Spillemyndigheden's Certification Programme: Change Management Programme




SCP.06.00.EN.2.0

Table of contents

1 Introduction
  1.1 Spillemyndigheden's certification programme
  1.2 Objectives of the change management programme
  1.3 Scope of this document
  1.4 Definitions
  1.5 Legal basis for this document
  1.6 Version
  1.7 Document identifier
  1.8 Enquiries
2 Certification
  2.1 Certification framework
  2.2 Certification requirements
  2.3 Certification frequency
  2.4 Transfer of certifications
    2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme
    2.4.2 Inspections and tests conducted in accordance with other standards
  2.5 Suppliers to the licence holder
    2.5.1 Supplier certification
    2.5.2 Integration into the gambling system of the licence holder
    2.5.3 Period deferment
    2.5.4 Compilation of the certifications
  2.6 Accredited testing organisations
    2.6.1 Requirements for accredited testing organisations
    2.6.2 Requirements for personnel at the accredited testing organisations
3 Change Management Framework
  3.1 Change Management Responsibility
    3.1.1 Change Management responsibilities of the licence holder
    3.1.2 Personnel responsible for Change Management
  3.2 Change Management Planning
  3.3 Configuration Management
    3.3.1 Structure of the gambling system and definition of components
    3.3.2 Registration of components in a component register
    3.3.3 Classification of components
  3.4 Recording changes in a Change Log
  3.5 Configuration baseline of the Gambling System
4 Change Management Process
  4.1 Justification for change
  4.2 Evaluation of change
  4.3 Approval of change
    4.3.1 Approval of changes recommended by a supplier
    4.3.2 Dismissal of changes recommended by a supplier
  4.4 Implementation and verification of change
    4.4.1 Changes to components classified with relevance code 3
    4.4.2 Changes to components classified with relevance code 2
5 Reports from the component register and the change log
6 Prior approval of change from Spillemyndigheden
  6.1 Random Number Generator
  6.2 New games and changes in the existing offer of games
    6.2.1 Implementation of new games
    6.2.2 Changes in the existing offer of games
    6.2.3 Situations where Spillemyndigheden's Standard Records cannot be utilised

1 Introduction

Spillemyndigheden's certification programme is set out to ensure that the gambling system executes games in a correct way and that the security surrounding the gambling system is maintained. The requirements in the certification programme are adapted to the different types of games based on an evaluation of the type of game's significance and risk in relation to extent, prevalence, nature, size of the prize and the risk of the customers being deceived etc.

Currently the following types of games are in use:

- Online betting
- Land-based betting
- Online casino
- Land-based casino
- Gaming machines with cash prizes
- Lottery games

The accredited testing organisation performs testing, inspection and certification of the gambling system, business processes and business systems of the licence holder. The testing, inspection and certification must be adapted to the individual licence holder's offer of gambling products.

1.1 Spillemyndigheden's certification programme

Spillemyndigheden's certification programme consists of a number of documents, which are continuously adapted to the development in technology. The licence holder must be certified at all times in accordance with those parts of the certification programme which apply to their specific offer of gambling products. Types of games not offered by the licence holder are not subject to certification.

Each of the six types of games has a set of testing standards and a set of inspection standards associated. Furthermore, four documents apply across all types of games and cover information security management system, penetration testing, vulnerability scanning and change management.

Each document sets out minimum requirements for the arrangement of the gambling system, business processes and business systems of the licence holder. Spillemyndigheden's certification programme supplements the gambling regulation, individual licence terms and the administrative practice set out by Spillemyndigheden.

1.2 Objectives of the change management programme

The change management programme ensures that all changes to the gambling system are conducted to this set of standards, hereby seeking an adequate quality for the implementation of changes. The programme ensures transparency in relation to changes to the gambling system and the decision process behind those changes.

1.3 Scope of this document

This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder as well as instructions on how to conduct the certification. The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body being covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation.

The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2 Certification.

The licence holder shall have a number of basic functions and procedures in place as the foundation for its change management programme. These functions and procedures are described in section 3 Change Management Framework.

All changes to the gambling system shall be described, evaluated and approved before being implemented into the gambling system. This process is described in section 4 Change Management Process.

The licence holder shall be capable of creating a number of reports concerning the gambling system and these are described in section 5 Reports from the component register and the change log.

In certain situations Spillemyndigheden must be notified about a change or in some cases have to approve the change before implementation. These situations are described in section 6 Prior approval of change from Spillemyndigheden.

1.4 Definitions

Inspection: The accredited testing organisation performs an assessment of the gambling system, business processes and business systems of the licence holder in relation to requirements set out by Spillemyndigheden and determines whether the requirements are met or not.

Sensitive information: Information of a sensitive nature related to either business or people.

Testing: The accredited testing organisation performs in-depth testing of the gambling system of the licence holder, analyses the collected data and evaluates the results with regards to the requirements set out by Spillemyndigheden and determines whether the requirements are met or not.

Auditable log: A log in which the recorded data cannot be manipulated after the initial recording. Any changes to the log shall happen through the recording of new data instead of changing or deleting existing records.

Gambling system: Electronic or other equipment used by or on behalf of the licence holder for the offering of gambling, including equipment that:
1. is used for the storage of information pertaining to a person's participation in gambling, including historical data and information concerning results,
2. produces and/or presents games to the gambler, or
3. determines the result of a game or calculates whether the gambler has won or lost a game.

1.5 Legal basis for this document

The (SCP.06.00.DK.2.0) is issued by Spillemyndigheden pursuant to Act no. 848 of 1 July 2010 on Gambling section 41 and executive order no. 65 of 25 January 2012 on land-based betting section 1, executive order no. 66 of 25 January 2012 on online betting section 26 and executive order no. 67 of 25 January 2012 on online casino section 26.

1.6 Version

Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden's website: https://spillemyndigheden.dk/en/certificationprogramme

Date Version Description

If the certification programme is modified, as a rule, certifications already issued will remain in force.

It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only.

1.7 Document identifier

Each document in Spillemyndigheden's Certification Programme has a unique identifier comprised of:

SCP: indicates Spillemyndigheden's Certification Programme.

Two digits: indicate the type of document. The identifiers are:
- "01" Testing standards
- "02" Inspection standards
- "03" Information Security Management System
- "04" Penetration Testing
- "05" Vulnerability Scanning
- "06"

Two digits: indicate the type of game covered. The identifiers are:
- "00" All types of games
- "01" Online betting
- "02" Land-based betting
- "03" Online casino
- "04" Land-based casino
- "05" Gaming machines with cash prizes
- "06" Lottery games

DK or EN: indicates the language version. DK for Danish and EN for English.

Version number: described in section 1.6 above.

The document identifier SCP.02.02.DK.1.0 would thus be version 1.0 of the inspection standards for land-based betting in Danish.

A standard report with the identifier SCP.XX.XX.ST is associated with each document and must be used when submitting certifications to Spillemyndigheden. The document identifiers for the standard reports follow the methodology above and are language neutral.

1.8 Enquiries

Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address:

mail@spillemyndigheden.dk

or

Spillemyndigheden
Helgeshøj Allé 9
DK-2630 Taastrup

2 Certification

2.1 Certification framework

A certification consists of inspection and testing of the gambling system, business processes and business systems of a licence holder based on the requirements set out in Spillemyndigheden's certification programme.

It is the responsibility of the licence holder to attain the required certifications and to organise the company's business activities in accordance with Spillemyndigheden's certification programme.

The certifications shall be issued by an accredited testing organisation in accordance with Spillemyndigheden's certification programme.

It is always the responsibility of the licence holder that the requirements of the certification programme are met at all times.

2.2 Certification requirements

Certification carried out to the standards of this document shall be submitted using the standard report SCP.06.00.ST.

The accredited testing organisation shall attest that the gambling system, business processes and business systems of the licence holder adhere to the requirements set out in this document.

As an extraordinary exception it may be accepted that the accredited testing organisation attests to the certification even if all requirements have not been met as described in this document. In this case the certifications must be substantiated by a This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC 31010 Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.3 Certification frequency

The gambling system, business processes and business systems of the licence holder shall be certified at all times.

The licence holder shall ensure that the gambling system, business processes and business systems are subject to on-going certification to ensure adherence to the requirements of this document with an interval of no more than 12 months.

The following instructions apply in relation to the renewal and submission of the certifications:

- The inspection shall have commenced before the lapse of the current certification and shall be concluded within two months of the lapse of the current certification. The certification shall be submitted to Spillemyndigheden within this time frame as well.
- The re-certification shall be dated with the date of the conclusion of the inspection unless the inspection continued after the lapse of the current certification, in which case the new certification shall be dated with the date of the lapse of the current certification, as a certification period cannot exceed twelve months.

Additionally a report compiling the on-going certifications and other relevant information shall be submitted every three months.

2.4 Transfer of certifications

2.4.1 Inspections and tests conducted in accordance with Spillemyndigheden's certification programme

When an accredited testing organisation has certified a given requirement in Spillemyndigheden's certification programme and this requirement is part of several separate documents of the programme, e.g. SCP.01.01.EN Testing Standards for online betting and SCP.01.02.EN Testing Standards for land-based betting, it will not be necessary to repeat the certification of the requirement. In such cases there shall, instead, be a reference to the above-mentioned certification.

This is also the case if the prior certification has been conducted by another accredited testing organisation.

2.4.2 Inspections and tests conducted in accordance with other standards

It is allowed to base the certification on inspections and tests carried out on previous occasions and to similar criteria. When this option is utilised the actual time of the previous inspection or test shall be used when calculating the certification frequency. This means that if the certification is based on inspections or tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required.

The above-mentioned option is also available if the prior certification has been conducted by another accredited testing organisation.

When the accredited testing organisation is assessing whether to base the certification on inspections or tests carried out to similar criteria, this shall be substantiated by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders. The risk assessment shall be based on ISO/IEC 31010 Risk management - Risk assessment techniques. The certification shall reflect whether this method has been used.

2.5 Suppliers to the licence holder

2.5.1 Supplier certification

A supplier to a licence holder can have their products certified fully or partially in accordance with Spillemyndigheden's certification programme. In these situations the accredited testing organisation of the supplier issues a similar report as described in section 2.2.

The accredited testing organisation of the licence holder shall, when testing the gambling system of the licence holder, only test the elements of the gambling system that have not been certified during the certification of the supplier.

The accredited testing organisation of the licence holder is not required to assess the work done by the accredited testing organisation of the supplier and need only reference this work when issuing the certification.

2.5.2 Integration into the gambling system of the licence holder

The accredited testing organisation shall be particularly aware of the fact that, even if the supplier's product has been certified already, it may be necessary to repeat parts of the certification when the product is integrated into the licence holder's overall gambling system. This will be particularly relevant when the implementation involves changes to the certified product.

2.5.3 Period deferment

The period of the certification of the supplier and the period of the certification of the licence holder, as described in section 2.3, can differ by no more than one month.

Guidance: This would mean that a licence holder could be using the certification period from 1 May to 30 April while the supplier could be using the certification period from 1 April to 31 March.

2.5.4 Compilation of the certifications

It is the task of the accredited testing organisation of the licence holder to ensure that all requirements in this document have been assessed. It shall be evident from the certification of the licence holder whether a given requirement has been inspected or tested by the accredited testing organisation of the licence holder, the accredited testing organisation of a supplier or is out of scope in relation to the games offered by the licence holder.

2.6 Accredited testing organisations

Testing organisations shall attain ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden's certification programme SCP.06.00.EN.2.0.

To ensure that the necessary qualifications are in place during the certification the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification.

2.6.1 Requirements for accredited testing organisations

The accredited testing organisation:

a) Shall have at least three years' experience in testing gambling systems or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of SCP.06.00.EN.2.0, and
c) Shall ensure that staff with sufficient qualifications will carry through the certification.

2.6.2 Requirements for personnel at the accredited testing organisations

The certification shall be carried through by staff with sufficient qualifications cf. section 2.6.1 above.

Work done in relation to the certification shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) Shall have a relevant education background or be able to prove relevant qualifications in other ways,
b) Shall be certified as:
   - International Information Systems Security Certification Consortium (ISC)² Certified Information Systems Security Professional (CISSP),
   - Payment Card Industry (PCI) Qualified Security Assessor (QSA), or
   - Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA).
c) The supervisor referred to in a) and b) above shall have five years of professional experience in testing gambling systems or a similar closely related subject area for an accredited or certified organisation.

Guidance: Certification and attestation can be carried out by staff who in conjunction fulfil the requirements.

3 Change Management Framework

This general framework for managing changes to the gambling system sets out the necessary foundation needed for the implementation of a change management programme. It requires the licence holder to:

- delegate responsibilities and authorities in relation to change management,
- create a formal change plan defining the structure for change management,
- identify and classify the components of the gambling system for the configuration management,
- record changes in a change log, and
- determine a configuration baseline for the gambling system in its entirety.

When classifying components it may be relevant to consider the differences between the games and the game types as well as the different risks involved.

3.1 Change Management Responsibility

3.1.1 Change Management responsibilities of the licence holder

The licence holder is responsible for changes in its gambling system irrespective of whether such changes have been carried out by the licence holder or a third party on behalf of the licence holder.

The licence holder shall clarify and define responsibilities and authorities with regards to the implementation and approval of the change process.

If the gambling system changes are managed by one of the licence holder's suppliers, the licence holder shall ensure that the supplier carries out equal procedures and that these procedures comply with the requirements of this document.

3.1.2 Personnel responsible for Change Management

The licence holder shall appoint one or more people among its staff to take overall responsibility for system changes. The responsible personnel may be organised as a committee.

The responsible personnel shall possess sufficient proficiency and experience in change management and hold the necessary authority within the licence holder's organisation to make decisions with regards to change management.

The responsible personnel shall involve other relevant staff members at the licence holder and/or at the relevant supplier(s) in the decision process in order to ensure changes of high quality.

Prior to the approval of a system change the responsible personnel shall confirm that:

- the proposed system change is consistent with Spillemyndigheden's Certification Programme,
- the proposed system change is necessary,
- the proposed system change has been carefully considered, documented and categorised,
- the consequences of implementing the change do not compromise the integrity of the gambling system, and
- the process for the planned actions when implementing the system change in documentation, hardware and/or software is consistent with section 4 of this document.

This, along with who has been involved in the decision making process, shall be recorded in the change log cf. section 3.4.

3.2 Change Management Planning

The change management of the licence holder shall be documented in a change management plan which sets out the overall framework for managing system changes.

The change management plan of the licence holder shall:

- be documented,
- be approved by senior management,
- be subject to sufficient internal control,
- identify the configuration management procedure to be used cf. section 3.3,
- describe the responsibilities and authorities of the personnel in relation to changes to the gambling system and its components as well as ensure that the lifecycle of components is described,
- integrate with the change management plans of suppliers,
- establish the delegation of responsibilities between licence holder and supplier, and
- make reference to relevant procedures of the licence holder and supplier whenever possible.

3.3 Configuration Management

The licence holder shall use a degree of configuration management which creates an overview of the gambling system by identifying the individual components.

When the components have been registered and classified in the component register cf. section 3.3.2, the configuration baseline is created cf. section 3.5, which ensures the possibility of identifying changes to the gambling system in future certifications.

The configuration management set out in this document is meant to supplement the existing configuration management used by the licence holder. If the licence holder is not subjecting the gambling system to any configuration management then this document is to be considered the minimum requirements for configuration management.

3.3.1 Structure of the gambling system and definition of components

The structure of the gambling system is comprised of the defined hardware and software components and the inter-relationships and inter-dependencies of the components.

The components shall be defined in the component register cf. section 3.3.2 based on whether their functional and physical characteristics can be managed separately. The definition shall be based on:

- regulatory requirements,
- criticality in terms of risks to confidentiality, integrity, availability and accountability cf. section 3.3.3,
- new or modified technology, design or development, and
- interfaces with other components.

The objective of defining the components is to optimise the ability to control the development process of the gambling system.

The definition of components shall be initiated as early as possible in the component's lifecycle and be reviewed on a continuous basis during the development of the component.
3.3.2 Registration of components in a component register

The licence holder and their suppliers shall register all defined components in a component register. The licence holder and their suppliers are free to set the level of detail in the component register. If the level of detail is very low, e.g. if the gambling system is the only component, then any change to this component would require a very high degree of management and control. A high level of detail would make it possible to scale the degree of management and control according to the significance of the individual component's role in the gambling system.

The following information shall be registered on each component:

- the definition of the component,
- a unique identification number,
- version number,
- identifying characteristics,
- check sum/hash sum,
- the owner responsible for changes to the component,
- classification in relation to confidentiality, integrity, availability and accountability cf. section 3.3.3, and
- the geographic location if the component is a hardware component.

This information shall be the foundation on which the accredited testing organisation can inspect whether the component has changed compared to the configuration baseline cf. section 3.5.

3.3.3 Classification of components

All defined components shall be classified against the following four criteria:

- Confidentiality: confidential information concerning the customer (e.g. identification and transaction information).
- Integrity: the integrity of the gambling system, its functionality and the information stored in the gambling system.
- Availability: the availability of information concerning the customer.
- Accountability: user activity (including customers, personnel and third parties) in relation to the component.

Each component shall be assigned a relevance code on the scale below based on the component's role in achieving or ensuring each of the above criteria:

- 1: no relevance (the component can have no negative impact on the criterion),
- 2: some relevance (the component can have an impact on the criterion), and
- 3: substantial relevance (the criterion is related to or dependent on the component).

The highest relevance code of the four criteria determines the classification of the component.

3.4 Recording changes in a Change Log

All changes to the gambling system shall be recorded and dated in a change log. The change log shall be the foundation on which the accredited testing organisation can inspect the changes made to each specific component compared to the configuration baseline cf. section 3.5.
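The register entry, the classification rule of section 3.3.3 and the comparison against the configuration baseline (cf. section 3.5) can be sketched in Python as follows. This is an added example, not part of Spillemyndigheden's document: the field subset, SHA-256 as the hash sum, the `CMP-` identifiers and the shape of the change-log records are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    """Register entry with a subset of the section 3.3.2 fields."""
    ident: str        # unique identification number
    version: str
    digest: str       # check sum/hash sum (SHA-256 is an assumption)
    relevance: tuple  # confidentiality, integrity, availability, accountability

    def classification(self) -> int:
        # Section 3.3.3: the highest of the four relevance codes decides.
        if len(self.relevance) != 4 or any(c not in (1, 2, 3) for c in self.relevance):
            raise ValueError(f"{self.ident}: four relevance codes in 1..3 required")
        return max(self.relevance)

def entry(ident, version, artifact: bytes, relevance):
    return Component(ident, version, hashlib.sha256(artifact).hexdigest(), relevance)

def diff_against_baseline(baseline, current, change_log):
    """Return one dict per difference from the baseline, sorted by identifier."""
    base = {c.ident: c for c in baseline}
    cur = {c.ident: c for c in current}
    logged = {record["ident"] for record in change_log}
    findings = []
    for ident in sorted(base.keys() | cur.keys()):
        old, new = base.get(ident), cur.get(ident)
        if old == new:
            continue
        status = "added" if old is None else "removed" if new is None else "changed"
        # Assumption: take the higher classification so a downgrade cannot hide a change.
        level = max(c.classification() for c in (old, new) if c is not None)
        findings.append({
            "ident": ident, "status": status, "classification": level,
            "needs_testing_org": level >= 2,   # section 4.4: codes 2 and 3
            "in_change_log": ident in logged,  # section 3.4: all changes logged
        })
    return findings

# Constructed sample data: identifiers, contents and dates are hypothetical.
BASELINE = [entry("CMP-001", "1.0", b"rng build A", (1, 3, 1, 2)),
            entry("CMP-002", "2.3", b"lobby theme A", (1, 1, 1, 1)),
            entry("CMP-003", "1.1", b"report job A", (2, 1, 1, 1))]
CURRENT = [entry("CMP-001", "1.0", b"rng build B", (1, 3, 1, 2)),
           entry("CMP-002", "2.4", b"lobby theme B", (1, 1, 1, 1)),
           entry("CMP-004", "0.9", b"bonus engine A", (2, 2, 1, 2))]
CHANGE_LOG = [{"ident": "CMP-002", "date": "2024-03-01"},
              {"ident": "CMP-004", "date": "2024-03-05"}]
```

In the sample, `CMP-001` has a new hash sum under an unchanged version number and no change-log record, which is the kind of gap in the audit trail that the comparison with the baseline is meant to expose.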
3.5 Configuration baseline of the Gambling System

The configuration baseline is established during the initial certification of the licence holder as the certified gambling system in its entirety. The configuration baseline enables the accredited testing organisation to inspect all changes to the components in such a manner that upon the yearly re-certification a complete audit trail exists back to the initial configuration baseline.

As part of the yearly re-certification a new configuration baseline is established and this will serve as the baseline for the changes during the following year.

4 Change Management Process

All system changes shall be controlled. The degree of control depends on the impact the change is expected to have on the gambling system. The change management process shall be documented in the change log cf. section 3.4 and the documentation shall include:

- a description of the change,
- a classification of the change in terms of complexity, resources and scheduling,
- a justification for the change cf. section 4.1,
- an evaluation of the change cf. section 4.2,
- a description of how the change shall be approved cf. section 4.3, and
- a description of how the change shall be implemented and verified cf. section 4.4.

4.1 Justification for change

Prior to the formal approval of a change cf. section 3.1.2 the change proposal shall be substantiated and documented in the change log cf. section 3.4. The change proposal shall include the following information:

- the component(s) and related documentation to be changed including the unique identification number, version number and status,
- a description of the proposed change,
- a listing of other components and related documentation that may be affected by the change,
- the personnel or supplier composing the change proposal as well as the date of the proposal,
- the reason for the change, and
- the category of the change.

The status of the change processing, the related decisions and dispositions shall be documented on an ongoing basis.

4.2 Evaluation of change

The change proposal shall be evaluated and this shall be documented in the change log cf. section 3.4. The evaluation shall be conducted in accordance with the purpose of the Gambling Act and associated executive orders.
The risk assessment shall be based on ISO/IEC 31010 Risk management - Risk assessment techniques.

The change evaluation shall include:

- the expected effect of the change,
- a description of the risk associated with the change,
- a description of the change's effect on the licence holder's regulatory compliance, and
- the impact of the change on the gambling system's confidentiality, integrity, availability and accountability cf. section 3.3.3.

4.3 Approval of change

A process shall be established that ensures all change proposals and associated change evaluations are presented for formal approval cf. section 3.1.2 and the final approval or dismissal of the change can take place. All decisions on changes including relevant considerations shall be recorded in the change log cf. section 3.4.

4.3.1 Approval of changes recommended by a supplier

When a change in the gambling system of the licence holder is initiated on the basis of a recommendation from a supplier, the licence holder's approval of the change can be based on the supplier's change justification cf. section 4.2 and change evaluation cf. section 4.2. The licence holder shall still make a separate change evaluation describing how the change will impact the entire gambling system. The time between the supplier recommendation and the implementation shall be justified in the change log cf. section 3.4. Documentation for the implementation of the supplier's recommendation shall also be recorded in the change log.

4.3.2 Dismissal of changes recommended by a supplier

If a licence holder dismisses the implementation of a change recommended by a supplier it shall be justified in the change log cf. section 3.4. The accredited testing organisation shall analyse and attest on each individual justification and dismissal of the supplier's recommendations. The justification for not following the recommendation of the supplier as well as the result of the analysis of the accredited testing organisation shall be included in the tri-monthly report cf. section 2.3.

4.4 Implementation and verification of change

This section applies to changes to components classified with relevance code 2 or 3 cf. section 3.3.3.
Components classified with relevance code 1 have no relevance in relation to the criteria in section 3.3.3 and changes to these do not need approval from the accredited testing organisation.

After the implementation of a change the compliance with the approved change shall be verified. The verification shall be recorded in the change log cf. section 3.4.

4.4.1 Changes to components classified with relevance code 3

The accredited testing organisation shall assess and approve the change evaluation cf. section 4.2 of the licence holder of all changes to the components of the gambling system classified with relevance code 3 ("significant relevance") cf. section 3.3.3. The accredited testing organisation shall certify all changes during or in direct continuation of the implementation. These certifications shall be included in the report submitted every three months cf. section 2.3.

The accredited testing organisation can allow changes to occur without certification where the licence holder has an internal function dedicated to undertaking quality assurance of change management. This function shall be manned with appropriately skilled staff as well as being organisationally separated from the function implementing system changes. If the certification is postponed the accredited testing organisation shall assess, approve and certify these changes every three months. The certification shall clearly state whether this method has been used.

The option to postpone certification to the interval of three months is only available to licence holders. The option to postpone certification is not available to suppliers without an individual licence to offer gambling in Denmark.

4.4.2 Changes to components classified with relevance code 2

The accredited testing organisation shall assess and approve the change evaluation cf. section 4.2 of the licence holder of all changes to the components of the gambling system classified with relevance code 2 ("some relevance") cf. section 3.3.3 and subject to Spillemyndigheden's testing standards SCP.01.xx.EN. The accredited testing organisation shall certify these changes every three months.

The accredited testing organisation shall assess and approve the change evaluation cf. section 4.2 of the licence holder of all changes to the components of the gambling system classified with relevance code 2 ("some relevance") cf. section 3.3.3 and subject to Spillemyndigheden's inspection standards SCP.02.xx.EN. The accredited testing organisation shall certify these changes every twelve months.

Guidance to the accredited testing organisation: The analysis of the risk involved in changes should be carried through based on an appropriate sampling method and it shall take account of the assessed relevance of and risk involved in the change. Thereby a complete audit of all changes will not be necessary.
5 Reports from the component register and the change log

Upon request from Spillemyndigheden or the accredited testing organisation the licence holder shall be able to generate the following reports based on the information in the component register cf. section 3.3.2 and the change log cf. section 3.4:

- a report of all components including the registered information from the component register,
- a report of the change history of an individual component,
- a report of the geographical location of all hardware components, and
- a report of all verified changes cf. section 4.4.

6 Prior approval of change from Spillemyndigheden

6.1 Random Number Generator

The implementation of a new Random Number Generator (RNG) and changes to an existing RNG shall be notified to Spillemyndigheden five working days before the implementation or change is carried out.

6.2 New games and changes in the existing offer of games

The technical requirements for the SAFE and the use of Standard Records are described in annex 1 to the executive orders cf. section 1.

6.2.1 Implementation of new games

The implementation of new games, which does not affect how the licence holder utilises Spillemyndigheden's Standard Records, can commence without prior notification to Spillemyndigheden.

The offering of new games, which utilises Spillemyndigheden's Standard Records not previously utilised by the licence holder, shall be notified to Spillemyndigheden five working days before the offering commences and examples of Standard Records must be submitted along with the notification.

6.2.2 Changes in the existing offer of games

Changes to the existing offering of games, which do not affect how the licence holder utilises Spillemyndigheden's standard records, can commence without prior notification to Spillemyndigheden.

Changes to the existing offering of games, which would affect the utilisation of Spillemyndigheden's existing standard records by the licence holder, shall be notified to Spillemyndigheden five working days before the offering is changed and examples of Standard Records must be submitted along with the notification.

6.2.3 Situations where Spillemyndigheden's Standard Records cannot be utilised

The offering of new games, which cannot utilise Spillemyndigheden's Standard Records, shall be notified to Spillemyndigheden at least 60 working days before the offering commences and shall not commence without prior approval from Spillemyndigheden.

Changes to the existing offering of games, which would affect the utilisation of Spillemyndigheden's Standard Records to an extent where they can no longer be used by the licence holder, shall be notified to Spillemyndigheden at least 60 days before the offering is changed and shall not commence without prior approval from Spillemyndigheden.