Spillemyndigheden s Certification Programme Instructions on Penetration Testing


SCP.04.00.EN.1.0

Table of contents

1 Introduction
1.1 Spillemyndigheden's certification programme
1.2 Objectives of the Instructions on Penetration Testing
1.3 Scope of this document
1.4 Definitions
1.5 Legal basis for this document
1.6 Version
1.7 Document identifier
1.8 Enquiries
2 Certification
2.1 Certification framework
2.2 Certification requirements
2.3 Certification frequency
2.4 Transfer of certifications
2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme
2.4.2 Inspections and tests conducted in accordance with other standards
2.5 Suppliers to the licence holder
2.5.1 Supplier certification
2.5.2 Integration into the gambling system of the licence holder
2.5.3 Period deferment
2.5.4 Compilation of the certifications
2.6 Accredited testing organisations
2.6.1 Requirements for accredited testing organisations
2.6.2 Requirements for personnel at the accredited testing organisations
3 Penetration Testing Framework
3.1 Objective of the penetration testing
3.2 Protected components
3.3 Updating software and hardware
3.3.1 Certification no longer valid due to significant changes
3.3.2 Internal function with the licence holder
4 Penetration Testing Process

1 Introduction

Spillemyndigheden's certification programme is set out to ensure that the gambling system executes games in a correct way and that the security surrounding the gambling system is maintained. The requirements in the certification programme are adapted to the different types of games based on an evaluation of the type of game's significance and risk in relation to extent, prevalence, nature, size of the prize, the risk of the customers being deceived, etc. Currently the following types of games are in use:

- Online betting
- Land-based betting
- Online casino
- Land-based casino
- Gaming machines with cash prizes
- Lottery games

The accredited testing organisation performs testing, inspection and certification of the gambling system, business processes and business systems of the licence holder. The testing, inspection and certification must be adapted to the individual licence holder's offer of gambling products.

1.1 Spillemyndigheden's certification programme

Spillemyndigheden's certification programme consists of a number of documents, which are continuously adapted to the development in technology. The licence holder must be certified at all times in accordance with those parts of the certification programme which apply to their specific offer of gambling products. Types of games not offered by the licence holder are not subject to certification.

Each of the six types of games has a set of testing standards and a set of inspection standards associated with it. Furthermore, four documents apply across all types of games and cover the information security management system, penetration testing, vulnerability scanning and change management. Each document sets out minimum requirements for the arrangement of the gambling system, business processes and business systems of the licence holder.

Spillemyndigheden's certification programme supplements the gambling regulation, individual licence terms and the administrative practice set out by Spillemyndigheden.

1.2 Objectives of the Instructions on Penetration Testing

The Instructions on Penetration Testing seek to ensure that the gambling system and business systems of the licence holder are tested for vulnerabilities that could be exploited to gain access to sensitive information.

1.3 Scope of this document

This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder, as well as instructions on how to conduct the certification. The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation. The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2 Certification.

The penetration test shall be conducted in such a way that it exposes vulnerabilities in components. This is particularly relevant during system upgrades and updates. These requirements are set out in section 3 Penetration Testing Framework.

Spillemyndigheden specifies a number of mandatory penetration scenarios. These scenarios are set out in section 4 Penetration Testing Process.

1.4 Definitions

Inspection: The accredited testing organisation performs an assessment of the gambling system, business processes and business systems of the licence holder in relation to the requirements set out by Spillemyndigheden and determines whether the requirements are met or not.

Sensitive information: Information of a sensitive nature related to either business or people.

Testing: The accredited testing organisation performs in-depth testing of the gambling system of the licence holder, analyses the collected data and evaluates the results with regard to the requirements set out by Spillemyndigheden and determines whether the requirements are met or not.

Auditable log: A log in which the recorded data cannot be manipulated after the initial recording. Any changes to the log shall happen through the recording of new data instead of changing or deleting existing records.

Gambling system: Electronic or other equipment used by or on behalf of the licence holder for the offering of gambling, including equipment that:
1. is used for the storage of information pertaining to a person's participation in gambling, including historical data and information concerning results,
2. produces and/or presents games to the gambler, or
3. determines the result of a game or calculates whether the gambler has won or lost a game.

1.5 Legal basis for this document

The Instructions on Penetration Testing (SCP.04.00.EN.1.0) are issued by Spillemyndigheden pursuant to Act no. 848 of 1 July 2010 on Gambling, section 41, executive order no. 65 of 25 January 2012 on land-based betting, section 1, executive order no. 66 of 25 January 2012 on online betting, section 26, and executive order no. 67 of 25 January 2012 on online casino, section [missing].

1.6 Version

Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden's website:

Version history table (columns: Date, Version, Description)

If the certification programme is modified, as a rule, certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only.

1.7 Document identifier

Each document in Spillemyndigheden's Certification Programme has a unique identifier comprised of:

SCP: Indicates Spillemyndigheden's Certification Programme.

Two digits: Indicate the type of document. The identifiers are:
"01" Testing standards
"02" Inspection standards
"03" Information Security Management System
"04" Penetration Testing
"05" Vulnerability Scanning
"06" Change Management Programme

Two digits: Indicate the type of game covered. The identifiers are:
"00" All types of games
"01" Online betting
"02" Land-based betting
"03" Online casino
"04" Land-based casino
"05" Gaming machines with cash prizes
"06" Lottery games

DK or EN: Indicates the language version, DK for Danish and EN for English.

Version number: Described in section 1.6 above.

The document identifier SCP.02.02.DK.1.0 would thus be version 1.0 of the inspection standards for land-based betting in Danish. A standard report with the identifier SCP.XX.XX.ST is associated with each document and must be used when submitting certifications to Spillemyndigheden. The document identifiers for the standard reports follow the methodology above and are language neutral.
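The identifier scheme in section 1.7 is small enough to validate mechanically, which is useful when an accredited testing organisation files certifications and standard reports and wants to catch a mistyped document or game code before submission. The following Python is an added example, not part of Spillemyndigheden's programme or any of its tooling; the code tables are copied from section 1.7, the regular expressions encode the layout "SCP.<type>.<game>.<DK|EN>.<major>.<minor>" and "SCP.<type>.<game>.ST", and the assumption that versions are always "major.minor" is mine.

```python
"""Parse and validate SCP document identifiers as described in section 1.7.

Added example (not the certification programme's own code). Assumes the
version part is always <major>.<minor>, as in the identifiers on the page.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Two-digit document-type codes, copied from section 1.7.
DOCUMENT_TYPES = {
    "01": "Testing standards",
    "02": "Inspection standards",
    "03": "Information Security Management System",
    "04": "Penetration Testing",
    "05": "Vulnerability Scanning",
    "06": "Change Management Programme",
}

# Two-digit game-type codes, copied from section 1.7.
GAME_TYPES = {
    "00": "All types of games",
    "01": "Online betting",
    "02": "Land-based betting",
    "03": "Online casino",
    "04": "Land-based casino",
    "05": "Gaming machines with cash prizes",
    "06": "Lottery games",
}

LANGUAGES = {"DK": "Danish", "EN": "English"}

# Document identifier: SCP.<type>.<game>.<DK|EN>.<major>.<minor>
_DOC_RE = re.compile(r"^SCP\.(\d{2})\.(\d{2})\.(DK|EN)\.(\d+)\.(\d+)$")
# Standard report: SCP.<type>.<game>.ST (language neutral, no version)
_REPORT_RE = re.compile(r"^SCP\.(\d{2})\.(\d{2})\.ST$")


@dataclass(frozen=True)
class ScpIdentifier:
    document_type: str        # two-digit code, key of DOCUMENT_TYPES
    game_type: str            # two-digit code, key of GAME_TYPES
    language: Optional[str]   # "DK" / "EN", or None for a standard report
    version: Optional[str]    # "major.minor", or None for a standard report

    @property
    def is_standard_report(self) -> bool:
        return self.version is None

    def describe(self) -> str:
        doc = DOCUMENT_TYPES[self.document_type]
        game = GAME_TYPES[self.game_type]
        if self.is_standard_report:
            return f"standard report for the {doc} for {game}"
        return f"version {self.version} of the {doc} for {game} in {LANGUAGES[self.language]}"


def _check_codes(doc: str, game: str) -> None:
    # Both code tables are closed lists, so anything else is a typo or a new document.
    if doc not in DOCUMENT_TYPES:
        raise ValueError(f"unknown document type code {doc!r}")
    if game not in GAME_TYPES:
        raise ValueError(f"unknown game type code {game!r}")


def parse_identifier(identifier: str) -> ScpIdentifier:
    """Parse a document or standard-report identifier; raise ValueError if malformed."""
    ident = identifier.strip()
    m = _DOC_RE.match(ident)
    if m:
        doc, game, lang, major, minor = m.groups()
        _check_codes(doc, game)
        return ScpIdentifier(doc, game, lang, f"{major}.{minor}")
    m = _REPORT_RE.match(ident)
    if m:
        doc, game = m.groups()
        _check_codes(doc, game)
        return ScpIdentifier(doc, game, None, None)
    raise ValueError(f"malformed SCP identifier: {identifier!r}")


def is_valid_identifier(identifier: str) -> bool:
    try:
        parse_identifier(identifier)
        return True
    except ValueError:
        return False


def standard_report_for(identifier: str) -> str:
    """Identifier of the standard report that accompanies a document (section 1.7)."""
    p = parse_identifier(identifier)
    return f"SCP.{p.document_type}.{p.game_type}.ST"


if __name__ == "__main__":
    for ident in ("SCP.04.00.EN.1.0", "SCP.02.02.DK.1.0", "SCP.04.00.ST", "SCP.07.00.EN.1.0"):
        text = parse_identifier(ident).describe() if is_valid_identifier(ident) else "invalid"
        print(f"{ident} -> {text}")
```

Run directly, the script classifies this document's own identifier, the worked example from section 1.7, the matching standard report, and one identifier with a document-type code outside the table.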

1.8 Enquiries

Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address:

Spillemyndigheden
Helgeshøj Allé 9
DK-2630 Taastrup

2 Certification

2.1 Certification framework

A certification consists of inspection and testing of the gambling system, business processes and business systems of a licence holder based on the requirements set out in Spillemyndigheden's certification programme. It is the responsibility of the licence holder to attain the required certifications and to organise the company's business activities in accordance with Spillemyndigheden's certification programme. The certifications shall be issued by an accredited testing organisation in accordance with Spillemyndigheden's certification programme. It is always the responsibility of the licence holder that the requirements of the certification programme are met at all times.

2.2 Certification requirements

Certification carried out to the standards of this document shall be submitted using the standard report SCP.04.00.ST. The accredited testing organisation shall attest that the gambling system, business processes and business systems of the licence holder adhere to the requirements set out in this document.

As an extraordinary exception it may be accepted that the accredited testing organisation attests to the certification even if all requirements described in this document have not been met. In this case the certification must be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.3 Certification frequency

The gambling system, business processes and business systems of the licence holder shall be certified at all times. The licence holder shall ensure that the gambling system, business processes and business systems are subject to on-going certification to ensure adherence to the requirements of this document, with an interval of no more than 12 months. The following instructions apply in relation to the renewal and submission of the certifications:

- The inspection shall have commenced before the lapse of the current certification and shall be concluded within two months of the lapse of the current certification. The certification shall be submitted to Spillemyndigheden within this time frame as well.
- The re-certification shall be dated with the date of the conclusion of the inspection, unless the inspection continued after the lapse of the current certification, in which case the new certification shall be dated with the date of the lapse of the current certification, as a certification period cannot exceed twelve months.

2.4 Transfer of certifications

2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme

When an accredited testing organisation has certified a given requirement in Spillemyndigheden's certification programme and this requirement is part of several separate documents of the programme, e.g. SCP.01.01.EN Testing Standards for online betting and SCP.01.02.EN Testing Standards for land-based betting, it will not be necessary to repeat the certification of the requirement. In such cases there shall, instead, be a reference to the above-mentioned certification. This is also the case if the prior certification has been conducted by another accredited testing organisation.

2.4.2 Inspections and tests conducted in accordance with other standards

It is allowed to base the certification on inspections and tests carried out on previous occasions and to similar criteria. When this option is utilised, the actual time of the previous inspection or test shall be used when calculating the certification frequency. This means that if the certification is based on inspections or tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required. The above-mentioned option is also available if the prior certification has been conducted by another accredited testing organisation.

When the accredited testing organisation is assessing whether to base the certification on inspections or tests carried out to similar criteria, this shall be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.5 Suppliers to the licence holder

2.5.1 Supplier certification

A supplier to a licence holder can have their products certified fully or partially in accordance with Spillemyndigheden's certification programme. In these situations the accredited testing organisation of the supplier issues a similar report as described in section 2.2. The accredited testing organisation of the licence holder shall, when testing the gambling system of the licence holder, only test the elements of the gambling system that have not been certified during the certification of the supplier. The accredited testing organisation of the licence holder is not required to assess the work done by the accredited testing organisation of the supplier and need only reference this work when issuing the certification.

2.5.2 Integration into the gambling system of the licence holder

The accredited testing organisation shall be particularly aware of the fact that, even if the supplier's product has already been certified, it may be necessary to repeat parts of the certification when the product is integrated into the licence holder's overall gambling system. This will be particularly relevant when the implementation involves changes to the certified product.

2.5.3 Period deferment

The period of the certification of the supplier and the period of the certification of the licence holder, as described in section 2.3, can differ by no more than one month.

Guidance: This would mean that a licence holder could be using the certification period from 1 May to 30 April while the supplier could be using the certification period from 1 April to 31 March.

2.5.4 Compilation of the certifications

It is the task of the accredited testing organisation of the licence holder to ensure that all requirements in this document have been assessed. It shall be evident from the certification of the licence holder whether a given requirement has been inspected or tested by the accredited testing organisation of the licence holder, by the accredited testing organisation of a supplier, or is out of scope in relation to the games offered by the licence holder.

2.6 Accredited testing organisations

Testing organisations shall attain ISO/IEC accreditation and/or ISO/IEC accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden's certification programme SCP.04.00.EN.1.0. To ensure that the necessary qualifications are in place during the certification, the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification.

2.6.1 Requirements for accredited testing organisations

The accredited testing organisation:
a) Shall have at least two years' experience in penetration testing of systems or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of SCP.04.00.EN.1.0, and
c) Shall ensure that staff with sufficient qualifications carry through the certification.

2.6.2 Requirements for personnel at the accredited testing organisations

The certification shall be carried through by staff with sufficient qualifications, cf. the sections above. Work done in relation to the certification shall be supervised, and the declaration of certification shall be attested by one or more persons who warrant that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:
a) Five years of professional experience in penetration testing of systems or a similar closely related subject area, and
b) Shall be certified as one of the following:
   International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH),
   International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT),
   Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT),
   Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN),
   CESG CHECK Team Leader,
   CESG CHECK Team Member,
   CREST Infrastructure Certification,
   CREST Registered Tester,
   Tiger Scheme Senior Security Tester, or
   Tiger Scheme Qualified Security Tester.

Guidance: Certification and attestation can be carried out by staff who in conjunction fulfil the requirements.

3 Penetration Testing Framework

Spillemyndigheden's Instructions on Penetration Testing are in part inspired by the Payment Card Industry Data Security Standard (PCI DSS).

3.1 Objective of the penetration testing

When performing penetration testing, the accredited testing organisation shall seek to exploit any vulnerabilities in the gambling system of the licence holder uncovered during the vulnerability scanning, cf. Spillemyndigheden's Instructions on Vulnerability Scanning SCP.05.00.EN.

3.2 Protected components

The gambling system and business systems shall be protected against any attack from outsiders. The components containing sensitive information concerning customers in particular shall be protected. The definition of components and their relevance follows from Spillemyndigheden's Change Management Programme SCP.06.00.EN, section [missing]. The licence holder can minimise the risk of unauthorised access by segmenting the internal networks, including controlling which sub-systems communicate sensitive information over public networks.

3.3 Updating software and hardware

It is the responsibility of the licence holder that the system components are updated to a degree that ensures the highest level of security possible and does not compromise the integrity of the systems. By doing so the risk of unauthorised access to sensitive information is minimised.

3.3.1 Certification no longer valid due to significant changes

In the event of an update of components of the licence holder or a supplier, a new vulnerability test is recommended to ensure that existing internal controls are still effective and functional. It shall be indicated in the certification of penetration testing that it is no longer valid after significant updates or changes to the infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What will be considered significant changes will depend to a high degree on the set-up of a given environment and therefore cannot be defined as such by Spillemyndigheden. It is, however, always considered significant if an upgrade or a change is capable of affecting or providing access to sensitive information and/or components, cf. Spillemyndigheden's Change Management Programme SCP.06.00.EN, section [missing].

3.3.2 Internal function with the licence holder

The accredited testing organisation can allow the certification to be upheld, as an exception to section 3.3.1, if the licence holder has an internal function dedicated to undertaking penetration testing of the systems. This function shall be staffed with appropriately skilled personnel and be organisationally separated from the function implementing system changes. If the certification is postponed, the accredited testing organisation shall assess, approve and certify these tests every three months. The certification shall clearly state whether this method has been used. The option to postpone certification to the interval of three months is only available to licence holders. The option to postpone certification is not available to suppliers without an individual licence to offer gambling in Denmark.

4 Penetration Testing Process

When performing penetration testing, the accredited testing organisation shall seek unauthorised access to the systems of the licence holder. Attempts shall be made to escalate the unauthorised access to the highest access level possible. Through this access the following minimum list of scenarios shall be tested:

- Manipulation of result generation
- Affecting the execution of games
- Fraud with customer funds
- Theft of customer funds
- Manipulation of audit logs
- Access to sensitive information
- Manipulation of sensitive information
- Manipulation of data transfer to SAFE
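The "auditable log" definition in section 1.4 (records cannot be changed after recording; corrections are new records) and the "Manipulation of audit logs" scenario above describe the same property from two sides: the licence holder must build the log so that editing or deleting history is impossible or at least detectable, and the tester checks whether that holds. The following Python is an added example, not part of Spillemyndigheden's programme, which prescribes no particular mechanism. Hash chaining is an assumed design choice, the bet records are constructed samples, and verify_chain is the check a tester or the licence holder's own monitoring could run over an exported copy of the log.

```python
"""Append-only, hash-chained log that behaves as the 'auditable log' definition requires.

Added example (not the certification programme's own code). Assumed design: every
entry stores the SHA-256 of the previous entry, so an in-place edit or a deletion
of a historical record breaks the chain and is reported by verify_chain().
Corrections are appended as new records referencing the record they correct.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64  # previous-hash value used for the very first entry


def _entry_hash(prev_hash: str, seq: int, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditableLog:
    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> int:
        """Record new data; returns the sequence number of the new entry."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        seq = len(self._entries)
        self._entries.append({"seq": seq, "prev": prev,
                              "record": copy.deepcopy(record),
                              "hash": _entry_hash(prev, seq, record)})
        return seq

    def correct(self, seq_to_correct: int, corrected: Dict[str, Any], reason: str) -> int:
        """A correction is itself a new record; the original entry is never touched."""
        return self.append({"type": "correction", "corrects": seq_to_correct,
                            "reason": reason, "data": corrected})

    def entries(self) -> List[Dict[str, Any]]:
        # Deep copy so that callers cannot mutate the log's own history through the export.
        return copy.deepcopy(self._entries)


def verify_chain(entries: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i            # gap, reordering or deletion
        if _entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i            # content changed after it was recorded
        prev = e["hash"]
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """Constructed sample records: an intact log, an edited export and an export with a deletion."""
    log = AuditableLog()
    log.append({"event": "bet_placed", "customer": "C-0001", "amount": 100})
    log.append({"event": "bet_settled", "customer": "C-0001", "payout": 0})
    # The permitted way to fix the settlement: append a correction, keep entry 1 as it was.
    log.correct(1, {"event": "bet_settled", "customer": "C-0001", "payout": 250}, "settlement error")
    intact = verify_chain(log.entries())

    edited = log.entries()
    edited[1]["record"]["payout"] = 250      # in-place edit of history: what the definition forbids
    deleted = log.entries()
    del deleted[1]                           # removing a record shifts every later sequence number
    return intact, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())   # ((True, -1), (False, 1), (False, 1))
```

The chain only proves that the exported copy matches what was originally written, so in practice the head hash would be anchored somewhere the log writer cannot reach (a write-once store or a periodically signed checkpoint); otherwise an attacker with write access to the whole log could simply recompute the chain.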


More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

IAF Informative Document. IAF Informative Document for the Transition of Management System Accreditation to ISO/IEC 17021:2011 from ISO/IEC 17021:2006

IAF Informative Document. IAF Informative Document for the Transition of Management System Accreditation to ISO/IEC 17021:2011 from ISO/IEC 17021:2006 IAF ID 2:2011 International Accreditation Forum, Inc. IAF Informative Document IAF Informative Document for the of Management System Accreditation to ISO/IEC 17021:2011 from (IAF ID 2:2011) The International

More information

Security Control Standard

Security Control Standard Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the

More information

a) To achieve an effective Quality Assurance System complying with International Standard ISO9001 (Quality Systems).

a) To achieve an effective Quality Assurance System complying with International Standard ISO9001 (Quality Systems). FAT MEDIA QUALITY ASSURANCE STATEMENT NOTE 1: This is a CONTROLLED Document as are all quality system files on this server. Any documents appearing in paper form are not controlled and should be checked

More information

Northern Territory. Code of Practice For Responsible Gambling

Northern Territory. Code of Practice For Responsible Gambling Northern Territory Code of Practice For Responsible Gambling 2 Statement This Code of Practice reflects a partnership between Northern Territory gambling providers, Government, regulators and counseling

More information

INFORMATION SECURITY TESTING

INFORMATION SECURITY TESTING INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure.

More information

National Home Inspector Certification Council. Policy & Procedures Manual

National Home Inspector Certification Council. Policy & Procedures Manual National Home Inspector Certification Council Policy & Procedures Manual INTRODUCTION The National Home Inspector Certification Council (NHICC) accreditation is an objective and reliable verification.

More information

Northern Territory Code of Practice for Responsible Gambling

Northern Territory Code of Practice for Responsible Gambling Northern Territory Code of Practice for Responsible Gambling Table of contents Statement... 1 Objective... 1 What is responsible gambling?... 1 What is problem gambling?... 1 Expected outcomes... 1 The

More information

CARD PAYMENT POLICY May 2016

CARD PAYMENT POLICY May 2016 CARD PAYMENT POLICY May 2016 1. Introduction All businesses that handle card payment data are required to comply with industry rules aimed at increasing data security. These are set out in the Payment

More information

12 August Our ref.: G U I D A N C E

12 August Our ref.: G U I D A N C E 12 August 2011 Our ref.: 243300 G U I D A N C E 1. Contents 1. Contents 2 2. Preface 4 3. Practical Information 4 4. What does the Guidance include? 5 4.1 Games for which a License may be granted 5 4.1.1

More information

Hackers are here. Where are you?

Hackers are here. Where are you? 1 2 What is EC-Council Certified Security Analyst Licensed Penetration Tester Program You are an ethical hacker. Your last name is Pwned. You dream about enumeration and you can scan networks in your sleep.

More information

Introduction to the Danish Gambling market. Experiences from Denmark

Introduction to the Danish Gambling market. Experiences from Denmark Introduction to the Danish Gambling market Experiences from Denmark The Danish Gambling Authority Placed within the Ministry of Taxation Ministerial counselling, administration and law interpretation Monitoring

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of WatchGuard Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of

More information

Certification Report

Certification Report Certification Report Symantec Network Access Control Version 12.1.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme

More information

Network Certification Body

Network Certification Body Network Certification Body Scheme rules for assessment of railway projects to requirements of the Railways Interoperability Regulations as a Notified and Designated Body 1 NCB_MS_56 Contents 1 Normative

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of Extreme Networks ExtremeXOS Network Operating System v12.3.6.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of AccessData Cyber Intelligence and Response Technology v2.1.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

DOCUMENTED PROCEDURE MANUAL

DOCUMENTED PROCEDURE MANUAL NAPIT REGISTERED INSTALLERS DOCUMENTED PROCEDURE MANUAL CONTENTS 1. INTRODUCTION 2. DEFINITIONS 3. RESPONSIBILITY FOR QUALITY 4. DOCUMENT AND DATA CONTROL 5. CUSTOMER ENQUIRIES AND QUOTATIONS 6. CONTRACTS

More information

Graduate Project Engineer

Graduate Project Engineer Position Information Package Graduate Project Engineer POSITION NUMBER: R15/16.15 APPLICATIONS CLOSE: 5:00pm Friday 2 nd October 2015 POSITION INFORMATION Salary: $52 344 - $60 501 (Band 5) Hours: Location:

More information

DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0

DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0 DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0 2013, Data Centre Alliance Limited (www.datacentrealliance.org). All rights reserved. This publication may not be reproduced

More information

DVC Product Certification - affiliated to the Danish Technological Institute

DVC Product Certification - affiliated to the Danish Technological Institute PROD Reg. No. 7002 DVC Product Certification DVC Product Certification - affiliated to the Danish Technological Institute Requirements concerning Certification of Products and their Compliance with the

More information

NCC Group Managed Security Services Pricing

NCC Group Managed Security Services Pricing NCC Group Managed Security Services Pricing G-Cloud Version 1.0 Contact Name: Shakeel Hassan Email: gcloud@nccgroup.com Telephone: +44 (0)7792 149 697 NCC Group Manchester Technology Centre Oxford Road

More information

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems IAF MD 2:2007. International Accreditation Forum, Inc. IAF Mandatory Document IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (IAF MD 2:2007) IAF MD2:2007 International

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Penetration testing & Ethical Hacking. Security Week 2014

Penetration testing & Ethical Hacking. Security Week 2014 Penetration testing & Ethical Hacking Security Week 2014 Agenda Penetration Testing Vulnerability Scanning Social engineering Security Services offered by Endava 2 3 Who I am Catanoi Maxim Information

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

ARTICLES OF ASSOCIATION NEUROSEARCH A/S. (CVR-no. 12546106)

ARTICLES OF ASSOCIATION NEUROSEARCH A/S. (CVR-no. 12546106) Unauthorised translation ARTICLES OF ASSOCIATION OF NEUROSEARCH A/S (CVR-no. 12546106) Name, registered office and objects Article 1. The name of the company is NeuroSearch A/S. Article 2. The objects

More information

Information and Communications Technology Services Delivery Plan 2015-2016

Information and Communications Technology Services Delivery Plan 2015-2016 1 Information and Communications Technology Services Delivery Plan 2015-2016 Overview of Information and Communications Technology Services Delivery Plan Service Resources: Staffing Resources allocated

More information

Drinking Water Quality Management Plan Review and Audit Guideline

Drinking Water Quality Management Plan Review and Audit Guideline Drinking Water Quality Management Plan Review and Audit Guideline This publication has been compiled by Queensland Water Supply Regulator, Department of Energy and Water Supply. State of Queensland, 2013.

More information

ACT. on the amendment of the Gambling Law and some other Acts 1

ACT. on the amendment of the Gambling Law and some other Acts 1 Journal of Laws No. 134, item 779 ACT of 26 May 2011 on the amendment of the Gambling Law and some other Acts 1 Article 1 The following amendments are made to the Gambling Law of 19 November 2009 (Journal

More information

Version 1.1 23 September 2011 - This is a translated document. The Danish version of the document is the only applicable and authentic version.

Version 1.1 23 September 2011 - This is a translated document. The Danish version of the document is the only applicable and authentic version. 1 Contents 1 Contents... 1 2 Foreword... 3 3 Practical information... 4 4 What do the guidelines comprise?... 5 4.1 Games for which a licence may be obtained... 5 4.2 Games for which a licence cannot be

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

Land based betting Annex 1. Technical requirements of the control system

Land based betting Annex 1. Technical requirements of the control system Land based betting Annex 1. Technical requirements of the control system A Introduction This document describes the technical requirements that must be met by a licence holder, including securing the data-basis

More information

HKCAS Supplementary Criteria No. 8

HKCAS Supplementary Criteria No. 8 Page 1 of 12 HKCAS Supplementary Criteria No. 8 Accreditation Programme for Information Security Management System (ISMS) Certification 1 INTRODUCTION 1.1 HKAS accreditation for information security management

More information

Regulation for Establishing the Internal Control System of an Investment Management Company

Regulation for Establishing the Internal Control System of an Investment Management Company Unofficial translation Riga, 11 November 2011 Regulation No. 246 (Minutes No. 43 of the meeting of the Board of the Financial and Capital Market Commission, item 8) Regulation for Establishing the Internal

More information

Paul Vlissidis Group Technical Director NCC Group plc paulv@nccgroup.com

Paul Vlissidis Group Technical Director NCC Group plc paulv@nccgroup.com Managing IT Fraud Using Ethical Hacking Paul Vlissidis Group Technical Director NCC Group plc paulv@nccgroup.com Agenda Introductions Context for Ethical Hacking Effective use of ethical hacking in fraud

More information

IBF Certification: Terms and Conditions

IBF Certification: Terms and Conditions IBF Certification: Terms and Conditions The Institute of Banking and Finance 10 Shenton Way, #13-07/08, MAS Building S(079117) T: +65 6220 8566 l F: +65 6224 4947 www.ibf.org.sg 1 Introduction 1.1 The

More information

INTEROPERABILITY UNIT

INTEROPERABILITY UNIT INTEROPERABILITY UNIT MODULES FOR THE PROCEDURES FOR ASSESSMENT OF CONFORMITY, SUITABILITY FOR USE AND EC VERIFICATION TO BE USED IN THE TECHNICAL SPECIFICATIONS FOR INTEROPERABILITY Reference: Version

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of Rapid7 Nexpose Vulnerability Management and Penetration Testing System V5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Reporting on Control Procedures at Outsourcing Entities

Reporting on Control Procedures at Outsourcing Entities Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information

Allerdale Borough Council Internal Audit Charter

Allerdale Borough Council Internal Audit Charter Allerdale Borough Council Internal Audit Charter Appendix A Document prepared by Document reviewed by Document replaces Document approved by Document due for annual review Internal Audit Manager Date July

More information

IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:2013 from ISO/TS 22003:2007

IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:2013 from ISO/TS 22003:2007 IAF Informative Document IAF Informative Document for the Transition of Food Safety Management System Accreditation to ISO/TS 22003:2013 from ISO/TS 22003:2007 (IAF ID 8:2014) Page 2 of 6 The (IAF) details

More information

low levels of compliance with the regulations and POCA by negligent HVD operators are enabling criminals to launder the proceeds of crime

low levels of compliance with the regulations and POCA by negligent HVD operators are enabling criminals to launder the proceeds of crime 6.185 Under the regulations HMRC must maintain a registry of HVDs. However the regulations do not enable HMRC to conduct a fit and proper person test on those who seek to register as an HVD. From 2004

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

The EFGCP Report on The Procedure for the Ethical Review of Protocols for Clinical Research Projects in Europe (Update: April 2011) Denmark

The EFGCP Report on The Procedure for the Ethical Review of Protocols for Clinical Research Projects in Europe (Update: April 2011) Denmark The Procedure for the Ethical Review of Protocols for Clinical Research Projects in Europe (Update: April 2011) Denmark Question 1: What laws or regulations apply to an application for conducting a clinical

More information

11th AMC Conference on Securely Connecting Communities for Improved Health

11th AMC Conference on Securely Connecting Communities for Improved Health 11th AMC Conference on Securely Connecting Communities for Improved Health Information Security Testing How Do AMCs Ensure Your Networks are Secure June 22, 2015 Ray Hillen, Dennis Schmidt, Adam Bennett

More information

National Accreditation Board for Certification Bodies. Accreditation Criteria

National Accreditation Board for Certification Bodies. Accreditation Criteria Accreditation Criteria for Medical devices - Quality management systems - for regulatory purposes Certification BCB 135 October 2012 Contents 0.0 Foreword 2 1.0 Scope 2 2.0 Criteria 2 3.0 Guidance on the

More information

Derbyshire Trading Standards Service Quality Manual

Derbyshire Trading Standards Service Quality Manual Derbyshire Trading Standards Service Quality Manual This Quality Manual has been developed to give a broad outline of how the Trading Standards Division s range of services comply with the requirements

More information

Gambling Act. Part 1 Purpose and scope of the Act

Gambling Act. Part 1 Purpose and scope of the Act Gambling Act Part 1 Purpose and scope of the Act 1. The purpose of the Act is i) to maintain the consumption of gambling services at a moderate level; ii) to protect young people and other vulnerable people

More information

ISO 27001 Information Security Management Services (Lot 4)

ISO 27001 Information Security Management Services (Lot 4) ISO 27001 Information Security Management Services (Lot 4) CONTENTS 1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE?... 3 2. LHIS TECHNICAL ASSURANCE SERVICES... 3 3. SERVICE OVERVIEW... 4 4. EXPERIENCE...

More information

QSS 0: Products and Services without Bespoke Contracts.

QSS 0: Products and Services without Bespoke Contracts. QSS 0: Products and Services without Bespoke Contracts. Amendment History Version Date Status v.1 Dec 2014 Updated For 2015 deployment Table of Contents 1. DEFINITIONS 3 2. INTRODUCTION 3 3. WORKING WITH

More information

Acceptance Criteria for Penetration Tests According to PCI DSS

Acceptance Criteria for Penetration Tests According to PCI DSS Acceptance Criteria for Penetration Tests According to PCI DSS Requirement 11.3 of the PCI DSS (Version 1.2.1, July 2009) defines the regular performance of penetration tests for all systems in scope as

More information

ARTICLES OF ASSOCIATION NEUROSEARCH A/S. (CVR-no. 12546106)

ARTICLES OF ASSOCIATION NEUROSEARCH A/S. (CVR-no. 12546106) Unauthorised translation ARTICLES OF ASSOCIATION OF NEUROSEARCH A/S (CVR-no. 12546106) Name, registered office and objects Article 1. The name of the company is NeuroSearch A/S. Article 2. The objects

More information

REQUIREMENTS FOR CERTIFICATION BODIES TO DETERMINE COMPLIANCE OF APPLICANT ORGANIZATIONS TO THE MAGEN TZEDEK SERVICE MARK STANDARD

REQUIREMENTS FOR CERTIFICATION BODIES TO DETERMINE COMPLIANCE OF APPLICANT ORGANIZATIONS TO THE MAGEN TZEDEK SERVICE MARK STANDARD REQUIREMENTS FOR CERTIFICATION BODIES TO DETERMINE COMPLIANCE OF APPLICANT ORGANIZATIONS TO THE MAGEN TZEDEK SERVICE MARK STANDARD Foreword The Magen Tzedek Commission has established a standards and certification

More information

Guideline about provision of guessing competitions

Guideline about provision of guessing competitions about provision of guessing competitions This guideline is intended for citizens and companies who are interested in providing guessing competitions in Denmark Guideline 30. oktober 2014 Guideline about

More information

BAND: 5. 37½ hours per week 1. JOB SUMMARY

BAND: 5. 37½ hours per week 1. JOB SUMMARY POST TITLE: Software Developer BAND: 5 HOURS: ACCOUNTABLE TO: LOCATION: 37½ hours per week Head of Informatics Programme Mamhilad 1. JOB SUMMARY Reporting to Software Development Manager, the post holder

More information

TRANSLATION ARTICLES OF ASSOCIATION. ALK-Abelló A/S (Company registration (CVR) no. 63 71 79 16) (the Company") March 20142016

TRANSLATION ARTICLES OF ASSOCIATION. ALK-Abelló A/S (Company registration (CVR) no. 63 71 79 16) (the Company) March 20142016 TRANSLATION ARTICLES OF ASSOCIATION of ALK-Abelló A/S (Company registration (CVR) no. 63 71 79 16) (the Company") March 20142016 1. Name 1.1 The name of the company is ALK-Abelló A/S. 1.2 The Company also

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Operating Licence Notification of Change

Operating Licence Notification of Change Operating Licence Notification of Change Please read the Operating Licence Notification of Change Guidance Notes before completing this application form. This form will be scanned. Therefore please complete

More information

Promoting society and local authority lotteries

Promoting society and local authority lotteries Promoting society and local authority lotteries Advice for society and local authority lotteries which require a licence or registration September 2014 1 Introduction 1.1 Lotteries are illegal unless they

More information

Certification Report

Certification Report Certification Report EAL 4 Evaluation of SecureDoc Disk Encryption Version 4.3C Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification

More information

Protecting your business interests through intelligent IT security services, consultancy and training

Protecting your business interests through intelligent IT security services, consultancy and training Protecting your business interests through intelligent IT security services, consultancy and training The openness and connectivity of the digital economy today provides huge opportunities but also creates

More information

Certification Report

Certification Report Certification Report HP Network Automation Ultimate Edition 10.10 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government

More information