Code of Practice for the WLA-SCS:2024 CoP:2024

The World Lottery Association (WLA) is an international trade organization that represents state-sanctioned lotteries and betting operators, as well as suppliers of the global gaming industry. According to the WLA By-Laws, member lotteries and betting operators must be licensed or authorized to conduct lotteries or sports betting by the jurisdiction in which their gaming products are sold.

The WLASecurity and Risk Management Committee (SRMC) consists of representatives and security specialists from lottery and gaming operators, as well as other lottery professionals from around the world. SRMC members are duly appointed by the WLA Executive Committee. The WLA SRMC reviews the WLA Security ControlStandard (WLA-SCS) and is authorized to oversee the selection process of certification auditors, as well as to advise the WLA and its members on security and risk management issues.

The structure of the WLA-SCS is aligned with that of the International Standards Organization (ISO) and the WLA is committed to keeping it updated and aligned in accordance with the ISO/IEC 27001 standard.

Introduction

This document has been written by the WLA SRMC, incorporating relevant comments and feedback received by WLA-SCS auditors and WLA members.

The security and integrity of lottery and betting activities play a critical role in maintaining the public’s confidence and trust in the sector. It is therefore vital that gaming operators, and gaming organizations in general, develop and maintain a visible and documented security and integrity environment to achieve and sustain public confidence in their operations.

With theCoP:2024 the WLA aims to support the understanding and the application ofWLA-SCS:2024 controls at a global level.

Scope

The CoP:2024 is designed to support:

WLA members that are organizing their Information Security Management Systems in preparation for a WLA-SCS:2024assessment.
WLA-affiliated auditors conducting WLA-SCS:2024 assessments of WLA members.

Some of the implementation guidelines shown within this document could be interpreted as extending the scope of the corresponding controls of the WLA-SCS:2024. In this case, the control provided by the implementation guidance should be considered as best practice only.

Normative references

The following documents are normatively referenced throughout CoP:2024 and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27001 Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
ISO/IEC 27017 Information Technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
WLA-SCS:2024
Guide to Certification for the WLA-SCS.

Terms and definitions

For the purposes of this document, the terms and definitions given in WLA-SCS:2024 apply.

Annex A (G Controls) Organizational controls

Applicability: G controls apply to gaming operators and gaming suppliers. All G controls are mandatory for organizations claiming conformity to the WLA-SCS.

G.1 Organization of security

G.1.1 Allocation of security responsibilities

Objective: To ensure that security function responsibilities are effectively implemented.

G.1.1.1 - Security forum

A security forum or other organizational structure comprised of senior managers shall be formally established to monitor and review the ISMS to ensure its continuing suitability, adequacy and effectiveness, maintain formal minutes of meetings, and convene at least every six months.

Implementation guidance

In order to ensure that senior management is sufficiently focused on security and integrity, an organization should establish a formal structure, a committee, or another equivalent group whose mandate is ensuring that security controls are effective and that security risks are being identified and managed appropriately. It is not the responsibility of the security forum to take ownership of security risks, but rather to ensure effective security risk management is in place.

Best practices would include making sure the membership of the security forum is sufficient to provide effective challenge on the strength of the security control environment.

There should also be adequate, cross-functional, wider business representation on the security forum.

Members of the security forum should be part of top management or report directly to top management.

For WLA-SCS level 1 certification, where an ISMS might not exist, the security forum should monitor and review the security control environment within the organization.

For organizations with an ISMS, the security forum could be used to help meet the management review requirements found in ISO/IEC 27001.

Examples of audit evidence

Organization chart and reporting lines from the security forum to top management.
Mandate / terms of reference of the security forum.
Meeting minutes of security forum or management reviews.

G.1.1.2 - Security function

A security function shall exist that is responsible for developing a security strategy in accordance with the overall business. The security function will subsequently work with the other business units to implement the associated action plans. It shall be involved in reviewing all tasks and processes that are necessary from the security perspective for the organization, including, but not limited to, the protection of information and data, communications, physical, virtual, personnel, and overall business operational security.

Implementation guidance

The security function’s role includes the development of a security strategy that aligns with both the wider business strategy and the security risk profile of the organization. Best practices would show the mapping between the security strategy and the security risk register to demonstrate how its delivery will help better manage risk over time. There might be one or more security strategies for different security domains (e.g., information security, personnel security, physical security) depending on how the organization is structured

It is also the responsibility of the security function to ensure that security is implemented in the business processes that are critical to the lottery and to ensure that the personnel have sufficient skills, training, and awareness about security. The security function should have the competence and resources to support the lottery and to minimize risks that could occur.

