Spillemyndigheden s Certification Programme Instructions on Penetration Testing

Transcription

1 SCP EN.1.0

2 Table of contents Table of contents Introduction Spillemyndigheden s certification programme Objectives of the Scope of this document Definitions Legal basis for this document Version Document identifier Enquiries Certification Certification framework Certification requirements Certification frequency Transfer of certifications Inspections and tests conducted in accordance with Spillemyndigheden s certification programme Inspections and tests conducted in accordance with other standards Suppliers to the licence holder Supplier certification Integration into the gambling system of the licence holder Period deferment Compilation of the certifications Accredited testing organisations Requirements for accredited testing organisations Requirements for personnel at the accredited testing organisations Penetration Testing Framework Objective of the penetration testing Protected components Updating software and hardware Certification no longer valid due to significant changes Internal function with the licence holder Penetration Testing Process SCP EN.1.0 Side 2 af 11

3 1 Introduction Spillemyndigheden s certification programme is set out to ensure that the gambling system executes games in a correct way and that the security surrounding the gambling system is maintained. The requirements in the certification programme is adapted to the different types of games based on an evaluation of the type of game s significance and risk in relation to extent, prevalence, nature, size of the prize and the risk of the customers being deceived etc. Currently the following types of games are in use: Online betting Land-based betting Online casino Land-based casino Gaming machines with cash prizes Lottery games The accredited testing organisation performs testing, inspection and certification of the gambling system, business processes and business systems of the licence holder. The testing, inspection and certification must be adapted to the individual licence holder s offer of gambling products. 1.1 Spillemyndigheden s certification programme Spillemyndigheden s certification programme consists of a number of documents, which are continuously adapted to the development in technology. The licence holder must be certified at all times in accordance with those parts of the certification programme which apply to their specific offer of gambling products. Types of games not offered by the licence holder are not subject to certification. Each of the six types of games has a set of testing standards and a set of inspection standards associated. Furthermore, four documents apply across all types of games and cover information security management system, penetration testing, vulnerability scanning and change management. Each document sets out minimum requirements for the arrangement of the gambling system, business processes and business systems of the licence holder. Spillemyndigheden s certification programme supplements the gambling regulation, individual licence terms and the administrative practice set out by Spillemyndigheden. 1.2 Objectives of the The seeks to ensure that the gambling system and business systems of the licence holder are tested for vulnerabilities that could be exploited to gain access to sensitive information. SCP EN.1.0 Side 3 af 11

4 1.3 Scope of this document This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder as well as instructions on how to conduct the certification. The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body being covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation. The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2 certification. The Penetration Test shall be conducted in such a way that exposes vulnerabilities in components. This is particularly relevant during system upgrades and updates. These requirements are set out in section 3 Penetration Testing Framework. Spillemyndigheden specify a number of mandatory penetration scenarios. These scenarios are set out in section 4 Penetration Testing Process. 1.4 Definitions Inspection: Sensitive information: Testing: Auditable log: Gambling system: The accredited testing organisation performs an assessment of the gambling system, business processes and business systems of the licence holder in relation to requirements set out by Spillemyndigheden and determines whether the requirements are met or not. Information of a sensitive nature related to either business or people. The accredited testing organisation performs in depth testing of the gambling system of the licence holder, analysis the comprised data and evaluates the results with regards to the requirements set out by Spillemyndigheden and determines whether the requirements are met or not. A log in which the recorded data cannot be manipulated after the initial recording. Any changes to the log shall happen through the recording of new data instead of changing or deleting existing records. Electronic or other equipment used by or on behalf of the licence holder for the offering of gambling, including equipment that: 1.5 Legal basis for this document 1. is used for the storage of information pertaining to a person s participation in gambling, including historical data and information concerning results, 2. produce and/or presents games to the gambler, or 3. determine the result of a game or calculate whether the gambler has won or lost a game. The Instruction on Penetration Testing (SCP EN.1.0) is issued by Spillemyndigheden pursuant to Act no. 848 of 1 July 2010 on Gambling section 41 and executive order no. 65 of 25 January 2012 on land-based SCP EN.1.0 Side 4 af 11

