Public Safety and Protection of Assets
The overall intent of this theme is to ensure that assets (e.g., gaming equipment and systems) are protected and that customer information and funds are safeguarded.
The identified regulatory risks under this theme are:
- People are not safe;
- Assets and customer information are not safeguarded; and
- Unauthorized individuals have access to prohibited areas.
IT Standards
Information Technology
5.01 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements. (Also applicable to Gaming-Related Suppliers)
Security Management
5.02 Users shall be granted access to the gaming system based on business need. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Access privileges are granted, modified and revoked based on employment status and job requirements and all activities associated with these actions are logged.
- Access privileges are independently reviewed and confirmed on a periodic basis.
5.03 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual, either through the assignment of uniquely assigned accounts to individual users or such other reasonable method. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All system accounts (or other accounts with equivalent privileges) shall be restricted to staff that provide IT support, and mechanisms shall be in place to secure and monitor use of those accounts.
5.04 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts. (Also applicable to Gaming-Related Suppliers)
5.05 Industry accepted components, both hardware and software, shall be used where possible. (Also applicable to Gaming-Related Suppliers)
5.06 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system. (Also applicable to Gaming-Related Suppliers)
5.07 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Operators shall ensure that a disaster recovery site is in place.
5.08 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets. (Also applicable to Gaming-Related Suppliers)
5.09 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All users shall be authenticated.
- The appropriateness and effectiveness of steps taken to harden technology components shall be regularly assessed.
- Patches to correct any security risks shall be updated regularly.
5.10 Security monitoring activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Attempts to attack, breach or access gaming system components in an unauthorized manner shall be responded to in a timely and appropriate manner.
- Intrusion attempts shall be actively detected and where possible prevented from causing disruption or outage of the gaming system.
- There shall be adequate logging to capture and monitor any attempts to attack, breach or access in an unauthorized manner any components of the gaming system. There shall be an appropriate escalation procedure.
5.11 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components. (Also applicable to Gaming-Related Suppliers)
5.12 Operators and gaming related suppliers must inform themselves of the current threats and risks to the security, integrity, and availability of the gaming systems and related components that they operate or supply. Operators must have in place policies and procedures to mitigate such risks and threats. Gaming related suppliers must inform their customers of any material threat or risk to the security or integrity of the gaming systems that they supply or operate. (Also applicable to Gaming-Related Suppliers)
Change Management
5.13 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house. (Also applicable to Gaming-Related Suppliers)
5.14 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met. (Also applicable to Gaming-Related Suppliers)
5.15 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended. (Also applicable to Gaming-Related Suppliers)
5.16 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All gaming system technology components are installed and maintained in accordance with the appropriate change management procedures.
- Requests for changes and maintenance of the gaming system are standardized and are subject to change management procedures.
- Emergency changes are approved, tested, documented, and monitored.
- Change management procedures shall account for segregation of duties between development and production.
- Only dedicated and specific accounts may be used to make changes.
5.17 Operators must have both preventative and detective measures in place to ensure that no unauthorized or unintentional changes are made to the gaming system.
Requirement — At a minimum:
- There must be a mechanism to validate that installed software is the certified software.
5.18 Post implementation reviews shall be performed to ensure that changes have been correctly implemented and the outcomes shall be reviewed and approved. (Also applicable to Gaming-Related Suppliers)
5.19 All change related documentation and information shall be captured, stored and managed in a secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.20 The implementation of software related updates, patches or upgrades shall be regularly monitored, documented, reviewed, tested and managed with appropriate management oversight and approval. (Also applicable to Gaming-Related Suppliers)
5.21 A mechanism shall be in place to regularly monitor, document, review, test and approve upgrades, patches or updates to all gaming-related hardware components as they become end of life, obsolete, shown to have weaknesses or vulnerabilities, are outdated or have undergone other maintenance. (Also applicable to Gaming-Related Suppliers)
5.22 Appropriate release and configuration management processes with support systems shall be in place to support both software and hardware related changes. (Also applicable to Gaming-Related Suppliers)
5.23 Only dedicated and specific accounts may be used to make changes. (Also applicable to Gaming-Related Suppliers)
Data Governance
5.24 Data governance shall be in place to address data processing integrity and protection of sensitive data. (Also applicable to Gaming-Related Suppliers)
5.25 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The gaming system shall ensure that data is appropriately backed up in a manner that allows it to be completely and accurately restored.
- Data backups shall be stored off-site in a secure location and in accordance with applicable policies and laws.
5.26 Player information shall be securely protected and its usage controlled.
Requirements – At a minimum:
- Data collection and protection requirements for player personal information shall meet those set out in the Freedom of Information and Protection of Privacy Act.
- Player personal information shall only be used for the lottery schemes conducted and managed respectively by the OLG or iGaming Ontario, unless there is prior approval.