Examples of audit evidence

Security strategy.
Organization chart.
Documentation describing the mandate / remit of the security function or scope of their authority.

G.1.1.3 - Security function reporting

The security function shall report to nolower than executive level management and shall be independent of thetechnology function with regard to the management of security risk

Implementation guidance

To ensure that the ISMS and security controls are well implemented, that risks are known and understood by top management, and that leadership of the organization actively considers security in their wider decision making, the security function shall report to and have regular interaction with executive level management. Best practices will include regular formal reporting and discussions on security risk and security proactively involved in strategic discussions and decision making.

If the security function reports to the technology function, to avoid a conflict of interest between delivery / operations and security risk management, there should be a dotted line to another executive not responsible for project delivery, technology, or operations. This will ensure that security risk management decisions are not made by a single individual who might have conflicting responsibilities. Examples of appropriate dotted lines include, but are not limited to, the head of the internal audit function or head of the legal function.

Where the executive level manager is responsible for technology operations and / or project delivery, and is also responsible for security, then security is not considered independent of the technology function.

The security forum can be leveraged by the security function to assure independence from the technology function by having the security forum composed of senior managers representing the various sectors of the organization, beyond the technology sector.

Examples of audit evidence

Organization chart.
Job description of the head of security detailing their reporting line(s).
Presentations given to the board or formal risk committee.

G.1.1.4 - Security function position

It shall have the competences and besufficiently empowered and shall have access to all necessary resources toenable the adequate assessment, management, and reduction of risk.

Implementation guidance

The security function should be adequately resourced with sufficient personnel and budget to discharge its responsibilities. The personnel responsible for security should be competent to fulfill the role and they should be evidenced by relevant qualifications, certifications, and previous experience.

Where security resources are deployed to other teams, or individuals have a significant security responsibility as part of their role, they should have a reporting line to the security function that allows the security function to effectively manage risk.

Examples of audit evidence

Organization chart.
Proof of the security personnel’s competence.
Security budget.

G.1.1.5 - Security function responsibility

The head of the security function shall be a full member of the security forum and be responsible for recommending security policies and changes.

Implementation guidance

The head of the security function should proactively initiate discussions within the lottery and betting operations sectors on areas of security risk, where debate is required in helping obtain buy-in, resources, or investments pertaining to the management of security risk. Best practice would also see the head of the security function proactively recommending updates to security policies to ensure they align with both changes in threat as well as changes in business needs.

Examples of audit evidence

Security forum charter / terms of reference.
Security policy change log.
Head of security job description.

G.2 Human resources security

G.2.1 Implementation of a code of conduct

Objective: To ensure that a suitable code of conduct is effectively implemented.

G.2.1.1 - Code of conduct

A code of conduct shall be issued to all employees when initially employed. All employees shall formally acknowledge acceptance of this code.

Implementation guidance

The code of conduct gives the organization principles of good behavior among colleagues. It also often provides organizations with principles for reducing the risk of internal fraud or for preventing the misuse of information.

It should be noted that the code of conduct is applicable solely to employees. It is encouraged, when possible, to have the code of conduct, or an alternative version of it, applied to contractors or other third parties who work for the organization and, by virtue of their role or access, have the potential to impact the confidentiality, availability, or integrity of the organization’s gaming systems, or alternatively place the critical elements of the code of conduct in the contractual agreements with these third parties.

Examples of audit evidence

The code of conduct.
Evidence of how updates are communicated to personnel.
Evidence of acceptance of the code of conduct.

G.2.1.2 - Adherence and disciplinary action

The code of conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the code could lead to disciplinary action.

Implementation guidance

The reference to policies and procedures ensures employees are aware of their obligation to comply with them and provides a formal basis on which serious or repeated breaches of the code or the referenced policies and procedures can be dealt with.

Example of audit evidence

The code of conduct section that covers possible disciplinary or similar action.

G.2.1.3 – Conflict of interest

The code of conduct shall include statements that employees are required to declare conflicts of interest in employment as and when they occur. Specific examples of conflict of interest shall be cited within the code.

Implementation guidance

Employees of the organization can have roles or commitments outside the organization. To ensure that the organization has all the necessary information about these external roles, employees should inform the organization of any possible conflicts of interest. An example of a conflict of interest would be when an employee of an organization with a technology function also has a role in, or owns shares in, the company of the developer of the independent control system (ICS).

Examples of audit evidence

The code of conduct section that requires declarations to be made.
A contractual agreement that requires such declarations to be made.

