Security & Risk Management
The security of a lottery will always play a critical role in maintaining the confidence and trust of the public in its lottery games. Therefore, it is vital that a lottery organization develops and maintains a visible and documented security environment in order to achieve and sustain public confidence in its operations.
The WLA Security Control Standard (WLA-SCS) is the only internationally recognized security standard for the lottery sector. It is designed to assist WLA members to obtain a level of security control in line with generally accepted best practices and to enable an increased reliance on the integrity of their operations. The WLA-SCS specifies the required practices for an effective security management structure by which a lottery may maintain the integrity, availability, and confidentiality of information vital to its secure operation.
A security and risk management framework, such as the WLA-SCS, is established by comparing current security and integrity practices used in the industry with those approved by lottery security experts. The WLA-SCS is developed and maintained by the WLA Security and Risk Management Committee, a group of lottery security experts appointed by the WLA Executive Committee.
All new or updated standards must be approved by the WLA Executive Committee and ratified by the delegates of the WLA General Meeting prior to publication.
The WLA-SCS:2020 features new controls for lottery technology suppliers, the use of cloud hosting for lottery gaming systems, as well as controls for privacy and application security. It also enhances controls from the previous version of the standard, consolidating controls in some areas to avoid redundancy and offering clarification on controls where needed to better facilitate the understanding of the standard.
In addition to the two annexes of the WLA-SCS:2016, the WLA-SCS:2020 introduces two new annexes, those transforming the structure as it follows:
As a result of the consolidation work performed by the WLA SRMC members, the total number of controls went from 127 to 120. Redundancies have been eliminated, some control have been merged to facilitate the application and some new control have been included to reflect the evolution of the market.
In particular, the Annex C (S Controls) has been included to clarify the Controls related to the specific products and services offered by suppliers and lottery and sports betting operators. The S Controls cover lottery systems security assurance, integrity measures related to the development of gaming system hardware, software and firmware, and integrity measures related to printing of retail instant tickets.
Annex D (M Controls) has been included with the aim to start including the multijurisdictional games as a specific category of controls for the lottery and sports betting sector. At the moment of the launch, the M controls are mandatory only for US lotteries participating in games run by the Multi-State Lottery Association (MUSL). Annex D will be expanded in future iterations of the WLA-SCS to include requirements for other multi-jurisdictional games.
For a better understanding of changes occurred from WLA-SCS:2016 and WLA-SCS:2020 download the documents here below:
The WLA SCS couples a comprehensive information security management baseline incorporating ISO/IEC 27001, a leading international standard for information security management, with additional lottery-specific security controls representing current best practice.
From October 2020 WLA members who perform a WLA-SCS assessment and hold a valid and current ISO/IEC 27001 certificate obtain the WLA-SCS Level 2 certificate.
Contemporarily, those lotteries and sports betting operators who are approaching the certification for the first time and prefer a more graded path, there is the possibility to obtain the WLA-SCS Level 1 certificate, which requires the assessment of all applicable controls of WLA-SCS:2020, excluding the ISO/IEC 27001 certificate as a prerequisite. The WLA-SCS Level 1 certificate is not available for suppliers.
Another important goal reached by the WLA SRMC in 2020 is the partnership with the Multi-State Lottery Association. From October 2020 US lotteries certified to MUSL Rule 2 automatically qualify for the WLA-SCS Level 1 certificate. The automatic recognition is available for three years (i.e. until November 1, 2023), after which time lotteries certified to MUSL Rule 2 seeking WLA-SCS:2020 certification must explicitly certify to the WLA-SCS:2020 following the regular procedures contained in the WLA-SCS Guide to Certification.
Contemporarily, the MUSL board has approved an update to the MUSL Rule 2 that will allow U.S. lotteries to use the WLA-SCS certificate to count as evidence of compliance for certain parts of the MUSL Rule 2.
With the write-in ballot and the subsequent adoption of the WLA-SCS:2020 by the WLA General Assembly in October 2020, the WLA SRMC established the following transition periods.
For initial certifications, the WLA SRMC established a transition period of six months, which extends until April 30, 2021. During this period, WLA members that request to be WLA-SCS certified can choose to certify to either the WLA-SCS:2016 or the WLA-SCS:2020.
Initial certifications completed after April 30, 2021 must be to the WLA-SCS:2020.
For recertifications and annual review assessments the WLA SRMC established a transition period of two years, which extends until October 31, 2022. During this period, WLA members can choose to perform recertifications or annual review assessments based to either the WLA-SCS:2016 or the WLA-SCS:2020.
Recertifications and annual review assessments completed after October 31, 2022 must be to WLA-SCS:2020.
If a WLA-SCS:2016 certified member chooses to recertify to the WLA-SCS:2020 within the framework of an annual review assessment, all the new controls of the WLA-SCS:2020 must be assessed in addition to the controls originally scheduled for the annual review assessment.