When it comes to maintaining public trust and confidence in lottery games, effective security of operations plays a key role. The WLA Security Risk Management Committee (SRMC) is responsible for managing the continuous improvement of the Security Control Standard (currently WLA - SCS: 2020), which it first developed over 20 years ago.
It is the only internationally recognized standard for the lotteries and sports betting operators, and their suppliers, which aims to assist WLA members to achieve a level of security control that is aligned with generally accepted best practices.
Anton Stiglic, General Manager of IT, Loto-Québec, Canada, and member of the WLA SRMC Technical Working Group, discusses some of the developments and work done to update the standard, due to be released in October 2024.
What areas of the standard have you looked at?
The committee works hard to ensure this global standard is of world-class quality. Our aim is to make the standard as clear and simple as possible.
Some of the basic changes we are working on are around general criteria that can be applied to any lottery. The WLA - SCS: 2020 standard is based on the international ISO/IEC 27001, Information security management systems (ISMS)- Requirements, standard, which was updated in 2022.
The beauty of an ISMS is that it requires an organization to establish governance and continually improve. More specifically, ISO/IEC 27001 tells organizations that they need to have an information security policy; individuals must have responsibilities for various aspects of information security; specific threats to an organization need to be continually identified, and controls established to manage those threats. It also provides a list of security controls that must be considered in Appendix A.
We looked at the main differences between the 2022 and previous ISO/IEC 27001 version to see if any controls needed to be modified in our standard.
We have also carefully considered the controls for cloud security. Feedback from WLA auditors and software provider partners indicates that there has been some of ambiguity around the controls for suppliers and cloud security.
Not all providers consider that they have a cloud solution, rather, they use managed solutions. With this in mind, our main objective is to secure any gaming component that runs in a managed service via cloud, or whatever other type of managed solution.
We are revisiting the cloud security controls to make it clearer that they are applicable to any managed service in general. We also want to clarify the requirement regarding hosted gaming services and their compliance with ISO/IEC 27017 security standard, developed for cloud service providers and users, to make a safer cloud-based environment and reduce the risk of security problems. ISO/IEC 27017 is in fact based on ISO/IEC 27001 with additional specific requirements for managed services.
How do new technologies impact the industry and the standard?
The lottery industry is very adept at adopting cutting-edge technologies in its offerings. Thus, part of the Committee’s work is to follow new technologies, such as blockchain and artificial intelligence (AI), to see how they affect our sector, and whether or not we need to include additional controls or modify existing ones to cover the new threat landscapes.
The lottery industry is very niche, with the specific requirement that a high level of importance be placed on the integrity of games. If we uphold our reputation, it means that players will trust the integrity of draws and games which is fundamental to lotteries.
Digital technologies bring many benefits, but they also facilitate illicit activities, such as fraud. We are working with a Task Force on fraud management. A survey we conducted on the topic revealed that the lotteries are looking for a platform where they can share information, best practices and learn from each other.
We will also work to raise awareness through fraud management seminars, with the goal of providing the best advice possible, for lotteries to manage different types of fraud, which continue to evolve.
How important is supply chain security for the lotteries?
Increasingly, lottery organizations are leveraging technological solutions from various suppliers. It might be for one or several parts of the gaming system, or the entire gaming system. As more lotteries move from retail to digital, the lotteries are looking at omnichannel experiences and how the traditional anonymous lottery players can become identified players, in line with each jurisdiction’s regulation.
This speaks to the point that lotteries are very good adapters of technologies and that many lotteries deploy a multitude of third-party solutions in their gaming systems. They may be managed directly in the lottery operator’s data center, or by third parties either in the cloud or in a managed service setting. It is paramount that we have controls to cover all these situations.
Supplier management doesn’t just include a traditional lottery gaming system supplier. You may have components, such as customer identification, authentication, external solutions for know your customer (KYC), fraud detection or responsible gaming solutions. The term ‘gaming system’ covers many aspects and it is a very composable architecture, in other words, an ecosystem that contains independent systems and components that communicate with each other. So the question becomes: How do you manage a whole ecosystem that needs to be secure?
Supply chain management is crucial to ensure that threats are managed properly. The lotteries, their suppliers, and the suppliers’ suppliers all need to establish their security management systems, to continuously evaluate all types of threats and manage them. One key aspect to this is requiring security certification from third parties.
The majority of attacks to cloud services occur because of misconfigurations. This means that the organization using the cloud service misconfigures the service, which allows a way in to breach the system’s integrity.
Human error is an important point to consider, whether resulting through a lack of knowledge, or use of best practices for the cloud security service being deployed.
Emerging cyber security threats include more cases of ransomware hitting lotteries and casinos.
These and other new threats did not exist a decade ago. This is why the Committee’s work to manage and continually evolve the standard and adapt it to the new technologies is crucial. All controls in our standard are based on different risks. The risks continue to evolve, and we work to find the best controls to mitigate them.
Find out more about the SRMC and its work.
About
Media inquiries
Legal notice
This pop-up contains legal information about this website.
This content is the property of the World Lottery Association (WLA). It may not be transferred
from the custody or control of the WLA except as authorized in writing by an officer of the WLA.
Neither this document, nor the information it contains, may be used, transferred, reproduced,
published, or disclosed, in whole or in part, either directly or indirectly, except as expressly
authorized by an officer of the WLA, pursuant to written agreement.
The WLA Website has been designed to provide information to the lottery community. The World Lottery Association has used great efforts to provide accurate and up-to-date information. However, WLA excludes any warranty, whether express or implied, for any information provided under these pages. WLA cannot be held responsible for any action taken that is based on the information hereunder.
The WLA Website also contains third party information. Such information is, wherever practically possible, marked with the name of the source and does not necessarily represent the opinion of the World Lottery Association. WLA does not take any responsibility whatsoever for such third party information.
The WLA Website also contains links to other Internet sites. WLA does not have any knowledge of the information contained in such other sites, nor has WLA been able to include such other sites in its efforts to provide accurate information. WLA therefore does not take any responsibility whatsoever for such third party information.
All rights reserved except where indicated.