Security Control Standard

Transcription

1 Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the Property of the World Lottery Association

2 Table of contents Table of contents 2 Foreword 5 1. Introduction Purpose Legal compliance Disclaimer Compatibility with Other Management Systems How to Use This Document 6 2. The WLA SCS Framework and WLA Certification Framework Components Certification Requirements Introduction Part A General Security Requirements Part B Lottery Specific Security Requirements (including Appendix 2) 8 Appendix 1 General Security: WLA Basic s 9 G1 Organization of Security 9 G1.1 Allocation of security responsibilities 9 G2 Human Resources Security 10 G2.1 Implementation of a Code of Conduct 10 G2.2 Information Security awareness, education and training 10 G3 Physical and Environmental Security 10 G3.1 Secure areas 10 G4 Operations Management 10 G4.1 Protection against security vulnerabilities 10 G5 Access 11 G5.1 Remote user access management 11 G6 Information Systems Maintenance 11 G6.1 Cryptographic controls 11 G6.2 System testing 11 G7 Business Continuity Management 12 G7.1 Press media handling and availability 12 Appendix 2 Lottery Specific Security Requirements 13 L1 Instant Tickets 13 L1.1 Instant game design 13 L1.2 Instant ticket printing 14 L1.3 Shipment of instant tickets 14 L1.4 Storage and distribution of instant tickets 15 L1.5 Retailer security instant tickets 15 L1.6 Instant game closures 16 Security Standard V1.0, Page 2/21

3 Table of contents L2 Lottery Draws 16 L2.1 Lottery draw management 16 L2.2 Conduct of the draw 17 L2.3 Physical drawing appliances and ball sets 18 L3 Retailer Security 19 L3.1 Recruitment and set-up 19 L3.2 Retailer operations 19 L3.3 Gaming terminal security 19 L4 Prize Money Protection 20 L4.1 Validation and payout of prizes 20 L4.2 Unclaimed prize money 20 L5 Sales Staff and Customer Services 21 L5.1 Staff working outside organization premises 21 L5.2 Customer service areas 21 L6 Internet Gaming Systems 21 L6.1 Internet-based sales of games 21 Security Standard V1.0, Page 3/21

4 Foreword The World Lottery Association has recognized the need for adequate security standards from its very beginning and further developed the work started by its predecessor organizations. The first Security and Risk Management Committee was established in 1989 and is currently known as the WLA Security & Risk Management Committee (SRMC). Representatives and security specialists from lottery organizations around the world are members of the Committee and actively participate in the development of these standards. One of its most important areas of responsibility is the WLA Security Standard (WLA-SCS), the lottery sector's only internationally recognized security standard. The Committee reviews security standards for use by the lottery sector and acts as a focal point for the sector on security issues. Its mission includes making recommendations to members on problems and solutions, holding regular seminars for WLA members and overseeing the security standard certification process. All new or updated standards have to be approved and released by the WLA Executive Committee to become formally applicable. Any comments or suggestions regarding the WLA-SCS and the certification shall be directed to the WLA Security & Risk Management Committee. Security Standard V1.0, Page 4/21

5 1. Introduction 1.1 Purpose Security is a key element in the successful operation of a lottery. A critical factor of the operation is confidence both by the player and the principal stakeholders in those who manage the operation themselves. It is essential, therefore, that a visible and documented security environment is developed and maintained in order to achieve and sustain public confidence in the operation. The WLA Security Standard is designed to assist the lottery sector around the globe in obtaining a level of controls in line with generally accepted practices to enable an increased reliance on the integrity of lottery operations. The Standard prescribes the existence of a security management process compliant with International Standards and a common security baseline for lottery specific aspects that represent good practice. It can be considered a first step towards building the necessary trust relationship with other lotteries, stakeholders and regulators for the purpose of conducting lottery operations or multi-jurisdictional games. Through experience, the WLA Security Standard has proven to be of substantial assistance by giving management an independent review to build increased confidence in an organization's security. WLA Members considering operating games together may seek confirmation from the WLA that other members involved are certified as complying with the WLA Security Standard. Additional game-specific security requirements and procedures may need to be agreed between these members. The WLA Executive Committee has authorized specific third-party certifying bodies to perform reviews of WLA Members and Associate Members 1 wishing to certify their operations against this Standard. Certification can be obtained by conforming to the requirements of the Standard at the moment of the actual assessment. The WLA allows certified members to confirm their compliance to the Standard for a continuous period of three years following a certification as long as at least 12-monthly follow-up reviews occur by one of the designated certifying bodies. 1.2 Legal Compliance In cases where contradictions between applicable laws or regulation and the contents of this Standard exist, applicable laws and regulation shall always take precedence. 1 WLA Associate Members can achieve WLA-SCS certification through a formal assessment against the WLA-SCS Part A. Security Standard V1.0, Page 5/21

