WLA (World Lottery Association)
Security Control Standard for the Lottery Industry
Contents
- Introduction
- Overview
- Global adoption
- Benefits
- Auditing
- Choosing a registrar
- Route to registration
- Costs
- Contributing editor
Introduction
The World Lottery Association (WLA) is an international trade organization that represents over 140 lotteries and 60 lottery suppliers from 90 countries on all five continents. Lottery members must be licensed or authorized to conduct lotteries and/or sports betting operations by the jurisdiction in which they trade. The WLA offers a range of services to its members that provide them with the knowledge needed to help them grow their individual businesses.
The World Lottery Association (WLA) Security Control Standard (WLA SCS for short) is an industry-specific, comprehensive set of security controls for the regulated lottery sector. Certification to the WLA SCS is open only to lottery organizations and lottery suppliers that are members of the WLA. The standard also includes requirements for compliance with the ISO/IEC 27001 Standard for Information Security Management Systems (ISMS).
Certification to WLA SCS verifies risk management strategies and processes. It also clearly demonstrates to the respective stakeholders that a lottery organization has effective security measures in place that can be trusted and shows government regulators that the organization is committed to security and integrity through the compliance with an independent accreditation.
Confidence in a lottery operation is essential. Therefore, to retain the confidence of the players and other stakeholders, lottery organizations need to develop and maintain a visible and documented security environment. The WLA Security Control Standard incorporates baseline requirements and controls within the organization’s overall security and risk management process – and avoids overlaps with more general security certifications. It provides lottery security professionals with a process to formally manage, update, and continuously improve their security controls.
Overview
The WLA SCS is the lottery sector’s only internationally recognized security standard. Built on the ISO/IEC 27001:2005, the leading international standard for information security management, the WLA SCS has two parts.
The first part of the WLA SCS (WLA SCS:2006 Part A – General Security Requirements) incorporates the ISO/IEC 27001:2005, with a further 24 general security controls adjoined.
The second part of the WLA SCS (WLA-SCS:2006 Part B – Lottery-Specific Security Controls) furnishes an additional 72 lottery-specific security controls representing current security best practice. In total, the WLA SCS specifies the minimum requirements necessary for the effective management of security in a lottery organization. Compliance with the WLA-SCS enables an organization related to the lottery sector to ensure the integrity, availability, and confidentiality of information vital to its secure operations or services.
The steps involved in certifying your organization include:
- Obtain the Standard documents: Obtain and read a copy of both Standards – the ISO 27001 and the WLA-SCS to familiarize yourself with the requirements. WLA members can get a copy of the WLA Security Control Standard on the World Lottery Association’s website (within the member section) or contact the WLA head office at info@world-lotteries.org.
- Assemble a team and define your core policies: The adoption of an information security management system must be a strategic decision for the entire organization. In addition to having a dedicated team for the establishment and implementation of your information security management system, it is crucial that top management is involved in the steering process.
- Consider external help: Pitfalls and costly initiatives can be avoided through the help of an experienced consulting firm. The costs of an external consultant may easily be compensated through the shortening of the development and implementation processes. One may also gain the satisfaction that the job was done correctly.
- Develop required policies and procedures: Both the WLA SCS and the ISO 27001 require certain policies and procedures to be developed. Carefully review the related requirements and draft those documents in line with the specific needs of your business.
- Implement your security management system: Involvement of departments, continuing communication, education and training are key elements to a successful implementation. During the implementation phase, people in the organization must be working in line with the policies and procedures that were developed to demonstrate the implementation of the management system.
- Select a certification body/auditor: Your business relationship with the certification body/registrar will be in place for many years, as compliance with your certification must be maintained. In this age of corporate scrutiny, it is imperative to choose a registrar with a reputation beyond reproach. The selection of an ISO 27001 certification body can be freely made. For WLA SCS certification however, only WLA approved auditors are accepted. The information about the approved auditors can be found on the WLA homepage in the member section. Consideration should be given to the possibilities of integrated audits, meaning that the same auditor combines the audit of ISO 27001 and WLA SCS, which will make the process simpler and cheaper.
When you have implemented your information security management system and prepared it for certification, you are ready to approach the certification body to start with the formal certification and auditing process.
Is WLA SCS relevant to your organization?
The WLA-SCS is the information security standard specific to the lottery industry; it covers the dedicated security requirements of lottery gaming business processes. To be able to apply for certification, the organization must be either a WLA member or a WLA associated member in line with WLA statutes.
Lottery organizations implementing multi-state lottery games also very often make WLA SCS certification a requirement, thereby assuring that a solid level of security is in place.
For WLA associate members (e.g. suppliers) the WLA SCS certification is becoming increasingly important, as almost all procurements for services by lotteries require security compliance. Therefore this is going to be a business must in the future.
Global adoption
Within the lottery environment, currently more than 40 WLA member organizations and 5 WLA associated member organizations are certified. The numbers are steadily growing.
Benefits
- A pro-active, systematic approach to analyzing the organization is taken in order to determine and avoid information security risks or other risks to the organization even before they arise.
- Implementing an Information Security Management System can motivate staff by defining their key roles and responsibilities.
