Spillemyndigheden s Certification Programme. Instructions on Penetration Testing SCP EN.1.1

Similar documents
Spillemyndigheden s requirements for accredited testing organisations. Version of 1 July 2012

Testing Standards for Land-based Casino

What every IT professional needs to know about penetration tests

Standard report Online casino Testing standards SCP EN.1.0.SR. Standard report for inspection standards for online casino

PROTERRA CERTIFICATION PROTOCOL V2.2

IPC Certification Scheme IPC QMS/EMS Auditors

APLAC Application to Enter the APLAC MRA or to Extend Scope - APLAC MR 003

Data Sheet The PCI DSS

PEFC N 04 Requirements for certification bodies and accreditation bodies

Securing Digital Applications

University of Sunderland Business Assurance PCI Security Policy

IPC Certification Scheme IPC Management Systems Auditors

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Penetration testing.

Accreditation Criteria For Conformity Assessment Bodies

Personnel Certification Program

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

CERTIFICATION GUIDELINES FOR MANAGEMENT SYSTEM

Global Wind Organisation CRITERIA FOR THE CERTIFICATION BODY

S. Scholz / K. Meyer / J.E. Nielsen / Harald Drück/J.Fernández/E.Prado/L.Nelson Page 1 of 7

Governance, Organisation, Law, Regulation and Standards Syllabus QAN 603/0855/2

AUDITOR / LEAD AUDITOR PHARMACEUTICAL AND MEDICAL DEVICE INDUSTRY

An unofficial translation, in case of any discrepancies between the English version and the original Swedish version the latter will prevail.

FeliCa Approval for Security and Trust (FAST) Overview. Copyright 2018 FeliCa Networks, Inc.

PTSPAS Product Assessment HAPAS Equivalent in accordance with MCHW SHW Volume 1 Clause and

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies

PRODUCT CERTIFICATION SCHEME FOR MECHANICAL-CUSTOMIZED VEHICLES

Certification Body Audit Resources

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Regulation for the accreditation of product Certification Bodies

Request for Proposal (RFP)

"Energy and Ecological Transition for the Climate" Label Control and Monitoring Plan Guidelines

Google Cloud & the General Data Protection Regulation (GDPR)

Merchant Guide to PCI DSS

A Passage to Penetration Testing!

Global Wind Organisation CRITERIA S FOR THE CERTIFICATION BODY

IAF Mandatory Document KNOWLEDGE REQUIREMENTS FOR ACCREDITATION BODY PERSONNEL FOR INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

EA-7/05 - EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits

The Role of the Data Protection Officer

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

UKAS accredited Certification Bodies

Superannuation Transaction Network

SLOVAK FOREST CERTIFICATION SYSTEM September 1, 2008

External Supplier Control Obligations. Cyber Security

USING STANDARDS TO ASSESS THE COMPETENCE OF CONFORMITY

Site Data Protection (SDP) Program Update

GUIDELINES FOR CERTIFICATION OF MANAGEMENT SYSTEMS

PRODUCT CERTIFICATION SCHEME FOR CHILDREN TOYS

Part 5: Requirements for ABs FOOD SAFETY SYSTEM CERTIFICATION Part V: Requirements for Accreditation Bodies

Data Processing Agreement

SWIFT Customer Security Programme

Battery Program Management Document

PCI DSS. A Pocket Guide EXTRACT. Fourth edition ALAN CALDER GERAINT WILLIAMS

FIRE SAFETY GUIDELINES

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05

Provider Monitoring Report. City and Guilds

PRODUCT CERTIFICATION SCHEME FOR ENERGY DRINKS

AsureQuality Limited. CodeMark Programme. Certificate Holder Responsibilities and Requirements

Revised November EFESC Handbook

Audit Report. Association of Chartered Certified Accountants (ACCA)

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Welder Qualification Testing to AS/NZS for accreditation. criteria. supplementary

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001

Audit Report. The Prince s Trust. 27 September 2017

PRODUCT CERTIFICATION SCHEME FOR METROLOGY SYSTEM

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

AQMS AUDITOR APPLICATION GUIDE

GENERAL REQUIREMENTS FOR THE CERTIFICATION OF PERSONNEL FOR ENGINEERING INSPECTION AND TESTING

ASP Professional Standards and Certification Program for Strategic Planning and Strategic Management ASP CERTIFICATION

American Association for Laboratory Accreditation

A6 Training. A6.1 General. A6.2 Extract from the Health and Safety in Employment Act Training and supervision

ILNAS/PSCQ/Pr004 Qualification of technical assessors

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ASSURANCE PENETRATION TESTING

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

GUIDELINE. of the European Committee for Welding of Railway Vehicles (ECWRV) ( ) PART 1

