Tap5050 has recognized, since its foundation, the need for an adequate security and integrity standard for lottery/raffle organizers, and has built on the work done by the World Lottery Association.
Lottery/raffle organizers have a business need to develop environments that maintain a visible and documented security and integrity position so as to retain the confidence of players and other stakeholders alike. The WLA Security Control Standard (WLA-SCS) is designed to help lottery and gaming organizers around the world achieve levels of control that are in accordance with both generally accepted information security and quality practices and specific industry requirements. We have used the WLA-SCS as the baseline security document and have amended it to align with charitable organisations’ needs with regard to raffles and charitable lottery products. This supports a raffle organizer’s increased reliance on the integrity of its lottery operations.
The main objective of the security and integrity approach for lottery and gaming operations is to provide confidence in the operation. Confidence in a raffle operation is key to retaining players and other stakeholders. Lottery and gaming organizers, therefore, need to develop and maintain a visible and documented security and integrity environment.
This document consists of two parts that specify the minimum requirements necessary for the effective management of security and integrity in a raffle/lottery organization. The first part, General Security and Integrity Control Objectives and Controls, incorporates ISO/IEC 27001 compliance within a global scope, with a further 18 basic controls.
The second part, Raffle/Lottery Security and Integrity Control Objectives and Controls, furnishes an additional 45 raffle and gaming-specific security and integrity controls representing current best practices.
1. General Security and Integrity Objectives and Controls
A. Organization of Security
Allocation of security responsibilities
Objective: To ensure that security function responsibilities are effectively implemented.
A1. Security function
- Control. A security function shall exist that is responsible for drafting and implementing security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not limited to, the protection of information, communications, physical infrastructure, and game processes.
A2. Security forum
- Control. A security forum or other organizational structure composed of senior managers shall be formally established to monitor and review the ISMS (information security management system), maintain formal minutes of meetings, and convene at least every six months.
A3. Security function
- Control. A security function shall exist that is responsible for drafting and implementing security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not limited to, the protection of information, communications, physical infrastructure, and game processes.
A4. Security function position
- Control. The position shall be sufficiently empowered, and shall have access to all necessary corporate resources to enable the adequate assessment, management, and reduction of risk.
A5. Security function responsibility
- Control. The head of the security function shall be a full member of the security forum and be responsible for recommending security policies and changes.
B. Human Resources Security
Implementation of a code of conduct
Objective: To ensure that a suitable code of conduct is effectively implemented.
B1. Code of conduct
- Control. A code of conduct shall be issued to all personnel/volunteers when initially employed. All volunteers shall formally acknowledge acceptance of this code.
B2. Adherence and disciplinary action
- Control. The code of conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the code could lead to disciplinary action.
B3. Conflict of interest
- Control. The code of conduct shall include statements that employees/volunteers are required to declare conflicts of interest on employment as and when they occur. Specific examples of conflict of interest shall be cited within the code.
C. Physical and environmental security
Objective: To ensure that areas providing access to production gaming data centers, or to other systems important to the gaming operations, are adequately secured.
C1. Physical entry controls
- Control. Physical access to production raffle system data centers, computer rooms, network operations centers, printer stub printing and other defined critical areas shall have a two-factor authentication process. Single-factor electronic access control methods are acceptable if the area is staffed at all times.
D. Access control to gaming systems
Remote user access management
Objective: To ensure authorized remote user access and to prevent unauthorized access to gaming information systems.
D1. Remote user access to gaming systems
- Control. A procedure for strictly controlled remote access shall be established.
D2. Remote user access functions
- Control. The range of functions available to the user shall be defined in conjunction with the process owner, the IT function and the security function.
D3. Remote user access logging
- Control. All actions performed through remote user access shall be logged and these logs shall be regularly reviewed.
E. Information systems maintenance
Objective: To protect the confidentiality, authenticity, and integrity of important raffle and customer-related information by cryptographic means.
E1. Cryptographic controls for data on portable systems
- Control. Encryption shall be applied for non-public organization data on portable computer systems (laptops, USB devices, etc.).
E2. Cryptographic controls for networks
- Control. Encryption shall be applied to sensitive information (validation data or other important gaming information, electronic mail, etc.) passed over networks that risk analysis has shown to have an inadequate level of protection.
E3. Cryptographic controls for storage
- Control. Integrity measures shall be applied for the storage of winning information, ticket data and validation information.
E4. Cryptographic controls for validation numbers
- Control. Encryption shall be applied for ticket validation numbers.
E5. Cryptographic controls for transfers
- Control. Encryption shall be applied for financial transactions between the organization and a banking institution.
F. System testing
Objective: To maintain the security, confidentiality, and integrity of test data.
F1. Test methodology policy and data
- Control. The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player personal information.
2. Raffle specific control objectives and controls
Objective: To ensure that raffle game designs meet legal and regulatory requirements and are authorized at the appropriate level before going into production.
AA1. Documented ticket procedures
- Control. Formal procedures shall be established covering the design, development, production, and release of raffle games.
AA2. Game design approval
- Control. Final raffle game design shall be formally approved through a process involving the security function.
AA3. Supplier selection
- Control. Printers/suppliers of ticket stubs shall be subject to a selection and approval process. The approval process shall involve the security function.
AA4. Security requirements
- Control. Specific security requirements relating to the game and the paper used for the physical ticket shall be documented and formally included as part of the contract with the supplier/printer.
AA5. Policy on audits and laboratory testing
- Control. A policy shall be established describing the required audits and laboratory testing of raffle game design and ticket printing.
AB. Game Closures
Objective: To ensure that security control and audit requirements are maintained when a raffle game is closed.
AB1. Game closure procedure
- Control. The organization shall establish a raffle game closure procedure to be used in the closing of any raffle game.
AB2. Seller information
- Control. The method and timing of informing volunteers of a raffle game closure and the collection of marked or voided tickets shall be established and documented.
AB3. Authorized parties
- Control. Parties authorized to close a raffle game and/or destroy ticket stubs/marked or voided tickets shall be formally defined.
AB4. Ticket destruction
- Control. The method and control of ticket destruction shall be established.
AC. Lottery/Raffle draws
Lottery draw management
Objective: To ensure that draws are conducted at times required by regulation and in accordance with the rules of the applicable lottery game.
AC1. Draw event
- Control. A policy shall be established to ensure that raffle draws are conducted as a planned and controlled event and in accordance with a clear working instruction.
AC2. Draw working instructions
- Control. The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw.
AC3. Draw team members
- Control. The working instruction shall include the composition of a draw team including their contact telephone numbers.
AC4. Draw team duties
- Control. The working instruction shall include the duties of the identified members of the draw team.
AC5. Reserve draw team
- Control. The working instruction shall nominate persons as reserves and detail how the reserve team is deployed.
AC6. Draw timing
- Control. The working instruction shall include the detailed timings of the draw operation from the opening of the draw location to the closing of that location.
AC7. Draw observers
- Control. The working instruction shall include details of any requirement under the raffle rules for independent observers to be present during a draw.
Conduct of the draw
Objective: To ensure that the conduct of draws is within regulatory requirements and the rules of the applicable raffle game.
AC8. Draw procedure
- Control. The organization shall establish a detailed draw procedure to ensure that all draw functions are conducted in compliance with the rules of the applicable raffle game and regulatory requirements.
AC9. Draw step-by-step guide
- Control. The draw procedure shall include a step-by-step guide of the draw process.
AC10. Draw location
- Control. The draw procedure shall include the definition of the draw location.
AC11. Draw attendance and responsibilities
- Control. The draw procedure shall include a definition of the attendance at the draw and the responsibilities and actions of all participants.
AC12. Draw supervision
- Control. The draw procedure shall define the policy regarding the attendance of an (independent) compliance officer or an auditor.
AC13. Draw operation security
- Control. The draw procedure shall include adequate security measures for the draw operation and all equipment used during the draw process.
AC14. Draw emergency
- Control. The draw procedure shall include actions in the event of an emergency occurring at any time during the course of the draw.
AD. Gaming terminal security
Objective: To ensure the adequacy of raffle terminal security.
AD1. Transaction security
- Control. The data traffic between the gaming terminals and the central computer gaming system shall be protected.
AD2. Terminal security testing
- Control. Thorough testing of terminal security functionality shall be performed prior to production environment use. This testing shall include provisions that the correct version of software is in place.
AD3. Self-service terminal security
- Control. Self-service terminals shall have security mechanisms in place to protect game integrity.
AE. Prize money protection
Validation and payout of prizes
Objective: To ensure that the organization has the necessary controls in place for validation and payment of prizes.
AE1. Validity of winning information
- Control. The organization shall implement procedures to ensure the validity of winning transactions, claims and/or tickets.
AE2. Validation processes
- Control. The organization shall define and document validation processes for different prize levels and types of game.
AE3. Prize payout
- Control. The organization shall establish a process for payment or transfer of prizes.
AF. Unclaimed prize money
Objective: To secure unclaimed prize money before and after the end of the prize claim period.
AF1. Unique ticket reference number
- Control. Provisions shall be made in the on-line production system for each ticket issued to have a unique reference number.
AF2. Procedure for the protection of unclaimed prize money
- Control. The organization shall establish a procedure specifically related to the protection of unclaimed prize money and data files containing information relating to the payout status of each game, the specific transactions yet to be claimed and the validation files.
AF3. Prize payout period and auditing
- Control. The procedure shall cover the entire prize payout period as well as the auditing of the final transfers upon game settlement.
AF4. Payout rules and inquiries
- Control. The procedure shall confirm the rules covering ticket validity time, payout on lost and defaced tickets, inquiries into the validity of claims and late or last minute payouts.
AF5. Unclaimed prize information access control
- Control. The procedure shall confirm that access control is strict and limited to that required in respect of records of unclaimed prizes.
AF6. Access reporting
- Control. The procedure shall confirm a reporting process in case of unauthorized access attempts.
AF7. Escalation process
- Control. The procedure shall confirm an escalation process for any incident or suspicious activity.
AF8. Audits of access log information
- Control. The procedure shall confirm that unclaimed prize money is secured.
AF9. Audit trails
- Control. The procedure shall confirm audit trails are able to identify unusual patterns of late payouts.
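As an added illustration of AF4 and AF9 (example code, not part of the standard), the check below runs over constructed payout records, reports any claim paid after the ticket validity period, and flags an operator who validated an unusual number of late claims for a single draw. The 90-day validity window, the seven-day "late" tail and the threshold of three are assumptions; a real organization takes them from its own payout rules.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed parameters (the standard states none): ticket validity window per AF4,
# the tail of that window treated as "late", and the per-operator count that is unusual.
CLAIM_PERIOD_DAYS = 90
LATE_WINDOW_DAYS = 7
LATE_THRESHOLD = 3

# Constructed payout records, one per paid claim:
# ticket reference, draw date, claim date, operator who validated the payout.
PAYOUT_LOG = """\
T-0001,2024-01-10,2024-01-12,op-a
T-0002,2024-01-10,2024-04-05,op-b
T-0003,2024-01-10,2024-04-06,op-b
T-0004,2024-01-10,2024-04-08,op-b
T-0005,2024-01-10,2024-04-15,op-a
T-0006,2024-02-14,2024-02-20,op-c
"""

def classify(draw_iso, claim_iso, period=CLAIM_PERIOD_DAYS, late_window=LATE_WINDOW_DAYS):
    """Return 'expired', 'late' or 'normal' for one claim measured against its draw's validity window."""
    draw, claim = date.fromisoformat(draw_iso), date.fromisoformat(claim_iso)
    deadline = draw + timedelta(days=period)
    if claim > deadline:
        return "expired"            # paid outside the claim period: a rule breach (AF4)
    if claim > deadline - timedelta(days=late_window):
        return "late"               # valid, but part of the pattern AF9 asks audit trails to reveal
    return "normal"

def audit(log=PAYOUT_LOG, threshold=LATE_THRESHOLD):
    """Return expired payouts and operator@draw keys with an unusual number of late claims."""
    expired, late_by_op = [], Counter()
    for line in log.splitlines():
        ref, draw_iso, claim_iso, operator = line.strip().split(",")
        status = classify(draw_iso, claim_iso)
        if status == "expired":
            expired.append(ref)
        elif status == "late":
            late_by_op[f"{operator}@{draw_iso}"] += 1
    flagged = sorted(k for k, n in late_by_op.items() if n >= threshold)
    return {"expired": expired, "flagged": flagged}

if __name__ == "__main__":
    print(audit())   # {'expired': ['T-0005'], 'flagged': ['op-b@2024-01-10']}
```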
AG. Sales staff and customer services
Staff working outside organization premises
Objective: To ensure that sales representatives and technicians working outside of raffle premises are receiving an adequate level of protection.
AG1. Staff working outside of organization premises
- Control. A policy shall be established to ensure that staff working outside raffle premises are receiving and implementing an adequate level of protection.
AG2. Staff working in sensitive areas with public access
- Control. A policy shall be established to ensure that staff working in sensitive areas with public access are receiving an adequate level of protection.
AH. Player account
Objective: To combat fraud and money laundering.
AH1. Player identification
- Control. There shall be a formal process for identification of players.
AH2. Multiple player accounts
- Control. There shall be an established procedure for the use of multiple player accounts; where no such procedure exists, only one account per player shall be allowed.
AH3. Excluding players
- Control. There shall be an established procedure for excluding players.
AI. Game design and approval
Objective: To ensure that the raffle game design meets legal and regulatory requirements and is authorized at the appropriate level before going live.
AI1. Documented internet game procedures
- Control. Established rules shall cover raffle design and development. In addition, game rules shall be accessible by players.
AI2. Game approval
- Control. Final raffle game design shall be formally approved through a process involving the security function.