4 - Remote gambling and software technical standards (RTS) security requirements
Standard – A.5 Information security policies
Standard – A.6 Organisation of information security
Standard – A.7 Human resources security
Standard – A.8 Asset management
Standard – A.9 Access control
Standard – A.10 Cryptography
Standard – A.11 Physical and environmental security
Standard – A.12 Operations security
Standard – A.13 Communications security
Standard – A.14 System acquisition, development and maintenance
Standard – A.15 Supplier relationships
Standard – A.16 Information security incident management
Standard – A.18 Compliance
4.1 This section sets out a summary of the RTS security requirements that licence holders must meet. The Commission has based the security requirements on the relevant sections of Annex A to the ISO/IEC 27001:2013 standard.
4.2 This 2013 standard replaces ISO/IEC 27001:2005.
4.3 The Commission’s aim in setting out the security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. The Commission has highlighted the systems that are most critical to achieving its aims, and the security standards apply to these critical systems:
- electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
- electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- electronic systems that store results or the current state of a customer’s gamble
- points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- communication networks that transmit sensitive customer information.
Security requirements summary
Standard – A.5 Information security policies
Objective A.5.1 Information security policy
Requirement A.5.1.1 Policies for information security
Requirement A.5.1.2 Review of the information security policy
Standard – A.6 Organisation of information security
Objective A.6.2 Mobile devices and teleworking
Requirement A.6.2.1 Mobile device policy
Requirement A.6.2.2 Teleworking
Standard – A.7 Human resources security
Objective A.7.2 During employment
Requirement A.7.2.2 Information security awareness, education and training
Objective A.7.3 Termination or change of employment
Requirement A.7.3.1 Termination or change of employment responsibilities
Standard – A.8 Asset management
Objective A.8.2 Information classification
Requirement A.8.2.3 Handling of assets
Objective A.8.3 Media Handling
Requirement A.8.3.1 Management of removable media
Requirement A.8.3.2 Disposal of media
Standard – A.9 Access Control
Objective A.9.1 Business requirements of access control
Requirement A.9.1.1 Access control policy
Requirement A.9.1.2 Access to network and network services
Objective A.9.2 User access management
Requirement A.9.2.1 User registration and de-registration
Requirement A.9.2.2 User access provisioning
Requirement A.9.2.3 Management of privileged access rights
Requirement A.9.2.4 Management of secret authentication information of users
Requirement A.9.2.5 Review of user access rights
Requirement A.9.2.6 Removal or adjustment of access rights
Objective A.9.3 User responsibilities
Requirement A.9.3.1 Use of secret authentication information
Objective A.9.4 System and application access control
Requirement A.9.4.1 Information access restriction
Requirement A.9.4.2 Secure log-on procedure
Requirement A.9.4.3 Password management system
Requirement A.9.4.4 Use of privileged utility programmes
Standard – A.10 Cryptography
Objective A.10.1 Cryptographic controls
Requirement A.10.1.1 Policy on use of cryptographic controls
Requirement A.10.1.2 Key management
Standard – A.11 Physical and environmental security
Objective A.11.2 Equipment
Requirement A.11.2.1 Equipment siting and protection
Requirement A.11.2.7 Secure disposal or re-use of equipment
Requirement A.11.2.8 Unattended user equipment
Standard – A.12 Operations security
Objective A.12.1 Operational procedures and responsibilities
Requirement A.12.1.4 Separation of development, testing and operational environments
Objective A.12.2 Protection from malware
Requirement A.12.2.1 Controls against malware
Objective A.12.3 Protect against loss of data
Requirement A.12.3.1 Information backup
Objective A.12.4 Logging and monitoring
Requirement A.12.4.1 Event logging
Requirement A.12.4.2 Protection of log information
Requirement A.12.4.3 Administrator and operator logs
Requirement A.12.4.4 Clock synchronisation
Standard – A.13 Communications security
Objective A.13.1 Network security management
Requirement A.13.1.1 Network controls
Requirement A.13.1.2 Security of network services
Requirement A.13.1.3 Segregation in networks
Standard – A.14 System acquisition, development and maintenance
Objective A.14.1 Security requirements of information systems
Requirement A.14.1.2 Securing application services on public networks
Requirement A.14.1.3 Protecting application service transactions
Objective A.14.2 Security in development and support processes
Requirement A.14.2.1 Secure development policy
Requirement A.14.2.2 System change control procedures
Requirement A.14.2.3 Technical review of applications after operating platform changes
Requirement A.14.2.4 Restrictions on changes to software packages
Requirement A.14.2.5 Secure system engineering principles
Requirement A.14.2.6 Secure development environment
Requirement A.14.2.7 Outsourced development
Requirement A.14.2.8 System security testing
Requirement A.14.2.9 System acceptance testing
Objective A.14.3 Test data
Requirement A.14.3.1 Protection of test data
Standard – A.15 Supplier relationships
Objective A.15.1 Information security in supplier relationships
Requirement A.15.1.1 Information security policy for supplier relationships
Requirement A.15.1.2 Addressing security within supplier agreements
Requirement A.15.1.3 Information and communication technology supply chain
Objective A.15.2 Supplier service delivery management
Requirement A.15.2.1 Monitoring and review of supplier services
Requirement A.15.2.2 Managing changes to supplier services
Standard – A.16 Information security incident management
Objective A.16.1 Management of security incidents and improvements
Requirement A.16.1.1 Responsibilities and procedures
Requirement A.16.1.2 Reporting information security events
Requirement A.16.1.3 Reporting information security weaknesses
Requirement A.16.1.4 Assessment of and decision on information security events
Requirement A.16.1.5 Response to information security incidents
Requirement A.16.1.7 Collection of evidence
Standard – A.18 Compliance
Objective A.18.2 Information security review
Requirement A.18.2.1 Independent review of security policy
Last updated: 23 November 2023