6 1.3 Disclaimer WLA-SCS certification does not guarantee that a WLA Member or Associate Member will not be subject to a security incident, but it is rather intended to decrease the likelihood of such events. Therefore, certification cannot lead to any commercial liability on behalf of the WLA or the certifying body. 1.4 Compatibility with Other Management Systems The WLA Security Standard is based on the ISO standard in order to support consistent implementation and operation with other management standards (for example ISO 9001). 1.5 How to Use This Document The WLA Security Standard sets out the requirements for organizations that seek certification and is written for an audience with knowledge about security. The intention is not for the reader to be educated on lottery security as such; rather the document is to be used to determine which security measures need to be implemented in order to comply with the WLA Standard. Please contact WLA SRMC or one of the approved certifying bodies for more information if needed. This WLA Standard is separated into two parts. Part A includes requirements related to the International Standard for Information Security Management Systems ISO/IEC 27001, the Scope requirement and the WLA Basic s. Part B covers Lottery specific requirements. The WLA has no intent to remove the autonomy that organizations in the lottery sector enjoy. As such, although the controls environment specified will need to exist to achieve certification, the specific technologies, methodologies, or processes used to achieve compliance is left to individual organizations. 2 In the formally published version effective at the time of the WLA-SCS Standard release. Security Standard V1.0, Page 6/21

7 2. The WLA SCS Framework and WLA Certification 2.1 Framework Components Part A WLA Security Standard Introduction Part B General Security Requirements ISO/IEC Requirements, Scope Requirements, WLA Basic s Lottery Specific Security Requirements 2.2 Certification Requirements Introduction WLA Members seeking WLA certification shall ensure compliance with Part A and Part B below. WLA Associate Members shall ensure compliance with Part A below. In order to become WLA certified, all organizations must seek certification by one of the WLA approved certifying bodies Part A General Security Requirements ISO/IEC ISMS Requirements Obtain the ISO/IEC (ISO 27001) standard document from a standardization body 3 and ensure compliance of your organization. ISO requires that an Information Security Management System (ISMS) is established, implemented, operated, monitored and continuously improved. Important steps in order to implement an ISMS include defining the scope, developing a policy, performing risk assessment, the selection of controls, and producing a Statement of Applicability 4. All parts of the ISMS shall be documented and the ISMS shall be formally approved and regularly reviewed by top management. 3 ISO/IEC (based on the earlier BS7799-2:2002) is a globally accepted certification standard for Information Security Management. The Standard is aligned with a Code of Practice for Information Security Management (also available via ISO). It is highly recommended to seek guidance in this Code of Practice. The WLA can assist members obtaining these documents. 4 The Statement of Applicability is a documented statement describing the control objectives and controls that are relevant and applicable to the organization s ISMS. Security Standard V1.0, Page 7/21

8 The management system is based on the cyclic model of Plan Do Check - Act, which is applied to structure all ISMS processes and ensuring continual improvement based on objective measurement. Plan Establish the ISMS Do Implement and operate the ISMS Check Monitor and review the ISMS Act Maintain and improve the ISMS ISO ensures that a mandatory risk based approach is in place and aims at achieving effective information security through a continual improvement process. Further details can be found in the ISO document. Scope Requirements The organization is required to include all lottery related activities of its operation, including all related systems under the scope of certification. Any exclusion from the scope or controls shall be justified in detail and challenged by the certifying bodies. WLA Basic s (Appendix 1) Additionally to those control objectives and controls required in ISO Annex A, the WLA has defined additional controls which shall be implemented in order to become WLA certified. These controls are listed in Appendix 1 and are to be reflected in the Statement of Applicability. The list of controls in ISO and as defined by WLA is not exhaustive and an organization may decide that additional controls are necessary Part B Lottery Specific Security Requirements (including Appendix 2) The WLA Lottery Specific Security s are listed in Appendix 2. This part covers lottery specific security aspects. In order to obtain WLA certification, all these controls shall be applied if not entirely inapplicable (e.g. if a WLA Member does not offer draw games, identified controls need not be included) and must be reflected in the Statement of Applicability. Security Standard V1.0, Page 8/21