PRODUCT CERTIFICATION SCHEME FOR ORGANIC PRODUCTS

Better Regulatory Outcomes & the CASCO Toolbox

POSITION DESCRIPTION

PCI COMPLIANCE IS NO LONGER OPTIONAL

Requirements for Certification Bodies

SANAS TECHNICAL REQUIREMENT FOR THE APPLICATION OF ISO/IEC IN THE FIELD OF FUSION WELDING METALLIC MATERIALS

Cloud Security Standards Supplier Survey. Version 1

EU Code of Conduct on Data Centre Energy Efficiency

EOQ methods and criteria for approval of training courses and training providers

REQUEST FOR EXPRESSIONS OF INTEREST

IATF - International Automotive Task Force Rules for achieving and maintaining IATF Recognition IATF Rules 5 th Edition Sanctioned Interpretations

Qualification Specification. Suite of Internal Quality Assurance Qualifications

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

When Recognition Matters INTRODUCING NEW PECB CERTIFICATION SCHEMES.

IAF Guidance on the Application of ISO / IEC Guide 65:1996

ASEAN AUSTRALIA DEVELOPMENT COOPERATION PROGRAM (AADCP) PHASE II TERMS OF REFERENCE FOR

PRIOR LEARNING ASSESSMENT AND RECOGNITION (PLAR)

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

FedRAMP Penetration Test Guidance. Version 1.0.1

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Accreditation Application as Provider Tax Professional Occupational Qualification. SAQA ID: Learnership No. 01/Q010048/00/400/8

ACCREDITATION CRITERIA FOR MANAGEMENT SYSTEM CERTIFICATION BODIES ISSUE NO : 01 ISSUE DATE : 17/01/2015 PREFACE

Transcription:

SCP.04.00.EN.1.1

Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 1.3 Applicability... 3 2 Certification... 4 2.1 Certification frequency... 4 2.1.1 Initial certification... 4 2.1.2 Renewed certification... 4 2.2 Accredited testing organisations... 4 2.2.1 Requirements for accredited testing organisations... 4 2.2.2 Requirements for personnel at the accredited testing organisations... 5 3 Penetration Testing Framework... 5 3.1 Objective of the penetration testing... 5 3.2 Protected components... 6 3.3 Updating software and hardware... 6 3.3.1 Component updates... 6 3.3.2 Internal function with the licence holder... 6 4 Penetration Testing Process... 6 SCP.04.00.EN.1.1 Page 2 of 7

1 Objectives of the The seeks to ensure that the gambling system and business systems of the licence holder are tested for vulnerabilities that could be exploited to gain access to sensitive information. 1.1 Scope of this document This document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling system, business processes and business systems of the licence holder as well as instructions on how to conduct the certification. The requirements concerning accreditation of the testing organisation and certification of the licence holder can be found in section 2 certification. The Penetration Test shall be conducted in such a way that exposes vulnerabilities in components. This is particularly relevant during system upgrades and updates. These requirements are set out in section 3 Penetration Testing Framework. Spillemyndigheden specify a number of mandatory penetration scenarios. These scenarios are set out in section 4 Penetration Testing Process. 1.2 Version Spillemyndigheden will continuously revise the certification programme, making the latest version and the version history accessible at Spillemyndigheden s website: https://spillemyndigheden.dk/en/certificationprogramme Date Version Description 2014.07.04 1.0 A new document structure than the previous version 1.3 alongside with a range of updates in different areas. A new version 1.0 is therefore published. It is the intention to follow normal versioning for future changes. 2015.12.21 1.1 Extension of applicability to cover offering of lotteries and betting on horseand dog races. Spillemyndigheden will publish guidelines regarding the validation of existing certifications together with previously performed inspections and tests, when new versions of the certification programme is released. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only. 1.3 Applicability Instructions on penetration testing is applicable for offering of: Online betting Land-based betting Online Casino SCP.04.00.EN.1.1 Page 3 of 7

Lotteries 2 Certification 2.1 Certification frequency The licence holder is responsible to ensure to be certified in accordance with the requirements in this document with an interval of maximum of 12 months. 2.1.1 Initial certification The licence holder must, as a rule, be certified before a licence to offer games can be issued, unless Spillemyndigheden has informed otherwise. 2.1.2 Renewed certification The licence holder must, as a rule, have completed a new certification within 12 months of the latest certification. The standard report must reflect, when the certification has been renewed. The licence holder can choose to postpone the certification up to two months from the time where a new certification should have been completed. The new certification must be finalised no later than 14 months after the latest certification and the standard report must be submitted to Spillemyndigheden within the same deadline. Use of this postponement requires that the testing is commenced within 12 months of the latest certification. Spillemyndigheden must be notified before the certication is postponed. The deadline for renewal of certification is shortened with the equally amount of time the former 12 month deadline has been postponed. Meaning that if you for instance make use of the maximum two months postponement, then the next certification is due 10 months later. The time for the next certification shall be reflected in the standard report. 2.2 Accredited testing organisations Testing organisations shall attain ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation based on the criteria described in the following sections. The scope of the accreditation shall be extended to include Spillemyndigheden s certification programme SCP.04.00.EN.1.1. The accreditation will be undertaken by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body being covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation. To ensure that the necessary qualifications are in place during the certification the testing organisation and their staff shall fulfil the following requirements. Documentation that the requirements are fulfilled shall be enclosed with the certification. 2.2.1 Requirements for accredited testing organisations The accrediting testing organisation: SCP.04.00.EN.1.1 Page 4 of 7