G.2.1.4 - Hospitality or gifts

The code of conduct shall address anti-graft provisions including hospitality and gifts provided by, or given to, persons or entities with which the organization transacts business.

Implementation guidance

Gifts or hospitality from other companies or individuals can influence decision making. Best practice would be to oblige all employees to report any gifts or hospitality offered to them – whether accepted or not – and pose a maximum limit on the amount of any gift or hospitality that can be accepted.

Examples of audit evidence

Code of conduct section that refers to hospitality and gifts.
Gift and hospitality policy.
Register(-s) in which gifts and hospitality over a stated value are recorded.
A gift and hospitality register (record of gifts offered and given to others, as well as any gifts received or accepted by the organization).
A register of disclosed gifts and hospitality.
Notifications by employees to their line manager about any offered or received gifts/hospitality.
A training program to provide staff with the tools to deal with dilemmas around the giving and accepting of gifts and hospitality.
Employee surveys with questions that serve to clarify doubts and identify pressures on staff regarding hospitality or gifts.

G.2.1.5 – Corporate wagering policy

There shall be an internal policy, aligned with any legislative or regulatory requirements, that addresses the right to play of personnel and those who are financially dependent on them. Where there are roles that could impact the integrity of the games without collusion they shall be prohibited from playing. Where the policy requires a prohibition of play, those roles impacted shall be explicitly defined and the prohibition shall be enforced contractually with the personnel or their employer (if not the gaming operator or supplier itself).

Implementation guidance

Organizations should establish a policy that defines who can play games and who should be prohibited from doing so. The policy should recognize the risks associated with anyone affiliated with the lottery having a legitimate win, as it might create doubt on the game's integrity in the minds of others. Best practice would be to have a process to monitor both new accounts created with the gaming operator as well as any prize claims against those who are prohibited from playing, to ensure compliance with the policy.

The control applies to all parties that can potentially impact the integrity of a game, be it internal employees, contractors, or suppliers.

Suppliers’ policies should ensure all jurisdictions they support or operate in are covered by the policy.

Examples of audit evidence

List of positions who are not allowed to play.
Code of conduct with a section that covers this subject.
Clause on the contract with the personnel stating if they are not allowed to play.
Clause on the contract with the supplier/s stating they are not allowed to play.
The corporate wagering policy.

G.2.1.6 – Personnel security

There shall be a policy and process for establishing trust in individuals that could impact the integrity of games through security vetting. There shall be an associated policy and process for implementing monitoring of the system activity of personnel to detect and investigate activity that might impact game integrity. These policies shall balance an individual’s right to privacy with the obligation of the organization to protect the integrity of the games.

Implementation guidance

Organizations should have a vetting process for establishing who they are placing their trust in, before they do so, and through the life of the individual holding a sensitive role. Best practice would be to verify the identity of personnel to be assigned to sensitive roles, check for any criminal records, and ensure that individuals do not have any significant financial debt before holding a sensitive role.

Regarding monitoring activities, organizations should identify where there is risk to integrity. This might be anything from ensuring the integrity of a certain area of code, or a configuration file on the server, or access to a report on unclaimed prizes. For sensitive areas, a monitoring process should be in place to proactively alert any suspicious activity for investigation.

Examples of audit evidence

Vetting policy and process.
Examples of logs and rules to alert on behaviors that could impact game integrity.

G.2.1.7 – Segregation of duties

There shall be a policy to implement segregation of duties detailing the respective roles and responsibilities of the people in charge of critical processes that

could impact the integrity of a game, such as, but not limited to, draw processing and prize payment. The intention is to avoid possible collusion. Furthermore, no single group or team shall have overall control in a way that could impact game integrity without management oversight.

Implementation guidance

There should not be a single individual (or team) that can impact game integrity without oversight. Best practice would be to look at all key processes (e.g., the conducting of the draw, the publishing of results, prize validation and payment) to ensure that there are no scenarios where an individual (or team) has sufficient access or authority to commit fraud.

Other examples include, but are not limited to, full separation of pre-production and production, and distribution teams in physical instants production, or separation between those that develop gaming systems and those that operate them.

For small organizations, where the implementation of this control could be more challenging, it might be useful to consider compensating controls.

Examples of audit evidence

List of identified critical positions where collusion could occur.
Segregation of the duty rules.

G.2.1.8 – Policy on employee protection

A policy shall be established to ensure that employee conducting lone working, those working remotely outside the organization’s premises, or those working inside the organization’s premises in areas with public access, are receiving an adequate level of protection with regard to both their safety and security.