5.27 Communication of sensitive game data shall be protected for integrity. (Also applicable to Gaming-Related Suppliers)
5.28 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring and responding to security and processing integrity events. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- Proactive monitoring and detection of errors in the gaming system and related components shall be in place. Action shall be immediately taken to correct incidents of non-compliance with the Standards and Requirements or control activities.
- There shall be time synchronization of the gaming system environment and related components.
- Event data shall be retained to provide chronological information and logs to enable the reconstruction, review and examination of the time sequences of processing.
Architecture and Infrastructure
5.29 The gaming system architecture and all its related components shall demonstrate security in depth. (Also applicable to Gaming-Related Suppliers)
5.30 All gaming systems and devices shall validate inputs before inputs are processed. (Also applicable to Gaming-Related Suppliers)
5.31 The gaming system shall only display the minimum information about the gaming system to unauthorized users and during system malfunctions to minimize the risk of compromising the gaming system or the privacy of information. (Also applicable to Gaming-Related Suppliers)
5.32 All remote access methods shall be appropriately secured and managed. (Also applicable to Gaming-Related Suppliers)
5.33 Use of wireless communication shall be secured and only used where appropriate. (Also applicable to Gaming-Related Suppliers)
Guidance: The intent is to ensure that wireless communication is not present in areas where it could be potentially harmful (e.g. data centres).
5.34 All components shall be hardened as defined by industry and technology good practices prior to going live and as part of any changes. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- All default or standard configuration parameters shall be removed from all components where a security risk is presented.
5.35 Access shall be appropriately restricted to ensure that the domain name server records are kept secure from malicious and unauthorized changes. (Also applicable to Gaming-Related Suppliers)
Data and Information Management
5.36 All private encryption keys shall be stored on secure and redundant media that are only accessible by authorized management personnel. (Also applicable to Gaming-Related Suppliers)
5.37 Encryption algorithms and key lengths shall be regularly assessed for security vulnerabilities. (Also applicable to Gaming-Related Suppliers)
5.38 The gaming system architecture shall limit the loss of data and session information. (Also applicable to Gaming-Related Suppliers)
System Account Management
5.39 The gaming system shall be able to change, block, deactivate or remove system accounts in a timely manner upon termination, change of role or responsibility, suspension or unauthorized usage of an account. (Also applicable to Gaming-Related Suppliers)
5.40 A secure authenticator that meets industry good practices shall be used to identify users and their accounts to ensure that only authorized individuals are permitted to access their system account on the gaming system. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The gaming system shall automatically lock out accounts where any identification and authorization requirement is not met after a defined number of attempts.
- Multi-factor authentication shall be implemented as part of a secure authenticator.
5.41 The gaming system shall ensure that all access to the system is fully attributable to, and logged against, a unique user identification. (Also applicable to Gaming-Related Suppliers)
5.42 Only the minimum access rights shall be granted to each system account on the gaming system and access rights shall be clearly documented. (Also applicable to Gaming-Related Suppliers)
5.43 All temporary and guest accounts shall be disabled immediately after the purpose for which the account was established is no longer required. (Also applicable to Gaming-Related Suppliers)
5.44 System accounts and system access rights for the gaming system shall be regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.45 A log of account owners shall be kept and regularly reviewed and updated. (Also applicable to Gaming-Related Suppliers)
5.46 A mechanism shall be in place to ensure that the assignment of administrator accounts is approved by the Operator’s management and that usage is monitored for appropriateness. (Also applicable to Gaming-Related Suppliers)
5.47 Inappropriate use of system accounts on the gaming system shall be logged, reviewed and responded to within a reasonable period of time. (Also applicable to Gaming-Related Suppliers)
5.48 Inappropriate use of administrator accounts shall be reported to the Registrar in accordance with the notification matrix. (Also applicable to Gaming-Related Suppliers)
Software
Note: The following Standards apply to the following types of software: 1) Modified commercial off-the-shelf software, 2) Proprietary developed software, and 3) software specifically developed by the OLG or iGaming Ontario.
5.49 Software used for the gaming system shall be developed using industry good practices. (Also applicable to Gaming-Related Suppliers)
5.50 Software development methodologies used shall be clearly documented, regularly updated and stored in an accessible, secure and robust manner. (Also applicable to Gaming-Related Suppliers)
5.51 An appropriate system shall be in place to manage the software development and ongoing software management lifecycle. (Also applicable to Gaming-Related Suppliers)
5.52 All software development roles shall be segregated during and after release of code to a production environment. (Also applicable to Gaming-Related Suppliers)
5.53 An appropriate audit trail of authority and management review of code for software shall be established. (Also applicable to Gaming-Related Suppliers)
5.54 Controls shall be in place to ensure software is appropriately secured and access is appropriately restricted throughout development. (Also applicable to Gaming-Related Suppliers)
5.55 Authorized management staff shall review and approve software documentation to ensure that it is appropriately and clearly documented.
