Spillemyndigheden s Certification Programme Instructions on Vulnerability Scanning



Similar documents
Spillemyndigheden s Certification Programme Instructions on Penetration Testing

Spillemyndigheden s Certification Programme Instructions on Penetration Testing

Spillemyndigheden s Certification Programme. Testing Standards for Online Betting SCP EN.1.0

Spillemyndigheden s Certification Programme Change Management Programme

Spillemyndigheden s Certification Programme Change Management Programme

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme Information Security Management System

Spillemyndigheden s Certification Programme. General requirements SCP EN.1.1

Spillemyndigheden s change management programme. Version of 1 July 2012

Spillemyndigheden s Certification Programme Inspection Standards for Online Casino

INFORMATION SECURITY TESTING

PCI DSS Compliance Information Pack for Merchants

Procuring Penetration Testing Services

PCI DSS v3.0 Vulnerability & Penetration Testing

Penetration testing & Ethical Hacking. Security Week 2014

NCC Group Managed Security Services Pricing

Penetration Testing in Romania

Cyber Essentials Scheme. Summary

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Security audit advice For holders of all remote gambling operator licences including specified remote lottery licences

Hackers are here. Where are you?

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Cyber Essentials Scheme

A Decision Maker s Guide to Securing an IT Infrastructure

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

PCI DSS and SSC what are these?

Schedule of Accreditation issued by United Kingdom Accreditation Service High Street, Feltham, Middlesex, TW13 4UN, UK

IT Heath Check Scoping guidance ALPHA DRAFT

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Payment Card Industry (PCI) Executive Report 10/27/2015

encription IT Security and Forensic Services

Payment Card Industry (PCI) Data Security Standard

Guide to Penetration Testing

G-Cloud Service Definition. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

Penetration Testing Services Procurement Guide VERSION 1.

Hackers are here. Where are you?

G-Cloud Service Definition. Atos Information Security Wireless Scanning Service

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

E-SPIN PCI Compliancy Solution

PENETRATION TESTING AND VULNERABILITY ASSESSMENTS: A PROFESSIONAL APPROACH

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Payment Card Industry (PCI) Executive Report 08/04/2014

Aberdeen City Council IT Security (Network and perimeter)

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI-DSS Penetration Testing

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

ROLE PROFILE. Business Function: Software Operations Managed Cloud Services eg s Head Office, Dunston Business Village, Staffordshire

Testing strategy for compliance with remote gambling and software technical standards. First published August 2009

Australian Computer Society ANZSCO ICT Code descriptions v Further updates will be issued in

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

ISO Information Security Management Services (Lot 4)

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

PCI Compliance: How to ensure customer cardholder data is handled with care

Penetration Testing. Request for Proposal

Lot 1 Service Specification MANAGED SECURITY SERVICES

G-Cloud Service Definition. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

Paul Vlissidis Group Technical Director NCC Group plc

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

White Paper. Understanding NIST FISMA Requirements

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

ISSECO Syllabus Public Version v1.0

Acceptance Criteria for Penetration Tests According to PCI DSS

Penetration Testing Services. Demonstrate Real-World Risk

The PCI DSS Compliance Guide For Small Business

Australian Social Work Education and Accreditation Standards (ASWEAS) Guideline 1.3: Guidance on RPL, articulation and credit transfer

Merchant guide to PCI DSS

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Protecting your business interests through intelligent IT security services, consultancy and training

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Digital Pathways. Penetration Testing

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

International Laboratory Accreditation Cooperation. Laboratory Accreditation or ISO 9001 Certification? global trust. Testing Calibration Inspection

G-Cloud Pricing. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

EC-Council. Certified Ethical Hacker. Program Brochure

A Guide to the Cyber Essentials Scheme

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

CBEST FAQ February 2015

ASV Scan Report Attestation of Scan Compliance

Sample Vulnerability Management Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

University of Sunderland Business Assurance PCI Security Policy

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

Procurement Policy Note Use of Cyber Essentials Scheme certification

CESG Certified Professional

G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

Transcription:

SCP.05.00.EN.1.0

Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification... 4 2.1.2 Renewed certification... 4 2.2 Accredited testing organisations... 4 2.2.1 Requirements for accredited testing organisations... 4 2.2.2 Requirements for personnel at the accredited testing organisations... 4 3 Vulnerability Scanning Framework... 5 3.1 Objective of the vulnerability scanning... 5 3.2 Protected components... 5 3.3 Updating software and hardware... 5 3.3.1 Component updates... 5 3.3.2 Internal function with the licence holder... 6 4 Vulnerability Scanning Process... 6 SCP.05.00.EN.1.0 Side 2 af 6