9 Appendix 1 General Security: WLA Basic s The list below contains the required controls that shall be implemented in organizations to become WLA certified. This is in addition to those controls defined in ISO Annex A and shall be part of the organization s Information Security Management System (ISMS). G1 Organization of Security G1.1 Allocation of security responsibilities Objective: To ensure that security function responsibilities are effectively implemented. G1.1.1 Security Forum A Security Forum or other organizational structure comprised of senior managers shall be formally established, monitor and review the ISMS, maintain formal minutes of meetings and convene at least every six months. G1.1.2 Security Function A Security Function shall exist that will be responsible to draft and implement security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not be limited to, the protection of information, communications, physical infrastructure, and game processes. G1.1.3 G1.1.4 G1.1.5 Security Function reporting Security Function position Security Function responsibility The Security Function shall report to no lower than executive level management and not reside within or report to the IT Function. The Function shall be sufficiently empowered, and must have access to all necessary corporate resources to enable the adequate assessment, management, and reduction of risk. The head of the Security Function shall be a full member of the Security Forum and be responsible for recommending security policies and changes. Security Standard V1.0, Page 9/21

10 G2 Human Resources Security G2.1 Implementation of a Code of Conduct Objective: To ensure that a suitable Code of Conduct is effectively implemented.. G2.1.1 Code of Conduct A Code of Conduct shall be issued to all personnel when initially employed. All personnel shall formally acknowledge acceptance of this Code. G2.1.2 Adherence and disciplinary action The Code of Conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the Code could lead to a disciplinary action. G2.1.3 Conflict of Interest The Code of Conduct shall include statements that employees are required to declare conflicts of Interest on employment as and when they occur. Specific examples of Conflict of Interest shall be cited within the Code. G2.1.4 Policy on hospitality or gifts The Code of Conduct shall include a policy regarding hospitality or gifts provided by persons or entities with which the organization transacts business. G2.2 Information Security awareness, education and training Objective: To ensure that all employees are aware of information security as implemented by the organization as quickly as possible. G2.2.1 Awareness Training All new hired employees and, where relevant, new contractors and new third party users shall receive appropriate awareness training within two weeks of work commencement and regularly thereafter. Such training shall be documented and formally acknowledged by staff. G3 Physical and Environmental Security G3.1 Secure areas Objective: To ensure that areas providing access to production gaming data centers or other systems effectively important for the gaming operations are adequately secured. G3.1.1 Physical entry controls Physical access to production gaming system data centers, computer rooms, network operations centers and other defined critical areas shall have a two-factor authentication process. Single-factor electronic access control methods are acceptable if the area is staffed at all times. G4 Operations Management G4.1 Protection against security vulnerabilities Objective: To ensure that important systems for gaming operations or the support thereof are adequately secured against security vulnerabilities. G4.1.1 against security vulnerabilities on important systems for gaming operations The IT function shall ensure that documented procedures are in place for the management of security vulnerability patches on important systems for gaming operations and that reviews with regards to patch level of all installed software are regularly conducted Security Standard V1.0, Page 10/21