5.56 Source code and compiled code shall be securely stored. (Also applicable to Gaming-Related Suppliers)
Guidance: Compiled code could be digitally signed or hashed (including each time there is a change) in a manner that allows for external verification.
5.57 The promotion or movement of code from testing through other environments to production shall be accompanied by the appropriate documentation and approvals. (Also applicable to Gaming-Related Suppliers)
5.58 All promotion of code from development to production shall only be performed by production support staff and not by development staff. (Also applicable to Gaming-Related Suppliers)
5.59 Appropriate testing environments shall be in place to allow for thorough testing of any code before it is put into production. (Also applicable to Gaming-Related Suppliers)
5.60 Access to production environments shall be restricted from development personnel. (Also applicable to Gaming-Related Suppliers)
Note: This does not preclude granting of temporary supervised access for conducting technical investigations that may only be performed on the production environment.
5.61 Development code shall not be present in the production environment. (Also applicable to Gaming-Related Suppliers)
5.62 A mechanism shall be in place to verify the integrity of the software that is deployed to production, including before changes are implemented, as well as on an ongoing basis. (Also applicable to Gaming-Related Suppliers)
5.63 Appropriate release and configuration management systems shall be in place to support software development. (Also applicable to Gaming-Related Suppliers)
5.64 All code developed by a third party shall be tested to ensure it meets industry good practices and that it performs to meet its purpose prior to being added to the testing environment and prior to integration testing. (Also applicable to Gaming-Related Suppliers)
5.65 All code developed by a third party shall pass integration testing before it is added to production. (Also applicable to Gaming-Related Suppliers)
5.66 Mechanisms shall be in place to ensure that bugs are identified and addressed prior to, and during, production. (Also applicable to Gaming-Related Suppliers)
5.67 Quality assurance processes, including testing, shall take place during development and prior to the release of any code. (Also applicable to Gaming-Related Suppliers)
5.68 All components, where appropriate, shall be tested for the purposes for which they will be used. (Also applicable to Gaming-Related Suppliers)
Funds Management
Deposits
5.69 Players may be permitted to deposit funds into their player accounts only after the appropriate verifications and authorization.
Requirements – At a minimum, deposits shall be verified and authorized to ensure the following:
- Deposits made are appropriately authorized by a financial services provider.
Note: Cryptocurrency is not legal tender and shall not be accepted.
Withdrawals
5.70 Players are permitted to withdraw funds from their player account only after the appropriate verifications and authorization.
Requirements – At a minimum:
- Withdrawals shall be verified and authorized to ensure the following, before a withdrawal is permitted:
- The withdrawal is being made by a holder of the account; and
- The withdrawal is being transferred to an account of which the player is a legal holder.
5.71 Players are permitted to withdraw funds from their player account in an accurate and complete fashion and as soon as is practicable, subject to appropriate authorization and verification.
Funds Maintenance and Transactions
5.72 Player funds shall be clearly and appropriately managed.
5.73 All player funds deposited in respect of igaming lottery schemes conducted and managed by the OLG shall be held in an OLG account. iGaming Ontario shall take steps to ensure that all player funds deposited in respect of igaming lottery schemes conducted and managed by iGaming Ontario are subject to oversight by iGaming Ontario and available to players.
5.74 Operators shall not extend credit or lend money to players or refer players to credit providers or imply or infer that a player should seek additional credit to play games.
5.75 No player’s account is permitted to have a negative funds balance. A player’s account with a negative funds balance must be suspended and no transactions permitted after the negative funds balance arises. No transaction is permitted until the negative funds balance is eliminated. No bet will be accepted that could result in a negative funds balance.
Guidance: This Standard is not intended to prohibit the resettlement of bets when reasonable and necessary.
5.76 Players shall be provided with a clear and accurate representation of their funds account balance that is easily accessible and readily available at all times. (Also applicable to Gaming-Related Suppliers)
Requirements – At a minimum:
- The player balance shall be displayed in Canadian dollars.
5.77 Players shall be provided with unambiguous information about all player account fees prior to making a withdrawal or deposit.
5.78 Players shall be informed clearly and specifically of all rules and restrictions regarding deposits and withdrawals and access to funds in connection with deposits and withdrawals.
5.79 Funds shall not be transferred between player accounts.
5.80 Adjustments to player accounts shall be made accurately and only by authorized individuals.
5.81 Adjustments to player accounts shall be recorded and logged in an accurate and complete manner. (Also applicable to Gaming-Related Suppliers)
5.82 Players shall be provided with accurate, clear and specific reasons for any adjustments made to their accounts. (Also applicable to Gaming-Related Suppliers)