ecogra GENERALLY ACCEPTED PRACTICES (egap) AFFILIATE PROGRAMS



Similar documents
THE FRAMEWORK, PRINCIPLES AND STANDARDS TO WHICH EGBA MEMBER OPERATIONS ANNUALLY SUBSCRIBE, COMMIT AND ADHERE TO. FEBRUARY 2011

FINRMFS9 Facilitate Business Continuity Planning and disaster recovery for a financial services organisation

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Security Control Standard

SECTION 15 INFORMATION TECHNOLOGY

Supplier Security Assessment Questionnaire

INFORMATION TECHNOLOGY SECURITY STANDARDS

Domain 1 The Process of Auditing Information Systems

Appendix X - CAJPA Standard Regarding Data

ESKITP6032 IT Disaster Recovery Level 2 Role

Mille Lacs Band of Ojibwe Indians Gaming Regulatory Authority Detailed Gaming Regulations

1. Perimeter Security Dealing with firewall, gateways and VPNs and technical entry points. Physical Access to your premises can also be reviewed.

Decision on adequate information system management. (Official Gazette 37/2010)

Our consultancy team will provide guidance throughout the process helping you to produce the necessary documentation and raise staff awareness.

BERMUDA MONETARY AUTHORITY

HIPAA Security Matrix

Information Security Policies. Version 6.1

How To Use A Court Record Electronically In Idaho

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Supplier Information Security Addendum for GE Restricted Data

Newcastle University Information Security Procedures Version 3

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Spillemyndigheden s Certification Programme Information Security Management System

IBX Business Network Platform Information Security Controls Document Classification [Public]

Applications and Solutions Architecture Cloud Services

Supplement to Gaming Machine Technical Standards Consultation

CHAPTER 466b. SLOT COMPUTER SYSTEMS TECHNICAL STANDARD

Spillemyndigheden s Certification Programme Information Security Management System

Business Continuity Planning in IT

SEP AG and its affiliates offers different support levels for customers, partners and potential customers.

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Third Party Security Requirements Policy

Arizona Health Information Exchange Marketplace. Requirements and Specifications Health Information Service Provider (HISP)

RISK MANAGEMENT PLAN

Client Security Risk Assessment Questionnaire

Table of Contents. Introduction. Audience. At Course Completion

Course: 10174B: Configuring and Administering Microsoft SharePoint 2010

Disaster Recovery and Business Continuity Plan

NET ACCESS HIPAA COMPLIANT FLEXCloud

TELEFÓNICA UK LTD. Introduction to Security Policy

SCHEDULE 1 SERVICE DESCRIPTION

INFORMATION TECHNOLOGY CONTROLS

Intel Enhanced Data Security Assessment Form

Managing internet security

Tom J. Hull & Company Type 1 SSAE

Information Security Policy. Information Security Policy. Working Together. May Borders College 19/10/12. Uncontrolled Copy

Application Development within University. Security Checklist

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance

SAS 70 Exams Of EBT Controls And Processors

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Client information note Assessment process Management systems service outline

SUPPLIER SECURITY STANDARD

Service Definition (Q-D1) Vulnerability Scan (LITE Test) Overview of Service. Functional and non-functional Detail. Q-D1: Service Definition

Encana Information Security Practice

NETWORK SERVICES WITH SOME CREDIT UNIONS PROCESSING 800,000 TRANSACTIONS ANNUALLY AND MOVING OVER 500 MILLION, SYSTEM UPTIME IS CRITICAL.

Security from a customer s perspective. Halogen s approach to security

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.

Planning a Backup Strategy

University of Aberdeen Information Security Policy

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Web-based gambling and sports betting system Requirement specification

Upgrading Your SQL Server 2000 Database Administration (DBA) Skills to SQL Server 2008 DBA Skills Course 6317A: Three days; Instructor-Led

Enterprise Backup Overview Protecting Your Most Important Asset

Information Security Policy Schedule A - Roles, Standards and Operational Procedures

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Sponsor Site Questionnaire FAQs Regarding Maestro Care

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Security Policy JUNE 1, SalesNOW. Security Policy v v

B U S I N E S S C O N T I N U I T Y P L A N

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Improving Business for SMEs with Online Backup Improving Business for SMEs with Online Backup

GENERAL APPLICATION FOR ELECTRONIC COMMUNICATION SYSTEM ( ECS ) INSURANCE

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Testing strategy for compliance with remote gambling and software technical standards. First published August 2009

