Spillemyndigheden s requirements for accredited testing organisations. Version of 1 July 2012

Transcription

1 Version of 1 July 2012

2 Contents 1 Introduction Authority Objective Target audience Version Enquiries Certification Framework for certification Responsibility for certification and accreditation Certification categories Certification and requirements for certification Gambling functions ( A ) Requirement as to procedure Requirements to be met by the testing organisation Requirements for staff who supervise and attest the certification Requirements for the certification The frequency of certification Business functions ( B ) Requirements as to procedure Requirements to be met by the testing organisation Requirements for staff who supervise and attest the certification Requirements for the certification The frequency of certification Preventive measures to counter money laundering of proceeds and financing of terrorism ( C ) Requirements as to procedure Requirements to be met by the testing organisation Requirements for staff who supervise and attest the certification Requirements for the certification The frequency of certification Vulnerability and penetration testing ( D ) Requirements as to procedure Requirements to be met by the testing organisation Requirements for staff who supervise and attest the certification Requirements for the certification The frequency of certification Change Management ( E ) Requirements as to procedure Requirements to be met by the testing organisation Requirements for staff who supervise and attest the certification Requirements for the certification The frequency of certification Version of 1 July 2012 Page 2 of 12

3 1 Introduction 1.1 Authority This document Spillemyndigheden s requirements has been issued by Spillemyndigheden (the Danish Gambling Authority) under the Gambling Act (Act No. 848 of 1 July 2010 as later amended) and the executive orders on online casinos, online betting and land-based betting. It is part of the overall certification programme, which consists of the documents Spillemyndigheden s requirements, Spillemyndigheden s change management programme and Spillemyndigheden s technical standards. 1.2 Objective The document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling systems operated by licence holders, including gambling functionality and business functionality, internal procedures, etc. This accreditation will be carried through by DA- NAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body being covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation. 1.3 Target audience The document is intended for licence holders, suppliers, accreditation bodies and testing organisations. 1.4 Version This document is Version of 1 July Spillemyndigheden will revise the certification programme on an on-going basis, making the latest version and the version history accessible at Spillemyndigheden s website: If the certification programme is modified, as a rule certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only. 1.5 Enquiries Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address: spillemyndigheden@skat.dk or Spillemyndigheden Helgeshøj Allé 9 DK-2630 Taastrup Version of 1 July 2012 Page 3 of 12

4 2 Certification 2.1 Framework for certification A certification is based on inspection and testing (hereafter referred to as testing) of procedures and technical standards according to criteria specified in Spillemyndigheden s certification programme. Since the requirements to secure certification will vary, expertise in a range of different areas will be necessary, for which reason the overall certification is divided into five categories as shown in section 2.3 below. This makes it possible for a broad range of professionals to issue certifications within one or more categories. In addition, it gives licence holders and suppliers access to a wider choice, when deciding who should manage their certification process. 2.2 Responsibility for certification and accreditation The licence holder is responsible for obtaining the required certifications by planning its activity based on the certification programme. The licence holder is also responsible for ensuring that the certifications are issued by an accredited testing organisation in conformity with the certification programme. The testing organisation holds the responsibility for obtaining accreditation. 2.3 Certification categories Certification category Requirement Description A Gambling functions Spillemyndigheden s technical standards Random Number Generator (RNG), game rules, registration, reporting on operations, customer overview, terms and conditions, etc. B Business functions Spillemyndigheden s technical standards Information security, etc. (inspection) C Preventive measures to counter money laundering of proceeds and financing of terrorism Vulnerability and penetration Spillemyndigheden s technical standards D Spillemyndigheden s technical testing standards E Change Management Spillemyndigheden s Change Management Programme Registration, security, suspicious player behaviour Information security (testing) Standard for approved changes to gambling systems 2.4 Certification and requirements for certification To ensure that the necessary qualifications are present when a certification process is carried out, testing organisations and their staff shall meet the minimum requirements set out in this document. Documentation showing that the requirements are met shall be attached to all certifications. The document Spillemyndigheden s technical standards consists of a number of requirements listed as points with each requirement having a reference to which one of the certification categories A, B, C and D it belongs to and thus which category/-ies of accredited testing organisations will be qualified to certify the compliance with the requirement in question. Version of 1 July 2012 Page 4 of 12