5 betting section 1, executive order no. 66 of 25 January 2012 on online betting section 26 and executive order nr. 67 of 25 January 2012 on online casino section Version Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden s website: Date Version Description Description If the certification programme is modified, as a rule, certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only. 1.7 Document identifier Each document in Spillemyndigheden s Certification Programme has a unique identifier comprised of: SCP Which indicates Spillemyndigheden s Certification Programme. Two digits Which indicates the type of document. The identifiers are: "01" Testing standards "02" Inspection standards "03" Information Security Management System "04" Penetration Testing "05" Vulnerability Scanning "06" Change Management Programme Two digits Which indicates the type of game covered. The identifiers are: "00" All types of games "01" Online betting "02" Land-based betting "03" Online casino "04" Land-based casino "05" Gaming machines with cash prizes "06" Lottery games DK or EN Which indicates the language version. DK for Danish and EN for English. Version number Which is described in section 1.6 above. The document identifier SCP DK.1.0 would thus be version 1.0 of the inspection standards for landbased betting in Danish. A standard report with the identifier SCP.XX.XX.ST is associated with each document and must be used when submitting certifications to Spillemyndigheden. The document identifiers for the standard reports follow the methodology above and are language neutral. SCP EN.1.0 Side 5 af 11

6 1.8 Enquiries Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address: or Spillemyndigheden Helgeshøj Allé 9 DK-2630 Taastrup 2 Certification 2.1 Certification framework A certification consists of inspection and testing of the gambling system, business processes and business systems of a licence holder based on the requirements set out in Spillemyndigheden s certification programme. It is the responsibility of the licence holder to attain the required certifications and to organise the company s business activities in accordance with Spillemyndigheden s certification programme. The certifications shall be issued by an accredited testing organisation in accordance with Spillemyndigheden s certification programme. It is always the responsibility of the licence holder that the requirements of the certification programme are met at all times. 2.2 Certification requirements Certification carried out to the standards of this document shall be submitted using the standard report SCP ST. The accredited testing organisation shall attest that the gambling system, business processes and business systems of the licence holder adhere to the requirements set out in this document. As an extraordinary exception it may be accepted that the accredited testing organisation attests to the certification even if all requirements have not been met as described in this document. In this case the certifications must be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used. SCP EN.1.0 Side 6 af 11

7 2.3 Certification frequency The gambling system, business processes and business systems of the licence holder shall be certified at all times. The licence holder shall ensure that the gambling system, business processes and business systems are subject to on-going certification to ensure adherence to the requirements of this document with an interval of no more than 12 months. The following instructions apply in relation to the renewal and submission of the certifications: The inspection shall have commenced before the lapse of the current certification and shall be concluded within two months of the lapse of the current certification. The certification shall be submitted with Spillemyndigheden within this time frame as well. The re-certification shall be dated with the date of the conclusion of the inspection unless the inspection continued after the lapse of the current certification in which case the new certification shall be dated with the date of the lapse of the current certification, as a certification period cannot exceed twelve months. 2.4 Transfer of certifications Inspections and tests conducted in accordance with Spillemyndigheden s certification programme When an accredited testing organisation has certified a given requirement in Spillemyndigheden s certification programme and this requirement is part of several separate documents of the programme e.g. SCP EN Testing Standards for online betting and SCP EN Testing Standards for land-based betting, it will not be necessary to repeat the certification of the requirement. In such cases there shall, instead, be a reference to the above-mentioned certification. This is also the case if the prior certification has been conducted by another accredited testing organisation Inspections and tests conducted in accordance with other standards It is allowed to base the certification on inspections and tests carried out on previous occasions and to similar criteria. When this option is utilised the actual time of the previous inspection or test shall be used when calculating the certification frequency. This means that if the certification is based on inspections or tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required. The above-mentioned option is also available if the prior certification has been conducted by another accredited testing organisation. When the accredited testing organisation is assessing whether to base the certification on inspections or tests carried out to similar criteria, this shall be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used. SCP EN.1.0 Side 7 af 11