Implementation guidance

Employees working outside the organization, or interacting with the public, could be exposed to threats or violence. To ensure that this risk is minimized the organization should provide adequate education, and if necessary, protection.

By way of example this could include the provision of, and the monitoring of. distress/panic alarms.

Examples of audit evidence

Evidence of education provided to employees.
Process for checking on staff who are conducting lone working.

G.3 Physical and environmental security

G.3.1 Secure areas

Objective: To ensure that access to production gaming data centers or other systems areas important for the gaming operations are adequately secured.

G.3.1.1 – Physical entry controls

Physical access to production gaming system data centers, computer rooms, network operations centers, and other defined critical areas, shall be restricted and adequately secured or monitored by staff at all times. While this control is risk based, in practice it shall require a minimum of an auditable two-factor authentication process. The list of critical areas shall be documented.

Implementation guidance

Information assets should be physically protected to avoid or minimize the risk of damage or theft. Physical security best practices would include multiple layers of protection to prevent entry by unauthorized individuals and detective controls such as CCTV and intrusion detection systems to deter and detect any attempted compromise.

When using cloud computing services or managed services in general, physical access to office spaces of the organization used by personnel to remotely access the production gaming system should be considered in the list of critical areas and protected according to identified risk.

Examples of audit evidence

Automatic or manual log showing access to data center.
Visitor log.
Demonstration of video surveillance.
Contract of job description for security personnel.
Floor plans overlayed with physical security controls.

‍

G.4 Access control to gaming systems

G.4.1 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to gaming systems.

For gaming suppliers G.4 controls shall be applied to the code repositories used to develop gaming systems.

G.4.1.1 - User access functions

The range of functions available to the user shall be defined and maintained in conjunction with the process owner, the IT function, and the security function.

Implementation guidance

Access to gaming systems should be allocated to users based on the principle of least privilege. Access should be consciously given to users based on their job role and revoked if they change the role or leave the organization. User access to gaming systems should be periodically audited according to the organization's access procedure.

Example of audit evidence

Gaming system role-based access control matrix with permissions / functionality mapped to roles.
User access audit files.

G.4.1.2 - User access logging

All actions performed on the gaming systems by human or system accounts shall be logged and these logs shall be monitored, regularly reviewed, and acted upon as appropriate.

Implementation guidance

The logging of critical events can be used to prevent or detect weakness in the access system of the gaming systems. The review of log events contributes to the reduction of this risk. Logs should be reviewed for all privileged accounts. For normal accounts, a risk-based approach would be sensible. Reviewing does not necessarily have to be manual. It could be automated using event correlation techniques to generate alerts for review. This control might extend to staging or pre-production environments as well as production if those environments could be used to impact game integrity.

Note: control S.1.2.2 is about the system generating the logs and those developing the system ensuring adequate documentation so those logs can be understood by those charged with analyzing them. This control (G.4.1.2) is about undertaking reviews of the logs and acting upon them as appropriate.

Examples of audit evidence

Log events and reports of the review process.
Triggered alarms or incidents.

G.5 Information systems security

G.5.1 Cryptographic controls

Objective: To protect the confidentiality, authenticity, and integrity of cryptographic keys and important gaming and customer related information by cryptographic means.

G.5.1.1 - Cryptographic controls for the confidentiality and integrity of data at rest on portable systems and on terminals

Cryptography to protect the confidentiality of information shall be applied for sensitive information on portable computer systems and to protect the integrity of sensitive information held at rest on terminals.

Implementation guidance

This control relates to the confidentiality and integrity of information at rest on a device such as a portable computer system (e.g., laptops, removable media, USB devices, and similar) and lottery terminals. Cryptography should be applied on sensitive information that risk analysis has shown to have an inadequate level of protection if left in its native form. Organizations should consider what information is stored on devices used outside secure locations and what the impact would be if that information were disclosed to those who are not authorized to see it or if unauthorized modifications were made to that information.

It is noted that some portable devices will not store data but process it only in volatile memory. In these cases, if the volatile memory is cleared then there is no requirement for additional cryptographic controls to be applied.

In cases where the storage used is immutable, then additional cryptographic controls for integrity are not required.

Cryptographic algorithms and key lengths should be in line with best practices.

Examples of information that risk analysis might determine requires additional cryptographic controls applied for confidentiality include details of prize claimants or unclaimed prizes held on a portable system.

Examples of information that risk analysis might determine requires additional cryptographic controls applied for integrity would include physical instant ticket game data moved onto a central gaming system using removable media, after having been received from a supplier of physical instant tickets. It might also include files that, if modified, could impact random number generation on a lottery terminal.

