Spillemyndigheden's requirements for accredited testing organisations. Version 1.3.0 of 1 July 2012

Version 1.3.0 of 1 July 2012

Contents

1 Introduction
1.1 Authority
1.2 Objective
1.3 Target audience
1.4 Version
1.5 Enquiries
2 Certification
2.1 Framework for certification
2.2 Responsibility for certification and accreditation
2.3 Certification categories
2.4 Certification and requirements for certification
2.4.1 Gambling functions (A)
2.4.1.1 Requirement as to procedure
2.4.1.2 Requirements to be met by the testing organisation
2.4.1.3 Requirements for staff who supervise and attest the certification
2.4.1.4 Requirements for the certification
2.4.1.5 The frequency of certification
2.4.2 Business functions (B)
2.4.2.1 Requirements as to procedure
2.4.2.2 Requirements to be met by the testing organisation
2.4.2.3 Requirements for staff who supervise and attest the certification
2.4.2.4 Requirements for the certification
2.4.2.5 The frequency of certification
2.4.3 Preventive measures to counter money laundering of proceeds and financing of terrorism (C)
2.4.3.1 Requirements as to procedure
2.4.3.2 Requirements to be met by the testing organisation
2.4.3.3 Requirements for staff who supervise and attest the certification
2.4.3.4 Requirements for the certification
2.4.3.5 The frequency of certification
2.4.4 Vulnerability and penetration testing (D)
2.4.4.1 Requirements as to procedure
2.4.4.2 Requirements to be met by the testing organisation
2.4.4.3 Requirements for staff who supervise and attest the certification
2.4.4.4 Requirements for the certification
2.4.4.5 The frequency of certification
2.4.5 Change Management (E)
2.4.5.1 Requirements as to procedure
2.4.5.2 Requirements to be met by the testing organisation
2.4.5.3 Requirements for staff who supervise and attest the certification
2.4.5.4 Requirements for the certification
2.4.5.5 The frequency of certification

1 Introduction

1.1 Authority

This document, Spillemyndigheden's requirements, has been issued by Spillemyndigheden (the Danish Gambling Authority) under the Gambling Act (Act No. 848 of 1 July 2010 as later amended) and the executive orders on online casinos, online betting and land-based betting. It is part of the overall certification programme, which consists of the documents Spillemyndigheden's requirements, Spillemyndigheden's change management programme and Spillemyndigheden's technical standards.

1.2 Objective

The document contains the requirements specifying how testing organisations obtain accreditation for conducting certification of the gambling systems operated by licence holders, including gambling functionality and business functionality, internal procedures, etc. This accreditation will be carried through by DANAK, the Danish Accreditation and Metrology Fund, or a similar accreditation body covered by the multilateral agreement on reciprocal recognition of the European Co-operation for Accreditation or a member of the International Laboratory Accreditation Cooperation.

1.3 Target audience

The document is intended for licence holders, suppliers, accreditation bodies and testing organisations.

1.4 Version

This document is Version 1.3.0 of 1 July 2012. Spillemyndigheden will revise the certification programme on an on-going basis, making the latest version and the version history accessible at Spillemyndigheden's website: http://spillemyndigheden.dk. If the certification programme is modified, as a rule certifications already issued will remain in force. It is important to emphasise that only the Danish version is legally binding and that the English version holds the status of guidance only.

1.5 Enquiries

Enquiries concerning this document should be sent in writing to Spillemyndigheden at the following address: spillemyndigheden@skat.dk or

Spillemyndigheden
Helgeshøj Allé 9
DK-2630 Taastrup

2 Certification

2.1 Framework for certification

A certification is based on inspection and testing (hereafter referred to as testing) of procedures and technical standards according to criteria specified in Spillemyndigheden's certification programme. Since the requirements to secure certification will vary, expertise in a range of different areas will be necessary, for which reason the overall certification is divided into five categories as shown in section 2.3 below. This makes it possible for a broad range of professionals to issue certifications within one or more categories. In addition, it gives licence holders and suppliers access to a wider choice when deciding who should manage their certification process.

2.2 Responsibility for certification and accreditation

The licence holder is responsible for obtaining the required certifications by planning its activity based on the certification programme. The licence holder is also responsible for ensuring that the certifications are issued by an accredited testing organisation in conformity with the certification programme. The testing organisation holds the responsibility for obtaining accreditation.

2.3 Certification categories

Each certification category is listed below with the document that sets its requirements and a description of what it covers.

A  Gambling functions
   Requirement: Spillemyndigheden's technical standards
   Description: Random Number Generator (RNG), game rules, registration, reporting on operations, customer overview, terms and conditions, etc.

