WLA Certification: Preparation and Management
Australia, 27-30 April 2015
By Driss HAMDOUNE, MDJS Secretary General & WLA Security & Risk Management Committee Member

What kinds of risk is our business activity exposed to? Can we predict all the risks?
So, how can we predict and manage any potential security related risk effectively?
Presentation structure
01 Procedure
02 Management
03 MDJS Experience

WLA Certification: Preparation procedure
[Diagram: six numbered steps. Labels recoverable from the slide: Preparation; Comparing current situation with Standard Requirements; Establishing an action plan; Pre-assessment; Action plan updating; Certification. Preparation stage: 6 months.]

Certification Procedure
Setting up a gap analysis:
- to calculate the gap between the standard and the current practices in terms of corporate security,
- to determine whether the control was done or not,
- and to come up with an action plan to reduce or eliminate the gaps.
Gap analysis: status of WLA SCS implementation
Columns: WLA SCS clause | Mandatory requirement for the ISMS | Status | Look for | Findings | Remarks / Recommendations
G.1 Organization of security
G.1.1 Allocation of security responsibilities
G.1.1.1 Security forum: A security forum or other organizational structure comprised of senior managers shall be formally established to monitor and review the ISMS, maintain formal minutes of meetings and convene at least every six months.
G.1.1.2 Security function: A security function shall exist that will be responsible to draft and implement security strategies and action plans. It shall be involved in and review all processes regarding security aspects of the organization, including, but not be limited to, the protection of information, communications, physical infrastructure, and game processes.
G.1.1.3 Security function reporting: The security function shall report to no lower than executive level management and not reside within or report to the IT function.
Status values shown on the slide: D, MD, PNP

Certification Procedure: Prerequisites
- Process Mapping: refers to the visual representation of processes and links between them
- Procedures Manual: describes in detail the stages, stakeholders and tools for each activity
- Risk Map: predicts and prioritizes major risks in the lottery and plans to avoid or minimise them
- Incident Data Base: contains the description of incidents and the actions carried out to manage them

Certification Procedure
The Statement of Applicability (SOA) is a document which:
- formally justifies the choices for the implementation or non-implementation of all or part of the WLA clauses,
- covers all the requirements of the WLA standard and determines their applicability to the Company,
- shall be produced by the Lottery before initiating the certification audit.
SOA: a model (Statement of Applicability)
Columns: Annex A reference | Control title | Control description | Applicability | Implemented control/s | Comments | Evidence | Internal Audit comments
A.5 Security Policy
A.5.1 Information security policy: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information security policy document: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.
A.5.1.2 Review of the information security policy: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
Example cell values shown on the slide: Applicable; Partially applicable; ISMS policy on intranet; Available to all employees with intranet access; http://intranet/policy.html; Comprehensive policy

Certification Procedure: Pre-assessment stage
A pre-assessment process:
- ensures that all implementations are compliant with the requirements of the relevant standards,
- enables the development of an action plan to reduce or eliminate gaps or deviations prior to certification,
- is crucial before proceeding to the final audit,
- may be carried out by internal teams, but it is advisable to have it conducted by an external audit body.

Certification Procedure: Information
This form must be filled in first and then sent to:
- WLA business offices, or
- a member of the WLA Safety and Risk Management Committee, or
- one of the WLA accredited auditors.

The accredited WLA certification auditors
- AENOR Asociación Española de Normalización y Certificación, Spain
- BMM Testlabs, Canada
- GLI Test Labs Canada ULC (dba TST, a GLI company), Canada
- BrightLine CPAs & Associates, Inc., the USA
- British Standards Institute (BSI), the UK
- Certification Europe Ltd, Ireland
- DNV Business Assurance, Norway
- Ernst & Young CertifyPoint
- KPMG IT Advisory, Netherlands (Holland)
- ...

Certification validity
Certification is valid for three years, in effect from the certificate award date.
NB: annual follow-up reviews shall be made to ensure continuing compliance.
Timeline shown on the slide: initial audit and certificate, annual audit at 12 months, annual audit at 24 months, recertification at 3 years.

The certification procedure success: the main pillars
Managerial commitment:
- review and monitor the project action plan
- define the project budget
- create a Safety Committee
- set up an adequate organization and assign the appropriate human resources
Organization of security:
- Assignment of security responsibilities
- Security training
- Integration of information security
Security of Human Resources:
- Staff training
- Code of conduct

WLA certification: Added value
Physical security and security of the environment:
- To implement the security policy related to the information systems
- To design and implement the action plan for the physical security
Scratch cards security:
- To develop procedures for new games: transport, storage and distribution
- Security training for retailers
POS security:
- To install security equipment (safes, access control, ...)
- Improve points of sale control

WLA certification: Added value
Online games security:
- To develop procedure and charter for online games in line with regulations
Payment:
- To manage payments more efficiently
- To clarify the procedure for unclaimed prizes
Sports betting security:
- To control risks: preparation of the Totofoot games
- To regulate and select the games

WLA certification: Added value
WLA security standards provide best-practice principles agreed on and compiled by experts and currently used by lotteries.
Security and integrity of a lottery are essential to maintaining and fostering client trust.

What is the ongoing commitment required once certification is achieved?
1. Information: The organization shall establish, implement, maintain and continually improve an information security management system.
2. Organization review: Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
3. Training: Continuous training and awareness of all staff.
4. Annual review: Prepare for the mandatory annual reviews.

How can certification related documents be obtained? The standard and all useful information for certification can be downloaded from the address: http://www.world-lotteries.org
MDJS Morocco
Morocco
The Moroccan market is shared between three state corporations:
- SOREC: Horserace betting
- MDJS: Sports betting and scratch cards
- SGLN: Gambling
In the absence of an official regulatory body, this role is fulfilled by three lotteries:
- Be a barrier to illegal gambling
- Be a responsible gambling actor protecting minors and participants against addiction
- Provide additional revenue for the state to fight tax evasion related to illegal gambling
The total turnover for 2014 is 800 million Euros compared to 720 million Euros in 2013.

Morocco: La Marocaine des Jeux et des sports (MDJS)
First lottery in Africa to be certified:
- ISO 27001 (2005)
- WLA Security Control standard (2005)
- Responsible Gaming (2013)
First lottery in Morocco to be certified:
- Corporate Social Responsibility (2014)
First lottery in Morocco to conform:
- to the personal data protection law (2011)

MDJS WLA certification: Merits
The certification enables us to:
- predict and manage any potential security risk effectively,
- comply with the national and international legislations and standards,
- increase security levels for our clients and players,
- develop our competitive advantage,
- consolidate MDJS brand image.

Conclusion
I would highly recommend WLA certification.

Thank you! Driss HAMDOUNE d.hamdoune@mdjs.ma