Example of audit evidence

Group policy on a Windows/MAC system that enforces BitLocker or equal encryption on laptops and removable media.
Tests showing data exported to removable media from a corporate device is automatically encrypted.
Encrypted partitions on storage (if there is storage) within a lottery terminal (if sensitive lottery information is stored on the terminals).

G.5.1.2 - Cryptographic controls for the confidentiality and integrity of data in transit over networks

Cryptography to protect the confidentiality and integrity of information as appropriate shall be applied for sensitive information passed over networks, which risk analysis has shown to have an inadequate level of protection. This includes, but is not limited to, validation or other important gaming information, customer data, and financial transactions.

Implementation guidance

This control relates to both the confidentiality and integrity of data while in transit. Cryptographic controls should be chosen to mitigate the specific risk (e.g., a cryptographic primitive designed to provide confidentiality will not necessarily protect integrity). Lotteries should ensure that data is protected as it passes across public networks, and they should assess the risk as to what is proportionate when data transits private or internal networks. Cryptographic algorithms and key lengths should be in line with best practices.

Examples of audit evidence

Packet capture showing data is protected in transit.
Configuration on a server / infrastructure showing appropriate use of cryptographic controls.
Policy regarding the use of cryptography in network communications.
Code showing integrity checks being conducted.

G.5.1.3 - Cryptographic controls for the integrity of sensitive ticket data

Cryptographic controls for integrity shall be applied for the storage of winning ticket data and validation information. This control applies to all game types.

Implementation guidance

There are several diverse ways to achieve this requirement. By way of example a lottery could use a hash function to check the integrity of validation information as it passes between a supplier of scratch cards and the lottery operator.

Example of audit evidence

Procedure for integrity checks.

G.5.2 System testing

Objective: To enable and conduct system testing.

G.5.2.1 - Test methodology policy

The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player, retailer, or staff personal information. In this context current draw period shall be defined as the period for which prizes can still be claimed.

Implementation guidance

Test data is used to verify that changes or new lottery services are correct and secure. Test data samples could be created based on earlier gaming transactions prior to the current draw period. Another option might be to generate test data. Alternatively transforming production data in some way through methods such as zeroing out, masking or otherwise are possibilities but care should be taken here on the exact algorithms used for the transformation and which attributes in the overall data schema the transformation will be applied to. To reduce the risk of production data being stored and processed in a potentially less secure test environment, the lottery should have clear procedures showing how this risk is managed.

Examples of audit evidence

Test procedure.
Awareness training given to test personnel.
Procedure for anonymizing sensitive data copied from production environments into test environments.

G.5.2.2 - Gaming system security testing

Thorough testing of the gaming system security functionality shall be performed prior to production environment use and on any significant changes.

Implementation guidance

Security testing can take different forms. Here below are some examples:

Testing of security features and security functionality.
Vulnerability testing.
Penetration testing.
Code review.

The type of testing conducted should be commensurate with the risk posed by the changes being introduced into the system.

Testing should follow a recognized methodology such as OSSTMM, OWASP®, or a similar methodology.

Testing should only be conducted by those with sufficient experience and competence. Those testing the change should be independent of those who have designed or developed the change, although they can reside in the same organization.

If the developer of the system and operator of the lottery are one in the same organization, then this control can be combined with the testing required in S.1.1.3. However, if the system is developed by a third-party supplier, then the supplier should ensure the product or service they are providing is secure (S.1.1.3) before it is passed across to the lottery, who should then perform their own security testing, if the change is considered as a significant change, as part of this control (G.5.2.2).

Examples of audit evidence

Test plans.
Test reports.
System change log.

G.5.3 Managed services security

Objective: To ensure information security of gaming systems and gaming systems components managed by third parties or hosted in the cloud.

G.5.3.1 - ISO/IEC 27001 compliance

Managed environments (including cloud services, hosted services and in general managed services) that run gaming systems and gaming system components shall be compliant with ISO/IEC 27001. A managed environment is defined as computing resources managed by a third party and to which the organization subscribes to for services.

Implementation guidance

Any part of the gaming systems that are managed by a third party should be covered by a risk assessment and managed within the ISMS.

ISO/IEC 27001 certification is the easiest way to cover this requirement but in case the supplier is not ISO/IEC 27001 certified, the operator shall demonstrate that all the relevant controls of the ISO/IEC 27002 have been assessed and that there is a formal governance around risk management of those components.