- Processes will be reviewed and made more efficient through the systematic and continuous improvement processes.
- All information security requirements can be drafted in accordance with business needs, best practices and existing risks.
- You can demonstrate to your shareholders and government regulators that you have implemented highly regarded processes in line with renowned ISO and industry standards.
Auditing
Two types of auditing are required to become registered to the WLA SCS: audits by internal staff trained for this process (internal audits), to confirm that the requirements are effectively implemented, and an audit by an external certification body (the external or certification audit). The aim is a continual process of review and assessment: to verify that the Information Security Management System is working as intended, to find out where it can be improved, and to correct or prevent identified problems. Auditors may not audit their own work. Cross-auditing outside one’s own department creates a good basis for shared experience and knowledge within the organization.
External auditors must be approved by the WLA in advance to ensure sufficient lottery related know-how and experience.
Choosing a registrar
There are currently about eight (8) WLA approved certification bodies globally. It is important to select a WLA approved certification body and auditor and to ensure they meet the following criteria:
- Ensure the company is accredited to ISO/IEC 17021:2006, and that the certification body accreditation is issued by a recognized competent body
- Ensure the company is familiar with the WLA Guide to Certification (see WLA website)
- Receive quotations from several certification bodies
- Do not select the cheapest or the easiest as their auditing or service may be below standard
- Ensure the certification body is recognized and their auditors provide significant lottery experience
- Consider asking certified industry peers about their experience
Route to registration
There are various phases to registration:
- Pre-audit assessment: This optional assessment will help the organization get to know the auditor in person as well as allow the auditor to familiarize himself with the details of the organization seeking certification. The activities of the auditor typically include:
  - A documentation review: Together, you and your auditor will review your documentation. This will ensure that all documented policies and procedures are in place and cover the requirements of the related standards.
  - Physical walk-around at the facility: This will help the auditor to understand certain physical risks and potentially point to areas that need improvement before the certification audit.
  - Determine the date of assessment: Together with your auditor, you will determine the best timetable for your registration and agree on a date for the initial assessment. Many organizations benefit from the pre-assessment "dry run" of the formal assessment.
- Initial assessment conducted: An initial assessment will be conducted by your auditor. This initial assessment will consist of two separate audit visits:
  - Stage 1 Audit (also known as “Desk-Top or Documentation review”): The objective of the Stage 1 visit is to confirm that the management system has been formally and correctly established, in line with the requirements of the standards. This includes a formal review of all the policies and procedures against the Standard requirements and typically takes one or two days.
  - Stage 2 Audit (also known as “Implementation audit”): The objective of this audit is to verify how your own policies and procedures have been implemented within the organization. This is done through interviews, observation and testing of areas. You will be informed of the auditor’s recommendation for certification at the closing meeting.
- Registration Confirmation: Following your auditor’s recommendation, your registration will be confirmed by the WLA.
- Certificate Issued: Your certificate of registration will arrive soon after your registration has been confirmed.
- Continuing Assessment: After registration your nominated auditor will visit your organization every 12 months to ensure that your management system continues to meet the requirements of ISO 27001 and WLA-SCS.
- Reassessment: The certification body is required to perform a complete re-assessment of your information security management system every three years. This normally takes about two thirds of the initial assessment duration, and at the end of the closing meeting your auditor will confirm whether you were successful. The World Lottery Association will issue a new WLA SCS certificate.
Costs
The largest cost of implementing an information security management system along with the WLA SCS requirements is the internal cost within the organization to (re-)structure processes, optimize certain tasks and eventually make some investments in security controls (physical or administrative). The costs for the internal resources (e.g. Security Manager tasks, internal audits, training, etc.) are however quickly amortized by the benefits, as certain problems are avoided upfront or do not recur.
There could be certain costs for external consultants, who would potentially bring experience, best practice knowledge, sample documents, training help and other benefits into the process. They would also accelerate the overall initiative, provided the organization can follow the processes accordingly. In addition, certain costs for useful tools could arise.
The certification costs are dependent upon the size of the organization, specifically the number of personnel within the scope of registration as well as the number of site locations. These factors along with the complexity and risk situation of the organization will determine the number of audit days (initially and ongoing). Typically the certification body charges a day rate per audit day along with some annual administrative fees. The WLA also charges an administrative fee for handling the certificate and managing the WLA SCS program on an annual basis. This is invoiced by the WLA directly to the WLA member when the certificate is issued.
The initial audit and the reassessment audit after three years are more comprehensive audits and will take longer. The regular continuing assessment (annual) audits are less complicated and therefore shorter in duration.
Contributing editor
Tony Steinegger
Tony Steinegger, Managing Director of SIT-CON GmbH, is a qualified and certified ISO 27001 and WLA-SCS Lead Auditor. In this capacity he has audited numerous lottery organizations and has helped gaming organizations become successfully certified through the provision of consulting services. As a member of the Austrian Standards Institute expert group supporting the improvements on the ISO 2700x standards globally, he shares his experience in furthering the WLA Standard.
Tony was instrumental in drafting and developing the WLA Security Control Standard in 2006 for the WLA, through sharing his experience of more than 18 years of working within the lottery and gaming industry.