5 The example below shows that testing organisations accredited in certification category A, B and/or C can certify the compliance with the requirement. Other requirements may be certified by various accredited testing organisations as indicated in the column at the right hand side of the requirements. 3 Gambling accounts 3.1 Management Registration 1 The gambling system shall be able to save documentation of the customer identification process (customer details). A B C Guidance: After customer registration, the system can open a temporary gambling account. When an accredited testing organisation has certified a given requirement in one certification category and this requirement is part of several certification categories, it will not be necessary to repeat the certification of the requirement. In such cases there shall, instead, be a reference to the above-mentioned certification. It is also allowed to base the certification on tests carried out on previous occasions and to similar criteria if the methodology mentioned in section , , , and below is used. When this option is utilised the actual time of the previous test shall be used when calculating the certification frequency. This means that if the certification is based on tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required. If some suppliers have certified their products fully or partly according to the Spillemyndigheden s certification programme, the accredited testing organisation shall, when testing the licence holder s gambling system, only test the elements of the gambling system that have not been certified. The accredited testing organisation shall be particularly alert to the fact that, even if the supplier s product has been certified already, it may be necessary to repeat parts of the certification, when the product is integrated into the licence holder s overall gambling system. This will be relevant, for example, when the implementation involves changes to the certified product. It is always the licence holder s responsibility to ensure compliance with the entire certification programme. Testing organisations shall achieve ISO/IEC accreditation and/or ISO/IEC accreditation based on the criteria described in the following sections, which deal with the various categories of certification. The scope of the accreditation shall be extended to include Spillemyndigheden s certification programme or local language equivalent as well as the relevant certification categories. Version of 1 July 2012 Page 5 of 12

6 2.4.1 Gambling functions ( A ) Requirement as to procedure The document Spillemyndigheden s technical standards specifies the requirements comprised by certification category A (gambling functions) Requirements to be met by the testing organisation a) Shall have at least three years experience in testing gambling functions or a similar closely related subject area, b) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of certification category A in Spillemyndigheden s technical standards and c) Shall ensure that staff with sufficient qualifications will carry through the certification Requirements for staff who supervise and attest the certification The certification shall be carried through by staff with sufficient qualifications, see section above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) For the testing of the Random Number Generator the supervisor shall have a relevant master s or PhD degree or in other ways be able to prove relevant qualifications b) For the testing of other gambling functions the supervisor shall have a relevant educational background or in other ways be able to prove relevant qualifications c) In case the supervisor referred to in a) or b) above does not have five years of professional experience in testing gambling functions or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing gambling functions or a similar closely related subject area for an accredited or certified organisation Requirements for the certification The testing organisation shall attest that the requirements in certification category A of Spillemyndigheden s technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if all requirements have not been met as described in Spillemyndigheden s technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC Risk management - Risk assessment techniques The frequency of certification The gambling functions of the licence holder shall be certified at all times. The licence holder shall ensure that the gambling functions of the licence holder are subject to on-going certification of the adherence to the requirements of certification category A with an interval of no more than 12 months. Version of 1 July 2012 Page 6 of 12

