In this first post we’ll have a look at a new control in Annex A, section G.2, on personnel security. This new control calls for WLA members to:

“have a policy and process for establishing trust in individuals that could impact the integrity of games through security vetting. There shall be an associated policy and process for implementing monitoring of the system activity of personnel to detect and investigate activity that might impact game integrity. These policies shall balance an individual’s right to privacy with the obligation of the lottery to protect the integrity of the games.”

Why is this important and why have we introduced this new control? Perhaps the noted Dutch economist Bart Nooteboom expressed it best when he said:

“Trust in things or people entails the willingness to submit to the risk that they may fail us, with the expectation that they will not, or the neglect or lack of awareness of that possibility that they might.”

Everyone needs to be able to trust those who work at the lottery in order to operate with the utmost integrity. Best practice would therefore include vetting and background checks for past criminal activity, significant financial debt, or similar character indicators, both prior to and throughout employment with the lottery. Whilst trusting colleagues by default is important, best practices would also advocate a “trust but verify” principle, whereby activity that could impact game integrity is closely monitored to supplement any preventative controls that might be in place. Such monitoring programs are not easy to set up, and an effective monitoring program is much more than merely collecting a few log files and asking someone to review them periodically. In most jurisdictions any monitoring of colleagues to protect the integrity of the lottery has to be balanced carefully against a colleague’s legal right to privacy. There has to be a good understanding of what the risks are and how they could materialize, to make sure the right logs are generated and collected. The security team should also know how to identify anything that might merit further investigation. A solid personnel security program is a collaboration between security, HR, and the organization’s legal function. It should also include other disciplines such as psychology and data science.

For more information on WLA-SCS:2020, we will be conducting a series of webinars in October. The webinars will highlight the standard's new features and outline its many improvements as compared to its predecessor WLA-SCS:2016. Details on the webinars will be announced in the coming days.

By David Boda, Head of Information Security for Camelot and member of the WLA SRMC