Examples of audit evidence

ISO/IEC 27001 certificate of the service provider.
Attestation that the controls of the ISO/IEC 27001/27002 framework have been assessed by the service provider.
For a cloud provider, ISO/IEC 27017: 2015 or more recent certificate.

G.5.3.2- Documented responsibilities and procedures

The following elements shall be documented, communicated, and implemented:

Responsibilities for shared information security roles between the organization and the managed service provider.
Procedures for administrative operations on the managed service environment and monitoring of these.
A termination process that covers return and removal of the organization's assets in a timely manner.

Implementation guidance

When you outsource some of your operations or host your systems in the cloud the responsibility is shared with your service provider.

The operator must clearly identify the key assets and the operations so that controls can be defined, and adequate governance can be set.

The operator should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.

The operator should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.

Examples of the critical operations are:

– installation, changes, and deletion of virtualized devices such as servers, networks, and storage.

– termination procedures for cloud service usage.

– backup and restoration.

The document should specify that a supervisor should monitor these operations.

The operator should request a documented description of the termination of the service process that covers return and removal of cloud service customers’ assets followed by the deletion of all copies of those assets from the cloud service provider's systems

For cloud providers, ISO/IEC 27017 would cover this control.

Examples of audit evidence

Shared responsibility matrix (RACI).
Governance policy with the provider.
SLAs and steering committees with the service provider.
List of the assets.
Schedule for the termination of service.
Critical operations procedures.
For a cloud provider, ISO/IEC 27017:2015 or more recent certificate.

G.5.3.3 - Segregation and access control

The managed service virtual environment of the organization shall be protected from other host service customers and unauthorized persons.

Implementation guidance

When outsourcing a service in the cloud, a risk analysis shall be performed to clearly identify how the data will be managed and to set controls to secure the service adequately.

The operator should verify that the cloud service provider enforces appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:

– the separation of resources used by cloud service customers in multi-tenant environments.

– the separation of the cloud service provider's internal administration from resources used by cloud service customers.

For cloud providers, ISO/IEC 27017 would cover this control.

Examples of audit evidence

Technical architecture document.
List of controls in place by the service provider and evidence that the controls are correctly set.
SOC2 Type 2 report.
For a cloud provider, ISO/IEC 27017:2015 or more recent certificate.

G.5.3.4 - Hardening and protection of virtual components

When configuring virtual machines or containers, gaming operators and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.

For cloud providers, ISO/IEC 27017 would cover this control.

Examples of audit evidence

Hardened master image.
Hardening policy.
For a cloud provider, ISO/IEC 27017:2015 or more recent certificate.

G.5.3.5 - Monitoring

The organization shall have the capability to monitor specified aspects of the operation of the managed service that the organization uses.

Implementation guidance

The operator should request information from the cloud service provider regarding the service monitoring capabilities available for each cloud service.

Examples of audit evidence

List of access controls.
List of SLAs.
For a cloud provider, ISO/IEC 27017:2015 or more recent certificate.

G.5.4 Gaming system security

Objective: To protect the confidentiality, integrity, and availability of gaming systems in order to protect gaming and player data.‍

G.5.4.1 - Layered systems architecture

The organization shall provide a layered approach to security within the gaming systems architecture to ensure secure storage and processing of data.

Implementation guidance

Network aspects:

Network should be partitioned accordingly to these following principles:

Different network areas should be defined according to the levels of sensitivity of the hosted assets and manipulated data. Assets that are exposed on the Internet shall be separated from other types of assets.
A secure interconnection gateway (DMZ area) should be deployed to protect internal layers of the information system from Internet flows.
The filtering equipment is implemented and monitors the inbound and outbound traffic of each area.
The flows matrices are formalized and used as referential for the filtering equipment configuration. The matrices and configuration firewalls are periodically reviewed to detect inconsistencies or out-of-date parameters.
Sensitive assets are not directly accessible from the Internet.

System aspects:

Assets are classified according to the sensitivity of their roles within the infrastructure.
Specific security measures are defined in relation to their classification.
Systems are designed following the n-tiers models. A system should not have more than one responsibility.
Systems with different levels of sensitivity cannot be hosted on the same physical infrastructure.
Dedicated systems should be deployed for administrative operations. Mutualization with less sensitive operations should be forbidden.

Examples of audit evidence

Functional Architecture document.
Technical Architecture document.
A list of all the system’s IT components with their classification.

G.5.4.2 - Responsible disclosure

The organization shall have in place a Responsible Disclosure Policy for the disclosure of security vulnerabilities by the public to the gaming operator.

