ISO IWA 17:2014 Information and operations security and integrity requirements for lottery and gaming organizations (First Edition)

Uploader: deputyduring120 Document ID: 1257481 Upload date: 2019-09-02 Format: PDF Pages: 22 Size: 511KB
Resource description

INTERNATIONAL WORKSHOP AGREEMENT IWA 17
Reference number IWA 17:2014(E)
First edition 2014-12-15

Information and operations security and integrity requirements for lottery and gaming organizations
Informations et exigences d'intégrité et de sécurité relatives aux opérations pour la loterie et l'organisation de jeux

COPYRIGHT PROTECTED DOCUMENT
© ISO 2014. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents (page)
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Overview 1
4 General security and integrity management requirements 2
4.1 Information Security Management System (ISMS) 2
4.2 Scope of the ISMS 2
4.3 Statement of applicability 2
5 General security and integrity control objectives and controls 2
6 Lottery and gaming specific security and integrity control objectives and controls 2
Annex A (normative) General security and integrity control objectives and controls 3
Annex B (normative) Lottery and gaming specific security and integrity control objectives and controls 6
Annex C (informative) Workshop contributors 12
Bibliography 14

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information

International Workshop Agreement IWA 17 was approved at a workshop organized by the World Lottery Association (WLA), in association with the Association française de normalisation (AFNOR), and held in Zurich, Switzerland, in September 2014.

International Workshop Agreement IWA 17 is based on WLA-SCS:2012, WLA Security Control Standard: Lottery and Gaming Security and Integrity Standard for Operations.

Introduction

This International Workshop Agreement defines a security, integrity and risk management standard for use by the lottery and gaming sector and is intended to be the focal point for the sector on security and integrity issues. It is intended to assist lottery and gaming organizers around the world towards attaining a level of control in line with generally accepted practices and to make possible an increased reliance on the integrity of lottery operations.

This International Workshop Agreement describes a security management process that is aligned both with internationally recognized standards and with a common security baseline for specific aspects relating to lottery and gaming organizers, which represents good practice. It comprises a comprehensive set of requirements, controls and standards for lottery and gaming organizers, including conformity with all requirements stated in ISO/IEC 27001 for information security management systems (ISMS).

This International Workshop Agreement can also be considered as the foundation for building trust relationships with other lottery and gaming organizers, stakeholders and regulators for the purpose of conducting lottery and gaming operations or multi-jurisdictional games, and can be of substantial assistance to management by providing an independent review to build increased confidence in the security of a lottery.

Compliance with this International Workshop Agreement allows a lottery and gaming organizer to ensure the integrity, availability and confidentiality of services and information vital to their secure operation.

The adoption of this International Workshop Agreement is a strategic decision for a lottery and gaming organizer. The design and implementation of the organization's Security and Integrity management systems are influenced by their specific needs, objectives, risks and security requirements, the processes employed and the size and structure of the organization. These factors and their supporting systems are expected to change over time and it is to be expected that a management system implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple Security and Integrity management system.

Compliance with this International Workshop Agreement can be used by interested internal and external parties to evaluate the security and integrity of a lottery and gaming organization.

This International Workshop Agreement is aligned with ISO/IEC 27001 and ISO 9001 to allow for consistent and integrated implementation and operation with related management system standards.

1 Scope

This International Workshop Agreement covers all types of lottery and gaming organizations, including commercial enterprises, government agencies and non-profit organizations.

This International Workshop Agreement specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented security and integrity system within the context of the organization's overall risks. It specifies the requirements for the implementation of security and integrity controls applicable to the needs of individual organizations, so that the security and integrity management systems can be designed to ensure the selection of adequate and proportionate security and integrity controls that protect assets and give confidence to interested parties.

The requirements set out in this International Workshop Agreement are generic and are intended to be applicable to all organizations, regardless of type, size and nature.

NOTE 1 If an organization already has an operational business process management system (e.g. in relation with ISO 9001 or ISO 14001), in most cases it is advisable to satisfy the requirements of this International Workshop Agreement within the existing management system.

NOTE 2 Lottery and gaming organizers adopting this International Workshop Agreement are responsible for its correct application.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements

3 Overview

The main objective of the security and integrity approach for lottery and gaming organizations is to ensure adequate operation as well as to provide confidence. Confidence in a lottery operation is key to retaining players and other stakeholders. Lottery and gaming organizers, therefore, need to develop and maintain a visible and documented security and integrity environment.