11 G5 Access G5.1 Remote user access management Objective: To ensure authorized remote user access and to prevent unauthorized access to gaming information systems. G5.1.1 G5.1.2 G5.1.3 G5.1.4 Remote user access to gaming systems Remote user access functions Remote user access logging Remote user access reporting Gaming computer systems shall only be accessed from locations outside organization controlled premises, excluding player participation in organization-offered games, in case of emergency situations. The range of functions available to the user shall be defined in conjunction with the Process Owner, the IT Function and the Security Function. All actions performed through remote user access shall be logged and these logs shall be regularly reviewed. For every remote user access a security incident report shall be filed with the security function. G6 Information Systems Maintenance G6.1 Cryptographic controls Objective: To protect the confidentiality, authenticity and integrity of important gaming and lottery related information by cryptographic means. G6.1.1 G6.1.2 G6.1.3 G6.1.4 G6.1.5 Cryptographic controls for data on portable systems Cryptographic controls for networks Cryptographic controls for storage Cryptographic controls for validation numbers Cryptographic controls for transfers Encryption shall be applied for non public organization data on portable computer systems (Laptops, USB devices, etc.) Encryption shall be applied for sensitive information passed over networks which risk analysis has shown to have an inadequate level of protection, including validation or other important gaming information, electronic mail, etc. Integrity measures must be applied for the storage of winning information ticket data and validation information. Encryption shall be applied for instant ticket validation numbers. Encryption shall be applied for financial transactions between the organization and a banking institution. G6.2 System testing Objective: To maintain the security, confidentiality and integrity of test data. G6.2.1 Test methodology policy and data The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player personal information. Security Standard V1.0, Page 11/21

12 G7 Business Continuity Management G7.1 Press media handling and availability Objective: To ensure the protection of organization image and reputation and to counteract interruptions to business activities. G7.1.1 G7.1.2 Press Media and personnel handling Shareholder or Board approval The business continuity plan shall include plans to handle the media and personnel during crisis situations. The organization shall ensure that the Board or shareholders of the organization agree to the decided availability requirements. Security Standard V1.0, Page 12/21

13 Appendix 2 Lottery Specific Security Requirements The list below contains the required controls that shall be implemented in lottery organizations to become WLA certified. This is in addition to those controls defined in ISO Annex A and Part A above and shall be part of the organization s Information Security Management System (ISMS). L1 Instant Tickets L1.1 Instant game design Objective: To ensure that game designs meet legal and regulatory requirements and are authorized at the appropriate level before going into production. L1.1.1 L1.1.2 Documented instant ticket procedures Game design approval Formal procedures shall be developed and documented covering the design, development, production, and release of Instant Games. Final game design shall be formally approved through a process involving the Security Function. L1.1.3 Supplier selection Printers/Suppliers of instant tickets shall be subject to a selection and approval process. The approval shall involve the Security Function. L1.1.4 Security requirements Specific security requirements relating to the game and the physical instant ticket shall be documented and formally part of the contract with the supplier/printer. L1.1.5 Quality control Quality control requirements for printing instant tickets shall be documented and part of the contract with the supplier/printer. L1.1.6 Policy on audits and laboratory testing A policy shall be established describing required audits of game design, ticket printing and at least once a year laboratory testing. Security Standard V1.0, Page 13/21

14 L1.2 Instant ticket printing Objective: To ensure that instant tickets comply with the organization s security standards for production and printing. L1.2.1 L1.2.2 L1.2.3 L1.2.4 Instant ticket printing requirements Printing quality assurance Encrypted validation numbers Encrypted validation and winner files The organization shall provide the printer/supplier with a detailed game specification and detailed security requirements. Security requirements shall include a requirement for a supplier/printer internal quality assurance function. Security requirements shall include validation numbers using encryption techniques. Security requirements shall include validation files and winner information stored using encryption techniques. L1.2.5 Ticket verification Checks of random samples of ticket packs for each game shall be carried out to ensure that games conform to the tolerances set out in the organization s specification. L1.2.6 Acceptance testing of data Security requirements shall include that after the first print run and before launch, inventory and validation data is provided to the appointed organization s security or quality assuring function for acceptance testing. L1.3 Shipment of instant tickets Objective: To ensure the secure transportation of instant tickets from the printer/supplier to the organization. L1.3.1 Shipping manifest Shipping requirements shall specify that a complete shipping manifest shall be sent to the organization before a consignment is dispatched. L1.3.2 L1.3.3 Transportation method Sealed transport containers The organization shall ensure that the shipment process is according to an agreed (either through a direct agreement or through an agreement with the supplier) method of transportation that is not to be varied without authority from the organization. The agreement shall specify that containers must be sealed and seal numbers recorded on manifests. Security Standard V1.0, Page 14/21