B  Business functions
   Requirement: Spillemyndigheden's technical standards
   Description: Information security, etc. (inspection)

C  Preventive measures to counter money laundering of proceeds and financing of terrorism
   Requirement: Spillemyndigheden's technical standards
   Description: Registration, security, suspicious player behaviour

D  Vulnerability and penetration testing
   Requirement: Spillemyndigheden's technical standards
   Description: Information security (testing)

E  Change Management
   Requirement: Spillemyndigheden's Change Management Programme
   Description: Standard for approved changes to gambling systems

2.4 Certification and requirements for certification

To ensure that the necessary qualifications are present when a certification process is carried out, testing organisations and their staff shall meet the minimum requirements set out in this document. Documentation showing that the requirements are met shall be attached to all certifications.

The document Spillemyndigheden's technical standards consists of a number of requirements listed as points, each requirement carrying a reference to which of the certification categories A, B, C and D it belongs to, and thus which category/-ies of accredited testing organisations will be qualified to certify compliance with the requirement in question.

The example below shows that testing organisations accredited in certification category A, B and/or C can certify compliance with the requirement. Other requirements may be certified by various accredited testing organisations as indicated in the column at the right-hand side of the requirements.

3 Gambling accounts
3.1 Management
3.1.1 Registration
1  The gambling system shall be able to save documentation of the customer identification process (customer details).   A B C
   Guidance: After customer registration, the system can open a temporary gambling account.

When an accredited testing organisation has certified a given requirement in one certification category and this requirement is part of several certification categories, it will not be necessary to repeat the certification of the requirement. In such cases there shall, instead, be a reference to the above-mentioned certification.

It is also allowed to base the certification on tests carried out on previous occasions and to similar criteria if the methodology mentioned in sections 2.4.1.4, 2.4.2.4, 2.4.3.4, 2.4.4.4 and 2.4.5.4 below is used. When this option is utilised, the actual time of the previous test shall be used when calculating the certification frequency. This means that if the certification is based on tests performed six months prior, then the renewal of said certification shall be performed six months earlier than ordinarily required.

If some suppliers have certified their products fully or partly according to Spillemyndigheden's certification programme, the accredited testing organisation shall, when testing the licence holder's gambling system, only test the elements of the gambling system that have not been certified. The accredited testing organisation shall be particularly alert to the fact that, even if the supplier's product has been certified already, it may be necessary to repeat parts of the certification when the product is integrated into the licence holder's overall gambling system. This will be relevant, for example, when the implementation involves changes to the certified product. It is always the licence holder's responsibility to ensure compliance with the entire certification programme.

Testing organisations shall achieve ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation based on the criteria described in the following sections, which deal with the various categories of certification. The scope of the accreditation shall be extended to include Spillemyndigheden's certification programme, or its local-language equivalent, as well as the relevant certification categories.

2.4.1 Gambling functions (A)

2.4.1.1 Requirement as to procedure

The document Spillemyndigheden's technical standards specifies the requirements comprised by certification category A (gambling functions).

2.4.1.2 Requirements to be met by the testing organisation

a) Shall have at least three years' experience in testing gambling functions or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of certification category A in Spillemyndigheden's technical standards, and
c) Shall ensure that staff with sufficient qualifications will carry through the certification.

2.4.1.3 Requirements for staff who supervise and attest the certification

The certification shall be carried through by staff with sufficient qualifications, see section 2.4.1.2 above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) For the testing of the Random Number Generator the supervisor shall have a relevant master's or PhD degree or in other ways be able to prove relevant qualifications,
b) For the testing of other gambling functions the supervisor shall have a relevant educational background or in other ways be able to prove relevant qualifications,
c) In case the supervisor referred to in a) or b) above does not have five years of professional experience in testing gambling functions or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing gambling functions or a similar closely related subject area for an accredited or certified organisation.

2.4.1.4 Requirements for the certification

The testing organisation shall attest that the requirements in certification category A of Spillemyndigheden's technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if not all requirements have been met as described in Spillemyndigheden's technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC 31010 Risk management - Risk assessment techniques.

2.4.1.5 The frequency of certification

The gambling functions of the licence holder shall be certified at all times. The licence holder shall ensure that its gambling functions are subject to on-going certification of adherence to the requirements of certification category A at an interval of no more than 12 months.

A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden's Change Management Programme. The certification shall clearly state whether this method has been used.

2.4.2 Business functions (B)

2.4.2.1 Requirements as to procedure

The document Spillemyndigheden's technical standards specifies the requirements comprised by certification category B (business functions).

