Security & Risk Management
The WLA Security Control Standard is the lottery sector's only internationally recognized security standard. It is designed to assist the lottery sector around the globe in obtaining a level of security controls in line with generally accepted best practices, and to enable an increased reliance on the integrity of lottery operations.
The first WLA-SCS came in 2000 from the Intertoto Security Standard, renamed WLA-SCS:2000. The WLA-SCS is drafted and updated by the WLA Security and Risk Management Committee (WLA SRMC), which includes representatives and security specialists from lottery and gaming operators from around the world.
The Guide to Certification for the WLA-SCS, also known as the GtC, is the document containing the regulations and procedures for the WLA-SCS certification process. It also includes the requirements for becoming a WLA affiliated Assessment Service Entity (ASE) and a WLA recognized auditor. The GtC presupposes familiarity with the WLA-SCS documentation.
The Code of Practice for the WLA-SCS:2020, also known as CoP:2020, is the document containing the implementation guidelines and the examples of audit evidence for the WLA-SCS:2020 controls. With the CoP:2020 the WLA aims to support the understanding and the application of WLA-SCS:2020 controls on a global level.
No, the CoP contains recommendations and best practices. Where the CoP extends the scope of the WLA-SCS:2020, following the expanded interpretation of the control should be considered best practice only and is not mandatorily required to obtain the WLA-SCS certification.
Only WLA Regular Members (lotteries and gaming operators) and Associate Members (suppliers) can be certified against the WLA-SCS.
The WLA is the only entity entitled to release WLA-SCS certificates. The issuing of certificates or the renewal of existing certificates is based on the recommendations received from the auditor following a WLA-SCS assessment.
Auditors who are compliant with the mandatory requirements contained in the WLA-SCS Guide to Certification (GtC) and are an employee, agent or subcontractor of an Assessment Service Entity (ASE) affiliated to the WLA.
On the WLA website (Security section), there is the list of ASEs with a valid and current affiliation to the WLA. The names and contact details of auditors assigned to WLA-SCS services must be requested directly from the ASEs or from the WLA office at [email protected].
It must fill in the WLA-ASE Report and send it to the WLA requesting a new affiliation. The WLA office will verify the data and, once everything is in order, the WLA provides the text of the non-commercial agreement to be signed. The affiliation is concluded with the publication of the ASE’s contact details on the WLA website and the official communication sent by the WLA to the ASE.
Additional information is in the Guide to Certification, Part B.
ASEs must promptly inform the WLA about any changes that occur in their organization or in the list of auditors assigned to WLA-SCS services. Additionally, ASEs must send the WLA-ASE Report to the WLA on an annual basis.
ASEs shall verify that the auditors assigned to WLA-SCS services are compliant with the mandatory requirements established in the GtC. Moreover, on an annual basis all ASEs shall send the WLA-ASE Report to the WLA confirming the validity of data and contact details, as well as the list of active auditors.
Additionally, auditors working for ASEs which are not accredited to the ISO/IEC 17021 shall keep their ISO/IEC 27001 Lead Auditor certificate updated and send a copy to the WLA.
It is the responsibility of the ASEs and the auditors to comply with the rules. The WLA has internal procedures in place to organize spot checks and verify the compliance of ASEs and auditors. Those found non-compliant with the GtC are informed that their affiliation is suspended until evidence of the update is provided.
The WLA-SCS assessment is considered invalid and the certificate cannot be released.
All forms for WLA-SCS assessments are downloadable from the WLA website (security section). Here are the direct links to the WLA-SCS:2020 and the Guide to Certification, containing procedures and requirements.
The only difference is that the WLA-SCS Level 2 requires the certification to the ISO/IEC 27001.
No, the WLA-SCS standard of certification is always the same, both for the WLA-SCS Level 1 and the WLA-SCS Level 2 certificate.
The two levels require compliance with all the applicable controls of the WLA-SCS:2020. WLA-SCS Level 1 and Level 2 are both designed to guarantee that lotteries maintain the same high level of security concerning their lottery system(s).
No, the two levels of certification are available only for assessments based on the WLA-SCS:2020.
The auditor is responsible for establishing the severity of non-conformities.
In principle, all premises must be physically visited and assessed against all the applicable controls. If two or more premises perform the same function, the auditor can decide how best to gain confidence in compliance and how many of those premises need to be physically assessed.
No, during WLA-SCS annual assessments applicable controls can be sampled.
The auditor. Usually, the auditor should select the most critical controls or those where non-conformities were found during previous assessments.
Shall be read as the systems that are required to operate games, which encompasses the central gaming system and any of its peripheral components which are necessary to operate those games.
For initial certifications, the WLA-SCS:2016 is available until April 30, 2021.
For recertifications and annual reviews, the WLA-SCS:2016 is available until October 31, 2022.
Yes. In that case all the new applicable controls of the WLA-SCS:2020 must be assessed in addition to the sampled controls initially scheduled for the annual review.
The gaming operator might include the central entity and/or the suppliers of gaming systems directly as suppliers within their own scope. In this case the gaming operator shall provide proof of the integrity and security by-design of the products and services provided by the central entity operating the gaming system, according to the relevant controls from the WLA-SCS:2020.
A significant change is any change introduced to the operational environment that could induce significant risk and impact the security of the gaming system (physical or logical) according to the outcome of the organization's risk assessment. This could include, but is not limited to:
G controls apply to lottery and gaming operators, as well as to suppliers.
This control can be implemented regardless of the size of the organization. All that is asked here is for people to declare if they have any conflict of interest. This can be done with a formal audit or process whereby each member of the lottery declares if they have any conflict of interest.
Note: Conflict of interest differs from Segregation of duties. Read also Q 29.
A typical example of conflict of interest occurs when an employee of a lottery with a technology function also holds a role in, or owns shares of, an independent party that runs independent verification. In that case, the employee has an interest in the third party's activities and therefore has a conflict of interest while working for the lottery.
Implementing the control on segregation of duties in a small organization can be challenging. In this case it may be useful to consider compensating controls. There are also other measures that can be put in place if the number of staff available does not allow for a full segregation of duties in terms of access or responsibilities.
“Live production system” and “production environment” are used as synonyms to refer to the set of data, software, computers, networks and their settings that are put into operation in order to offer services accessible to end-users.
Production environment is distinguished from development and testing environments, such as QA and staging environments which are not accessed by end-users.
In the production environment, activities/transactions can impact the accounting, while this cannot happen in the testing environment.
It is not a pre-requisite for WLA-SCS auditors to have detailed training in, or knowledge of, ISO/IEC 27017, given that it follows the same principles as ISO/IEC 27001; however, auditors should understand the concepts behind the public cloud sufficiently to assess compliance with this control requirement.
No. Control G.5.3 requires compliance with ISO/IEC 17021.
Compliance is different from certification. Compliance means that a system fully adheres to the requirements of a standard. Certification means that a system has been certified to be in conformance with the requirements of the standard.
An operator or supplier should have adequate documentation as part of its ISMS to demonstrate compliance to ISO/IEC 27017 to a WLA-SCS auditor. There are some questionnaires on cloud security available online which could be used to verify if a system is compliant with ISO/IEC 27017.
It is worth mentioning that many of the controls contained in the ISO/IEC 27017 are built on the already existing controls of the ISO/IEC 27001. In the ISMS that organizations have in place, auditors might expect to see references on how those controls are applied in a cloud environment.
Yes, this is correct. If a service provider is hosting an application for you in a cloud located data center, that is not considered as cloud hosting.
“Lottery systems” refers to all systems that can in some way impact the operations of the lottery systems.
If gaming systems are hosted in the cloud both the provider and user should be compliant.
Note: major cloud providers are already ISO/IEC 27017 compliant.
No. Nonetheless, the compliance with ISO/IEC 27017 can be checked directly on cloud providers’ websites.
The auditor should check whether the evidence provided by the operator makes sense when advocating for an architectural review. For example, if an operator cannot tell what their critical services and systems are, that should already be considered a red flag; if the operator cannot show that they have defined the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) in their availability requirements for the systems they consider critical, that should be considered a red flag as well.
L controls apply to lottery and gaming operators, with the exception of L.2.4, which applies to suppliers as well where applicable.
The WLA-SCS documentation does not include a definition of “instant ticket”. Nonetheless, the notion of instant ticket relies on the fact that winning tickets are predetermined. Instant tickets can also be referred to as scratch cards.
Yes, the allocation of prizes to each tier is an integral part of the draw process and is subject to control L.2.2.8.
L.2.4.3 is only for electronic draws that use a random number generator. It is not applicable to the RNG used to select random numbers for customers to bet on. In that case, the RNG falls under normal quality control testing.
Templates on Responsible Disclosure Policy are not provided by the WLA.
The operator remains accountable for the risk management.
S controls apply to entities developing and managing gaming systems (as defined in the WLA-SCS:2020), whether they are a supplier or a lottery and gaming operator.
Gaming system suppliers are entities that supply goods or services necessary to operate games. Any supplier providing services and products related to platforms, electronic games and instant tickets is considered a gaming system supplier.
Yes. In the framework of a WLA-SCS assessment of an operator, the auditor shall check that S controls are being delivered by the operator’s supplier(s) as part of the operator’s certification.
Yes. If the suppliers are already WLA-SCS:2020 certified, this can be taken as sufficient evidence that all applicable S controls are met by the suppliers, without any further checks.
If the suppliers are not WLA-SCS:2020 certified, the auditor shall verify that all activities and controls that require validation procedures and/or a documentation exchange between the operator and the supplier are assessed, making sure operators can provide proof of the integrity and security by-design of the products and services provided by their suppliers.
In the framework of operators’ assessments, S controls shall be checked directly with the operator, and not with the supplier or on the supplier’s premises.
Firstly, it should be taken into consideration that the issuing of a WLA-SCS certificate is questioned only in case of severe non-conformities.
Secondly, in case of non-conformities to S controls by suppliers, the ultimate responsibility lies with the lottery. Contractually, it is recommended that the lottery and the supplier establish action plans to correct any non-conformities.
Annex C (S controls) is applicable to both systems.
There is specific software that can be used to make sure no insecure code is injected. The WLA does not provide commercial information; it is suggested to search the web or to ask the selected auditor directly for suggestions.
Rather than focusing on the tools to be used, it is important to put the attention on the logs generated by the application or by the infrastructure of services.
In more practical terms, the infrastructure on which a central gaming system sits should be generating logs about who has logged onto that infrastructure, what commands he/she has run on the servers, and what operations have happened – whether human or computer based.
Equally at the application layer there should be adequate logging of the events that have taken place, to know what records have been modified by whom.
Logs should be made available to whoever within the operator is responsible for consuming and reviewing those logs and can understand the legitimacy of actions and logs, as well as the presence of potentially suspicious activities on the system.
Logs should be made available in such a way that they can be consumed by whatever tool the operator uses.
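As an added illustration of the review described above (example code, not from the WLA or this FAQ), the script below correlates constructed infrastructure and application audit lines and flags commands run with no recorded login and draw-critical record changes by unapproved accounts; the key=value log format, host, table and account names are all assumptions.

```python
"""Review constructed audit logs from a central gaming system (added example)."""
import re
from collections import defaultdict

# Constructed sample lines: infrastructure audit trail (logins, commands) and
# application audit trail (record changes). The key=value format is an
# assumption for this example, not a format defined by the WLA-SCS.
INFRA_LOG = """\
2024-05-01T09:58:00Z host=cgs-db01 user=jsmith event=login
2024-05-01T10:02:10Z host=cgs-db01 user=jsmith event=cmd cmd=systemctl_restart_draw-engine
2024-05-01T10:40:00Z host=cgs-db01 user=root event=cmd cmd=mysql_prize_tiers
2024-05-01T11:00:00Z host=cgs-db01 user=jsmith event=logout
"""
APP_LOG = """\
2024-05-01T10:05:00Z app=draw-admin user=jsmith event=record_update table=prize_tiers id=7
2024-05-01T10:41:00Z app=draw-admin user=root event=record_update table=winning_numbers id=12
2024-05-01T12:00:00Z app=retail-portal user=clerk42 event=record_update table=retailer_profile id=5
"""
# Constructed allow-list: accounts approved to change draw-critical records.
DRAW_CRITICAL_TABLES = {"prize_tiers", "winning_numbers"}
APPROVED_DRAW_EDITORS = {"jsmith"}

def parse(log: str) -> list[dict]:
    """Parse key=value audit lines into dicts; the timestamp is kept under 'ts'."""
    rows = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        row = dict(re.findall(r"(\w+)=(\S+)", rest))
        row["ts"] = ts
        rows.append(row)
    return rows

def review(infra_log: str, app_log: str) -> list[str]:
    """Return the findings a log reviewer should look at."""
    findings = []
    open_sessions = defaultdict(set)  # host -> users with a recorded login
    for r in parse(infra_log):
        if r["event"] == "login":
            open_sessions[r["host"]].add(r["user"])
        elif r["event"] == "logout":
            open_sessions[r["host"]].discard(r["user"])
        elif r["event"] == "cmd" and r["user"] not in open_sessions[r["host"]]:
            findings.append(f"{r['ts']} command by {r['user']} on {r['host']} "
                            f"without a recorded login: {r['cmd']}")
    for r in parse(app_log):
        if (r["event"] == "record_update" and r["table"] in DRAW_CRITICAL_TABLES
                and r["user"] not in APPROVED_DRAW_EDITORS):
            findings.append(f"{r['ts']} {r['table']} id={r['id']} modified by "
                            f"unapproved account {r['user']} via {r['app']}")
    return findings
```

Running `review(INFRA_LOG, APP_LOG)` on the sample yields two findings, both for the `root` account; the approved change to `prize_tiers` and the non-critical retailer profile update pass.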
Technology suppliers should ensure that unauthorized attempts to add or modify system hardware can be tracked and identified. Several tools can be used for accomplishing this activity, depending on the situation.
For example, tamper-proof seals on hardware can be used for situations where there is physical access to the hardware. Beyond that, firmware integrity monitoring can be used for situations where the hardware is housed remotely or where there is no physical access to the hardware.
Note: In situations where hardware is being hosted “in the cloud” on an infrastructure as a service basis, ensuring hardware integrity might be difficult. This situation can constitute an exception in the application of control S.1.2.4, and it must be clearly stated by the auditor in the recommendation field of the WLA-SCS Assessment Form (AF).
If the controls contained in the ISO/IEC 27001 are all listed under the risk assessment where the vulnerability management is identified and are already mitigated by the necessary controls, there is no need to provide additional evidence for the WLA-SCS assessment.
Note: This reply is valid only for WLA-SCS Level 2 assessments. For WLA-SCS Level 1 assessments proof on vulnerability management is necessary.
There are many commercial tools available on the market that can be used for vulnerability management. The WLA does not provide commercial information; it is suggested to search the web or to ask the selected auditor directly for suggestions.
No, the WLA-SCS:2020, Annex D (M controls) refers only to multijurisdictional games run by the Multi State Lottery Association. In the future the M controls could be generalized, including different multijurisdictional games.
Powerball, Mega Millions, Lotto America, and Lucky for Life. More details on MUSL activities can be found on the MUSL website (www.musl.com).
Yes, for MUSL lotteries that want to obtain the WLA-SCS Level 2 certificate, the retailer point of sale device must meet NASPL requirements.
ICS stands for Internal Control System. It is used to process transactions independently from the computer gaming system as a form of checks and balances.
(Definition provided by MUSL)
CGS stands for Computer Gaming System, also known as the online gaming system. This system includes all computer systems required to allow the processing, storage, and reporting of gaming transactions with all intended redundancy, which can include multiple sites and multiple vendors.
Systems required for processing of transactions through non-traditional methods (electronic/web play, mobile play, plays through devices that are not terminals, etc.) are part of the CGS. Terminals and retailer provided point of sale devices (e.g. cash registers) or player provided point of sale devices (e.g. smartphones) are not part of the CGS.
It is worth noting that, while not included in this definition of CGS, the MUSL Rules do include requirements and definitions for terminals and retailer point of sale devices in MUSL Rule 2.4.
(Definition provided by MUSL)