Implementation guidance

There should be a policy and an associated process for dealing with responsible disclosures. This should identify where reports should be made, if necessary, and how rapidly they will be assessed and acted upon.

Best practice would be to include a security.txt file on all gaming operator branded, Internet-facing websites.

Example of audit evidence

Responsible disclosure policy.

G.6 System availability and business continuity

G.6.1 Availability of services and business continuity

Objective: To ensure the protection of the organization’s image and reputation and to counteract interruptions to business activities.

G.6.1.1 - Availability and resilience requirements

The organization shall have documented the list of critical services to players (both retail and digital channels) that are required for the continued operation of games, as well as the availability and resilience requirements of those services. Systems shall be architected to meet those requirements.

Implementation guidance

Availability requirements are often used to measure fulfillment of security objectives, but also enable capacity planning and disaster recovery prioritization. Identifying and documenting critical services to players gives the organization a better overview for monitoring and incident handling. Critical services should therefore be classified according to how critical each service is to the player. Organizations should have a procedure in place to control the critical services when these are changed, or new services are established.

Availability requirements to critical services should be formally approved by the security forum and board of directors, taking into consideration stakeholder’s expectations, and include both requirements in a normal operation and a disaster recovery operation. Organizations should undertake a risks evaluation to ensure that the organization’s requirement is considered.

By articulating availability requirements an organization can settle the cost versus risk tradeoff about architecting resilience and redundancy into their systems.

Examples of audit evidence

List of systems showing availability and criticality requirements.
Monitoring reports on present availability.
Procedures on how critical services are classified.
Availability requirements decision given by the security forum.
Risk evaluation reports.

G.6.1.2 - Business Continuity

The organization shall prepare a documented business continuity plan that covers, at minimum, the continued operation of games and continued stakeholder confidence in the integrity of gaming operations. The organization shall furthermore plan, perform, and evaluate business continuity exercises in regular intervals to prepare the organization for crisis situations, covering the elements included in the business continuity plan.

Implementation guidance

Organizations should have a resilience plan to ensure that critical services can be provided in a crisis or disaster situation. Continuity planning should cover the range of realistic events that could impact the organization such as, but not limited to, pandemics, loss of the availability of key systems for a significant period, or natural disasters.

Exercises should be conducted with different individuals and teams in the organization and should take different forms. This could involve physically moving a team to operate out of a business continuity site, running a tabletop exercise, or switching off systems to test automatic failover to other systems in the cluster.

ISO 22301 provides good guidance and advice on crisis management but is not required to be used during the WLA SCS audit.

Examples of audit evidence

Business continuity plan.
Action plan on when to do exercises.
Audit reports.
Evidence that exercises have been executed on critical systems.
Learning reports from conducted exercises (i.e., workshop exercises).

Annex B (L Controls) Controls for the operation of games

Applicability: L controls apply to gaming operators. Applicable L controls are mandatory for gaming operators claiming conformity to the WLA-SCS.

L.1 Physical instant tickets

L.1.1 Instant game operations

Objective: To ensure that game designs and production meet legal and regulatory requirements and to ensure game integrity and prevent fraud.

L.1.1.1 - Lifecycle management and integrity requirements

The organization shall implement a documented procedure that covers the entire game lifecycle, from design to destruction, by specifying the integrity requirements for each instant game.

Implementation guidance

The integrity requirements shall include at least, but not be limited to, the following: final visuals and text, prize structure, protection of validation/winner files, quality controls, auditable inventory to account for the distribution, location of packs, and adequate testing of the requirements before the game is accepted.

There are many security aspects to take into consideration when designing and producing instant games. These include conforming to applicable laws; avoiding controversial game motifs (political, social, religious); identifying errors in game rules or prize structures; identifying errors during the production, distribution, and disposal of tickets; and, preventing fraud.

Formal procedures that cover the entire instant game lifecycle, and contain integrity requirements for each instant game, should be established. Integrity requirements to take into consideration are:

Visuals and texts:
- Compliance with current legislation, copyright.
- Conduct of a social impact analysis (controversial visuals, responsible gaming).
- Validation of game rules, visuals, and texts printed on tickets (comprehension, respect for game rules).
Quality controls. The scope ofquality controls should include, but not be limited to the following areas:
- Programming
  - Compliance with game mechanics.
  - Compliance with prizestructure.
  - Compliance with specificationsfor the distribution of tickets in the books (Guaranteed Low End PrizeStructure – GLEPS), if applicable.
- Printing
  - Non-predictability of aticket’s winning status based on visible information.
  - Ticket opacity tests: Usingvarious techniques to determine whether a ticket is a winning ticket withoutscratching it or without visibly altering it.
Tests
- Internal quality and security tests (by the printer).
- L.1 Physical instant tickets
- L.1.1 Instant game operations
Protection of validation/winner files.
- Encrypted validation numbers.
- Encrypted validation and winner files.
Inventory
The lottery operator should be able to follow instant ticket stocks to detect any loss/theft. Here are examples of actions that could be taken in this area:
- Inventory of available ticket books in a lottery’s facilities.
- Inventory of tickets to be destroyed.
- Monitoring of retailer stocks.
- Monitoring of instant tickets in transit.
- Investigation of book loss and reporting to security function as appropriate.

