Establishing trust: Introducing the WLA Security Control Standard 2020
This week the WLA Security and Risk Management Committee (SRMC) has been working to finalize the 2020 version of the WLA Security Control Standard (WLA-SCS:2020), which is soon to be launched, pending approval by the delegates of the WLA General Meeting in October. The new standard will help WLA members give assurance to all their stakeholders that security is, and remains, one of their highest priorities. Alongside the work we have done on the standard, I thought it would be useful to write a series of blog posts explaining some of the new controls and their significance, and offer some considerations in their implementation. The blog posts will appear in the coming days under the subheading, “Introducing the WLA Security Control Standard 2020”.
In this first post we’ll have a look at a new control in Annex A, section G.2, on personnel security. This new control calls for WLA members to:
“have a policy and process for establishing trust in individuals that could impact the integrity of games through security vetting. There shall be an associated policy and process for implementing monitoring of the system activity of personnel to detect and investigate activity that might impact game integrity. These policies shall balance an individual’s right to privacy with the obligation of the lottery to protect the integrity of the games.”
Why is this important and why have we introduced this new control? Perhaps the noted Dutch economist Bart Nooteboom expressed it best when he said: “Trust in things or people entails the willingness to submit to the risk that they may fail us, with the expectation that they will not, or the neglect or lack of awareness of that possibility that they might.”
Everyone needs to be able to trust those that work at the lottery in order to operate with the utmost integrity. Best practice would therefore include vetting and background checks for past criminal activity, significant financial debt, or similar character indicators, both prior to and throughout employment with the lottery. Whilst trusting colleagues by default is important, best practices would also advocate a “trust but verify” principle, whereby activity that could impact game integrity is closely monitored to supplement any preventative controls that might be in place. Such monitoring programs are not easy to set up, and an effective monitoring program is much more than merely collecting a few log files and asking someone to review them periodically. In most jurisdictions any monitoring of colleagues to protect the integrity of the lottery has to be balanced carefully against a colleague’s legal right to privacy. There has to be a good understanding of what the risks are and how they could materialize, to make sure the right logs are generated and collected. The security team should also know how to identify anything that might merit further investigation. A solid personnel security program is a collaboration between security, HR, and the organization’s legal function. It should also include other disciplines such as psychology and data science.
For more information on WLA-SCS:2020, we will be conducting a series of webinars in October. The webinars will highlight the standard's new features and outline its many improvements as compared to its predecessor, WLA-SCS:2016. Details on the webinars will be announced in the coming days.
Head of Information Security for Camelot and member of the WLA SRMC