Music Recording Studio Security Program Security Assessment Version 1.1

Supplier IT Security Guide

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Microsoft SharePoint 2010 Overview

How To Recover From A Disaster

Time to Value: Successful Cloud Software Implementation

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

How To Protect Decd Information From Harm

SYLOGENT DEDICATED HOSTING

Company Profile. First Page. Previous Page. Next Page. Last Page. A Member of Harel Mallac Group

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Certified Information Systems Auditor (CISA)

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Memorandum. Audit Report No.: OAS-L REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE

ITIL A guide to service asset and configuration management

Course Outline: Course 6317: Upgrading Your SQL Server 2000 Database Administration (DBA) Skills to SQL Server 2008 DBA Skills

General IT Controls Audit Program

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון טל' פקס בשיתוף עם מכללת הנגב ע"ש ספיר

Measuring your capabilities in Workplace Safety Management

Backup and Restore with 3 rd Party Applications

Transcription:

ecogra GENERALLY ACCEPTED PRACTICES (egap) AFFILIATE PROGRAMS Approved 26 April 2012

1 INTRODUCTION The underlying philosophy of ecogra is based on the achievement of the objectives of player protection, fair gaming and responsible conduct by operators. Operators can opt to provide a similar level of comfort to affiliates that participate in the operator s affiliate program. For purposes of this document an affiliate program is defined as an Internet-based marketing service, that rewards the marketers (affiliates) for driving traffic (players) to the online gambling operators and for subsequent transactions made by players. Ultimately, this document aims to set out the most appropriate requirements to provide a high level of comfort to the affiliate that revenue is calculated accurately and deductions are correctly allocated, payments are completely and accurately processed, preventative and detective controls are in place to ensure accurate and correct linking of players to affiliates, and program software applications are developed, implemented, maintained and secured in a manner representative of best practice standards. This document is intended primarily, as a guideline, to define and communicate the requirements to which potential ecogra affiliate program trust seal holders must comply. In addition, this document will be used as a guideline by the ecogra Regulatory Compliance Services Department, when conducting on-site and remote inspections of the operator s affiliate program. The ecogra requirements are documented as Generally Accepted Practices (egap) and the following has been indicated for each of the egap areas: 1) The objectives outline the expected results of having adequately implemented the underlying requirements and practice guidelines. 2) Methodology describes the approach, timing and techniques adopted by the ecogra Regulatory Compliance Services Department, to obtain sufficient assurance that the seal holder adheres to the requirements and practice guidelines. 3) Minimum requirements (R) dictates the mandatory policies and procedures, which must be adhered to for the achievement of the ecogra affiliate program trust seal. 4) Suggested practices (P) define the practices that will contribute to a controlled environment but which are not necessarily required for the achievement of the ecogra affiliate program trust seal. The requirements that may be applicable to software providers and operators have been indicated, within each egap area, as follows: 1) For software providers with a in the SP column. 2) For operators with a in the O column. Where possible testing will be conducted remotely, however it may also be necessary to conduct certain tests at the software supplier and operator premises. Where necessary, additional testing will be performed should services be provided by third parties. Recent changes to the egap requirements may not yet be operative at all programs as software suppliers and operators are provided with a period in which to implement updates which are reviewed at their next assessment date. - 1 -

2 ECOGRA GENERALLY ACCEPTED PRACTICES The Generally Accepted Practices of ecogra are documented below. The term practice is used in the widest sense incorporating not just the computer systems, but also all the processes around it. AFFILIATE TRUST 200 Payments to and Affiliate Revenue Calculation 201 Affiliate Tracking Requirements 202 Affiliate System and Security Requirements 203 Disaster Recovery - 2 -