15 L1.4 Storage and distribution of instant tickets Objective: To ensure that instant tickets are stored and distributed in a secure manner. L1.4.1 Storage facility audits A procedure shall be established to provide for authorized personnel inspecting instant ticket storage facilities at least annually. L1.4.2 L1.4.3 L1.4.4 L1.4.5 Ticket transport verification Ticket verification procedure Ticket verification outcome Instant ticket control system Each consignment of instant tickets shall be formally verified on arrival An arrival verification procedure shall ensure that seal numbers are correct and that the security of the container has been maintained. The verification outcome shall be documented and in case of non-conformities and/or irregularities action shall be taken to determine whether the security of a consignment has been compromised. A control system shall be in place to account for packs of instant tickets from the time they arrive at the organization's storage facilities to the time they arrive at the retailer. L1.5 Retailer security instant tickets Objective: To ensure that retailers conform to the security requirements applicable to the receipt, storage and sale of instant tickets. L1.5.1 Instant ticket receipt by retailers The organization shall require retailers either via contract or other means to validate the integrity of packages of instant ticket on receipt and are to confirm that they have received a particular consignment of tickets. L1.5.2 Receipt confirmation Upon receipt confirmation, the tickets shall be formally recorded as having been issued to that retailer. L1.5.3 Retailer instructions The organization shall provide retailers with instructions regarding prize claim payout, ticket validation, instant ticket handling and storage, reporting of security issues and the handling of lost and stolen tickets. L1.5.4 Retailer security training The organization shall provide and document training for retailers to enable them to meet the security requirements for handling instant tickets. Security Standard V1.0, Page 15/21

16 L1.6 Instant game closures Objective: To ensure that security control and audit requirements are maintained when an Instant game is closed. L1.6.1 Game closure procedure The organization shall produce and circulate a game closure procedure to be used in the closure of an instant game. L1.6.2 Retailer information The method and timing of informing retailers of a game closure and the collection of tickets shall be established and documented. L1.6.3 Balance of ticket stock A method to be used to balance game tickets held in storage and by retailers shall be established and documented. L1.6.4 Stock audit check Requirements for audit checks of instant ticket stock shall be established and documented. L1.6.5 Authorized parties Parties authorized to close a game and/or destroy tickets shall be formally defined. L1.6.6 Ticket destruction The method and control of ticket destruction shall be formally established. L2 Lottery Draws L2.1 Lottery draw management Objective: To ensure that draws are conducted at times required by regulation and in accordance with the rules of the applicable lottery game. L2.1.1 Draw event A policy shall be established to ensure that lottery draws are conducted as a planned and controlled event and in accordance with a clear working instruction. L2.1.2 Draw working instructions The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw. L2.1.3 Draw team members The working instruction shall include the composition of a draw team including their contact telephone numbers. L2.1.4 Draw team duties The working instruction shall include the duties of the identified members of the draw team. L2.1.5 Reserve draw team The working instruction shall nominate persons as reserves and detail on the deployment of the reserve team. L2.1.6 Draw timing The working instruction shall include the detailed timings of the draw operation from opening the draw location to closing that location. L2.1.7 Draw observers The working instruction shall include details of any requirement under the Lottery Rules for independent observers to be present during a draw. Security Standard V1.0, Page 16/21

17 L2.2 Conduct of the draw Objective: To ensure that the conduct of draws is within regulatory requirements and the rules of the applicable lottery game. L2.2.1 Draw procedure The organization shall establish a detailed draw procedure to ensure that all draw functions are conducted in compliance with the rules of the applicable lottery game and regulatory requirements. L2.2.2 Draw step-by-step guide The draw procedure shall include a step-by-step guide of the draw process. L2.2.3 Draw location The draw procedure shall include the definition of the draw location. L2.2.4 Draw attendance and responsibilities The draw procedure shall include a definition of the attendance at the draw and the responsibilities and actions of all participants. L2.2.5 Draw supervision The draw procedure shall define the policy regarding the attendance of an (independent) compliance officer or an auditor. L2.2.6 Draw operation security The draw procedure shall include adequate security measures for the draw operation and all equipment used during the draw process. L2.2.7 Draw emergency The draw procedure shall include actions in the event of an emergency occurring at any time during the course of the draw. Security Standard V1.0, Page 17/21

