Information and operations security and integrity requirements for lottery and gaming organizations

IWA 17:2014 covers all types of lottery and gaming organizations, including commercial enterprises, government agencies and non-profit organizations. IWA 17:2014 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented security and integrity system within the context of the organization's overall risks. It specifies the requirements for the implementation of security and integrity controls applicable to the needs of individual organizations, so that the security and integrity management systems can be designed to ensure the selection of adequate and proportionate security and integrity controls that protect assets and give confidence to interested parties. The requirements set out in IWA 17:2014 are generic and are intended to be applicable to all organizations, regardless of type, size and nature.

Informations et exigences d'intégrité et de sécurité relatives aux opérations pour la loterie et l'organisation de jeux

General Information

Status: Withdrawn
Publication Date: 14-Dec-2014
Withdrawal Date: 14-Dec-2014
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 15-Dec-2014

Standard: IWA 17:2014 - Information and operations security and integrity requirements for lottery and gaming organizations (English language, 14 pages)

Standards Content (sample)

INTERNATIONAL WORKSHOP AGREEMENT IWA 17
First edition 2014-12-15

Information and operations security and integrity requirements for lottery and gaming organizations

Informations et exigences d’intégrité et de sécurité relatives aux opérations pour la loterie et l’organisation de jeux

Reference number IWA 17:2014(E)
© ISO 2014
IWA 17:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Overview
4 General security and integrity management requirements
4.1 Information Security Management System (ISMS)
4.2 Scope of the ISMS
4.3 Statement of applicability
5 General security and integrity control objectives and controls
6 Lottery and gaming specific security and integrity control objectives and controls
Annex A (normative) General security and integrity control objectives and controls
Annex B (normative) Lottery and gaming specific security and integrity control objectives and controls
Annex C (informative) Workshop contributors
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

International Workshop Agreement IWA 17 was approved at a workshop organized by the World Lottery Association (WLA), in association with the Association française de normalisation (AFNOR), and held in Zurich, Switzerland, in September 2014.

International Workshop Agreement IWA 17 is based on WLA-SCS:2012, WLA Security Control Standard — Lottery and Gaming Security and Integrity Standard for Operations.
Introduction

This International Workshop Agreement defines a security, integrity and risk management standard for use by the lottery and gaming sector and is intended to be the focal point for the sector on security and integrity issues. It is intended to assist lottery and gaming organizers around the world towards attaining a level of control in line with generally accepted practices and to make possible an increased reliance on the integrity of lottery operations.

This International Workshop Agreement describes a security management process that is aligned both with internationally recognized standards and with a common security baseline for specific aspects relating to lottery and gaming organizers, which represents good practice. It comprises a comprehensive set of requirements, controls and standards for lottery and gaming organizers, including conformity with all requirements stated in ISO/IEC 27001 for information security management systems (ISMS).

This International Workshop Agreement can also be considered as the foundation for building trust relationships with other lottery and gaming organizers, stakeholders and regulators for the purpose of conducting lottery and gaming operations or multi-jurisdictional games, and can be of substantial assistance to management by providing an independent review to build increased confidence in the security of a lottery. Compliance with this International Workshop Agreement allows a lottery and gaming organizer to ensure the integrity, availability and confidentiality of services and information vital to their secure operation.

The adoption of this International Workshop Agreement is a strategic decision for a lottery and gaming organizer. The design and implementation of the organization’s Security and Integrity management systems are influenced by their specific needs, objectives, risks and security requirements, the processes employed and the size and structure of the organization. These factors and their supporting systems are expected to change over time and it is to be expected that a management system implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple Security and Integrity management system.

Compliance with this International Workshop Agreement can be used by interested internal and external parties to evaluate the security and integrity of a lottery and gaming organization.

This International Workshop Agreement is aligned with ISO/IEC 27001 and ISO 9001 to allow for consistent and integrated implementation and operation with related management system standards.

International Workshop Agreement IWA 17:2014(E)

Information and operations security and integrity requirements for lottery and gaming organizations

1 Scope

This International Workshop Agreement covers all types of lottery and gaming organizations, including commercial enterprises, government agencies and non-profit organizations. This International Workshop Agreement specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented security and integrity system within the context of the organization’s overall risks. It specifies the requirements for the implementation of security and integrity controls applicable to the needs of individual organizations, so that the security and integrity management systems can be designed to ensure the selection of adequate and proportionate security and integrity controls that protect assets and give confidence to interested parties.

The requirements set out in this International Workshop Agreement are generic and are intended to be applicable to all organizations, regardless of type, size and nature.

NOTE 1 If an organization already has an operational business process management system (e.g. in relation with ISO 9001 or ISO 14001), in most cases it is advisable to satisfy the requirements of this International Workshop Agreement within the existing management system.

NOTE 2 Lottery and gaming organizers adopting this International Workshop Agreement are responsible for its correct application.
2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
3 Overview

The main objective of the security and integrity approach for lottery and gaming organizations is to ensure adequate operation as well as to provide confidence.

Confidence in a lottery operation is key to retaining players and other stakeholders. Lottery and gaming organizers, therefore, need to develop and maintain a visible and documented security and integrity environment.

This International Workshop Agreement describes the requirements, control objectives and controls that are seen as best practice. A lottery and gaming organizer shall operate an information security management system that implements all requirements stated in ISO/IEC 27001, as well as the mandatory requirements and controls of this International Workshop Agreement.

This International Workshop Agreement incorporates baseline requirements and controls within the lottery and gaming organizer’s overall security, integrity and risk management process, avoiding overlaps with more general security frameworks. It provides lottery and gaming security and integrity professionals with a process whereby they can formally manage, update and continuously improve their controls. Lottery and gaming organizers, therefore, need to develop and maintain a visible and documented security environment.
In addition to general security and integrity management requirements contained in this International Workshop Agreement, Annexes A and B specify the minimum controls necessary for the effective management of security and integrity in a lottery and gaming organization.
4 General security and integrity management requirements

4.1 Information Security Management System (ISMS)

The organization shall operate an Information Security Management System (ISMS) that satisfies the requirements stated in ISO/IEC 27001.

4.2 Scope of the ISMS

The scope of the organization’s ISMS shall include all lottery and gaming related activities of its operation, including all related assets and information systems. The scope may only exclude operations of the organization that are not related to the lottery and gaming activities. Those operations excluded shall be fully identified and the causes for exclusion justified in detail. General organizational functions (e.g. human resources, planning, finance) needed to produce the lottery and gaming operations are within the scope.

4.3 Statement of applicability

The organization’s ISMS statement of applicability shall explicitly include all controls in Annexes A and B. No control shall be excluded, but some of the controls in Annex B may be non-applicable. Claims of non-applicability shall be justified in detail.

Excluding any of the requirements specified in this clause (Clause 4), as well as any control in Annexes A and B, is not acceptable when an organization claims conformity to this International Workshop Agreement.

Any non-applicability of controls of Annex B found to be necessary needs to be formally justified and evidence needs to be provided that the non-applicability has been accepted by accountable people of the organization. Where any controls are non-applicable, claims of conformity to this International Workshop Agreement are not acceptable unless such exclusions do not affect the organization’s ability and/or responsibility to provide security and integrity that meets the requirements as determined by a risk assessment and applicable statutory or regulatory requirements.

5 General security and integrity control objectives and controls

The organization shall implement the 21 general controls described in Tables A.1 to A.6.

6 Lottery and gaming specific security and integrity control objectives and controls

The organization shall implement the 90 lottery and gaming specific controls described in Tables B.1 to B.7, if applicable.
Annex A
(normative)
General security and integrity control objectives and controls

The control objectives and controls listed in Tables A.1 to A.6 are mandatory controls under this International Workshop Agreement. They have been derived from ISO/IEC 27001 and extend beyond the requirements of ISO/IEC 27001. The lists in Tables A.1 to A.6 are not exhaustive and a lottery organization may consider that additional control objectives and controls are necessary.

Table A.1 — Organization of security

G.1 Organization of security
G.1.1 Allocation of security responsibilities

Objective: To ensure that security function responsibilities are effectively implemented.

G.1.1.1 Security forum: A security forum or other organizational structure comprised of senior managers shall be formally established to monitor and review the ISMS to ensure its continuing suitability, adequacy and effectiveness, maintain formal minutes of meetings and convene at least every six months.

G.1.1.2 Security function: A security function shall exist that will be responsible to draft and implement security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not limited to, the protection of information, communications, physical infrastructure and game processes.

G.1.1.3 Security function reporting: The security function shall report to no lower than executive level management and not reside within or report to the IT function.

G.1.1.4 Security function position: It shall have the competences and be sufficiently empowered, and shall have access to, all necessary resources within the organization to enable the adequate assessment, management and reduction of risk.

G.1.1.5 Security function responsibility: The head of the security function shall be a full member of the security forum and be responsible for recommending security policies and changes.

Table A.2 — Human resource security

G.2 Human resource security
G.2.1 Implementation of a code of conduct

Objective: To ensure that a suitable code of conduct is effectively implemented.

G.2.1.1 Code of conduct: A code of conduct shall be issued to all personnel when initially employed. All personnel shall formally acknowledge acceptance of this code.

G.2.1.2 Adherence and disciplinary action: The code of conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the code could lead to disciplinary action.

G.2.1.3 Conflict of interest: The code of conduct shall include statements that employees are required to declare conflicts of interest on employment as and when they occur. Specific examples of conflict of interest shall be cited within the code.

G.2.1.4 Policy on hospitality or gifts: The code of conduct shall include an anti-graft policy also including hospitality and gifts provided by or given to persons or entities with which the organization transacts business.

Table A.3 — Physical and environmental security

G.3 Physical and environmental security
G.3.1 Secure areas

Objective: To ensure that access to production gaming data centres or other systems areas important for the gaming operations is adequately secured.

G.3.1.1 Physical entry controls: Physical access to production gaming system data centres, computer rooms, network operations centres and other defined critical areas shall have a two-factor authentication process. Single-factor electronic access control methods are acceptable if the area is staffed at all times.

Table A.4 — Access control to gaming systems

G.4 Access control to gaming systems
G.4.1 Remote user access management

Objective: To ensure authorized remote user access and to prevent unauthorized access to gaming systems.

G.4.1.1 Remote user access to gaming systems: A procedure for strictly controlled remote access shall be established.

G.4.1.2 Remote user access functions: The range of functions available to the user shall be defined in conjunction with the process owner, the IT function and the security function.

G.4.1.3 Remote user access logging: All actions performed through remote user access shall be logged and these logs shall be regularly reviewed.

Table A.5 — Information systems maintenance

G.5 Information systems maintenance
G.5.1 Cryptographic controls

Objective: To protect the confidentiality, authenticity and integrity of important gaming, lottery and customer related information by cryptographic means.

G.5.1.1 Cryptographic controls for data on portable systems: Encryption shall be applied for non-public organization data on portable computer systems (laptops, USB devices, etc.).

G.5.1.2 Cryptographic controls for networks: Encryption shall be applied for sensitive information passed over networks, which risk analysis has shown to have an inadequate level of protection, including validation or other important gaming information, electronic mail, etc.

G.5.1.3 Cryptographic controls for storage: Integrity measures shall be applied for the storage of winning information ticket data and validation information.

G.5.1.4 Cryptographic controls for validation numbers: Encryption shall be applied for instant ticket validation numbers.

G.5.1.5 Cryptographic controls for payment orders: Encryption shall be applied for financial transactions between the organization and a banking institution.

G.5.2 System testing

Objective: To maintain the security, confidentiality and integrity of test data.

G.5.2.1 Test methodology policy and data: The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player personal information.
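Control G.5.1.3 (and L.1.2.4 in Annex B) requires integrity measures for stored winning-ticket and validation data but, being a requirements document, says nothing about mechanism. The Python below is an added illustration written for this page; it is not part of IWA 17:2014 or any WLA material. It shows one common way to satisfy the integrity part of G.5.1.3: every stored record carries an HMAC-SHA256 tag computed under a key held outside the data store, and a periodic audit recomputes the tags and reports any row that no longer verifies. The record fields, sample rows and key value are constructed for the example; key custody (HSM/KMS, rotation) and the encryption demanded by the neighbouring controls are outside what it demonstrates.

```python
"""Integrity protection for stored winning-ticket / validation records.

Added illustration (not from IWA 17:2014): each record is stored with a keyed
MAC so that any later modification of the stored file is detected on audit.
Record layout, field names, sample rows and the key are constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed sample key. In production the key lives in an HSM/KMS and is
# never present in source code or alongside the data it protects.
INTEGRITY_KEY = bytes.fromhex("1f" * 32)


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Wrap a record with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the row was altered."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def audit(rows: list, key: bytes = INTEGRITY_KEY) -> list:
    """Return the indices of rows whose MAC does not verify (the tamper report)."""
    return [i for i, row in enumerate(rows) if not verify(row, key)]


# Constructed winning-record file: game, pack, ticket, prize tier, claim status.
SAMPLE_ROWS = [
    seal({"game": "G-001", "pack": 1042, "ticket": 17, "prize": 500, "status": "unclaimed"}),
    seal({"game": "G-001", "pack": 1042, "ticket": 23, "prize": 0, "status": "non-winner"}),
]


def altered_copy(rows: list) -> list:
    """Copy of the file in which the second row's prize field has been changed
    without re-sealing, as an unauthorised edit of the store would leave it."""
    copy = json.loads(json.dumps(rows))
    copy[1]["record"]["prize"] = 10000
    return copy


if __name__ == "__main__":
    print("clean file, rows failing integrity check:", audit(SAMPLE_ROWS))
    print("altered file, rows failing integrity check:", audit(altered_copy(SAMPLE_ROWS)))
```

The audit function is the piece a reviewer would schedule (for example after each draw period or before each validation file is released to the acceptance-testing function under L.1.2.6); a non-empty result is the evidence that the integrity measure actually fired, which is what an ISMS auditor will ask to see.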
Table A.6 — Business continuity management

G.6 Business continuity management
G.6.1 Press media handling and availability

Objective: To ensure the protection of organization image and reputation and to counteract interruptions to business activities.

G.6.1.1 Press media and personnel handling: The business continuity plan shall include plans to handle the media and personnel during crisis situations.

G.6.1.2 Shareholder or board approval: The organization shall ensure that the board or shareholders of the organization agree to the decided availability requirements.
Annex B
(normative)
Lottery and gaming specific security and integrity control objectives and controls

The control objectives and controls listed in Tables B.1 to B.7 are mandatory unless not applicable to the operations of a lottery and gaming organization. The lists are not exhaustive and a lottery and gaming organization may consider that additional control objectives and controls are necessary.

Table B.1 — Instant tickets

L.1 Instant tickets
L.1.1 Instant game design

Objective: To ensure that game designs meet legal and regulatory requirements and are authorized at the appropriate level before going into production.

L.1.1.1 Documented instant ticket procedures: Formal procedures shall be established covering the design, development, production and release of instant games.

L.1.1.2 Game design approval: Final game design shall be formally approved through a process involving the security function.

L.1.1.3 Supplier selection: Printers/suppliers of instant tickets shall be subject to a selection and approval process. The approval process shall involve the security function.

L.1.1.4 Security requirements: Specific security requirements relating to the game and the physical instant ticket shall be documented and formally included as part of the contract with the supplier/printer.

L.1.1.5 Quality control: Quality control requirements for printing instant tickets shall be documented and form part of the contract with the supplier/printer.

L.1.1.6 Policy on audits and laboratory testing: A policy shall be established describing the required audits and laboratory testing of game design and ticket printing.

L.1.2 Instant ticket printing

Objective: To ensure that instant tickets comply with the organization’s security standards for production and printing.

L.1.2.1 Instant ticket printing requirements: The organization shall provide the printer/supplier with a detailed game specification and detailed security requirements.

L.1.2.2 Printing quality assurance: Security requirements shall include a requirement for the supplier/printer’s internal quality assurance function.

L.1.2.3 Encrypted validation numbers: Security requirements shall include validation numbers that employ encryption techniques.

L.1.2.4 Encrypted validation and winner files: Security requirements shall include validation files and winner information to be stored using encryption techniques.

L.1.2.5 Ticket verification: Checks of random samples of ticket packs for each game shall be carried out to ensure that games conform to the tolerances set out in the organization’s specification.

L.1.2.6 Acceptance testing of data: Security requirements shall include that after the first print run and before launch, inventory and validation data is provided to the appointed organization’s security or quality assurance function for acceptance testing.

L.1.3 Shipment of instant tickets

Objective: To ensure the secure transportation of instant tickets from the printer/supplier to the organization.

L.1.3.1 Shipping manifest: Shipping requirements shall specify that a complete shipping manifest shall be sent to the organization before a consignment is dispatched.

L.1.3.2 Transportation method: The organization shall ensure that the shipment process is in accordance with an agreed (either through a direct agreement or through an agreement with the supplier) method of transportation that is not to be varied without the authority of the organization.

L.1.3.3 Sealed transport containers: Shipping containers shall be sealed and seal numbers recorded on manifests.
Table B.1 (continued)

L.1.4 Storage and distribution of instant tickets

Objective: To ensure that instant tickets are stored and distributed in a secure manner.

L.1.4.1 Storage facility audits: A procedure shall be established to provide for authorized personnel to inspect instant ticket storage facilities at least annually.

L.1.4.2 Ticket transport verification: Each consignment of instant tickets shall be formally verified on arrival.

L.1.4.3 Ticket verification procedure: An arrival verification procedure shall ensure that seal numbers are correct and that the security of the container has been maintained.

L.1.4.4 Ticket verification outcome: The verification outcome shall be documented and, in case of non-conformities and/or irregularities, action shall be taken to determine whether the security of a consignment has been compromised.

L.1.4.5 Instant ticket control system: A control system shall be in place to account for packs of instant tickets from the time they arrive at the organization’s storage facilities to the time they arrive at the retailer.

L.1.5 Retailer security – instant tickets

Objective: To ensure that retailers conform to the security requirements applicable to the receipt, storage and sale of instant tickets.

L.1.5.1 Instant ticket receipt by retailers: The organization shall require retailers, either via contract or other means, to validate the integrity of packages of instant tickets on receipt and to confirm that they have received a particular consignment of tickets.

L.1.5.2 Receipt confirmation: Upon receipt confirmation, the tickets shall be formally recorded as having been issued to that retailer.

L.1.5.3 Retailer instructions: The organization shall provide retailers with instructions regarding prize claim pay-out, ticket validation, instant ticket handling and storage, reporting of security issues and the handling of lost and stolen tickets.

L.1.5.4 Retailer security training: The organization shall provide and document training for retailers to enable them to meet the security requirements for handling instant tickets.

L.1.6 Instant game closures

Objective: To ensure that security control and audit requirements are maintained when an instant game is closed.

L.1.6.1 Game closure procedure: The organization shall establish a game closure procedure to be used in the closing of an instant game.

L.1.6.2 Retailer information: The method and timing of informing retailers of a game closure and the collection of unused tickets shall be established and documented.

L.1.6.3 Balance of ticket stock: A procedure to be used to balance game tickets held in storage and by retailers shall be established.

L.1.6.4 Stock audit check: Requirements for audit checks of instant ticket stock shall be established and documented.

L.1.6.5 Authorized parties: Parties authorized to close a game and/or destroy tickets shall be formally defined.

L.1.6.6 Ticket destruction: The method and control of ticket destruction shall be established.
Table B.2 — Lottery draws

L.2 Lottery draws
L.2.1 Lottery draw management

Objective: To ensure that draws are conducted at times required by regulation and in accordance with the rules of the applicable lottery game.

L.2.1.1 Draw event: A policy shall be established to ensure that lottery draws are conducted as a planned and controlled event and in accordance with a clear working instruction.

L.2.1.2 Draw working instructions: The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw.

L.2.1.3 Draw team members: The working instruction shall include the composition of a draw team including their contact telephone numbers.

L.2.1.4 Draw team duties: The working instruction shall include the duties of the identified members of the draw team.

L.2.1.5 Reserve draw team: The working instruction shall nominate persons as reserves and detail how the reserve team are deployed.

L.2.1.6 Draw timing: The working instruction shall includ
...
