal

More information

Advice on non-commercial and private gaming and betting

Advice on non-commercial and private gaming and betting Advice on non-commercial and private gaming and betting November 2012 Contents 1 Introduction 3 2 Defining non-commercial and private gaming and betting 3 3 Non-commercial prize gaming 4 4 Non-commercial

More information

Full Compliance Contents

Full Compliance Contents Full Compliance for and EU Annex 11 With the regulation support of Contents 1. Introduction 2 2. The regulations 2 3. FDA 3 Subpart B Electronic records 3 Subpart C Electronic Signatures 9 4. EU GMP Annex

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

WESTERN AUSTRALIA HEAVY VEHICLE ACCREDITATION SCHEME (WAHVAS) BUSINESS RULES (DRAFT)

WESTERN AUSTRALIA HEAVY VEHICLE ACCREDITATION SCHEME (WAHVAS) BUSINESS RULES (DRAFT) WESTERN AUSTRALIA HEAVY VEHICLE ACCREDITATION SCHEME (WAHVAS) BUSINESS RULES (DRAFT) June 2015 DRAFT v1.3 Remove on final Contents 1. BUSINESS RULES OVERVIEW 3 1.1 Purpose 3 1.2 Legal Status of the Business

More information

The Gambling Act 2005 received Royal Assent in April 2005.

The Gambling Act 2005 received Royal Assent in April 2005. Gambling Act 2005 and the Gambling Commission The questions, answers and notes below attempt to address potential concerns that may arise from the change in legislation. A great deal of the details of

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS MAS 626 2 July 2007 Last revised on 1 July 2014 (Refer to endnotes for history of amendments) NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING

More information

GSA PRODUCT CERTIFICATION PROGRAM POLICY GUIDE RELEASE 5

GSA PRODUCT CERTIFICATION PROGRAM POLICY GUIDE RELEASE 5 GSA PRODUCT CERTIFICATION PROGRAM POLICY GUIDE RELEASE 5 Gaming Standards Association GSA Certification Authority Released: 2012/04/20 GAMINGSTANDARDS.COM GSA Product Certification Program Policy Guide

More information

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,

More information

STATUTORY INSTRUMENTS 2012 No. _

STATUTORY INSTRUMENTS 2012 No. _ STATUTORY INSTRUMENTS 2012 No. _ THE ELECTRONIC SIGNATURES REGULATIONS 2012 ARRANGEMENT OF REGULATIONS Regulation PART I-PRELIMINARY 1. Title. 2. Interpretation PART II - LICENSING AND RECOGNITION OF CERTIFICATION

More information