8 2.5 Suppliers to the licence holder Supplier certification A supplier to a licence holder can have their products certified fully or partially in accordance with Spillemyndigheden s certification programme. In these situations the accredited testing organisation of the supplier issues a similar report as described in section 2.2. The accredited testing organisation of the licence holder shall, when testing the gambling system of the licence holder, only test the elements of the gambling system that have not been certified during the certification of the supplier. The accredited testing organisation of the licence holder is not required to assess the work done by the accredited testing organisation of the supplier and need only reference this work when issuing the certification Integration into the gambling system of the licence holder The accredited testing organisation shall be particularly aware of the fact that, even if the supplier s product has been certified already, it may be necessary to repeat parts of the certification, when the product is integrated into the licence holder s overall gambling system. This will be particular relevant when the implementation involves changes to the certified product Period deferment The period of the certification of the supplier and the period of the certification of the licence holder, as described in section 2.3, can differ with no more than one month. Guidance: This would been that a licence holder could be using the certification period from 1 May to 30 April while the supplier could be using the certification period from 1 April to 31 march Compilation of the certifications It is the task of the accredited testing organisation of the licence holder to ensure that all requirements in this document have been assessed. It shall be evident from the certification of the licence holder whether a given requirement has been inspected or tested by the accredited testing organisation of the licence holder, the accredited testing organisation of a supplier or is out of scope in relation to the games offered by the licence holder. 2.6 Accredited testing organisations Testing organisations shall attain ISO/IEC accreditation and/or ISO/IEC accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden s certification programme SCP EN.1.0. To ensure that the necessary qualifications are in place during the certification the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification. SCP EN.1.0 Side 8 af 11

9 2.6.1 Requirements for accredited testing organisations The accrediting testing organisation: a) Shall have at least to years experience in penetration testing of systems or a similar closely related subject area, b) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of SCP EN.1.0, and c) Shall ensure that staff with sufficient qualifications will carry through the certification Requirements for personnel at the accredited testing organisations The certification shall be carried through by staff with sufficient qualifications cf. sections above. Work done in relation to the certification shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) Five years of professional experience in penetration testing of systems or a similar closely related subject area, and b) Shall be certified as: International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH), International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT), Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT), Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN), CESG CHECK Team Leader, CESG CHECK Team Member, CREST Infrastructure Certification, CREST Registered Tester, Tiger Scheme Senior Security Tester, eller Tiger Scheme Qualified Security Tester. Guidance: Certification and attestation can be carried out by staff who in conjunction fulfil the requirements. 3 Penetration Testing Framework Spillemyndigheden s is in part inspired by Payment Card Industry Data Security Standard (PCI-DSS). 3.1 Objective of the penetration testing When performing penetration testing the accredited testing organisation shall seek to exploit any vulnerabilities in the gambling system of the licence holder uncovered during the vulnerability scanning, cf. Spillemyndighedens Instructions on Vulnerability Scanning SCP EN. SCP EN.1.0 Side 9 af 11

10 3.2 Protected components The gambling system and business systems shall be protected against any attack from outsiders. The components containing sensitive information concerning customers in particular shall be protected. The definition of components and their relevance follows from Spillemyndigheden s Change Management Programme SCP EN, section The licence holder can minimise the risk of unauthorised access by segmenting the internal networks including which sub-systems communicates sensitive information by public networks. 3.3 Updating software and hardware It is the responsibility of the licence holder that the system components are updated to a degree that ensures the highest level of security possible and does not compromise the integrity of the systems. By doing so the risk of unauthorised access to sensitive information is minimised Certification no longer valid due to significant changes In the event of an update of components of the licence holder or a supplier, a new vulnerability test is recommended to ensure that existing internal controls are still effective and functional. It shall be indicated in the certification of penetration testing that it is no longer valid after significant updates or changes to infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What will be considered to be significant changes will depend to a high degree on the set-up of a given environment and therefore it cannot be defined as such by Spillemyndigheden. It is, however, always considered significant if an upgrade or a change is capable of affecting or providing access to sensitive information and/or components cf. Spillemyndigheden s Change Management Programme SCP EN, section Internal function with the licence holder The accredited testing organisation can allow that the certification is upheld as an exception to section 3.3.1, if the licence holder has an internal function dedicated to undertaking penetration testing of the systems. This function shall be manned with appropriately skilled staff as well as being organisationally separated from the function implementing system changes. If the certification is postponed the accredited testing organisation shall assess, approve and certify these tests every three months. The certification shall clearly state whether this method has been used. The option to postpone certification to the interval of three months is only available to licence holders. The option to postpone certification is not available to suppliers without an individual licence to offer gambling in Denmark. 4 Penetration Testing Process When performing penetration testing the accredited testing organisation shall seek unauthorised access to the systems of the licence holder. The unauthorised access shall be attempted escalated to the highest access level possible. Through this access the following minimum list of scenarios shall be tested: SCP EN.1.0 Side 10 af 11

11 Manipulation of result generation Affecting the execution of games Fraud with customer funds Theft of customer funds Manipulation of audit logs Access to sensitive information Manipulation of sensitive information Manipulation of data transfer to SAFE SCP EN.1.0 Side 11 af 11