1 Objectives of the The Instructions on Penetration Testing seeks to ensure that the gambling system and business systems of the licence holder are scanned for vulnerabilities that could be exploited to gain access to sensitive information. 1.1 Scope of this document This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder as well as instructions on how to conduct the certification. The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2 certification. The vulnerability scan of the gambling system and business systems shall be conducted in such a way that exposes vulnerabilities in components. This is particularly relevant during system upgrades and updates. These requirements are set out in section 3 Vulnerability Scanning Framework. Spillemyndigheden propose a methodology for vulnerability scanning. This methodology is set out in section 4 vulnerability Scanning Process. 1.2 Version Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden s website: https://spillemyndigheden.dk/en/certificationprogramme Date Version Description 2014.07.04 1.0 A new document structure than the previous version 1.3 alongside with a range of updates in different areas. A new version 1.0 is therefore published. It is the intention to follow normal versioning for future changes. If the certification programme is modified, as a rule, certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only. 2 Certification 2.1 Certification frequency The licence holder is responsible to ensure to be certified in accordance with the requirements in this document with an interval of maximum of 3 months. SCP.05.00.EN.1.0 Side 3 af 6

2.1.1 Initial certification The licence holder must, as a rule, be certified before a licence to offer games can be issued, unless Spillemyndigheden has informed otherwise. 2.1.2 Renewed certification The licence holder must, as a rule, have completed a new certification within 3 months of the latest certification. The standard report must reflect, when the certification has been renewed. 2.2 Accredited testing organisations Testing organisations shall attain ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden s certification programme SCP.05.00.EN.1.0. The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body being covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation. To ensure that the necessary qualifications are in place during the certification the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification. 2.2.1 Requirements for accredited testing organisations The accrediting testing organisation: a) Shall have at least two years experience in vulnerability scanning of systems or a similar closely related subject area, b) Shall be accredited as Payment Card Industry (PCI) Approved Scanning Vendor (ASV) c) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of SCP.05.00.EN.1.0, and d) Shall ensure that staff with sufficient qualifications will carry through the certification. 2.2.2 Requirements for personnel at the accredited testing organisations The certification shall be carried through by staff with sufficient qualifications cf. sections 2.6.1 above. Work done in relation to the certification shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) Five years of professional experience in vulnerability scanning of systems or a similar closely related subject area, and b) Shall be certified as: International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH), International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT), Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT), Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN), SCP.05.00.EN.1.0 Side 4 af 6

CESG CHECK Team Leader, CESG CHECK Team Member, CREST Infrastructure Certification, CREST Registered Tester, Tiger Scheme Senior Security Tester, eller Tiger Scheme Qualified Security Tester. Guidance: Testing, supervision and attestation can be carried out by staff who in conjunction fulfil the requirements. 3 Vulnerability Scanning Framework Spillemyndigheden s is in part inspired by Payment Card Industry Data Security Standard (PCI-DSS). 3.1 Objective of the vulnerability scanning When performing vulnerability scanning the accredited testing organisation shall uncover vulnerabilities in the technical infrastructure of the licence holder, which could potentially be exploited to obtain unauthorised access through public interfaces. 3.2 Protected components The gambling system and business systems in the licence holders production environment shall be protected against any attack from outsiders. The components containing sensitive information concerning customers in particular shall be protected. The definition of components and their relevance follows from Spillemyndigheden s Change Management Programme SCP.06.00.EN, section 3.3.3. The licence holder can minimise the risk of unauthorised access by segmenting the internal networks including which sub-systems communicates sensitive information by public networks. 3.3 Updating software and hardware It is the responsibility of the licence holder that the system components are updated to a degree that ensures the highest level of security possible and does not compromise the integrity of the systems. By doing so the risk of unauthorised access to sensitive information is minimised. 3.3.1 Component updates In the event of an update of components of the licence holder or a supplier, a new vulnerability test must be performed to ensure the systems integrity is intact/uncompromised. Vulnerability scanning is necessary after significant updates or changes to infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What will be considered to be significant changes will depend to a high degree on the set-up of a given environment and therefore it cannot be defined as such by Spillemyndigheden. It is, however, always considered significant if an upgrade or a change is capable of affecting or providing access to sensitive information and/or components cf. Spillemyndigheden s Change Management Programme SCP.06.00.EN, section 3.3.3. SCP.05.00.EN.1.0 Side 5 af 6

3.3.2 Internal function with the licence holder The accredited testing organisation can allow that vulnerability scans as described in section 3.3.1, is conducted by a dedicated internal function at the licence holder, that undertakes vulnerability scanning of the systems. This function shall be manned with appropriately skilled staff as well as being organisationally separated from the function implementing system changes. If the the vulnerability scan is conducted by a dedicated internal function the accredited testing organisation shall assess, approve and certify these tests every three months. The certification shall clearly state whether this method has been used. This option is only available to licence holders. The option cannot be used by suppliers without an individual licence to offer gambling in Denmark. 4 Vulnerability Scanning Process The accredited testing organisation can use the National Vulnerability Database Common Vulnerability Scoring System scale (NVD CVSS) or a similar scoring system of equal quality when evaluating whether the systems of the licence holder has an adequate level of security. If any elements in the licence holders vulnerability scan scores 4 or higher on the NVD CVSS scale, the licence holder must remedy the uncovered vulnerabilities and get scanned again. If the scan uncovers vulnerabilities in the licence holders system that cannot be remedied within the expiration of the previous scan, the certification must be accompanied with a remedial plan and compensating controls must be in place. These vulnerabilities must be fixed for the next quarterly scan. SCP.05.00.EN.1.0 Side 6 af 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information