7 A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden s Change Management Programme. The certification shall clearly state whether this method has been used Business functions ( B ) Requirements as to procedure The document Spillemyndigheden s technical standards specifies the requirements comprised by certification category B (business functions) Requirements to be met by the testing organisation a) Shall have at least three years of experience in testing business functions or a similar closely related subject area, b) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of certification category B of Spillemyndigheden s technical standards and c) Shall ensure that staff with adequate qualifications carries through the certification Requirements for staff who supervise and attest the certification The certification shall be carried through by staff with adequate qualifications, see section above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) shall have a relevant education background or in other ways prove relevant qualifications, b) Shall be certified as: International Information Systems Security Certification Consortium (ISC) 2 Certified Information Systems Security Professional (CISSP), Payment Card Industry (PCI) Qualified Security Assessor (QSA), or Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA). c) if the supervisor referred to in a) and b) above does not have five years of professional experience in testing business functionality or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing business functionality or a similar closely related subject area for an accredited or certified organisation Requirements for the certification The testing organisation shall attest that the requirements in certification category B of Spillemyndigheden s technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if all requirements have not been met as described in Spillemyndigheden s technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC Risk management - Risk assessment techniques. Version of 1 July 2012 Page 7 of 12

8 The frequency of certification The business functions of the licence holder shall be certified at all times. The licence holder shall ensure that the business functions of the licence holder are subject to on-going certification of the adherence to the requirements of certification category B with an interval of no more than 12 months. A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden s Change Management Programme. The certification shall clearly state whether this method has been used Preventive measures to counter money laundering of proceeds and financing of terrorism ( C ) Requirements as to procedure There is no requirement for certification in connection with preventive measures to counter money laundering of proceeds of crime and financing of terrorism, but testing organisations with experience in this area may certify compliance with requirements in certification category C. The document Spillemyndigheden s technical standards specifies the requirements covered by certification category C (preventive measures to counter money laundering of proceeds of crime and financing of terrorism) Requirements to be met by the testing organisation a) Shall have at least two years of experience in the area of preventive measures to counter money laundering of proceeds of crime and financing of terrorism or a similar closely related subject area, b) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of certification category C in Spillemyndigheden s technical standards, and c) Shall ensure that staff with adequate qualifications will carry out the certification Requirements for staff who supervise and attest the certification The certification shall be carried through by staff with sufficient qualifications, see section above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) Shall have a relevant education background or prove relevant qualifications in other ways, b) Shall have Certified Anti-Money Laundering Specialists (CAMS) Association of Certified Anti-Money Laundering Specialists (ACAMS) accreditation. c) In case the supervisor referred to in a) and b) above does not have three years of professional experience in the area of preventive measures to counter money laundering of proceeds and financing of terrorism in the regulated online gambling industry or a similar closely related subject area, the certification shall also be supervised and attested by a person who has three years of professional experience in preventive measures to counter money laundering of proceeds and financing of terrorism in the regulated online gambling industry or a similar closely related subject area. Version of 1 July 2012 Page 8 of 12

9 Requirements for the certification The testing organisation shall attest that the requirements of certification category C in Spillemyndigheden s technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if all requirements have not been met as described in Spillemyndigheden s technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC Risk management - Risk assessment techniques The frequency of certification The preventive measures to counter money laundering of proceeds of crime and financing of terrorism of the licence holder shall be certified at all times. The licence holder shall ensure that the preventive measures to counter money laundering of proceeds of crime and financing of terrorism of the licence holder are subject to on-going certification of the adherence to the requirements of certification category C with an interval of no more than 12 months. Guidance: Currently all requirements in certification category C are covered by category A or B, thus, being certified in accordance with certification category A and B also ensures compliance with certification category C. A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden s Change Management Programme. The certification shall clearly state whether this method has been used Vulnerability and penetration testing ( D ) Requirements as to procedure The document Spillemyndigheden s technical standards specifies the requirements comprised by certification category D (vulnerability and penetration testing) Requirements to be met by the testing organisation a) Shall have a minimum of two years experience in the area of vulnerability and penetration testing of systems or a similar closely related subject area. b) Shall have accreditation as a Payment Card Industry (PCI) Approved Scanning Vendor (ASV) c) Shall work on the basis of the ISO/IEC accreditation and/or ISO/IEC accreditation, which refers to the requirements of certification category D in Spillemyndigheden s technical standards and d) Shall ensure that staff with adequate qualifications will carry through the certification Requirements for staff who supervise and attest the certification The certification shall be carried through by staff with sufficient qualifications, see section above. The performance shall be supervised and the declaration of certification shall be signed by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: Version of 1 July 2012 Page 9 of 12