a) Shall have at least two years experience in penetration testing of systems or a similar closely related subject area, b) Shall be accredited as Payment Card Industry (PCI) Approved Scanning Vendor (ASV), c) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of SCP.04.00.EN.1.1, and d) Shall ensure that staff with sufficient qualifications will carry through the certification. 2.2.2 Requirements for personnel at the accredited testing organisations The certification shall be carried through by staff with sufficient qualifications cf. sections 2.6.1 above. Work done in relation to the certification shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements: a) Five years of professional experience in penetration testing of systems or a similar closely related subject area, and b) Shall be certified as: International Council of E-Commerce (EC-Council) Certified Ethical Hacker (CEH), International Council of E-Commerce (EC-Council) Licensed Penetration Tester (LPT), Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT), Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN), CESG CHECK Team Leader, CESG CHECK Team Member, CREST Infrastructure Certification, CREST Registered Tester, Tiger Scheme Senior Security Tester, eller Tiger Scheme Qualified Security Tester. Guidance: Testing, supervision and attestation can be carried out by staff who in conjunction fulfil the requirements. 3 Penetration Testing Framework Spillemyndigheden s is in part inspired by Payment Card Industry Data Security Standard (PCI-DSS). 3.1 Objective of the penetration testing When performing penetration testing the accredited testing organisation shall seek to exploit any vulnerabilities in the licence holders gambling system. The penetration test should cover but not be limited to the weaknesses uncovered during the vulnerability scanning, cf. Spillemyndighedens Instructions on Vulnerability Scanning SCP.05.00.EN. SCP.04.00.EN.1.1 Page 5 of 7

3.2 Protected components The gambling system and business systems in the licence holder s production environment shall be protected against any attack from outsiders. The components containing sensitive information concerning customers in particular shall be protected. The definition of components and their relevance follows from Spillemyndigheden s Change Management Programme SCP.06.00.EN, section 3.3.3. The licence holder can minimise the risk of unauthorised access by segmenting the internal networks including which sub-systems communicates sensitive information by public networks. 3.3 Updating software and hardware It is the responsibility of the licence holder that the system components are updated to a degree that ensures the highest level of security possible and does not compromise the integrity of the systems. By doing so the risk of unauthorised access to sensitive information is minimised. 3.3.1 Component updates In the event of an update of components of the licence holder or a supplier, a new vulnerability test must be conducted to ensure that the systems integrity remains intact. Penetration testing is necessary after significant up-dates or changes to infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server), in the case where the vulnerability scan has elements that score 4 or higher on the NVD CVSS scale. What will be considered to be significant changes will depend to a high degree on the set-up of a given environment and therefore it cannot be defined as such by Spillemyndigheden. It is, however, always considered significant if an upgrade or a change is capable of affecting or providing access to sensitive information and/or components cf. Spillemyndigheden s Change Management Programme SCP.06.00.EN, section 3.3.3. 3.3.2 Internal function with the licence holder The accredited testing organisation can allow that penetration testing as described in section 3.3.1 is conducted by a dedicated internal function at the licence holder undertaking penetration testing of the systems. This function shall be manned with appropriately skilled staff as well as being organisationally separated from the function implementing system changes. If the penetration testing is conducted by an internal function at the licence holder, the accredited testing organisation shall assess, approve and certify these tests every three months. The standard report shall clearly state whether this method has been used. This option is only available to licence holders. The option cannot be used by suppliers without an individual licence to offer gambling in Denmark. 4 Penetration Testing Process When performing penetration testing the accredited testing organisation shall seek unauthorised access to the systems of the licence holder. The unauthorised access shall be attempted escalated to the highest SCP.04.00.EN.1.1 Page 6 of 7

access level possible, and completed with and without access credentials available (whitebox/blackbox). Through this access the following minimum list of scenarios shall be tested: Manipulation of result generation Affecting the execution of games Fraud with customer funds Theft of customer funds Manipulation of audit logs Access to sensitive information Manipulation of sensitive information Manipulation of data transfer to SAFE SCP.04.00.EN.1.1 Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback