Spillemyndigheden's Certification Programme: Instructions on Penetration Testing



SCP.04.00.EN.1.0

Table of contents

Table of contents ... 2
1 Introduction ... 3
1.1 Spillemyndigheden's certification programme ... 3
1.2 Objectives of the Instructions on Penetration Testing ... 3
1.3 Scope of this document ... 4
1.4 Definitions ... 4
1.5 Legal basis for this document ... 4
1.6 Version ... 5
1.7 Document identifier ... 5
1.8 Enquiries ... 6
2 Certification ... 6
2.1 Certification framework ... 6
2.2 Certification requirements ... 6
2.3 Certification frequency ... 7
2.4 Transfer of certifications ... 7
2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme ... 7
2.4.2 Inspections and tests conducted in accordance with other standards ... 7
2.5 Suppliers to the licence holder ... 8
2.5.1 Supplier certification ... 8
2.5.2 Integration into the gambling system of the licence holder ... 8
2.5.3 Period deferment ... 8
2.5.4 Compilation of the certifications ... 8
2.6 Accredited testing organisations ... 8
2.6.1 Requirements for accredited testing organisations ... 9
2.6.2 Requirements for personnel at the accredited testing organisations ... 9
3 Penetration Testing Framework ... 9
3.1 Objective of the penetration testing ... 9
3.2 Protected components ... 10
3.3 Updating software and hardware ... 10
3.3.1 Certification no longer valid due to significant changes ... 10
3.3.2 Internal function with the licence holder ... 10
4 Penetration Testing Process ... 10

SCP.04.00.EN.1.0 Page 2 of 11

1 Introduction

Spillemyndigheden's certification programme is set out to ensure that the gambling system executes games in a correct way and that the security surrounding the gambling system is maintained. The requirements in the certification programme are adapted to the different types of games based on an evaluation of each type of game's significance and risk in relation to extent, prevalence, nature, size of the prize, the risk of the customers being deceived, etc. Currently the following types of games are in use:

- Online betting
- Land-based betting
- Online casino
- Land-based casino
- Gaming machines with cash prizes
- Lottery games

The accredited testing organisation performs testing, inspection and certification of the gambling system, business processes and business systems of the licence holder. The testing, inspection and certification must be adapted to the individual licence holder's offer of gambling products.

1.1 Spillemyndigheden's certification programme

Spillemyndigheden's certification programme consists of a number of documents, which are continuously adapted to developments in technology. The licence holder must be certified at all times in accordance with those parts of the certification programme which apply to their specific offer of gambling products. Types of games not offered by the licence holder are not subject to certification.

Each of the six types of games has an associated set of testing standards and a set of inspection standards. Furthermore, four documents apply across all types of games and cover the information security management system, penetration testing, vulnerability scanning and change management. Each document sets out minimum requirements for the arrangement of the gambling system, business processes and business systems of the licence holder.

Spillemyndigheden's certification programme supplements the gambling regulation, individual licence terms and the administrative practice set out by Spillemyndigheden.
1.2 Objectives of the Instructions on Penetration Testing

The Instructions on Penetration Testing seek to ensure that the gambling system and business systems of the licence holder are tested for vulnerabilities that could be exploited to gain access to sensitive information.

1.3 Scope of this document

This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder, as well as instructions on how to conduct the certification.

The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation, or a member of the International Laboratory Accreditation Cooperation. The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2, Certification.

The penetration test shall be conducted in such a way that it exposes vulnerabilities in components. This is particularly relevant during system upgrades and updates. These requirements are set out in section 3, Penetration Testing Framework.

Spillemyndigheden specifies a number of mandatory penetration scenarios. These scenarios are set out in section 4, Penetration Testing Process.

1.4 Definitions

Inspection: The accredited testing organisation performs an assessment of the gambling system, business processes and business systems of the licence holder in relation to the requirements set out by Spillemyndigheden and determines whether the requirements are met or not.

Sensitive information: Information of a sensitive nature related to either business or people.

Testing: The accredited testing organisation performs in-depth testing of the gambling system of the licence holder, analyses the resulting data and evaluates the results with regard to the requirements set out by Spillemyndigheden, and determines whether the requirements are met or not.

Auditable log: A log in which the recorded data cannot be manipulated after the initial recording. Any changes to the log shall happen through the recording of new data instead of changing or deleting existing records.

Gambling system: Electronic or other equipment used by or on behalf of the licence holder for the offering of gambling, including equipment that:
1. is used for the storage of information pertaining to a person's participation in gambling, including historical data and information concerning results,
2. produces and/or presents games to the gambler, or
3. determines the result of a game or calculates whether the gambler has won or lost a game.

1.5 Legal basis for this document

The Instructions on Penetration Testing (SCP.04.00.EN.1.0) are issued by Spillemyndigheden pursuant to Act no. 848 of 1 July 2010 on Gambling, section 41, and executive order no. 65 of 25 January 2012 on land-based betting, section 1, executive order no. 66 of 25 January 2012 on online betting, section 26, and executive order no. 67 of 25 January 2012 on online casino, section 26.

1.6 Version

Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden's website: https://spillemyndigheden.dk/en/certificationprogramme

Date         Version   Description
2013.10.01   1.0       Description

If the certification programme is modified, as a rule, certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only.

1.7 Document identifier

Each document in Spillemyndigheden's Certification Programme has a unique identifier comprised of:

SCP: Indicates Spillemyndigheden's Certification Programme.

Two digits: Indicate the type of document. The identifiers are:
"01" Testing standards
"02" Inspection standards
"03" Information Security Management System
"04" Penetration Testing
"05" Vulnerability Scanning
"06" Change Management Programme

Two digits: Indicate the type of game covered. The identifiers are:
"00" All types of games
"01" Online betting
"02" Land-based betting
"03" Online casino
"04" Land-based casino
"05" Gaming machines with cash prizes
"06" Lottery games

DK or EN: Indicates the language version, DK for Danish and EN for English.

Version number: Described in section 1.6 above.

The document identifier SCP.02.02.DK.1.0 would thus be version 1.0 of the inspection standards for land-based betting in Danish.

A standard report with the identifier SCP.XX.XX.ST is associated with each document and must be used when submitting certifications to Spillemyndigheden. The document identifiers for the standard reports follow the methodology above and are language neutral.

1.8 Enquiries

Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address: mail@spillemyndigheden.dk or

Spillemyndigheden
Helgeshøj Allé 9
DK-2630 Taastrup

2 Certification

2.1 Certification framework

A certification consists of inspection and testing of the gambling system, business processes and business systems of a licence holder based on the requirements set out in Spillemyndigheden's certification programme. It is the responsibility of the licence holder to attain the required certifications and to organise the company's business activities in accordance with Spillemyndigheden's certification programme. The certifications shall be issued by an accredited testing organisation in accordance with Spillemyndigheden's certification programme. It is always the responsibility of the licence holder that the requirements of the certification programme are met at all times.

2.2 Certification requirements

Certification carried out to the standards of this document shall be submitted using the standard report SCP.04.00.ST. The accredited testing organisation shall attest that the gambling system, business processes and business systems of the licence holder adhere to the requirements set out in this document.

As an extraordinary exception it may be accepted that the accredited testing organisation attests to the certification even if all requirements have not been met as described in this document. In this case the certification must be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC 31010 Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.3 Certification frequency

The gambling system, business processes and business systems of the licence holder shall be certified at all times. The licence holder shall ensure that the gambling system, business processes and business systems are subject to on-going certification to ensure adherence to the requirements of this document, with an interval of no more than 12 months.

The following instructions apply in relation to the renewal and submission of the certifications:

- The inspection shall have commenced before the lapse of the current certification and shall be concluded within two months of the lapse of the current certification. The certification shall be submitted to Spillemyndigheden within this time frame as well.
- The re-certification shall be dated with the date of the conclusion of the inspection, unless the inspection continued after the lapse of the current certification, in which case the new certification shall be dated with the date of the lapse of the current certification, as a certification period cannot exceed twelve months.

2.4 Transfer of certifications

2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme

When an accredited testing organisation has certified a given requirement in Spillemyndigheden's certification programme and this requirement is part of several separate documents of the programme, e.g. SCP.01.01.EN Testing Standards for online betting and SCP.01.02.EN Testing Standards for land-based betting, it will not be necessary to repeat the certification of the requirement. In such cases there shall instead be a reference to the above-mentioned certification. This is also the case if the prior certification has been conducted by another accredited testing organisation.

2.4.2 Inspections and tests conducted in accordance with other standards

It is allowed to base the certification on inspections and tests carried out on previous occasions and to similar criteria. When this option is utilised, the actual time of the previous inspection or test shall be used when calculating the certification frequency. This means that if the certification is based on inspections or tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required. The above-mentioned option is also available if the prior certification has been conducted by another accredited testing organisation.

When the accredited testing organisation is assessing whether to base the certification on inspections or tests carried out to similar criteria, this shall be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC 31010 Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.5 Suppliers to the licence holder

2.5.1 Supplier certification

A supplier to a licence holder can have their products certified fully or partially in accordance with Spillemyndigheden's certification programme. In these situations the accredited testing organisation of the supplier issues a report similar to that described in section 2.2. The accredited testing organisation of the licence holder shall, when testing the gambling system of the licence holder, only test the elements of the gambling system that have not been certified during the certification of the supplier. The accredited testing organisation of the licence holder is not required to assess the work done by the accredited testing organisation of the supplier and need only reference this work when issuing the certification.

2.5.2 Integration into the gambling system of the licence holder

The accredited testing organisation shall be particularly aware of the fact that, even if the supplier's product has already been certified, it may be necessary to repeat parts of the certification when the product is integrated into the licence holder's overall gambling system. This will be particularly relevant when the implementation involves changes to the certified product.

2.5.3 Period deferment

The period of the certification of the supplier and the period of the certification of the licence holder, as described in section 2.3, can differ by no more than one month.

Guidance: This would mean that a licence holder could be using the certification period from 1 May to 30 April while the supplier could be using the certification period from 1 April to 31 March.

2.5.4 Compilation of the certifications

It is the task of the accredited testing organisation of the licence holder to ensure that all requirements in this document have been assessed. It shall be evident from the certification of the licence holder whether a given requirement has been inspected or tested by the accredited testing organisation of the licence holder, by the accredited testing organisation of a supplier, or is out of scope in relation to the games offered by the licence holder.

2.6 Accredited testing organisations

Testing organisations shall attain ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden's certification programme SCP.04.00.EN.1.0.

To ensure that the necessary qualifications are in place during the certification, the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification.

2.6.1 Requirements for accredited testing organisations

The accredited testing organisation:
a) Shall have at least two years' experience in penetration testing of systems or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of SCP.04.00.EN.1.0, and
c) Shall ensure that staff with sufficient qualifications will carry through the certification.

2.6.2 Requirements for personnel at the accredited testing organisations

The certification shall be carried through by staff with sufficient qualifications, cf. section 2.6.1 above. Work done in relation to the certification shall be supervised, and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:
a) Five years of professional experience in penetration testing of systems or a similar closely related subject area, and
b) Shall be certified as:
- International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH),
- International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT),
- Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT),
- Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN),
- CESG CHECK Team Leader,
- CESG CHECK Team Member,
- CREST Infrastructure Certification,
- CREST Registered Tester,
- Tiger Scheme Senior Security Tester, or
- Tiger Scheme Qualified Security Tester.

Guidance: Certification and attestation can be carried out by staff who in conjunction fulfil the requirements.

3 Penetration Testing Framework

Spillemyndigheden's Instructions on Penetration Testing are in part inspired by the Payment Card Industry Data Security Standard (PCI-DSS).

3.1 Objective of the penetration testing

When performing penetration testing, the accredited testing organisation shall seek to exploit any vulnerabilities in the gambling system of the licence holder uncovered during the vulnerability scanning, cf. Spillemyndigheden's Instructions on Vulnerability Scanning SCP.05.00.EN.

3.2 Protected components

The gambling system and business systems shall be protected against any attack from outsiders. The components containing sensitive information concerning customers in particular shall be protected. The definition of components and their relevance follows from Spillemyndigheden's Change Management Programme SCP.06.00.EN, section 3.3.3.

The licence holder can minimise the risk of unauthorised access by segmenting the internal networks, including with regard to which sub-systems communicate sensitive information over public networks.

3.3 Updating software and hardware

It is the responsibility of the licence holder that the system components are updated to a degree that ensures the highest level of security possible and does not compromise the integrity of the systems. By doing so the risk of unauthorised access to sensitive information is minimised.

3.3.1 Certification no longer valid due to significant changes

In the event of an update of components of the licence holder or a supplier, a new vulnerability test is recommended to ensure that existing internal controls are still effective and functional.

It shall be indicated in the certification of penetration testing that it is no longer valid after significant updates or changes to the infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What will be considered significant changes will depend to a high degree on the set-up of a given environment and therefore cannot be defined as such by Spillemyndigheden. It is, however, always considered significant if an upgrade or a change is capable of affecting or providing access to sensitive information and/or components, cf. Spillemyndigheden's Change Management Programme SCP.06.00.EN, section 3.3.3.

3.3.2 Internal function with the licence holder

The accredited testing organisation can allow the certification to be upheld, as an exception to section 3.3.1, if the licence holder has an internal function dedicated to undertaking penetration testing of the systems. This function shall be staffed with appropriately skilled personnel and be organisationally separated from the function implementing system changes. If the certification is postponed, the accredited testing organisation shall assess, approve and certify these tests every three months. The certification shall clearly state whether this method has been used.

The option to postpone certification to the interval of three months is only available to licence holders. The option to postpone certification is not available to suppliers without an individual licence to offer gambling in Denmark.

4 Penetration Testing Process

When performing penetration testing, the accredited testing organisation shall seek unauthorised access to the systems of the licence holder. Escalation of the unauthorised access to the highest access level possible shall be attempted. Through this access, the following minimum list of scenarios shall be tested:

- Manipulation of result generation
- Affecting the execution of games
- Fraud with customer funds
- Theft of customer funds
- Manipulation of audit logs
- Access to sensitive information
- Manipulation of sensitive information
- Manipulation of data transfer to SAFE
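The definition of an auditable log in section 1.4 (changes are recorded as new data, never by altering or deleting existing records) and the "manipulation of audit logs" scenario in the list above both depend on a log in which after-the-fact changes are detectable. The following Python is an added example and is not part of Spillemyndigheden's document or of any licence holder's system: it implements a hash-chained append-only log in which every record commits to its predecessor, so that an edited or deleted record breaks verification, and in which a correction is itself a new record. The class and function names, the GENESIS constant and the sample events are assumptions constructed for this illustration.

```python
import dataclasses
import hashlib
import json
from typing import List, Optional

# Previous-hash value used by the very first record (assumed convention).
GENESIS = "0" * 64


@dataclasses.dataclass(frozen=True)
class LogRecord:
    seq: int          # position in the log, assigned when appended
    payload: dict     # the recorded event
    prev_hash: str    # digest of the preceding record (GENESIS for the first)
    digest: str       # SHA-256 over (seq, payload, prev_hash)


def record_digest(seq: int, payload: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes equally.
    canonical = json.dumps(
        {"seq": seq, "payload": payload, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditableLog:
    """Append-only log: each record commits to its predecessor via a hash chain."""

    def __init__(self) -> None:
        self._records: List[LogRecord] = []

    def append(self, payload: dict) -> LogRecord:
        seq = len(self._records)
        prev = self._records[-1].digest if self._records else GENESIS
        rec = LogRecord(seq, dict(payload), prev, record_digest(seq, payload, prev))
        self._records.append(rec)
        return rec

    def correct(self, seq: int, payload: dict) -> LogRecord:
        """A correction is a new record pointing at the one it supersedes;
        the original record is never modified or removed."""
        if not 0 <= seq < len(self._records):
            raise IndexError(f"no record with seq {seq}")
        return self.append({"corrects": seq, **payload})

    def records(self) -> List[LogRecord]:
        return list(self._records)


def verify_chain(records: List[LogRecord]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    record whose position, link or digest no longer matches."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != prev:
            return i
        if record_digest(rec.seq, rec.payload, rec.prev_hash) != rec.digest:
            return i
        prev = rec.digest
    return None


def build_sample_log() -> AuditableLog:
    # Constructed sample events; not taken from any real gambling system.
    log = AuditableLog()
    log.append({"event": "bet_placed", "customer": "C-1001", "amount": 50})
    log.append({"event": "result", "game": "G-7", "outcome": "win"})
    log.append({"event": "payout", "customer": "C-1001", "amount": 120})
    return log


def altered_copy(records: List[LogRecord], seq: int, new_payload: dict) -> List[LogRecord]:
    """Model an after-the-fact edit of one stored record, to show it is detected."""
    copy = list(records)
    copy[seq] = dataclasses.replace(copy[seq], payload=new_payload)
    return copy


def deleted_copy(records: List[LogRecord], seq: int) -> List[LogRecord]:
    """Model the removal of one stored record, to show it is detected."""
    return records[:seq] + records[seq + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_chain(log.records()))            # None
    edited = altered_copy(log.records(), 1,
                          {"event": "result", "game": "G-7", "outcome": "loss"})
    print("edited record detected at:", verify_chain(edited))    # 1
    print("deleted record detected at:",
          verify_chain(deleted_copy(log.records(), 1)))          # 1
    fix = log.correct(2, {"event": "payout", "customer": "C-1001", "amount": 100})
    print("correction appended as seq", fix.seq, "->", verify_chain(log.records()))  # 3 -> None
```

A chain like this detects manipulation; it does not prevent it. A party able to rewrite the whole store could recompute every digest, so in practice the latest digest is anchored outside the writer's control (write-once storage, a separate log collector, or a periodically signed checkpoint), and the accredited testing organisation compares the stored chain against that anchor.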