10 a) Shall have five years professional experience in vulnerability and penetration testing of systems or a similar closely related subject area, and b) Shall be certified as: International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH), International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT), Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT), Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN), CESG CHECK Team Leader, CESG CHECK Team Member, CREST Infrastructure Certification, CREST Registered Tester, Tiger Scheme Senior Security Tester, or Tiger Scheme Qualified Security Tester Requirements for the certification The testing organisation shall attest that the requirements of certification category D in Spillemyndigheden s technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if all requirements have not been met as described in Spillemyndigheden s technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC Risk management - Risk assessment techniques The frequency of certification The penetration testing of the licence holder shall be certified at all times. The licence holder shall ensure that the penetration testing of the licence holder is subject to on-going certification of the adherence to the requirements of certification category D with an interval of no more than 12 months. The vulnerability testing of the licence holder shall be certified at all times. The licence holder shall ensure that the vulnerability testing of the licence holder is subject to on-going certification of the adherence to the requirements of certification category D with an interval of no more than 3 months. It shall be indicated in the certification of penetration testing that it will be withdrawn after significant upgrades or changes to infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What will be considered to be significant changes will depend to a high degree on the set-up of a given environment. Therefore it cannot be defined as such by Spillemyndigheden in advance, but if an upgrade or a change is capable of affecting or providing access to customer data, gambling data, financial data and/or functionality, it shall always be considered to be significant. Where a licence holder has an internal function dedicated to undertaking penetration testing and this function is manned with appropriately skilled staff as well as separated from the function of implementing system changes, the relevant accredited testing organisation has the option of not withdrawing the certification after significant upgrades or changes to infrastructure or the use of it. This option is only available to licence holders. The option is not available to suppliers and vendors without a licence to offer online casino and/or betting in Denmark. Version of 1 July 2012 Page 10 of 12

11 Significant in a highly segmented network in which customer data, gambling data, financial data and/or functionality are distinctly isolated from other data and functions is very different from significant in a flat network, for example, in which all persons and systems will have potential access to customer data, gambling data, financial data and/or functionality. It is recommended to carry through penetration testing of all upgrades and changed in order to make sure that the existing internal controls still work effectively after an upgrade or change Change Management ( E ) Requirements as to procedure The document Spillemyndigheden s Change Management Programme specifies the requirements comprised by certification category E (Change Management) Requirements to be met by the testing organisation The requirements are the same as for certification category A (gambling functions) as referred to in section Requirements for staff who supervise and attest the certification The certification shall be carried through by staff with sufficient qualifications, see sections and above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) shall have a relevant education background or be able to prove relevant qualifications in other ways, b) Shall be certified as: International Information Systems Security Certification Consortium (ISC) 2 Certified Information Systems Security Professional (CISSP), Payment Card Industry (PCI) Qualified Security Assessor (QSA), or Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA). c) If the supervisor referred to in a) and b) above does not have five years of professional experience in testing gambling or business functionality or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing gambling or business functionality or a similar closely related subject area for an accredited or certified organisation Requirements for the certification The testing organisation shall attest that the requirements of certification category E of Spillemyndigheden s Change Management Programme are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if all requirements have not been met as described in Spillemyndigheden s Change Management Programme. This shall be underpinned by a risk assessment, taking into account the purpose of the Gam- Version of 1 July 2012 Page 11 of 12

12 bling Act and the associated executive orders, based on ISO/IEC Risk management - Risk assessment techniques The frequency of certification The change management of the licence holder shall be certified at all times. The licence holder shall ensure that the change management of the holder is subject to on-going certification of the adherence to the requirements of certification category E with an interval of no more than 12 months. Version of 1 July 2012 Page 12 of 12