
Resolution of 12 July 2012, of the Directorate-General for the Regulation of Gambling, approving the provision that establishes the model and content of the final certification report of the technical systems of gambling operators ...

Original Language Title: Resolución de 12 de julio de 2012, de la Dirección General de Ordenación del Juego, por la que se aprueba la disposición que establece el modelo y contenido del informe de certificación definitiva de los sistemas técnicos de los operadores de ju...


TEXT

Law 13/2011, of 27 May, on the regulation of gambling, establishes the regulatory framework for gambling activity, in its various modalities, carried out at state level, in order to guarantee the protection of public order, combat fraud, prevent addictive behaviour, protect the rights of minors and safeguard the rights of participants in games.

Article 16 states that "the entities that carry out the organisation, exploitation and development of the games regulated by Law 13/2011, of 27 May, on the regulation of gambling, must have the software, equipment, systems, terminals and instruments in general necessary for the development of gambling activities, duly approved", and assigns to the National Gaming Commission the approval of technical gaming systems, the establishment of the specifications necessary for their operation and the procedure for their certification.

For its part, Royal Decree 1613/2011, of 14 November, implementing Law 13/2011, of 27 May, on the regulation of gambling, as regards the technical requirements of gambling activities, establishes in its Article 6.1, in fine, that the National Gaming Commission "may, for the purpose of approvals, rely on reports certifying the adequacy of the operator's technical gaming systems issued by entities designated for that purpose". Likewise, Article 8.1 of Royal Decree 1613/2011 provides that the National Gaming Commission shall establish the minimum content of the reports issued by the entities designated for the certification of technical gaming systems.

It should be noted that the first final provision of Royal Decree 1613/2011 assigns to the National Gaming Commission the development of certain technical aspects of the marketing of the gambling activities covered by Law 13/2011, of 27 May, on the regulation of gambling.

This Resolution, issued in compliance with the mandate of Article 8 of Royal Decree 1613/2011, aims to establish the minimum content of the final certification reports of the entities designated to issue them, as well as the models to be used by those entities.

In application of the transitional provision of Law 13/2011, of 27 May, on the regulation of gambling, it falls to this Directorate-General for the Regulation of Gambling of the Ministry of Finance and Public Administrations to develop and specify the technical requirements laid down in Law 13/2011 and in Royal Decree 1613/2011, of 14 November, which implements it.

This provision was submitted to a hearing on 22 May 2012, with submissions made by GLI Europe B.V., Quinel, Quality in Electronics, Epoche and Espri, S.L., Spread your wings Spain, Plc., Bet365 Group Limited, Remote Gambling Association, PT Entertainment Online Ead., Betfair International, Plc and Electraworks Spain, Plc.

Likewise, on 29 May 2012, a report was requested from the State Attorney's Office at the Secretariat of State for Finance, and a favourable report was obtained on 4 July 2012.

In view of the foregoing, the Directorate-General for the Regulation of Gambling of the Ministry of Finance and Public Administrations resolves:

First.

To approve the provision establishing the model and content of the final certification report for the technical gaming systems of operators authorised in Spain, which is attached as Annex I to this Resolution.

Second.

To approve Annexes II, III, IV, V, VI and VII, which accompany this Resolution.

Third.

References made to the National Gaming Commission in the provision approved by this Resolution shall be understood as references to the Directorate-General for the Regulation of Gambling of the Ministry of Finance and Public Administrations. References to the President of the National Gaming Commission shall be understood as references to the Director General for the Regulation of Gambling.

Fourth.

This Resolution shall enter into force on the day following its publication in the "Official State Gazette".

Against this Resolution, pursuant to Articles 114 and 115 of Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and the Common Administrative Procedure, interested parties may lodge an appeal with the Secretary of State for Finance within one month from the day following its publication.

Madrid, 12 July 2012. The Director General for the Regulation of Gambling, Enrique Alejo González.

INDEX

Annex I. Provision establishing the model and content of the final certification report of the technical systems of gambling operators and developing the change management procedure.

First. Object and scope.

Second. Definitions.

Third. Procedure and time limit for the approval of technical gaming systems.

Fourth. Description of the licensed technical system.

Fifth. Certification reports.

Sixth. Gambling service providers.

Seventh. Functionality certification report.

Eighth. Security certification reports.

Ninth. Compliance with personal data protection regulations.

Tenth. Change management procedure for the technical gaming system.

Eleventh. Digital fingerprints.

Annex II. Descriptive questionnaire of the licence.

Annex III. Model and minimum content of the functionality certification report.

Annex IV. Model and content of the security certification report.

Annex V. List of functionality technical requirements.

Annex VI. Minimum set of integration tests.

Annex VII. List of security technical requirements.

ANNEX I

Provision establishing the model and content of the final certification report of the technical systems of gambling operators and developing the change management procedure

First. Object and scope.

This provision aims to establish the minimum model and content of the final certification report on compliance with the requirements laid down in the current regulations for the technical gaming systems used for the development and exploitation of the games covered by the corresponding general or singular licence.

The final certification report shall be issued by one or more of the entities designated for this purpose by the National Gaming Commission and shall serve the purpose of obtaining the approval of the operators' technical gaming systems. A report shall be submitted for each general or singular licence granted to the operator concerned.

The final certification report, whose minimum model and content are set out in this provision, covers the certification of the technical gaming systems of operators holding general licences for the development and exploitation of the types of gambling referred to in points (c), (e) and (f) of Article 3 of Law 13/2011, of 27 May, on the regulation of gambling, and with respect to the types of game regulated up to the date of its publication.

The type-approval of ancillary physical terminals is not covered by this provision.

Likewise, this provision develops the change management procedure referred to in Article 8.4 of Royal Decree 1613/2011, of 14 November, implementing Law 13/2011, of 27 May, on the regulation of gambling, as regards the technical requirements of gambling activities, in addition to the provisions of paragraph 4.13 of the Resolution of 16 November 2011 of the Directorate-General for the Regulation of Gambling, approving the provision that develops the technical specifications to be met by technical gaming systems.

Second. Definitions.

For the purposes of this provision, the terms used shall have the meaning set out in paragraph 1.2 of the provision developing the technical specifications to be met by the technical gaming systems subject to licences granted under Law 13/2011, of 27 May, on the regulation of gambling, approved by Resolution of the Directorate-General for the Regulation of Gambling of 16 November 2011 ("BOE" of 18 November 2011).

Third. Procedure and time limit for the approval of technical gaming systems.

The initial approval of technical gaming systems will be carried out within the framework of the procedure for granting general and singular licences.

The final certification report or reports on the operator's technical gaming systems must be submitted by the person concerned within four months of the notification of the Resolution granting the general licence or the provisional singular licence.

The final certification report consists of the following documents:

a) Description of the licensed technical system, completed by the operator.

b) Definitive functionality certification report.

c) Definitive security certification report.

d) Report on the operator's compliance with personal data protection regulations.

The approval procedure shall be initiated when the final certification report is entered in the General Register of the Ministry of Finance and Public Administrations in the manner established in Article 38.4 of Law 30/1992, of 26 November, on the Legal Regime of Public Administrations and the Common Administrative Procedure. Procedures will be initiated in the order in which the reports are received.

The final certification report and any additional documentation and reports must be submitted in electronic form. Only the identification of the certification, the object of the certification and its executive summary shall be submitted on paper, duly signed by the person or persons authorised by the certification entity.

If the operator submits the certification report electronically, it shall ensure that the report is signed with a recognised electronic certificate accepted within the sphere of the General State Administration, in accordance with Law 11/2007, of 22 June, on electronic access of citizens to Public Services, and its implementing regulations.

The National Gaming Commission may require from interested parties as much documentation and information as it deems necessary to decide the approval procedure.

Once the final certification report has been received and favourably assessed, the National Gaming Commission will approve the technical gaming systems in accordance with Article 16 of Law 13/2011, of 27 May, on the regulation of gambling, within a maximum period of six months from the notification of the grant of the licence, without prejudice to the extension of that period by the time the person concerned has taken to respond to any requirements made by the National Gaming Commission following the submission of the final certification report.

Fourth. Description of the licensed technical system.

For the description of the licensed technical system, the following documentation must be provided:

-Updated description of the technical system.

-In the case of singular licences, the particular rules of the game.

-The descriptive questionnaire of the licence, setting out the scope of the technical gaming system being certified.

The questionnaire will include a reference to all the technical elements employed in the technical system for the development and exploitation of the game covered by the corresponding licence, the description of the technical infrastructure and the identification of the software elements used, with express reference to the manufacturer, product name and version.

Where certification entities are required to use the questionnaire in the certification reports, they must include the digital fingerprints of those elements classified as critical components.

The content of the questionnaire completed by the operator must match that of the final certification reports submitted. Otherwise, the operator must justify the differences.

Fifth. Certification reports.

The operator must submit a definitive certification report on the functionality of the technical gaming system and a definitive certification report on the security of the technical gaming system used for the development and exploitation of the game covered by the corresponding licence.

The final certification report on the functionality of the technical gaming system shall be issued by one of the entities designated by the National Gaming Commission for the certification of gaming software.

The final security certification report must be issued by one of the entities designated by the National Gaming Commission for the certification of information systems security.

The definitive certification reports must attest that the technical system effectively employed by the operator for the development and exploitation of the game covered by the corresponding licence meets the technical requirements demanded by the current gambling regulations, and must pronounce on the state of the technical gaming system as at the date of their submission.

The final certification reports to be provided by the operator after the grant of a general licence must cover the user register, the gaming account, the management of collections and payments, the internal control system and the different terminals or applications that allow participant access.

The final certification reports to be provided by the operator after the provisional grant of a singular licence must cover the game software and, where applicable, the random number generator, the internal control system and the different terminals or applications that allow participant access.

The operator concerned may submit a single certification report where it is applicable in the approval procedures of more than one of the licences granted to it. In that case, after the first submission of the certification report, a reference to its submission and the identification of the procedure in which it was submitted shall suffice.

The report will be written entirely in Spanish. The annexes, evidence or supporting documentation of the report may be provided in Spanish or in the original language in which they were written, in which case the National Gaming Commission may require the operator to provide, within ten days, a translation into Spanish of any of the annexes or documents initially provided in another language.

Sixth. Gambling service providers.

The technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the licence shall comprise the systems of all the gambling service providers involved in the complete solution.

The applicant operator shall be responsible for the approval of the complete technical gaming system and for the submission of the definitive certification reports, which shall be understood to cover the technical systems of all gambling service providers.

Seventh. Functionality certification report.

The final functionality certification report will assess compliance with the technical requirements by the technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the licence.

For general licences, a single report covering the full scope will be submitted.

For singular licences, several reports may be submitted when the software of the games or modalities included in one report is completely independent of the software of the games or modalities of the other reports. In any case, each report shall demonstrate compliance with all the technical requirements for the games and modalities included, as well as for the internal control system and the integration with the gaming platform.

The minimum model and content of the definitive functionality certification report is that set out in Annex III to the Resolution approving this provision.

The final functionality certification report will consist of at least three sets of tests or analyses:

a) Tests for the assessment of compliance with the technical requirements:

For the assessment of compliance with the technical requirements, the certification entity may choose the tests or evidence that it considers most appropriate. The list of technical requirements is set out in Annex V to the Resolution approving this provision.

The certification entity issuing the report may perform any of the tests referred to in an environment different from the one effectively employed by the operator for the development and exploitation of the game covered by the licence, but the certification issued must in any case refer to the technical gaming system effectively employed by the operator. Where environments other than the operator's are used, the certification entity must certify, under its own responsibility, that the results obtained in the test environment are extrapolable to those that would have been obtained had the tests been carried out in the technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the licence, having analysed that any differences between the test environment and the technical gaming system effectively employed do not affect the quality of the test results.

b) Specific analysis of relevant functionalities:

The certification entity must perform a specific analysis of certain functionalities of special relevance.

In the case of general licences, the identity checks and the checks of grounds for subjective prohibition will be analysed, and the measures to combat fraud and money laundering will be evaluated. In the case of singular licences, the game logic will be analysed and, where applicable, the return-to-player percentage and the random number generator.

c) Integration tests:

The certification entity must design and perform the integration tests necessary to demonstrate compliance with the requirements in the technical gaming system effectively employed.

Integration tests must always be carried out on the technical gaming system effectively used by the operator for the development and exploitation of the game covered by the licence; no different environment may be used for this purpose.

The set of integration tests must comprise at least those described in Annex VI to the Resolution approving this provision.

Integration tests are intended to analyse real data generated during the development and marketing of the gambling activity by the operator. These integration tests with real data require the technical gaming system to hold at least one month of data, and cannot be replaced by tests or simulations. Where, at the time of submission of the final certification report, the operator has not started the gambling activity, the report may be submitted without the results of the above tests, in which case the approval shall be conditional on the submission of those results and their favourable assessment by the National Gaming Commission. The results of the tests carried out to analyse real data generated during the development and marketing of the gambling activity, if not submitted together with the final certification report, shall be submitted within three months from the start date of the corresponding gambling activity.

The definitive functionality certification report will include a copy of the certified software binaries and the digital fingerprint of those components classified as critical.

Eighth. Security certification reports.

Security certification may only be carried out on the technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the corresponding licence, in relation to the procedures, processes, plans and security measures effectively implemented.

The operator may request from the certification entity a single security certification report covering the entire technical gaming system, so as to be able to use it in the approval procedures of each of the licences granted to it.

Where one or more gambling service providers form part of the technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the corresponding licence, the applicant operator shall submit a final certification report on the security of the technical infrastructure of each of those providers.

The minimum model and content of the definitive security certification report is that set out in Annex IV to the Resolution approving this provision.

The final security certification report will consist of two parts. In the first, the certification entity shall demonstrate compliance with the security requirements, the list of which is set out in Annex VII to the Resolution approving this provision. Partial validation of compliance with the technical security requirements shall be possible where the security management system being certified holds an ISO 27001 certification with the same scope, valid on the date of the application for approval. The security requirements that may benefit from this recognition are set out in Annex VII. The certification entity shall attach a copy of the ISO 27001 certificate, clearly stating its holder, the scope of the certification and its period of validity.

In the second part, the certification entity must perform a specific audit analysis of the list of critical components, change management, business continuity management and information loss prevention.

Ninth. Compliance with personal data protection regulations.

The operator will submit, together with the final certification report, a descriptive report on its compliance with personal data protection regulations.

This report will be unique per operator and will apply to the different general and singular licences it holds.

The National Gaming Commission, pursuant to Article 16.4 of Law 13/2011, of 27 May, on the regulation of gambling, will request a report from the Spanish Data Protection Agency.

Tenth. Change management procedure for the technical gaming system.

The operator must have a documented change management procedure that controls changes to the equipment and components of the technical gaming system effectively employed.

a) There will be a formal internal approval process for all changes, comprising the change request and its approval by the relevant decision-makers.

b) In the case of changes to critical components, it shall be assessed whether the change is substantial.

c) Change requests and the decisions taken will be recorded and may be the subject of subsequent audit.

d) Copies of the binaries of the software elements will be retained for all software versions used in the technical system effectively employed during the last four years. The National Gaming Commission may establish the obligation that the procedure for preserving the copies of the binaries include a digital fingerprint of the binaries.

Putting into production any substantial modification affecting a critical component will require the prior authorisation of the National Gaming Commission, upon submission of the corresponding certification report. The National Gaming Commission shall decide on the authorisation of substantial changes to critical components within one month from the date of receipt of the operator's request.

The National Gaming Commission may classify as critical components additional to those identified in the definitive certification reports or to those the operator has classified as such.

In extraordinary emergency situations affecting security, duly accredited and communicated to the National Gaming Commission, the operator may make substantial changes to critical components and request their authorisation afterwards. In such cases, for the purpose of obtaining approval, the operator shall submit to the National Gaming Commission, together with the certification report, a report setting out the exceptional circumstances and the security risk to the technical gaming system.

From the grant of the licence until the operator submits the definitive certification reports, changes to the technical gaming system will not require prior authorisation. If, with respect to the technical project evaluated to grant the licence, they constitute substantial changes, they shall be communicated to the National Gaming Commission 15 days in advance of their implementation. If the National Gaming Commission considers that any of the changes made do not comply with the gambling regulations, it may require their immediate withdrawal.

After obtaining approval, the operator shall compile a quarterly descriptive report of all changes made to the technical gaming system and notify it to the National Gaming Commission. It will include the following documentation:

-An executive summary, in Spanish, explaining in qualitative terms the changes made.

-The updated description of the licensed technical system, with the content described in the fourth paragraph of Annex I to the Resolution approving this provision.

The National Gaming Commission may establish the obligation that the quarterly descriptive report of all changes made to the technical gaming system include a digital fingerprint of the binaries.

The National Gaming Commission will ask the operator for information about the changes made.

If the National Gaming Commission considers any change made to critical components to be substantial, it will require the operator to proceed with the approval of the change, without prejudice to the possibility of requiring the operator to withdraw the change until the corresponding approval is obtained.

Eleventh. Digital fingerprints.

With regard to the procedure for obtaining the digital fingerprint of the software referred to in this Resolution, the following must be observed:

a) The SHA-1 algorithm shall be used, unless there is a technical justification for the convenience of using another algorithm, which must be authorised in advance by the National Gaming Commission.

b) The tool or procedure used to obtain the fingerprints, as well as the tool or procedure used to validate the fingerprints obtained, must be attached together with the fingerprints. The necessary tools must be enclosed on digital media, or the location from which they are publicly available free of charge must be indicated.

c) In the case of a patented or proprietary tool, the manner in which the National Gaming Commission and any other certification entity may obtain free access to and rights of use of the tool shall be justified.
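The fingerprint procedure of points a) to c) above, as an added worked example that is not part of this Resolution nor the tooling of any certification entity: a Python script that computes the fingerprint of every file under a directory of certified binaries, writes a manifest in the format of the freely available sha1sum/sha256sum tools (hex digest, two spaces, relative path), and verifies a tree against that manifest, reporting modified, missing and unlisted files (the kind of check the quarterly change report and the four-year binary retention in the tenth paragraph would be compared against). The directory layout, file names and file contents are constructed for the demonstration. It defaults to SHA-1 because that is what point a) requires; the `algorithm` parameter shows how the same manifest would be produced under another authorised algorithm, and a practitioner preparing the technical justification point a) asks for should note that practical SHA-1 collisions were demonstrated in 2017 (the SHAttered attack), which is the usual reason for proposing SHA-256 instead.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # stream binaries in 1 MiB chunks; large files need not fit in memory


def fingerprint_bytes(data, algorithm="sha1"):
    """Hex digest of an in-memory blob (SHA-1 by default, as point a) requires)."""
    return hashlib.new(algorithm, data).hexdigest()


def fingerprint_file(path, algorithm="sha1"):
    """Hex digest of a file on disk, computed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha1"):
    """Manifest of every regular file under root in sha1sum/sha256sum format:
    '<hex digest>  <relative posix path>' per line, sorted so the manifest is reproducible."""
    root = Path(root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{fingerprint_file(p, algorithm)}  {p.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Map relative path -> expected digest; blank lines and '#' comments are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel] = digest.lower()
    return expected


def verify_manifest(root, manifest_text, algorithm="sha1"):
    """Compare a tree against a manifest. Returns {relative path: 'mismatch' | 'missing' | 'unlisted'};
    an empty dict means the tree matches the certified fingerprints exactly."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    problems = {}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif fingerprint_file(p, algorithm) != digest:
            problems[rel] = "mismatch"
    # A file present in production but absent from the manifest was never fingerprinted
    # or certified, so it is reported just like a modified one.
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                problems[rel] = "unlisted"
    return problems


def demo(algorithm="sha1"):
    """Fingerprint a constructed set of 'binaries', tamper with the tree, and re-verify.
    Returns (problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rng").mkdir()
        # Constructed contents standing in for real certified binaries (assumed names).
        (root / "rng" / "librng.so").write_bytes(b"\x7fELF" + b"\x00" * 60 + b"constructed rng binary")
        (root / "game.bin").write_bytes(b"MZ constructed game logic binary")
        manifest = build_manifest(root, algorithm)
        before = verify_manifest(root, manifest, algorithm)
        # Simulate an unauthorised change to a critical component plus an uncertified extra file.
        (root / "game.bin").write_bytes(b"MZ constructed game logic binary, patched")
        (root / "extra.dll").write_bytes(b"constructed component that was never certified")
        after = verify_manifest(root, manifest, algorithm)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)  # {}
    print("after tampering:", after)    # {'game.bin': 'mismatch', 'extra.dll': 'unlisted'}
```

Because the manifest uses the coreutils layout, it can also be validated without this script by running `sha1sum -c manifest.txt` (or `sha256sum -c` for a SHA-256 manifest) in the directory of the binaries, which is one way of meeting point b)'s requirement that the validation tool be publicly and freely available.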

ANNEX II

Descriptive questionnaire of the licence

The questionnaire will collect information on the technical elements used in the technical system for the development and exploitation of the game covered by the corresponding licence.

The questionnaire may include, among others, the following information:

-Identification data of the operator and the licence.

-Description of the gambling offer.

-Description of the communication channels used.

-Description of the accepted means of payment.

-Description of the means used to perform identity checks and checks of subjective prohibition.

-Description of the gambling service providers.

-Description of the game software suppliers.

-Description of the technical infrastructure.

-Description of the software elements used.

-Description of the associated data.

-Description of the applications for participant access.

-Description of the physical terminals of an ancillary nature.

The questionnaire may also include any other data on the technical gaming system that is relevant to the approval activity.

To facilitate its completion, it will be published in electronic form on the website of the National Gaming Commission.

The National Gaming Commission may update the content and format of the questionnaire. The questionnaire to be used will in any case be the latest one published.

ANNEX III

Model and minimum content of the functionality certification report

The definitive functionality certification report is structured in the following sections and will present at least the content indicated below:

1. Identification of the certification.

2. Description of the object of the certification.

3. Executive summary of the functionality certification.

4. Detail of compliance with the technical requirements.

5. Detail of the specific analyses.

6. Detail of the integration tests.

7. Description of the place, equipment and dates on which the certification work was carried out.

8. Description of any environments used in the tests that differ from the one effectively employed by the operator for the development of the gambling activity.

9. Description of the digital media that will accompany the certification report.

1. Identification of the certification

The first page of the report will detail the following:

a) Type of certification report: "Final functionality certification report".

b) The report identification code: the identification code of the report shall be unique and shall allow it to be referenced unambiguously and distinguished from any other report issued by the certification entity. Each time the certification entity makes any change to a report, it must generate a new identification code for it.

c) Identification data of the certification entity.

d) Identification data of the person(s) signing the report on behalf of the certification entity.

e) Dates on which the certification work was carried out.

f) Date of issue of the certification report.

2. Description of the object of the certification

The object of the certification will set out the scope of the technical gaming system being certified, and will include the reference to the technical elements used in the technical system for the development and exploitation of the game covered by the corresponding licence, the description of the technical infrastructure and the identification of the software elements used, with express reference to the manufacturer, product name and version, as well as the identification of the element of the technical infrastructure on which they are installed.

To this end, the certification entity shall complete the descriptive questionnaire of the licence referred to in Annex II to the Resolution approving this provision. The questionnaire must also be enclosed in electronic form.

3. Executive summary of the functionality certification

3.1 Overall rating of the functionality.

An overall rating of compliance with the technical requirements by the technical gaming system effectively used by the operator for the licence shall be included. The rating may be "Compliant" or "Not compliant".

This rating may only be "Compliant" when the certification entity considers that the technical gaming system effectively used by the operator for the licence complies with all the requirements resulting from the application of the regulations.

3.2 Summary table of compliance with the technical requirements.

The areas of requirements that must be certified for each licence are described in Annex V to the Resolution approving this provision.

For each requirement, a rating will have been obtained, which may be "Compliant", "Not compliant" or "Not applicable".

The technical requirements are grouped by area.

The executive summary will present a summary table with the number of requirements receiving each rating for each area.

The ratings will be detailed as follows:

Area | Number of requirements | Number of compliant requirements | Number of non-compliant requirements | Number of not-applicable requirements
Area … | 7 | 6 | 0 | 1
Area YYY | 4 | 4 | 0 | 0

3.3 Summary of specific analyses.

For certain functionalities of particular relevance, the certification entity must perform several specific analyses. In some cases it will be necessary to detail the analysis carried out in a subsequent section.

3.3.1 Analysis of Identity Checks and Bans.

This analysis will apply only to general licenses.

Rating. | The result of the analysis, as "Compliant" or "Not compliant" with respect to the technical requirements in this matter.

General data:

Accepts non-resident participants. | Yes/No.

Allows play without user registration. | Yes/No. If so, list the games in which it is allowed.

Checks before activating the user registration:

Channels for accrediting identity. | Indicate the list of channels: Internet, telephone, SMS, face-to-face, others.

Uses the identity verification service provided by the National Gaming Commission for residents. | Yes/No. If it is used but not in all cases, indicate when.

Other means of identity checking. | List of the other means of identity checking used.

Documents supported for non-residents. | List of the documents accepted to accredit the identity of non-residents.

Age-of-majority check. | Yes/No.

Uses the RGIAJ inclusion verification service. | Yes/No.

Linked check. | Yes/No.

Checks before crediting prizes:

Uses the RGIAJ variations service every hour and updates the operator's list of prohibited participants. | Yes/No.

3.3.2 Random Number Generator Analysis.

This analysis will apply only to singular licences in which a random number generator (GNA) is used.

Rating. | The result of the analysis, as "Compliant" or "Not compliant" with respect to the technical requirements in this matter.

Manufacturer. | GNA manufacturer data.

Product and version. | Name of the software element and version.

Footprint. | Digital footprint (hash) of the binary.

Type of GNA. | One of: hardware GNA; software GNA.

Random/Pseudorandom. | One of: random (indicate the name of the physical phenomenon on which it is based); pseudorandom.

Shared GNA. | One of: GNA instance not shared with other games; GNA instance shared with other games (indicate which); GNA integrated into the game software itself; other (describe).

Algorithm. | For a hardware GNA, the name of the phenomenon on which it is based. For a software GNA, the name of the algorithm, as well as the name of the libraries or operating system calls on which it is based. If it is based on a proprietary algorithm, indicate so.

Reseeding. | Indicate Yes/No according to whether a reseeding procedure is included.

Length of space. | Length in bits of the space of distinct random numbers.

List of statistical tests. | List of the names of the statistical tests that have been performed.

3.3.3 Analysis of the percentage of return to the player.

This analysis will apply only to singular licenses, in those games with a return percentage.

Return-to-player percentage published for the game. | The return-to-player percentage published by the operator for each game. The site where the return percentage is published will also be indicated.

3.3.4 Analysis of the game logic and random events.

This analysis will apply only to singular licenses.

Compliance with the particular rules of the game. | Yes/No.

Risk management system for counterpart bets. | Indicate whether it is a custom development, or the name of the product or service used.

Audit of configuration changes to the parameters of the risk management system for counterpart bets. | Yes/No.

Audit of changes made by the operator's staff to bets. | Yes/No.

List of events. | List of the events in which the random number generator intervenes, indicating whether they are pre-drawn.

Audit of configuration changes to the game logic parameters. | Yes/No.

3.3.5 Measures against fraud and money laundering.

This analysis will apply only to general licenses.

existence of technical measures against fraud and money laundering.

Yes/No.

3.4 Summary Table of Integration Tests.

This table shall include the rating of the integration tests carried out, by area, which shall at least include those described in Annex VI.

The nomenclature of additional tests beyond those described in Annex VI shall begin with "X".

The results will be detailed as follows:

Requirement area | Reference and test name | Rating
Requirement area A | A.1 Test name | Compliant
Requirement area A | A.2 Test name | Not applicable
Requirement area A | A.3 Test name | Not compliant
Requirement area A | X.1 Additional test name |
Requirement area A | X.2 Additional test name | Compliant
Requirement area B | B.1 Test name | Compliant
Requirement area B | B.2 Test name | Not applicable
Requirement area B | X.3 Additional test name | Compliant

4. Details of compliance with technical requirements

The technical requirements to be certified for each license are described in Annex V to the Resolution approving this provision.

For each requirement, a qualification will have been obtained that can be "Compliant", "Noncompliant", or "Does not apply".

This section will detail the compliance of each of the technical requirements. The requirements have been grouped by areas.

Additionally, the following situations must be documented in the observations field:

-The reason why a requirement has been rated "Does not apply".

-Any incidents that occurred, even if they were subsequently remedied.

-Tests that were performed in an environment different from the one effectively employed by the operator for the development of the gaming activity.

The ratings will be detailed as follows:

Requirement area and reference | Rating | Remarks
Area X: Reference A | Compliant |
Area X: Reference B | Not compliant | Not compliant with the requirement because of ...
Area X: Reference C | Does not apply | The requirement is not applicable because of ...

The certification body must deliver an annex where for each technical requirement the evidence of the tests performed and the results obtained are documented.

5. Detail of the specific analyses

For certain functionalities of special relevance, the certification entity must perform several specific analyses described in this section.

5.1 Analysis of identity checks and subjective bans.

The certification entity will analyze identity checks and subjective prohibitions.

The analysis should describe at least the following aspects:

-General data:

Whether the system accepts non-resident participants.

Whether the system allows play without user registration. The certification body shall describe the game or games in which this may occur.

The list of channels that can be used to accredit identity: Internet, telephone, SMS, face-to-face or others.

-The checks performed before activating the user registration:

Whether the identity verification service provided by the National Gaming Commission for residents is used.

The list of other means of identity checking used.

The age-of-majority check.

The use of the RGIAJ inclusion verification service.

The performance of the linked check.

-Checks performed before crediting prizes:

The use of the RGIAJ variations service every hour and the subsequent update of the operator's list of prohibited participants and of the status of the affected participants.

5.2 Random Number Generator Analysis.

This analysis will apply only to singular licences in which a random number generator (GNA) is used.

The certification body shall describe the analyses, tests or trials performed to justify the random behaviour of the GNA and its compliance with the technical requirements. The supporting summaries or graphs, the number of simulations performed, the parameters used and the confidence interval shall be included.

The certification body will indicate whether reseeding procedures exist and whether they meet the technical requirements.

If there are configuration parameters on which the operation of the GNA may depend, they will be described, and the configuration values for which the certification has been performed will be indicated.
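The following is an added example, not part of the Resolution and not taken from any operator's or certification body's system, of how two of the items required in sections 3.3.2 and 5.2 above could be produced: the digital footprint of the GNA binary and the list of statistical tests with their p-values at a stated significance level. It implements the frequency (monobit) and runs tests of NIST SP 800-22 with the usual 0.01 threshold and applies them to three constructed samples: a toy SHA-256 counter-mode stream standing in for a software GNA, the same stream with the top bit of every byte stuck at zero, and a perfectly balanced but periodic byte pattern. The seed, sample sizes and function names are assumptions made for the illustration.

```python
"""Added example: RNG evidence for an Annex III section 3.3.2 / 5.2 report.
Computes the binary 'footprint' (SHA-256) and runs two NIST SP 800-22 style
statistical tests (frequency/monobit and runs) over candidate output streams.
Illustrative code only; the DRBG stream below is a constructed sample, not a
real operator GNA."""
import hashlib
import math


def binary_footprint(data: bytes) -> str:
    """SHA-256 hex digest of a software element: the 'digital footprint' field."""
    return hashlib.sha256(data).hexdigest()


def bits_of(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def monobit_test(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test. Returns the p-value."""
    n = 0
    s = 0
    for b in bits_of(data):
        s += 1 if b else -1
        n += 1
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(data: bytes) -> float:
    """NIST SP 800-22 runs test: is the number of runs consistent with randomness?"""
    bits = list(bits_of(data))
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite from the specification: the frequency test must be plausible.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def hash_drbg_stream(seed: bytes, nbytes: int) -> bytes:
    """Constructed sample source: SHA-256 in counter mode (a toy hash DRBG)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def evaluate(data: bytes, alpha: float = 0.01) -> dict:
    """Fields an auditor would put in the RNG table: test name, p-value, verdict."""
    results = {"monobit": monobit_test(data), "runs": runs_test(data)}
    return {name: {"p_value": p, "compliant": p >= alpha} for name, p in results.items()}


if __name__ == "__main__":
    good = hash_drbg_stream(b"constructed-seed", 100_000)   # assumed seed
    biased = bytes(b & 0x7F for b in good)                  # top bit stuck at 0
    patterned = b"\x0f" * 10_000                            # balanced but periodic
    print("footprint:", binary_footprint(good))
    for label, sample in (("drbg", good), ("biased", biased), ("patterned", patterned)):
        print(label, evaluate(sample))
```

The patterned sample is the caveat worth noting: it contains exactly as many ones as zeros, so the monobit test alone rates it "Compliant", and only the runs test detects that it is not random. A report that lists a single statistical test is therefore weak evidence, which is why section 5.2 asks for the full list of tests, the number of simulations and the confidence interval.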

5.3 Analysis of the return to the player in the games.

The certification body must describe the return-to-player percentage published by the operator for each game. It must also verify the site where the percentage is published.

The certification body must describe all configuration parameters that may affect the return-to-player percentage, as well as whether the technical gaming system allows changes to those parameters to be recorded for audit.

5.4 Analysis of game logic and random events.

This analysis will apply only to singular licences.

The certification body, for each of the game variants, must verify that the course of the game conforms to its particular rules.

The certification body must analyse certain aspects of the game logic, the random events in the game, the configurable parameters, the game accounting, and the overall ability to audit any change entered manually in bets or winners.

In the case of bets:

-Risk management system.

For counterpart bets, the risk management system will be described, indicating whether a commercial application or a custom development has been installed for this purpose.

It must be indicated whether the system used is configurable. If so, the most important configuration parameters as well as the values configured at the time of certification shall be described.

The certification body will also state in this report whether the application keeps a record of the changes made to the risk management system. If so, the database files or tables where this information is stored will be indicated.

-Audit of bets.

The certification body must describe the betting management application and the recording and tracing of any modifications that may be made from back-office applications by the operator's staff; at least the following shall be analysed:

Changes to the data of a bet.

Insertion of new bets.

Deletion of bets.

Changes to the result of an event.

Changes to the awarding of prizes.

The audit of the changes will be described, as well as how tampering with the audit trail is prevented.

The database files or tables where this audit information is stored shall be described.

-Management of the pool.

In mutual (pool) bets, the application that manages the accounting of the pool must be analysed.

The report will explain the recording and auditing of the betting pool, the distribution of prizes, the cases in which there are no winners in a category, and any other movement.

In casino games, poker and complementary games:

-Each of the random events implemented in the game in which the random number generator intervenes will be described: for example, the initial shuffle of the cards, the drawing of a card from the deck if there is no initial shuffle, the generation of bingo cards, the sale of bingo cards, the pre-drawing of the bingo balls, the drawing of a bingo ball if it is not pre-drawn, the spin of the roulette wheel, etc.

-The accounting management of the rounds and of the progressive jackpots must be analysed in those games where their use is permitted. The amounts wagered, the prizes obtained, the commissions calculated and the progressive jackpots constituted or applied shall be auditable.

-Audit of rounds.

The certification body must describe the recording and tracing of any modifications that might be made from back-office applications by the operator's staff.

The audit of the changes will be described, as well as how tampering with the audit trail is prevented.

The database files or tables where this audit information is stored shall be described.

-If the software used to implement the game logic is configurable, the certification body must describe and indicate the value of the configuration parameters related to the following aspects:

• Game modes.

• Bank's playing strategy or risk level assumed.

• Maximum amounts.

• Rules of play.

The certification entity must also certify that there is an audit record of any modification of these parameters.

5.5 Measures against fraud and money laundering.

This analysis will apply only to general licenses.

The certification body shall describe and evaluate the measures implemented in the technical system of gambling against fraud and money laundering.

6. Detail of the integration tests

This section will detail the integration tests performed, sorted by area, which shall at least comprise those described in Annex VI to the Resolution approving this provision.

The nomenclature of additional tests beyond those described in Annex VI will begin with "X".

The result of each test will be rated as "Compliant", "Not compliant" or "Not applicable", depending on the expected outcome and regulatory compliance.

Each test will be detailed as follows:

Area. | As in Annex VI.

Reference. | From Annex VI, or "X.n" for additional tests.

Name of the test.

Description of the test.

Expected result.

Type. | According to the classification of test types in Annex VI.

Date/time of test execution.

Result obtained.

Rating.

Observations.

As a result, the certification body must deliver an annex in which it will collect and document evidence of the outcome of the integration tests. The evidence to be collected depends on the type of test to be performed and is described in Annex VI to the Resolution approving this provision.

7. Description of the place, team and dates of completion of the certification

This section will describe the work team that carried out the certification, as well as the place(s) and date(s) on which it was performed.

8. Description of the environments used in the tests different from the one effectively employed by the operator for the development of the gaming activity

In the event that certain tests of the technical game system have been performed in a different environment than the one effectively employed by the operator for the development and exploitation of the game object of the license, the entity of certification should describe in this section the different environments used.

For each of these environments, the list of tests for which it was used will be indicated.

9. Description of the digital support that will accompany the certification report

This section will describe the content of the digital media that will accompany the certification report.

The certification report will be accompanied by a digital media, and will be structured as follows:

-Full certification report in digital format.

-A descriptive questionnaire for the certification object in digital format.

-Evidence of the assessment of technical requirements. They will be grouped within a folder named "Technical Requirements".

-Evidence of integration tests. They will be grouped within a folder named "Integration".

-Copy of the software elements of the game technical system, which will contain copies of the binary of the software elements of the certified game technical system. They must be grouped into a folder named "Binary" and will be structured into subfolders with the name of each of the software elements indicated in the questionnaire.

ANNEX IV

Model and contents of the security certification report.

The security certification report is structured in the sections and will present the minimum content that follows:

1. Identification of the certification.

2. Description of the certification object.

3. Executive summary of the security certification.

4. Detail of the compliance with the security requirements.

5. Detail of the specific audit analyses.

6. Description of the place, team and dates of completion of the certification.

7. Description of the digital support that will accompany the certification report.

1. Identification of the certification

The first page of the report will detail the following:

a) Type of certification report: "Final security certification report" shall be entered.

b) Report identification code: the identification code of the report shall be unique and shall allow a single reference to be made to it and its differentiation from any other report issued by the certification body. Each time the certification body makes any change to a report, it must generate a new identification code for it.

c) Identification data of the certifying entity.

d) Identification data of the person who signs the report on behalf of the certifying entity.

e) Dates of completion of the certification jobs.

f) The issue date of the certification report.

2. Description of the certification object

The object of the security certification shall be the technical gaming system effectively employed by the operator for the development and exploitation of the game covered by the relevant licence, together with the security procedures, processes, plans and measures effectively implemented.

For the purpose of describing the scope of the security certification object, the data processing centres (CPD) where the technical gaming system is hosted and where the security procedures, processes, plans and measures are implemented will be listed:

# | Street, number | City | Country | Type | Hosting provider's registered name
1 | | | | |
2 | | | | |

The "street", "number", "city" and "country" fields refer to the physical location of the CPD. The "type" field indicates the hosting arrangement of the CPD and must take one of the following values: "hosting", "housing" or "own".

The "hosting provider's registered name" field is only to be completed when "type" contains one of the values "hosting" or "housing".

3. Executive summary of security certification

3.1 Global security rating.

A global rating of compliance with the technical security requirements shall be given for the technical gaming system effectively used by the operator for the licence. The rating may be "Compliant" or "Not compliant".

This rating may only be "Compliant" when the certification body considers that the technical gaming system effectively used by the operator for the licence conforms to all the applicable requirements relating to security.

The result of the analysis will be globally rated as "Compliant" or "Not compliant".

ISO 27001 validation. | Indicate whether the report makes use of the possibility of validating certain requirements by means of an ISO 27001 certification.

3.2 Table summary of compliance with security requirements.

The technical security requirements to be certified for each licence are described in Annex VII to the Resolution approving this provision.

For each requirement, a rating will have been obtained that can be "Compliant", "Validated", "Not compliant" or "Not applicable".

The technical requirements are grouped by area.

A summary table will be presented in the executive summary with the number of requirements receiving each rating in each area.

The ratings will be detailed as follows:

Area | Number of requirements | Number of compliant requirements | Number of validated requirements (ISO 27001) | Number of non-compliant requirements | Number of requirements that do not apply
Area XXX | 7 | 6 | 0 | 0 | 1
Area YYY | 4 | 3 | 1 | 0 | 0
Area ZZZ | 4 | 4 | 0 | 0 | 0

3.3 Summary of specific audit analyses.

For certain security areas of special relevance, the certification entity must perform several specific audit analyses that are described in a subsequent section.

This section will present an executive summary of them:

3.3.1 Audit analysis of critical components.

Rating.

The result of the analysis as "Compliant" or "Not compliant" with respect to the correct identification of critical components.

3.3.2 Change Management Audit Analysis.

Rating.

The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this field

3.3.3 Audit analysis of business continuity management and prevention of loss of information.

Rating.

The result of the analysis as "Compliant" or "Not compliant" with respect to the technical requirements in this field.

The result "Compliant" represents the certification body's assessment that the operator's technical system makes it possible to meet the recovery and data-loss times analysed in this section.

Maximum disaster recovery time. | The worst of the maximum recovery times in the event of a disaster, or RTO (recovery time objective), among those provided by the operator.

Maximum information loss time in the event of a disaster. | The worst of the maximum information loss times in the event of a disaster, or RPO (recovery point objective), among those provided by the operator.

4. Security requirements compliance detail

The technical safety requirements to be certified for each license are described in Annex VII to the Resolution approving this Disposition.

For each requirement, a rating will have been obtained that can be "Compliant", "Validated", "Not compliant" or "Not applicable".

This section will detail the compliance of each of the technical requirements. The requirements have been grouped by areas.

Additionally, the following situations need to be documented in the observations space:

-The reason why a requirement has been rated "Not applicable".

-Any incidents that occurred, even if they were subsequently remedied.

Where the possibility of validating certain requirements by means of an ISO 27001 certification is used, the "Validated" rating shall be used and "ISO 27001" shall be indicated in the observations field.

The ratings will be detailed as follows:

Requirement area and reference | Rating | Remarks | Documentary reference
Area X: Requirement AA | Compliant | | Document XXXXX, section YY.
Area X: Requirement XX | Not compliant | Not compliant with the requirement because of ... |
Area X: Requirement YY | Not applicable | The requirement is not applicable because of ... |
Area X: Requirement ZZ | Validated | ISO 27001 |

The certification body must deliver an annex attaching the security documentation, as well as all the evidence needed to verify compliance with the requirements.

Where there is documentary support for the policy or procedure, the observations field shall state the documentary reference as well as the section in which compliance is supported.

The certification body must demonstrate the effective application of the security controls in the technical gaming system effectively employed. For this purpose, the additional tests carried out beyond the documentary check shall be described.

5. Detail of the specific audit analysis

For certain security areas of special relevance, the certification entity must perform several specific audit analyses described in this section.

5.1 Audit analysis of critical components.

The certification entity will issue an analysis on the correct identification by the operator of the critical components of the gaming technical system.

The certification body shall include the list of critical components of the technical gaming system, indicating whether their security has been reinforced. For each component in this list, it shall be indicated to which software element or elements of the questionnaire submitted by the operator it corresponds.

5.2 Change Management Audit Analysis.

The certification entity will issue an analysis on the correct conduct of the change management procedure.

The certification body shall attach, where they exist, the evidence and associated documentation of the last three changes carried out by the operator as of the time of this analysis.

If a software tool is used for change management, it must be indicated. The certification body must also verify that every action (creation, modification or removal) can be audited.

5.3 Business Continuity Management Audit Analysis and Information Loss Prevention.

The certification body must analyse the maximum disaster recovery time, or RTO (recovery time objective), stated by the operator, and assess whether the available technical measures are sufficient to achieve it. The analysis shall describe the technical measures and the use of redundancy, backup plans, backup centres or other measures.

The certification body must analyse the maximum information loss time in the event of a disaster, or RPO (recovery point objective), stated by the operator, and assess whether the available technical measures are sufficient to achieve it. The analysis shall describe the technical measures and the use of redundancy, backup plans, backup centres or other measures. The certification body shall ensure that the measures in place protect all of the operator's data, both user data and gaming data.

A disaster shall be understood as an incident that renders a physical location totally unusable as a result of an unforeseen contingency.

6. Description of the place, team and dates of completion of the certification

This section will describe the work team that carried out the certification, as well as the place(s) and date(s) on which it was performed.

7. Description of the digital support that will accompany the certification report

This section will describe the content of the digital media that will accompany the certification report.

The certification report will be accompanied by a digital attachment, which will be structured as follows:

-Full certification report in digital format.

-Full security documentation used for security assessment, which will be collected within a folder with the name "Documentation".

-Evidence of the assessment of technical safety requirements. They will be grouped within a folder named "Technical Requirements".

-ISO 27001 certification, where it is provided for validation.

ANNEX V

Relationship of functionality technical requirements.

The different requirements to be certified are laid down in the regulatory rules of the game: Law, Royal Decrees, Ministerial Orders and Resolutions.

Only the obligations laid down in the regulations that are directly related to the technical evaluation of equipment, software or instruments shall be the subject of certification of the technical game system.

This section is intended to maintain a guide that collects the technical requirements of the different regulatory texts that must be considered for the certification of the functionality.

The requirements are grouped by area and the nomenclature to be used in the definitive functionality certification reports is included.

Areas:

General Licenses:

-Area: Responsible Game.

-Area: Contract. Acceptance, copying and modifications.

-Area: User registry and check for bans.

-Area: Play account, charges, and payments.

-Area: Deposit limits.

-Area: Registration and Traceability.

-Area: Terminals and Session.

-Area: Channels of communication.

-Area: Free gaming apps.

-Area: Internal control system.

Singular licenses:

-Area: Percentage of return and prize tables.

-Area: Random Number Generator.

-Area: Game logic.

-Area: Registration and Traceability.

-Area: Terminals and Session.

-Area: Channels of communication.

-Area: Free gaming apps.

-Area: Graphical Interface.

-Area: Behavior for technical errors.

-Area: Auto play.

-Area: Repetition of the move.

-Area: Live Games.

-Area: Multiple functionality.

-Area: Progressive jackpots.

-Area: Internal control system.

-Area: Game development.

-Area: Economic limits to participation.

-Area: Reporting obligations to participants.

-Area: Promotion of the games.

ANNEX VI

Minimum integration test relationship

This Annex aims at the description of the tests that must be carried out for the certification of the integration of the technical systems of the operators.

Integration testing should always be performed in the environment effectively employed by the operator for the development and exploitation of the game licensed.

In integration tests that require personal data of residents in Spain, the certification bodies may make use of the test players that the National Gaming Commission will provide for this purpose in the production environment of the verification web services.

Tests are classified based on the license type.

The following types of tests are defined along with the minimum evidence to be collected in each of them:

a) Functional.

Functional tests will consist of evaluating the external features of an application or system, using the same means that are available to a participant or the management applications available to the operator's staff.

As evidence, at least the following must be collected:

Test compliance or non-compliance.

The screen captures resulting from the interaction between the participant or the operator's employee performing the test and the gaming platform.

b) Traceability.

Traceability tests will consist of the analysis and contrast of the records and traces that are generated in the system when the described test is performed. The records and traces of this type of test shall be those of the information system of the central gaming unit, not the internal control system.

As evidence, at least the following must be collected:

Test compliance or non-compliance.

The screen captures that display the information for the record or trace object.

The description of the information source (file, table ...) where the record or trace was obtained.

c) Actual data.

The actual data analysis will consist of verifying the correct accounting, format and integrity of the data generated by the interaction between participants and the technical gaming system.

These integration tests with real data will require the technical gaming system to have at least one month of data, which cannot be completed by testing or simulations.

As evidence, at least the following must be collected:

Test compliance or non-compliance.

The source (file, tables, etc.) from which the information was obtained.

The representative data required for each test.

Here are several images in the original. See the official and authentic PDF document.

ANNEX VII

Relationship of security technical requirements

This Annex establishes the list of requirements which, in accordance with the provision implementing the technical specifications to be met by the technical gaming systems covered by the licences granted under Law 13/2011, of 27 May, on the regulation of gambling, approved by Resolution of the General Direction of Management of the Game of 16 November 2011 ("BOE" of 18 November), must be met by the technical systems of gaming operators and must be verified by the certification bodies in their final certification reports.

The areas to be verified by the certification bodies and the order in which they are to be presented in the relevant report is the following:

a) Security Policy.

In accordance with paragraph 4.4 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. The operator has security procedures.

2. The security procedures have been communicated to all of its employees and, where appropriate, to the collaborating entities.

Those organisations that hold a current ISO 27001 certification may validate requirements 1 and 2. "ISO 27001" shall be indicated in the observations field.

b) Analysis and Risk Management.

In accordance with paragraphs 4.1, 4.2 and 4.3 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. The operator has a risk management and analysis plan

2. A periodic review of the risk analysis is performed.

3. The organization has identified critical components of the Technical Gaming System.

4. Critical components are included in the relationship:

a) The user registry.

b) The game account.

c) Processing of the means of payment.

d) In relation to the random number generator: the components of the technical gaming system that transmit or process the random numbers that determine the results of the games, and the integration of the results of the random number generator into the game logic.

e) Those components that store, manipulate, or transmit sensitive customer information such as personal data, authentication, etc.

f) Those components that store the point-in-time status of the games.

g) Connections to the National Gaming Commission.

h) The internal control system: the capture component and the data store.

i) Access points and communications to and from the above critical components.

j) Communication networks that transmit sensitive participant information.

5. The operator has enhanced security for all critical components.

In relation to requirements 4 and 5, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

c) Organization of Information Security.

In accordance with paragraph 4.5 of the provision implementing the technical specifications to be met by the technical gaming systems, the certification body shall verify that the organisation has defined a management framework for the security of information, indicating the roles and responsibilities of its staff.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

d) Security in communicating with participants.

In accordance with paragraphs 2.1.12 and 4.6 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. The operator has adopted authentication mechanisms that allow the gaming system to identify the participant and, in turn, allow the participant to identify the gaming system.

2. Communications are encrypted whenever personal data (user registration) or economic data (game account) are transmitted.

3. In relation to communications, the operator has taken the measures necessary to ensure integrity and non-repudiation in the transmission of personal or economic data and in game participation transactions.

4. An initial user password is set, by default or by the participant.

5. During the process of defining the user password, the participant is informed about good practices for choosing secure passwords.

6. The minimum password length is 4 characters or digits.

7. If the password is set by the user and does not reach 6 characters including at least one letter and at least one digit, the user receives a message recommending good practices for choosing secure passwords.

8. The password cannot contain any of the following data: the user name, the pseudonym, the first name or surname, or the date of birth of the participant.

9. A password change reminder is offered to the user at a minimum annual frequency, although it is not mandatory for the user to make the change.

10. The user-and-password identification mechanism is blocked if more than 5 failed access attempts occur on the same day. The operator may set a lower limit than this requirement.

In relation to requirements 1, 2, 3, 4, 5, 6, 7, 8 and 9, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.
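Requirements 6 to 10 above are concrete enough to be implemented and tested. The following is an added example, not part of the Resolution or of any operator's system, showing one way a registration service could enforce them: the hard rejections of requirements 6 and 8, the soft recommendation of requirement 7, the annual reminder of requirement 9 and the per-day lockout of requirement 10. The `Participant` record, the function names and the date formats checked for requirement 8 are assumptions of the example; the participant data is constructed.

```python
import datetime as dt
from dataclasses import dataclass, field

MIN_LENGTH = 4            # requirement 6: passwords shorter than this are rejected
RECOMMENDED_LENGTH = 6    # requirement 7: below this, or without letter+digit, only a recommendation is shown
MAX_FAILURES_PER_DAY = 5  # requirement 10: more than this many failures on one day blocks the account
REMINDER_DAYS = 365       # requirement 9: a change is suggested at least once a year, never forced


@dataclass
class Participant:
    """Constructed participant record (assumed shape, not from the Resolution)."""
    username: str
    pseudonym: str
    first_name: str
    surname: str
    birth_date: dt.date
    failures_by_day: dict = field(default_factory=dict)  # date -> failed attempts on that day
    blocked: bool = False


def check_password(pw: str, p: Participant) -> dict:
    """Apply requirements 6, 7 and 8.

    'reasons' holds hard failures (the password must be refused);
    'recommend' is True when only the requirement 7 advisory message is due.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Requirement 8: none of the participant's identifying data may appear in the password.
    # The set of date formats tested is an assumption of this example.
    low = pw.lower()
    forbidden = [
        ("user name", p.username),
        ("pseudonym", p.pseudonym),
        ("first name", p.first_name),
        ("surname", p.surname),
        ("date of birth", p.birth_date.strftime("%d%m%Y")),
        ("date of birth", p.birth_date.strftime("%Y%m%d")),
        ("date of birth", p.birth_date.strftime("%d/%m/%Y")),
    ]
    hits = {label for label, value in forbidden if value and value.lower() in low}
    reasons.extend(f"contains the participant's {label}" for label in sorted(hits))

    # Requirement 7: advisory only, never a rejection.
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    recommend = len(pw) < RECOMMENDED_LENGTH or not (has_letter and has_digit)

    return {"accepted": not reasons, "reasons": reasons, "recommend": recommend}


def record_login_attempt(p: Participant, success: bool, when: dt.datetime) -> bool:
    """Requirement 10: count failures per calendar day and block once they exceed the limit.

    Returns True if the account is blocked after this attempt. Failures on different
    days are counted separately, so five failures on each of two days do not block.
    """
    if p.blocked:
        return True
    if not success:
        day = when.date()
        p.failures_by_day[day] = p.failures_by_day.get(day, 0) + 1
        if p.failures_by_day[day] > MAX_FAILURES_PER_DAY:
            p.blocked = True
    return p.blocked


def change_reminder_due(last_change: dt.date, today: dt.date) -> bool:
    """Requirement 9: the reminder is shown at least yearly; the change itself stays optional."""
    return (today - last_change).days >= REMINDER_DAYS


if __name__ == "__main__":
    alice = Participant("jdoe", "lucky7", "John", "Doe", dt.date(1980, 5, 17))
    for candidate in ("abc", "jdoe2024", "x9y8z", "tr0ub4dor"):
        print(candidate, check_password(candidate, alice))
```

The split between `reasons` and `recommend` mirrors the text: requirement 6 and 8 violations must refuse the password, while requirement 7 only obliges the operator to show the good-practice message. Counting failures by calendar day rather than with a sliding window follows the "on the same day" wording; an operator choosing the lower limit the requirement allows only needs to reduce `MAX_FAILURES_PER_DAY`.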

e) Security of human and third-party resources.

In accordance with paragraph 4.7 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. The operator has a Personnel Security plan.

2. The plan includes training actions for all employees of the organisation, paying particular attention to permissions for access to critical information and components.

3. Where the operator uses third-party services that involve access to, processing or communication of information, or access to facilities, products or services related to the game, those third parties must meet all of the security requirements applicable to the rest of the staff.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

f) Physical and environmental security.

In accordance with paragraph 4.8 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. There is a physical security plan for the game technical system components.

2. Perimeter security for areas containing critical components and sensitive information is defined.

3. There is physical access control to the facilities in which the equipment is located, for both employees and external personnel, and this control includes physical elements, authorisation procedures, access records and surveillance services.

4. There is protection against environmental risks: water, fire, risks caused by people, etc.

5. Critical equipment is protected from power outages and other outages caused by failure in support installations and electrical wiring is protected from damage.

6. Access control mechanisms for communications cabling are defined where it carries unencrypted critical information.

7. Adequate maintenance of facilities and equipment is provided and planned.

8. Devices that contain information are securely erased or destroyed before they are reused or disposed of.

9. Equipment containing information cannot be moved out of secure facilities without the appropriate authorization.

In relation to requirements 2, 3, 4, 5, 7, 8 and 9 above, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

g) Communications and Operations Management.

In accordance with paragraph 4.9 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. Critical components are monitored to prevent versions other than those covered by the type-approval from being used.

2. Communication between the components of the technical gaming systems ensures integrity and confidentiality.

3. Tasks are segregated between different areas of responsibility, to minimize the possibility of unauthorized access and potential damage.

4. Development, testing, and production tasks have been separated.

5. Contracts for services provided by third parties include security controls and metrics, and those services are periodically audited and monitored.

6. Malicious code protection measures have been adopted.

7. Backups are made regularly, at the appropriate frequency, and are safeguarded as set out in the backup plan.

8. Security measures have been adopted in the communications network.

9. Security measures have been adopted for the handling of portable media and for their secure erasure or destruction, and these measures are set down in a documented procedure.

10. The clocks of all components, especially the critical ones, are synchronised with a reliable time source, and the operator has established measures and controls to prevent the manipulation or subsequent alteration of time stamps, especially in audit records.

11. Audit logs of all user activity, exceptions and information security events are generated and retained for a minimum period of 2 years.

12. Audit records are protected against alteration and improper access.

13. The activities of the System Administrator and the System Operator are logged.

14. Periodic analysis of audit records is performed and actions are taken based on detected incidents.

In relation to requirements 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 and 14, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

h) Access Control.

In accordance with paragraph 4.10 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. The information access policy is documented.

2. Authorised access is ensured, and unauthorised access prevented, by means of user provisioning controls, access privilege management, periodic review of access privileges and a password management policy.

3. Users follow best practices in using passwords and properly protect the documentation and media in their workplace.

4. Users only have access to the services they have been authorized to use.

5. There are no generic accounts, and every user accesses the system with their own individual account.

6. The system authenticates all access, whether personal, maintenance or other, from other systems and components. The inspection personnel of the Game Commission or other personnel acting on their behalf shall also be authenticated.

7. Networks are segregated based on the area and responsibility of the task or function.

8. Access to operating systems requires a secure authentication mechanism.

9. The use of utility programs capable of overriding access and security controls is restricted and controlled.

10. Sessions have a maximum connection duration and an inactivity timeout.

11. IT support staff have restricted access to real application data. The sensitive real data is located in isolated environments.

12. The risks associated with mobile devices are managed.

13. Where teleworking exists, the associated risk is managed within the framework of the security plan.

In relation to requirements 1, 2, 3, 4, 6, 7, 8, 9, 10, 11 and 12, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

i) Purchase, development, and maintenance of systems.

In accordance with paragraph 4.11 of the provision implementing the technical specifications to be met by the technical gaming systems, the certification body shall verify that security is planned for in decisions to purchase, develop and maintain information systems.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

j) Managing security incidents.

In accordance with paragraph 4.12 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. There is a documented security incident management procedure.

2. There is a security incident record (with facts, impacts, and measures taken).

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

k) Change management.

In accordance with paragraph 4.13 of the provision implementing the technical specifications to be met by the technical gaming systems, and as set out in Article 10 of this Disposition, the certification body shall verify that:

1. There is a procedure for managing changes in equipment and components of the game technical system in the production environment.

2. There is an internal approval process for changes (change request, approval by those responsible for the decision).

3. A change log (requests, decisions adopted) is preserved and can be audited later.

4. In the case of changes in critical components, it shall be assessed whether this is a substantial change.

5. Copies of the binaries of the software elements are retained for all software versions that have actually been used in the technical system. The National Gaming Commission may make it obligatory for the procedure for retaining copies of the binaries to include a fingerprint of the binaries.

In relation to requirements 1, 2, 3, 4 and 5 above, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.
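Requirement 5 of this area (retaining the binaries of every version actually used, with a fingerprint of each) and requirement 1 of area g) (monitoring critical components so that only the approved version runs) are two uses of the same control: a retained list of cryptographic fingerprints that a deployed tree can be compared against. The following is an added example, not part of the Resolution or of any operator's system, showing how such a manifest could be built, retained as JSON alongside the archived binaries, and later used to detect a patched component or an unapproved file in production. SHA-256 as the fingerprint, the manifest layout and the directory names are assumptions of the example; the binaries are constructed byte strings.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not be loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 fingerprint."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, version: str, dest: Path) -> Path:
    """Retain the fingerprint list beside the archived binaries of that version (area k, req. 5).
    The JSON layout is an assumption of this example."""
    out = dest / f"manifest-{version}.json"
    out.write_text(json.dumps({"version": version, "sha256": manifest}, indent=2, sort_keys=True))
    return out


def verify_deployment(root: Path, approved: dict) -> dict:
    """Compare a deployed tree against the approved fingerprints (area g, req. 1).

    Any non-empty list means something other than the approved version is in use:
    'missing' files were approved but are absent, 'unexpected' files were never approved,
    'modified' files exist but their content differs from the approved binary.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(approved) - set(current)),
        "unexpected": sorted(set(current) - set(approved)),
        "modified": sorted(k for k in approved.keys() & current.keys() if approved[k] != current[k]),
    }


def matches_approved(root: Path, approved: dict) -> bool:
    """True only when the tree is byte-for-byte the approved release."""
    return not any(verify_deployment(root, approved).values())


def demo() -> dict:
    """Constructed scenario: archive an approved release, then check a production copy
    in which one binary was patched and an unapproved helper file was left behind."""
    base = Path(tempfile.mkdtemp())
    approved_dir, prod_dir, archive = base / "approved", base / "production", base / "archive"
    archive.mkdir()
    for d in (approved_dir, prod_dir):
        (d / "bin").mkdir(parents=True)
        (d / "bin" / "rng").write_bytes(b"\x7fELF constructed rng binary v1.2.0")
        (d / "bin" / "wallet").write_bytes(b"\x7fELF constructed wallet binary v3.1.4")

    approved = build_manifest(approved_dir)
    manifest_path = save_manifest(approved, "1.2.0", archive)

    # Production drifts from the approved release (constructed changes).
    (prod_dir / "bin" / "rng").write_bytes(b"\x7fELF constructed rng binary v1.2.0-patched")
    (prod_dir / "bin" / "debug_helper").write_bytes(b"constructed file not in the approved release")

    # Re-read the retained manifest, as a later check (or the certification body) would.
    retained = json.loads(manifest_path.read_text())["sha256"]
    return {
        "approved_copy_ok": matches_approved(approved_dir, retained),
        "production_ok": matches_approved(prod_dir, retained),
        "deviations": verify_deployment(prod_dir, retained),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the monitoring check from the retained manifest rather than from a fresh scan of the approved copy is the point: the manifest is the artefact that survives with the archived binaries, so the same file serves the retention requirement and the later "which version is really running" check. Reporting missing, unexpected and modified paths separately gives the operator the detail needed to record the deviation as a change (area k, requirements 3 and 4) or as a security incident.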

l) Information loss prevention plan.

In accordance with paragraph 4.15 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. There is a plan for the prevention of data loss or transactions affecting the development of the games, the rights of the participants or the public interest.

2. There is a plan of measures to implement the information loss prevention plan, which includes the following:

a) Location where copies of the information will be kept.

b) Backup protection measures against unauthorized access.

3. There is an action procedure for cases of loss of information, which includes the following:

a) Mechanisms for handling claims.

b) Continuation mechanisms for interrupted games.

In relation to requirements 1, 2 and 3 above, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

m) Business continuity management.

In accordance with paragraphs 4.14 and 4.16 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. There is a business continuity management plan for disasters, which includes the following:

a) Technical, human and organizational measures required to ensure continuity of service.

b) A replica of the Central Games Unit that allows the normal conduct of the activity.

2. The continuity plan considers the following scenarios:

a) User registration and game account, with the possibility of consulting the balance and the movements of their associated game accounts. The maximum time to provide these services again will be one week.

b) Withdrawal of funds. The maximum time to provide these services again will be one week.

c) Continuation of incomplete games or pending bets and payment of the prizes validly achieved. The maximum time to provide these services again will be one month.

d) Full restoration of all services.

3. The following information is included in all scenarios:

a) Services recovered.

b) Maximum recovery time.

In relation to requirements 1, 2 and 3 above, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with those requirements is established.

Organisations holding a valid ISO 27001 certification may be deemed to comply with the requirements of this area; in that case 'ISO 27001' shall be indicated in the observations section.

n) Penetration and vulnerability analysis.

In accordance with paragraph 4.17 of the provision for the development of the technical specifications to be met by the technical gaming systems, the certification body shall verify that:

1. In the last six months the gaming technical system has passed a penetration test and vulnerability analysis.

2. There is a vulnerability analysis plan with a frequency of at least twice a year.

In relation to requirement 1 above, the certification body shall record in the observations field the documentary references, and the headings within them, where compliance with that requirement is established.