2.4.2.2 Requirements to be met by the testing organisation

a) Shall have at least three years' experience in testing business functions or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of certification category B of Spillemyndigheden's technical standards, and
c) Shall ensure that staff with adequate qualifications carry through the certification.

2.4.2.3 Requirements for staff who supervise and attest the certification

The certification shall be carried through by staff with adequate qualifications, see section 2.4.2.2 above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) Shall have a relevant educational background or in other ways prove relevant qualifications,
b) Shall be certified as one of the following:
   International Information Systems Security Certification Consortium ((ISC)²) Certified Information Systems Security Professional (CISSP),
   Payment Card Industry (PCI) Qualified Security Assessor (QSA), or
   Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA).
c) If the supervisor referred to in a) and b) above does not have five years of professional experience in testing business functionality or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing business functionality or a similar closely related subject area for an accredited or certified organisation.

2.4.2.4 Requirements for the certification

The testing organisation shall attest that the requirements in certification category B of Spillemyndigheden's technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if not all requirements have been met as described in Spillemyndigheden's technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC 31010 Risk management - Risk assessment techniques.

2.4.2.5 The frequency of certification

The business functions of the licence holder shall be certified at all times. The licence holder shall ensure that its business functions are subject to on-going certification of adherence to the requirements of certification category B at an interval of no more than 12 months.

A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden's Change Management Programme. The certification shall clearly state whether this method has been used.

2.4.3 Preventive measures to counter money laundering of proceeds and financing of terrorism (C)

2.4.3.1 Requirements as to procedure

There is no requirement for certification in connection with preventive measures to counter money laundering of proceeds of crime and financing of terrorism, but testing organisations with experience in this area may certify compliance with requirements in certification category C. The document Spillemyndigheden's technical standards specifies the requirements covered by certification category C (preventive measures to counter money laundering of proceeds of crime and financing of terrorism).

2.4.3.2 Requirements to be met by the testing organisation

a) Shall have at least two years' experience in the area of preventive measures to counter money laundering of proceeds of crime and financing of terrorism or a similar closely related subject area,
b) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of certification category C in Spillemyndigheden's technical standards, and
c) Shall ensure that staff with adequate qualifications will carry out the certification.

2.4.3.3 Requirements for staff who supervise and attest the certification

The certification shall be carried through by staff with sufficient qualifications, see section 2.4.3.2 above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) Shall have a relevant educational background or prove relevant qualifications in other ways,
b) Shall hold the Certified Anti-Money Laundering Specialist (CAMS) certification from the Association of Certified Anti-Money Laundering Specialists (ACAMS),
c) In case the supervisor referred to in a) and b) above does not have three years of professional experience in the area of preventive measures to counter money laundering of proceeds and financing of terrorism in the regulated online gambling industry or a similar closely related subject area, the certification shall also be supervised and attested by a person who has three years of professional experience in preventive measures to counter money laundering of proceeds and financing of terrorism in the regulated online gambling industry or a similar closely related subject area.

2.4.3.4 Requirements for the certification

The testing organisation shall attest that the requirements of certification category C in Spillemyndigheden's technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if not all requirements have been met as described in Spillemyndigheden's technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC 31010 Risk management - Risk assessment techniques.

2.4.3.5 The frequency of certification

The preventive measures to counter money laundering of proceeds of crime and financing of terrorism of the licence holder shall be certified at all times. The licence holder shall ensure that these preventive measures are subject to on-going certification of adherence to the requirements of certification category C at an interval of no more than 12 months.

Guidance: Currently all requirements in certification category C are covered by category A or B; thus, being certified in accordance with certification categories A and B also ensures compliance with certification category C.

A renewal of the certification may be based on sampling, spot checks and compliance with the requirements set out in the document Spillemyndigheden's Change Management Programme. The certification shall clearly state whether this method has been used.

2.4.4 Vulnerability and penetration testing (D)

2.4.4.1 Requirements as to procedure

The document Spillemyndigheden's technical standards specifies the requirements comprised by certification category D (vulnerability and penetration testing).

2.4.4.2 Requirements to be met by the testing organisation

a) Shall have a minimum of two years' experience in the area of vulnerability and penetration testing of systems or a similar closely related subject area,
b) Shall be approved as a Payment Card Industry (PCI) Approved Scanning Vendor (ASV),
c) Shall work on the basis of the ISO/IEC 17020 accreditation and/or ISO/IEC 17025 accreditation, which refers to the requirements of certification category D in Spillemyndigheden's technical standards, and
d) Shall ensure that staff with adequate qualifications will carry through the certification.