18 L2.3 Physical drawing appliances and ball sets Objective: To ensure that physical draw appliances and ball sets meet agreed security requirements and/or regulatory specifications. L2.3.1 Inspection procedure A procedure for inspection of draw appliances and ball sets on delivery and thereafter in consultation with an independent authority (to ensure compliance with technical specifications and standards) on a regular basis shall be established. L2.3.2 Regular inspection and maintenance Inspections and maintenance of the draw appliances shall be carried out and documented at least annually to retain the specified standards throughout the machine s working life. L2.3.3 Compatible ball sets The organization shall establish a procedure that provides for the use of ball sets manufactured to those measurements and weight tolerances compatible with the drawing machine to be used. L2.3.4 L2.3.5 Replacement draw appliance Draw appliance and ball set handling, storage and movement The organization shall establish a procedure that provides for the availability of a substitute draw appliance and ball set(s) for use in the event of mechanical problems or failure of any kind, if drawings are broadcasted live. The organization shall establish a procedure that provides for the secure storage, movement, and handling of draw appliances and ball sets. Security Standard V1.0, Page 18/21

19 L3 Retailer Security L3.1 Recruitment and set-up Objective: To ensure that only approved people, operating in approved locations, are accepted as retailers to sell the organization s products on and off-line. L3.1.1 Retailer contract Retailers shall be engaged under the terms of an agreed contract. L3.2 Retailer operations Objective: To ensure that retailer operations, on and off-line, conform to organization security requirements. L3.2.1 Retailer security To enable retailers to conform to organizational security requirements, the organization shall specify a security environment within the retailer is required to operate. L3.3 Gaming terminal security Objective: To ensure the adequacy of gaming terminal security. L3.3.1 Transaction security Gaming terminals shall include provisions for authentication and encryption of the data traffic between the terminal and the central computer gaming system. L3.3.2 L3.3.3 Terminal security testing Self-service terminal security Thorough testing of terminal security functionality shall be performed prior to production environment use. This testing shall include provisions that the correct version of software is in place. Self service terminals shall have security mechanisms in place to protect game integrity. Security Standard V1.0, Page 19/21

20 L4 Prize Money Protection L4.1 Validation and payout of prizes Objective: To ensure that the organization has the necessary controls in place for validation and payment of prizes. L4.1.1 Validity of winning information The organization shall implement procedures to ensure the validity of winning transactions, claims and/or tickets. L4.1.2 Validation processes The organization shall define and document validation processes for different prize levels and types of games. L4.1.3 Prize payout The organization shall define the process for payment or transfer of prizes. L4.2 Unclaimed prize money Objective: To secure unclaimed prize money before and after the end of the prize claim period. L4.2.1 L4.2.2 L4.2.3 L4.2.4 L4.2.5 Unique ticket reference number Procedure for the protection of unclaimed prize money Prize payout period and auditing Payout rules and inquiries Unclaimed prize information access control Provisions shall be made in the on-line production system for each ticket issued to have a unique reference number. The organization shall develop, circulate and maintain a procedure specifically related to the protection of unclaimed prize money and data files containing information relating to the payout status of each game, the specific transactions yet to be claimed and the validation files. The procedure shall cover the entire prize payout period as well as the auditing of the final transfers upon game settlement. The procedure shall confirm the rules covering ticket validity time, payout on lost and defaced tickets, inquiries into the validity of claims and late or last minute payouts. The procedure shall confirm that access control be strict and limited to that required in respect of records of unclaimed prizes. L4.2.6 Access reporting The procedure shall confirm a reporting process in case of unauthorized access attempts. L4.2.7 Escalation process The procedure shall confirm an escalation process for any incident or suspicious activity. L4.2.8 Audits of access log information The procedure shall confirm that access logs are subject to regular and frequent audit at least every six months. L4.2.9 Audit trails The procedure shall confirm audit trails able to identify unusual patterns of late payouts. Security Standard V1.0, Page 20/21