200 PAYMENTS TO AFFILIATES AND AFFILIATE REVENUE CALCULATION Affiliate revenue shall be calculated accurately and deductions correctly allocated. Payments shall be promptly attended to and shall be completely and accurately processed. The ecogra Regulatory Compliance Services Department shall ensure acceptable financial process, information, technology and monitoring controls are in place, at a point-in-time and over a period-of-time, to meet this objective. Payment to SP O 200.R.1 All payments to affiliates shall be paid out within a reasonable timeframe and in accordance with published payment terms and conditions. 200.R.2 All payments to affiliates shall be conducted through a formal documented process. 200.R.3 200.R.4 200.R.5 Terms and conditions applicable to calculation of affiliate revenue shall be clearly displayed on the operator s website. Affiliate revenue calculation shall be conducted in accordance with published terms and conditions. Player account and financial data relevant to affiliate revenue calculation shall be verified and correctly allocated in accordance with published terms and conditions. De-activated Player Accounts SP O 200.R.6 Activation of player accounts previously de-activated by the operator shall be conducted through a formal documented procedure. 200.R.7 The terms and conditions shall state the operator s policy for calculating affiliate commission on player accounts previously de-activated. Affiliate Deductions SP O 200.R.8 Affiliate deductions shall be calculated in accordance with published terms and conditions. 200.R.9 Deduction amounts relevant to affiliate revenue calculation shall be verified and correctly allocated in accordance with published terms and conditions. 200.R.10 Terms and conditions shall state the operator s policy for carrying over negative player account balances. Negative account balances relevant to affiliate revenue calculation shall be verified and correctly allocated in accordance with published terms and conditions. 200.R.11 Deduction amounts relevant to large wins shall be verified and correctly allocated in the winning month and in accordance with published terms and conditions. Affiliate Account Information SP O 200.R.12 Affiliate account and payment related information shall be available electronically. 200.R.13 Changes to affiliate account information must be subject to strict security control and shall be maintained in a system audit log. - 3 -

201 AFFILIATE TRACKING REQUIREMENTS Preventative and detective controls shall be in place to ensure accurate and correct linking of players to affiliates. The ecogra Regulatory Compliance Services Department shall ensure acceptable process, information, technology and monitoring controls are in place, over a period-of-time, to meet this objective. Player Tracking to SP O 201.R.1 Appropriate controls must be in place to detect and prevent delinking of player accounts from affiliate accounts. 201.R.2 Manual adjustments to affiliate accounts shall be reviewed and authorised. 201.R.3 Manual adjustments on inactive player accounts linked to affiliates shall be affected in accordance with the operator s policy on expiry of cookies. 201.R.4 All manual adjustment transactions must be subject to strict security control. Player Tracking Information SP O 201.R.5 All information relating to tracking of information shall be logged and retained as far as reasonably possible. - 4 -

202 AFFILIATE SYSTEM AND SECURITY REQUIREMENTS Affiliate applications shall be developed, implemented, maintained and secured in a manner representative of best practice standards. The ecogra Regulatory Compliance Services Department shall ensure that an acceptable software development process, information, technology and monitoring controls are in place, over a period-of-time, to meet this objective. Software Development SP O 202.R.1 All affiliate application development and implementation shall be conducted in accordance with a formal process. Change Control SP O 202.R.2 All changes to affiliate applications and player tracking software shall be conducted through a formal documented change control procedure and shall cater for: 202.R.2.1 Approval procedures for changes. 202.R.2.2 Emergency change procedures. 202.R.2.3 Procedures for testing and migration of changes. 202.R.2.4 Segregation of duties between developers, implementers and users. 202.R.2.5 Procedures to ensure that relevant documentation is updated as a result of a change. 202.R.3 All documentation relevant to the development or enhancement of affiliate applications shall be retained. 202.R.4 The test environment must be isolated physically and logically from the live operational systems. Access Control SP O 202.R.5 Appropriate access controls for end users shall be implemented on affiliate applications. Security Architecture SP O 202.R.6 Security policies and procedures shall be documented, communicated and reviewed at least annually or in the event of material changes 202.R.7 Security policies and procedures shall be implemented. Risk-based internal and external security reviews shall be conducted at least annually or in the event of material changes. Virus Detection Software SP O 202.R.8 Virus scanners and/or detection programs must be installed on all pertinent information systems. These programs shall be updated regularly to scan for new strains of viruses. - 5 -

203 DISASTER RECOVERY Affiliate programs shall be able to demonstrate that they can recover from a system disaster. The ecogra Regulatory Compliance Services Department shall use appropriate disaster recovery and/or business continuity methodologies to confirm that this objective is met. Backup of Information SP O 110.R.1 Backup and recovery procedures shall be in place to ensure data and information (e.g. logs and financial information) are backed up on a regular basis and can be restored in the event of a disaster. 110.R.2 Critical data and information shall be backed-up and secured off-site on a daily basis. 110.R.3 Backup and disaster recovery responsibilities and procedures between software providers and operators shall be clearly defined. - 6 -

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information