2.4.4.3 Requirements for staff who supervise and attest the certification

The certification shall be carried through by staff with sufficient qualifications, see section 2.4.4.2 above. The performance shall be supervised and the declaration of certification shall be signed by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) Shall have five years' professional experience in vulnerability and penetration testing of systems or a similar closely related subject area, and
b) Shall be certified as one of the following:
   International Council of E-Commerce Consultants (EC-Council) Certified Ethical Hacker (CEH),
   International Council of E-Commerce Consultants (EC-Council) Licensed Penetration Tester (LPT),
   Information Assurance Certification Review Board (IACRB) Certified Penetration Tester (CPT),
   Global Information Assurance Certification (GIAC) Certified Penetration Tester (GPEN),
   CESG CHECK Team Leader,
   CESG CHECK Team Member,
   CREST Infrastructure Certification,
   CREST Registered Tester,
   Tiger Scheme Senior Security Tester, or
   Tiger Scheme Qualified Security Tester.

2.4.4.4 Requirements for the certification

The testing organisation shall attest that the requirements of certification category D in Spillemyndigheden's technical standards are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if not all requirements have been met as described in Spillemyndigheden's technical standards. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC 31010 Risk management - Risk assessment techniques.

2.4.4.5 The frequency of certification

The penetration testing of the licence holder shall be certified at all times. The licence holder shall ensure that its penetration testing is subject to on-going certification of adherence to the requirements of certification category D at an interval of no more than 12 months.

The vulnerability testing of the licence holder shall be certified at all times. The licence holder shall ensure that its vulnerability testing is subject to on-going certification of adherence to the requirements of certification category D at an interval of no more than 3 months.

It shall be indicated in the certification of penetration testing that it will be withdrawn after significant upgrades or changes to infrastructure or the use of it (for example any installation of new system components, addition of a sub-network or addition of a web server). What is considered a significant change depends to a high degree on the set-up of a given environment. Therefore it cannot be defined as such by Spillemyndigheden in advance, but if an upgrade or a change is capable of affecting or providing access to customer data, gambling data, financial data and/or functionality, it shall always be considered significant.

Where a licence holder has an internal function dedicated to undertaking penetration testing, and this function is staffed with appropriately skilled personnel and separated from the function that implements system changes, the relevant accredited testing organisation has the option of not withdrawing the certification after significant upgrades or changes to infrastructure or the use of it. This option is only available to licence holders. It is not available to suppliers and vendors without a licence to offer online casino and/or betting in Denmark.

"Significant" in a highly segmented network, in which customer data, gambling data, financial data and/or functionality are distinctly isolated from other data and functions, means something very different from "significant" in a flat network, in which all persons and systems potentially have access to customer data, gambling data, financial data and/or functionality. It is recommended to carry through penetration testing of all upgrades and changes in order to make sure that the existing internal controls still work effectively after an upgrade or change.

2.4.5 Change Management (E)

2.4.5.1 Requirements as to procedure

The document Spillemyndigheden's Change Management Programme specifies the requirements comprised by certification category E (Change Management).

2.4.5.2 Requirements to be met by the testing organisation

The requirements are the same as for certification category A (gambling functions) as referred to in section 2.4.1.2.

2.4.5.3 Requirements for staff who supervise and attest the certification

The certification shall be carried through by staff with sufficient qualifications, see sections 2.4.5.2 and 2.4.1.2 above. The performance shall be supervised and the declaration of certification shall be attested by one or more persons who warrant(s) that the work has been carried out to adequate professional standards. These persons shall meet the following requirements:

a) Shall have a relevant educational background or be able to prove relevant qualifications in other ways,
b) Shall be certified as one of the following:
   International Information Systems Security Certification Consortium ((ISC)²) Certified Information Systems Security Professional (CISSP),
   Payment Card Industry (PCI) Qualified Security Assessor (QSA), or
   Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA).
c) If the supervisor referred to in a) and b) above does not have five years of professional experience in testing gambling or business functionality or a similar closely related subject area for an accredited or certified organisation, the certification shall also be supervised and attested by a person who has five years of professional experience in testing gambling or business functionality or a similar closely related subject area for an accredited or certified organisation.

2.4.5.4 Requirements for the certification

The testing organisation shall attest that the requirements of certification category E of Spillemyndigheden's Change Management Programme are met. In exceptional circumstances it may be accepted that the testing organisation attests to the certification even if not all requirements have been met as described in Spillemyndigheden's Change Management Programme. This shall be underpinned by a risk assessment, taking into account the purpose of the Gambling Act and the associated executive orders, based on ISO/IEC 31010 Risk management - Risk assessment techniques.

2.4.5.5 The frequency of certification

The change management of the licence holder shall be certified at all times. The licence holder shall ensure that its change management is subject to on-going certification of adherence to the requirements of certification category E at an interval of no more than 12 months.