This International Workshop Agreement describes the requirements, control objectives and controls that are seen as best practice. A lottery and gaming organizer shall operate an information security management system that implements all requirements stated in ISO/IEC 27001, as well as the mandatory requirements and controls of this International Workshop Agreement.

This International Workshop Agreement incorporates baseline requirements and controls within the lottery and gaming organizer's overall security, integrity and risk management process, avoiding overlaps with more general security frameworks. It provides lottery and gaming security and integrity professionals with a process whereby they can formally manage, update and continuously improve their controls. Lottery and gaming organizers, therefore, need to develop and maintain a visible and documented security environment.

In addition to general security and integrity management requirements contained in this International Workshop Agreement, Annexes A and B specify the minimum controls necessary for the effective management of security and integrity in a lottery and gaming organization.

4 General security and integrity management requirements

4.1 Information Security Management System (ISMS)

The organization shall operate an Information Security Management System (ISMS) that satisfies the requirements stated in ISO/IEC 27001.

4.2 Scope of the ISMS

The scope of the organization's ISMS shall include all lottery and gaming related activities of its operation, including all related assets and information systems. The scope may only exclude operations of the organization that are not related to the lottery and gaming activities. Those operations excluded shall be fully identified and the causes for exclusion justified in detail. General organizational functions (e.g. human resources, planning, finance) needed to produce the lottery and gaming operations are within the scope.

4.3 Statement of applicability

The organization's ISMS statement of applicability shall explicitly include all controls in Annexes A and B. No control shall be excluded, but some of the controls in Annex B may be non-applicable. Claims of non-applicability shall be justified in detail.

Excluding any of the requirements specified in this clause (Clause 4), as well as any control in Annexes A and B, is not acceptable when an organization claims conformity to this International Workshop Agreement. Any non-applicability of controls of Annex B found to be necessary needs to be formally justified and evidence needs to be provided that the non-applicability has been accepted by accountable people of the organization. Where any controls are non-applicable, claims of conformity to this International Workshop Agreement are not acceptable unless such exclusions do not affect the organization's ability and/or responsibility to provide security and integrity that meets the requirements as determined by a risk assessment and applicable statutory or regulatory requirements.

5 General security and integrity control objectives and controls

The organization shall implement the 21 general controls described in Tables A.1 to A.6.

6 Lottery and gaming specific security and integrity control objectives and controls

The organization shall implement the 90 lottery and gaming specific controls described in Tables B.1 to B.7, if applicable.

Annex A (normative) General security and integrity control objectives and controls

The control objectives and controls listed in Tables A.1 to A.6 are mandatory controls under this International Workshop Agreement. They have been derived from ISO/IEC 27001 and extend beyond the requirements of ISO/IEC 27001. The lists in Tables A.1 to A.6 are not exhaustive and a lottery organization may consider that additional control objectives and controls are necessary.

Table A.1 Organization of security

G.1 Organization of security
G.1.1 Allocation of security responsibilities
Objective: To ensure that security function responsibilities are effectively implemented.

Type of control: Control
G.1.1.1 Security forum: A security forum or other organizational structure comprised of senior managers shall be formally established to monitor and review the ISMS to ensure its continuing suitability, adequacy and effectiveness, maintain formal minutes of meetings and convene at least every six months.
G.1.1.2 Security function: A security function shall exist that will be responsible to draft and implement security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not be limited to, the protection of information, communications, physical infrastructure and game processes.
G.1.1.3 Security function reporting: The security function shall report to no lower than executive level management and not reside within or report to the IT function.
G.1.1.4 Security function position: It shall have the competences and be sufficiently empowered, and shall have access to, all necessary resources within the organization to enable the adequate assessment, management and reduction of risk.
G.1.1.5 Security function responsibility: The head of the security function shall be a full member of the security forum and be responsible for recommending security policies and changes.

Table A.2 Human resource security

G.2 Human resource security
G.2.1 Implementation of a code of conduct
Objective: To ensure that a suitable code of conduct is effectively implemented.

Type of control: Control
G.2.1.1 Code of conduct: A code of conduct shall be issued to all personnel when initially employed. All personnel shall formally acknowledge acceptance of this code.
G.2.1.2 Adherence and disciplinary action: The code of conduct shall include statements that all policies and procedures are adhered to and th