Examples of audit evidence

A documented procedure, covering the entire game lifecycle that describes integrity and test requirements implemented by the organization.
Evidence of the controls applied by the operator.

L.1.1.2 - Game data integrity

There shall be controls to ensure the integrity of game data, including but not limited to the importing of game data into the gaming system and the transfer of validation data between the supplier / operator / retailers.

Implementation guidance

To prevent errors and fraud, the lottery operator should implement controls that mitigate risks to the game-data integrity. Ideally, those controls should be documented in the procedure mentioned in L.1.1.1. Here are some examples of controls to take into consideration:

Implement encryption measures to guarantee the integrity and the confidentiality of game data during its transfer from the printer to the lottery system.
Give access to the gaming system on a least privileged basis.
Provide appropriate security awareness to personnel with access to the gaming system.
Ensure the integrity of the instant game data loading into gaming systems through the following measures:
Implement checklists to ensure that all controls are executed.
Test the loading of game data on test systems.
Use the four-eyes control principle to load the game data and check that imported game data matches the expected instant game.

Examples of audit evidence

A documented procedure describing the controls developed by the lottery operator.
A procedure, agreed upon with the printer/supplier, which describes security requirements for game data that is transferred to the lottery operator.
Evidence of the controls applied by the lottery.

L.1.1.3 - Ticket prize confidentiality

Controls shall be in place to ensure that prior to the claiming of a prize no one in the organization has access to and knowledge of which instant ticket is a winning ticket and which is not; nor shall they be able to identify the location of the winning ticket and which retailer it has been assigned to.

Implementation guidance

The printer/supplier can determine which ticket is winning or not. On the other hand, the lottery operator has knowledge of where the books of tickets are located. To prevent fraud, the lottery operator should ensure that no one has the knowledge of both where the books of tickets are located, and which tickets are winning tickets. Here are some best practices that can be applied:

Any requirements to the printer regarding the confidentiality of validation data (e.g., contract, audit result, certification covering the control S.1.3.2.3 of the WLA-SCS:2020).
A written process describing ticket reconstruction requests.
Lists of reconstruction requests.

L.2 Lottery draws

L.2.1 Lottery draw management

Objective: To ensure that draws are conducted at times required by regulation and in accordance with the rules of the applicable lottery game.

L.2.1.1 - Draw event

A policy shall be established to ensure that lottery draws are conducted as a planned and controlled event and in accordance with a clear working instruction.

Implementation guidance

A global policy should be defined that documents the guiding principle of lottery draws and the publication of results. For both, the following principles should be identified:

The general organization of a draw: the role and duties of the individual draw internal participants, the required documentation, the management planning.
The accredited external participants: the security officer, the court bailiff/regulator representative (depending on applicable regulations).
The physical security measures in place to protect both processes: video camera, access control, guards.
The possible draw locations/sites/rooms should be identified: this also includes the location(s) used for announcing the results.
Physical resource management: lottery ball set, draw machine.

Examples of audit evidence

Draw policy.

L.2.1.2 - Draw working instructions

The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw.

Implementation guidance

Operational procedures detailing the entire drawing process – before, during, and after should be formalized. The operational procedures should be defined for each type of game.

Each type of game includes:

The different steps for each range of the game. The description of each step should answer the question: Who does what, when, where, why, and how to do it?
The different (internal and external) participants, along with their roles and duties.
The different physical resources.
The different activities to perform and their results.
The sequencing of these activities.
For each draw location and for each range of the game, the role of the observers / external participants should be defined. Their roles and duties (before, during, and after) a draw should be specified.
The list of draw managers for each game.
The draw managers schedule for each game, as evidence that their appointment has been published.
The list of staff members and internal contacts with their functions, internal phone number, mobile phone.

Examples of audit evidence

Operational procedures.
Working instructions issued before any draw.

L.2.1.3 - Draw team members

The working instruction shall include the composition of a draw team including their contact telephone numbers.