Indian Gaming Association Mid-Year Gaming Commissioners Master Certification Program: Regulating Information Technology
Premier Ballroom H at the Fox Towers

Tuesday, November 12: Program Outline and Expectations
9:00 - 10:30 am: What are the Current Regulatory Requirements for Information Technology? (Billy David, Bo-Co-Pa & Associates)
10:30 - 10:45 am: Break
10:45 am - 12:00 noon: Who Is Responsible for Regulating I.T.? (Billy David, Bo-Co-Pa & Associates, and Abe Martin, CFE, Casino Cryptology)
12:00 noon - 1:30 pm: Lunch
1:30 - 3:00 pm: Regulating I.T., Where Do I Start to Build My Knowledge Base? (Abe Martin, CFE, Casino Cryptology)
3:15 - 3:30 pm: Break
3:30 - 5:00 pm: Understanding and Using Risk Management in I.T. (Abe Martin, CFE, Casino Cryptology, and Billy David, Bo-Co-Pa & Associates); End-of-Day Wrap-Up

Wednesday, November 13
9:00 - 10:30 am: Information (Cyber) Security for the Rest of Us (Renita DiStefano, President & CEO, Second Derivative)
10:30 - 10:45 am: Break
10:45 am - 12:00 noon: Policy, Process, Procedures, and Standards for I.T. (Renita DiStefano, President & CEO, Second Derivative)
12:00 noon - 1:30 pm: Lunch (John Kieffer Luncheon)
1:30 - 3:00 pm: What Do I Need to Know to Properly Regulate Slot Accountability Systems (Peter Nikiper, Director, Technical Compliance, BMM Test)
3:00 - 3:15 pm: Break
3:30 - 5:00 pm: Considerations for Other “I.T. Devices” You May or May Not Know About (Peter Nikiper, Director, Technical Compliance, BMM Test)

Thursday, November 14
9:00 - 10:00 am: Group Projects: Putting to Work What We Have Learned (Billy David, Bo-Co-Pa & Associates, and Abe Martin, CFE, Casino Cryptology)
10:15 - 10:30 am: Break
10:30 am - 12:00 pm: Finish Up Group Projects and Present Group Projects (Billy David, Bo-Co-Pa & Associates, and Abe Martin, CFE, Casino Cryptology)
12:00: Released
9/11/23
INTRODUCTION TO INFORMATION TECHNOLOGY: CURRENT REGULATIONS AND BEYOND. BO-CO-PA & Associates
BILLY DAVID, OWNER / LEAD CONSULTANT, BO-CO-PA & ASSOCIATES, BILLY@BO-CO-PA.COM, 541-810-0700
DISCLAIMER!!!! DO YOUR HOMEWORK
WHAT DOES THE NIGC SAY?
543.20 INFORMATION TECHNOLOGY AND INFORMATION TECHNOLOGY DATA
NATIONAL INDIAN GAMING COMMISSION MICS CLASS II - AUDIT CHECKLIST INFORMATION TECHNOLOGY & IT DATA (ITD)
1. DO CONTROLS IDENTIFY THE SUPERVISORY AGENT IN THE DEPARTMENT OR AREA RESPONSIBLE FOR ENSURING THAT THE DEPARTMENT OR AREA IS OPERATING IN ACCORDANCE WITH ESTABLISHED POLICIES AND PROCEDURES? (INQUIRY AND REVIEW SICS) QUESTION: WHO HAS ESTABLISHED THE PNPS?
2. IS THE SUPERVISORY AGENT INDEPENDENT OF THE OPERATION OF CLASS II GAMES? (INQUIRY AND REVIEW OTHER – ORGANIZATIONAL CHART)
3. DO CONTROLS ENSURE THAT DUTIES ARE ADEQUATELY SEGREGATED AND MONITORED TO DETECT PROCEDURAL ERRORS AND TO PREVENT THE CONCEALMENT OF FRAUD? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS) QUESTION: WHO ON YOUR TEAM VERIFIES THIS?
4. ARE INFORMATION TECHNOLOGY AGENTS WITH ACCESS TO CLASS II GAMING SYSTEMS PREVENTED FROM HAVING SIGNATORY AUTHORITY OVER FINANCIAL INSTRUMENTS AND PAYOUT FORMS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
5. ARE INFORMATION TECHNOLOGY AGENTS WITH ACCESS TO CLASS II GAMING SYSTEMS INDEPENDENT OF AND RESTRICTED FROM ACCESS TO: FINANCIAL INSTRUMENTS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS) QUESTION: WHO HAD IT AGENTS?
6. ARE INFORMATION TECHNOLOGY AGENTS WITH ACCESS TO CLASS II GAMING SYSTEMS INDEPENDENT OF AND RESTRICTED FROM ACCESS TO: ACCOUNTING, AUDIT, AND LEDGER ENTRIES? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
7. ARE INFORMATION TECHNOLOGY AGENTS WITH ACCESS TO CLASS II GAMING SYSTEMS INDEPENDENT OF AND RESTRICTED FROM ACCESS TO: PAYOUT FORMS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
(C) CLASS II GAMING SYSTEMS’ LOGICAL AND PHYSICAL CONTROLS
8. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO ENSURE ADEQUATE: CONTROL OF PHYSICAL AND LOGICAL ACCESS TO THE INFORMATION TECHNOLOGY ENVIRONMENT, INCLUDING ACCOUNTING, VOUCHER, CASHLESS AND PLAYER TRACKING SYSTEMS, AMONG OTHERS USED IN CONJUNCTION WITH CLASS II GAMING? (INQUIRY AND REVIEW SICS)
9. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO ENSURE ADEQUATE: PHYSICAL AND LOGICAL PROTECTION OF STORAGE MEDIA AND ITS CONTENTS, INCLUDING RECOVERY PROCEDURES? (INQUIRY AND REVIEW SICS)
10. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO ENSURE ADEQUATE: ACCESS CREDENTIAL CONTROL METHODS? (INQUIRY AND REVIEW SICS)
11. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO ENSURE ADEQUATE: RECORD KEEPING AND AUDIT PROCESSES? (INQUIRY AND REVIEW SICS)
12. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO ENSURE ADEQUATE: DEPARTMENTAL INDEPENDENCE, INCLUDING, BUT NOT LIMITED TO, MEANS TO RESTRICT AGENTS THAT HAVE ACCESS TO INFORMATION TECHNOLOGY FROM HAVING ACCESS TO FINANCIAL INSTRUMENTS? (INQUIRY AND REVIEW SICS)
(D) PHYSICAL SECURITY
13. IS THE INFORMATION TECHNOLOGY ENVIRONMENT AND INFRASTRUCTURE MAINTAINED IN A SECURED PHYSICAL LOCATION SUCH THAT ACCESS IS RESTRICTED TO AUTHORIZED AGENTS ONLY? (INQUIRY AND OBSERVATION)
14. ARE ACCESS DEVICES TO THE SYSTEMS’ SECURED PHYSICAL LOCATION, SUCH AS KEYS, CARDS, OR FOBS, CONTROLLED BY AN INDEPENDENT AGENT? (INQUIRY AND OBSERVATION) (DEFINITIONAL NOTE: AS USED THROUGHOUT THIS IT SECTION, A SYSTEM IS ANY COMPUTERIZED SYSTEM THAT IS INTEGRAL TO THE GAMING ENVIRONMENT. THIS INCLUDES, BUT IS NOT LIMITED TO, THE SERVER AND PERIPHERALS FOR CLASS II GAMING SYSTEM, ACCOUNTING, SURVEILLANCE, ESSENTIAL PHONE SYSTEM, AND DOOR ACCESS AND WARNING SYSTEMS.)
15. IS ACCESS TO THE SYSTEMS’ SECURED PHYSICAL LOCATION RESTRICTED TO AGENTS IN ACCORDANCE WITH ESTABLISHED POLICIES AND PROCEDURES, WHICH INCLUDES MAINTAINING AND UPDATING A RECORD OF AGENTS, GRANTED ACCESS PRIVILEGES? (INQUIRY, OBSERVATION, AND REVIEW OTHER – AUTHORIZATION LISTS)
16. IS THE NETWORK COMMUNICATION EQUIPMENT PHYSICALLY SECURED FROM UNAUTHORIZED ACCESS? (INQUIRY AND OBSERVATION)
(E) LOGICAL SECURITY
17. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO PROTECT ALL SYSTEMS AND TO ENSURE THAT ACCESS TO THE FOLLOWING IS RESTRICTED AND SECURED: SYSTEMS’ SOFTWARE AND APPLICATION PROGRAMS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
18. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO PROTECT ALL SYSTEMS AND TO ENSURE THAT ACCESS TO THE FOLLOWING IS RESTRICTED AND SECURED: DATA ASSOCIATED WITH CLASS II GAMING? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
19. ARE CONTROLS ESTABLISHED AND PROCEDURES IMPLEMENTED TO PROTECT ALL SYSTEMS AND TO ENSURE THAT ACCESS TO THE FOLLOWING IS RESTRICTED AND SECURED: COMMUNICATIONS FACILITIES, SYSTEMS, AND INFORMATION TRANSMISSIONS ASSOCIATED WITH CLASS II GAMING SYSTEMS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
20. ARE UNUSED SERVICES AND NON-ESSENTIAL PORTS DISABLED WHENEVER POSSIBLE? (INQUIRY, OBSERVATION AND REVIEW SUPPORTING DOCUMENTATION)
21. ARE PROCEDURES IMPLEMENTED TO ENSURE THAT ALL ACTIVITY PERFORMED ON SYSTEMS IS RESTRICTED AND SECURED FROM UNAUTHORIZED ACCESS? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
22. ARE PROCEDURES IMPLEMENTED TO ENSURE THAT ALL ACTIVITY PERFORMED ON SYSTEMS IS LOGGED? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
23. ARE COMMUNICATIONS TO AND FROM SYSTEMS VIA NETWORK COMMUNICATION EQUIPMENT LOGICALLY SECURED FROM UNAUTHORIZED ACCESS? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
(F) USER CONTROLS
24. ARE SYSTEMS, INCLUDING APPLICATION SOFTWARE, SECURED WITH PASSWORDS OR OTHER MEANS FOR AUTHORIZING ACCESS? (INQUIRY AND PERFORM LOG-IN TESTS ON NETWORK SYSTEM(S) AND EACH STAND-ALONE SYSTEM)
25. IS ACCESS TO SYSTEM FUNCTIONS ASSIGNED AND CONTROLLED ONLY BY MANAGEMENT PERSONNEL OR AGENTS INDEPENDENT OF THE DEPARTMENT BEING CONTROLLED? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
26. DOES EACH USER HAVE HIS OR HER OWN INDIVIDUAL ACCESS CREDENTIAL (SUCH AS PASSWORDS, PIN’S, OR CARDS)? (INQUIRY)
27. ARE ACCESS CREDENTIALS CHANGED AT AN ESTABLISHED INTERVAL APPROVED BY THE TGRA? (INQUIRY, REVIEW TGRA APPROVAL, AND REVIEW OTHER – SYSTEM SECURITY SETTINGS)
28. ARE ACCESS CREDENTIAL RECORDS MAINTAINED FOR EACH USER EITHER MANUALLY OR BY SYSTEMS THAT AUTOMATICALLY RECORD ACCESS CHANGES AND FORCE ACCESS CREDENTIAL CHANGES? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
29. DO ACCESS CREDENTIAL RECORDS INCLUDE THE FOLLOWING INFORMATION FOR EACH USER: USER’S NAME? (REVIEW SUPPORTING DOCUMENTATION)
30. DO ACCESS CREDENTIAL RECORDS INCLUDE THE FOLLOWING INFORMATION FOR EACH USER: DATE THE USER WAS GIVEN ACCESS AND/OR PASSWORD CHANGE? (REVIEW SUPPORTING DOCUMENTATION)
31. DO ACCESS CREDENTIAL RECORDS INCLUDE THE FOLLOWING INFORMATION FOR EACH USER: DESCRIPTION OF THE ACCESS RIGHTS ASSIGNED TO USER? (REVIEW SUPPORTING DOCUMENTATION)
32. ARE LOST OR COMPROMISED ACCESS CREDENTIALS DEACTIVATED, SECURED OR DESTROYED WITHIN AN ESTABLISHED TIME PERIOD APPROVED BY THE TGRA? STATE THE TIME PERIOD ________________. (INQUIRY AND REVIEW TGRA APPROVAL)
33. ARE ACCESS CREDENTIALS OF TERMINATED USERS DEACTIVATED WITHIN AN ESTABLISHED TIME PERIOD APPROVED BY THE TGRA? STATE THE TIME PERIOD ________________. (INQUIRY AND REVIEW TGRA APPROVAL)
34. DO ONLY AUTHORIZED AGENTS HAVE ACCESS TO INACTIVE OR CLOSED ACCOUNTS OF OTHER USERS, SUCH AS PLAYER TRACKING ACCOUNTS AND TERMINATED USER ACCOUNTS? (INQUIRY AND REVIEW OTHER – AUTHORIZATION LISTS)
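Items 28 through 34 above describe what an access-credential record must contain and how quickly the credentials of terminated users must be deactivated. The following script is an added example, not part of the NIGC checklist or the presenter's material, showing how an auditor could run those tests over an exported register. The records, the three-day TGRA-approved period and the audit date are constructed assumptions; the real period is whatever the tribe's TGRA approved on the blank line in item 33.

```python
from datetime import date, timedelta

# Constructed sample access-credential register. Each record carries the fields the
# checklist asks for (user's name, date access was granted, description of access
# rights) plus the termination and deactivation dates needed for item 33. Not real data.
ACCESS_RECORDS = [
    {"user": "j.doe", "name": "Jane Doe", "granted": date(2023, 1, 9),
     "rights": "slot accounting system: read-only reports",
     "terminated": None, "deactivated": None},
    {"user": "r.roe", "name": "Richard Roe", "granted": date(2022, 6, 1),
     "rights": "player tracking: administrator",
     "terminated": date(2023, 8, 1), "deactivated": date(2023, 8, 2)},
    {"user": "t.poe", "name": "", "granted": date(2023, 3, 15),
     "rights": "",
     "terminated": date(2023, 8, 20), "deactivated": None},
    {"user": "s.vendor", "name": "Sam Vendor", "granted": date(2023, 5, 2),
     "rights": "cashless system: vendor support",
     "terminated": date(2023, 7, 1), "deactivated": date(2023, 7, 10)},
]

# Hypothetical TGRA-approved deactivation period; the checklist leaves the real
# number blank for each tribe to fill in.
DEACTIVATION_PERIOD = timedelta(days=3)

# Constructed date on which the audit is run.
AUDIT_DATE = date(2023, 9, 11)

# Fields items 29-31 require on every record.
REQUIRED_FIELDS = ("name", "granted", "rights")


def audit_access_records(records, period, as_of):
    """Return (user, finding) pairs for records that fail the checklist tests.

    Items 29-31: every record must carry the required fields.
    Item 33: a terminated user's credential must be deactivated no later than
    termination date + the approved period. A credential with no deactivation
    logged is reported once the audit date is past that deadline.
    """
    findings = []
    for rec in records:
        for field in REQUIRED_FIELDS:
            if not rec.get(field):
                findings.append((rec["user"], f"missing required field: {field}"))
        terminated = rec.get("terminated")
        if terminated is None:
            continue  # still employed; item 33 does not apply
        deadline = terminated + period
        deactivated = rec.get("deactivated")
        if deactivated is None:
            if as_of > deadline:
                overdue = (as_of - deadline).days
                findings.append((rec["user"],
                                 f"terminated {terminated}, still active {overdue} days past deadline"))
        elif deactivated > deadline:
            late = (deactivated - deadline).days
            findings.append((rec["user"], f"deactivated {late} days after the approved deadline"))
    return findings


def users_with_findings(findings):
    """Distinct users that appear in the findings, in first-seen order."""
    seen = []
    for user, _ in findings:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, finding in audit_access_records(ACCESS_RECORDS, DEACTIVATION_PERIOD, AUDIT_DATE):
        print(f"{user}: {finding}")
```

On the constructed register the script flags t.poe (blank name and rights, and a credential still active 19 days past the deadline) and s.vendor (deactivated six days late); r.roe was deactivated inside the window and j.doe is still employed, so neither is reported.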
(G) INSTALLATIONS AND/OR MODIFICATIONS
35. ARE ONLY TGRA AUTHORIZED OR APPROVED SYSTEMS AND MODIFICATIONS INSTALLED? (INQUIRY AND REVIEW TGRA APPROVAL)
36. ARE RECORDS KEPT OF ALL NEW INSTALLATIONS AND/OR MODIFICATIONS TO CLASS II GAMING SYSTEMS THAT INCLUDE THE FOLLOWING, AT A MINIMUM: THE DATE OF THE INSTALLATION OR MODIFICATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
37. ARE RECORDS KEPT OF ALL NEW INSTALLATIONS AND/OR MODIFICATIONS TO CLASS II GAMING SYSTEMS THAT INCLUDE THE FOLLOWING, AT A MINIMUM: THE NATURE OF THE INSTALLATION OR CHANGE SUCH AS NEW SOFTWARE, SERVER REPAIR, SIGNIFICANT CONFIGURATION MODIFICATIONS? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
38. ARE RECORDS KEPT OF ALL NEW INSTALLATIONS AND/OR MODIFICATIONS TO CLASS II GAMING SYSTEMS THAT INCLUDE THE FOLLOWING, AT A MINIMUM: EVIDENCE OF VERIFICATION THAT THE INSTALLATION OR THE MODIFICATIONS ARE APPROVED? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
39. ARE RECORDS KEPT OF ALL NEW INSTALLATIONS AND/OR MODIFICATIONS TO CLASS II GAMING SYSTEMS THAT INCLUDE, THE FOLLOWING, AT A MINIMUM: THE IDENTITY OF THE AGENT(S) PERFORMING THE INSTALLATION/ MODIFICATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
40. IS DOCUMENTATION (SUCH AS MANUALS AND USER GUIDES, DESCRIBING THE SYSTEMS IN USE AND THE OPERATION, INCLUDING HARDWARE) MAINTAINED? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
(H) REMOTE ACCESS
41. IS DOCUMENTATION FOR EACH REMOTE ACCESS SYSTEM SUPPORT SESSION MAINTAINED AT THE PLACE OF AUTHORIZATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
42. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: NAME OF AGENT AUTHORIZING THE ACCESS? (REVIEW SUPPORTING DOCUMENTATION)
43. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: NAME OF AGENT ACCESSING THE SYSTEM? (REVIEW SUPPORTING DOCUMENTATION)
44. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: VERIFICATION OF THE AGENT’S AUTHORIZATION? (REVIEW SUPPORTING DOCUMENTATION)
45. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: REASON FOR REMOTE ACCESS? (REVIEW SUPPORTING DOCUMENTATION)
46. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: DESCRIPTION OF WORK TO BE PERFORMED? (REVIEW SUPPORTING DOCUMENTATION)
47. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: DATE AND TIME OF START OF END-USER REMOTE ACCESS SESSION? (REVIEW SUPPORTING DOCUMENTATION)
48. DOES DOCUMENTATION FOR EACH REMOTE ACCESS SESSION INCLUDE: DATE AND TIME OF CONCLUSION OF END-USER REMOTE ACCESS SESSION? (REVIEW SUPPORTING DOCUMENTATION)
49. IS ALL REMOTE ACCESS PERFORMED VIA A SECURED METHOD? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
(I) INCIDENT MONITORING AND REPORTING
50. ARE PROCEDURES IMPLEMENTED FOR RESPONDING TO, MONITORING, INVESTIGATING, RESOLVING, DOCUMENTING, AND REPORTING SECURITY INCIDENTS ASSOCIATED WITH INFORMATION TECHNOLOGY SYSTEMS? (INQUIRY, REVIEW SICS, AND REVIEW SUPPORTING DOCUMENTATION)
51. ARE ALL SECURITY INCIDENTS RESPONDED TO WITHIN THE ESTABLISHED TIME PERIOD APPROVED BY THE TGRA? STATE THE TIME PERIOD________________. (INQUIRY, REVIEW TGRA APPROVAL, AND REVIEW SUPPORTING DOCUMENTATION)
52. ARE ALL SECURITY INCIDENTS AND RESPONSES FORMALLY DOCUMENTED? (INQUIRY, REVIEW TGRA APPROVAL, AND REVIEW SUPPORTING DOCUMENTATION)
(J) DATA BACKUPS
53. DO CONTROLS INCLUDE ADEQUATE BACKUP, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: DAILY DATA BACKUP OF CRITICAL INFORMATION TECHNOLOGY SYSTEMS? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
54. DO CONTROLS INCLUDE ADEQUATE BACKUP, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: DATA BACKUP OF CRITICAL PROGRAMS OR THE ABILITY TO REINSTALL THE EXACT PROGRAMS AS NEEDED? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
55. DO CONTROLS INCLUDE ADEQUATE BACKUP, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: SECURED STORAGE OF ALL BACKUP DATA FILES AND PROGRAMS, OR OTHER ADEQUATE PROTECTION? (INQUIRY AND OBSERVATION)
56. DO CONTROLS INCLUDE ADEQUATE BACKUP, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: MIRRORED OR REDUNDANT DATA SOURCE? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
57. DO CONTROLS INCLUDE ADEQUATE BACKUP, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: REDUNDANT AND/OR BACKUP HARDWARE? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
58. DO CONTROLS INCLUDE RECOVERY PROCEDURES, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: DATA BACKUP RESTORATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
59. DO CONTROLS INCLUDE RECOVERY PROCEDURES, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: PROGRAM RESTORATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
60. DO CONTROLS INCLUDE RECOVERY PROCEDURES, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING: REDUNDANT OR BACKUP HARDWARE RESTORATION? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
61. ARE RECOVERY PROCEDURES TESTED ON A SAMPLE BASIS AT SPECIFIED INTERVALS (AT LEAST ANNUALLY) AND RESULTS DOCUMENTED? STATE THE INTERVAL ________________. (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
62. ARE BACKUP DATA FILES AND RECOVERY COMPONENTS MANAGED WITH AT LEAST THE SAME LEVEL OF SECURITY AND ACCESS CONTROLS AS THE SYSTEM FOR WHICH THEY ARE DESIGNED TO SUPPORT? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
(L) VERIFYING DOWNLOADS
64. FOLLOWING THE DOWNLOAD OF ANY CLASS II GAMING SYSTEM SOFTWARE, DOES THE CLASS II GAMING SYSTEM VERIFY THE DOWNLOADED SOFTWARE USING A SOFTWARE SIGNATURE VERIFICATION METHOD? (INQUIRY AND REVIEW SUPPORTING DOCUMENTATION)
65. DOES THE TGRA CONFIRM THE VERIFICATION PERFORMED IN CHECKLIST QUESTION 64 (TGRA CAN USE ANY METHOD IT DEEMS APPROPRIATE)? (INQUIRY, REVIEW TGRA APPROVAL AND REVIEW SUPPORTING DOCUMENTATION)
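Item 64 asks whether the gaming system verifies downloaded software with a signature verification method, and item 65 whether the TGRA confirms that verification. As an added illustration (not code from the checklist, from NIGC, or from any gaming system vendor), the script below uses a hash-based signature, one common form of software signature in gaming: the TGRA records the digest of the certified build at approval time, and the post-download check recomputes the digest and compares it with the approval record. The package names, the build bytes and the shape of the approval register are constructed assumptions; a public-key signature scheme would need a cryptography library and is not shown.

```python
import hashlib
import hmac

# Constructed stand-in for the lab-certified build the TGRA approved. In practice this
# is the package file itself, read from disk with open(path, "rb").read().
CERTIFIED_BUILD = b"example class II gaming system package, build 1.2.3 (constructed bytes)"


def compute_signature(data: bytes, algorithm: str = "sha256") -> str:
    """Software signature as the hex digest of the package bytes."""
    return hashlib.new(algorithm, data).hexdigest()


def record_approval(register: dict, package_name: str, certified_bytes: bytes,
                    algorithm: str = "sha256") -> str:
    """Approval time: store the signature of the certified build under the package name."""
    signature = compute_signature(certified_bytes, algorithm)
    register[package_name] = (algorithm, signature)
    return signature


def verify_download(register: dict, package_name: str, downloaded_bytes: bytes):
    """Post-download check (item 64): recompute the signature and compare it with the
    approval record. Returns (ok, detail) so the outcome can be logged for item 65."""
    entry = register.get(package_name)
    if entry is None:
        return False, "no approval on record for this package name"
    algorithm, expected = entry
    actual = compute_signature(downloaded_bytes, algorithm)
    # compare_digest avoids leaking how much of the digest matched through timing
    if hmac.compare_digest(actual, expected):
        return True, f"{algorithm} signature matches the approval record"
    return False, f"{algorithm} signature mismatch: expected {expected[:16]}..., got {actual[:16]}..."


def demo():
    """Walk through the approve-then-verify sequence on the constructed data."""
    register = {}
    record_approval(register, "gamesys-1.2.3.pkg", CERTIFIED_BUILD)
    return {
        "intact download": verify_download(register, "gamesys-1.2.3.pkg", CERTIFIED_BUILD),
        "one byte altered": verify_download(register, "gamesys-1.2.3.pkg", CERTIFIED_BUILD[:-1] + b"?"),
        "unapproved package": verify_download(register, "gamesys-1.2.4.pkg", CERTIFIED_BUILD),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} - {detail}")
```

For item 65 the TGRA's confirmation can be as simple as keeping its own copy of the approval register and re-running the same comparison on the installed package, so that the operator's verification and the regulator's do not depend on the same record.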
WHAT ABOUT GLI? ALL THIS INFORMATION IS TAKEN OFF THE GLI WEBSITE
GLI-27: NETWORK SECURITY BEST PRACTICES
1.0 STANDARD OVERVIEW
1.1 INTRODUCTION
1.2 ACKNOWLEDGEMENT OF OTHER DOCUMENTS REVIEWED
1.3 PURPOSE OF THIS BEST PRACTICES REFERENCE
1.4 PRINCIPLES OF SECURE NETWORK DESIGN
1.5 KEY NETWORK SECURITY DEFINITIONS
1.6 KEY NETWORK OPERATOR / STAKEHOLDER DOCUMENTATION
CHAPTER 2
2.0 NETWORK HARDWARE
2.1 NETWORKING DEVICES
2.2 PHYSICAL ACCESS CONTROLS AND SECURITY
2.3 PHYSICAL PORTS AND WIRED CONNECTIONS
2.4 DISASTER RECOVERY AND REDUNDANCY (PHYSICAL)
CHAPTER 3
3.0 NETWORK SOFTWARE
3.1 PROTOCOLS AND COMMUNICATIONS
3.2 FIREWALLS
3.3 PASSWORD PROTECTION AND LOGINS
3.4 MULTI-LAYERED PROTECTION
3.5 ENCRYPTION – TRANSMISSION AND STORAGE
3.6 EXTERNAL CONNECTIONS
3.7 ANTIVIRUS AND MALWARE PROTECTION PROGRAMS
3.8 SOFTWARE UPDATES AND PATCHES
3.9 DISASTER RECOVERY (LOGICAL)
3.10 INTRUSION DETECTION AND PREVENTION
3.11 VULNERABILITY SCANNING
3.12 LOGGING
3.13 REMOTE ACCESS ...
CHAPTER 4
4.0 WIRELESS NETWORKS
4.1 INDUSTRY STANDARDS
4.2 UNIQUE CONSIDERATIONS
CHAPTER 5
5.0 SOCIAL ENGINEERING AND EDUCATION
5.1 GENERAL STATEMENT
5.2 VENDOR IMPERSONATIONS
5.3 PUBLICLY AVAILABLE INFORMATION
5.4 VOICEMAIL SECURITY
5.5 TARGETED EMAIL “PHISHING”
5.6 SENSITIVE DOCUMENT DISPOSAL
CHAPTER 6
6.0 CLOUD COMPUTING RESOURCES
6.1 GENERAL STATEMENT
6.2 GENERAL CONSIDERATIONS
THERE ARE OTHER FEDERAL STANDARDS THAT MAY APPLY, BUT WE MUST BE OPEN TO ACCEPTING THOSE AS TRIBAL REGULATIONS.
THANK YOU!
Who is Responsible for Regulating I.T.?
Billy David, Owner billy@bo-co-pa.com Phone: 541-810-0700 www.bo-co-pa.com
Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com
Warm up:
Establishing our Goals
• Basic functions?
• Email and Internet
• Confidentiality, Integrity and Accessibility
• Completing audit checklists?
• Copy & paste standards from superior documents?
Threats
• 2022 Statistics:
• 493 million ransomware attacks detected
• 3.4 billion spam emails, A DAY
• 52% of people reuse 1 password for multiple accounts
• 13% use same password for all accounts
• Most common vulnerability: Business email compromise
Credit: techopedia.com
Threats (chart; credit: statista + fbi.gov)
Case Study (image; credit: tenor.com)
Compliance Vs. Security
Diagram: CONTROLS, POLICIES, PROCEDURES
Whose job is it anyway?
• Industry Experts
• Fraudsters
• Federal Government
• End Users
• NIGC
• Surveillance
• TGRA
• Security
• State Government
• Operation Management
• IT Department(s)
• Technology:
• Vendors
• Designers
• Manufacturers
• Professional Associations/Groups
• National Institute of Standards and Technology
• International Organization for Standardization
• Information Systems Audit and Control Association
• Folks like you and your colleagues!
Government: Tribal
• Provides
• Authority
• Gaming Ordinance
• Charter(s)
• Budget
• Access to other government(s) offices
Government: Federal
• Just a few federal agencies:
• Congress
• National Indian Gaming Commission (NIGC)
• Federal Communications Commission (FCC)
• Federal Trade Commission (FTC)
Government: Federal
• Federal standards to consider:
• Sarbanes Oxley (SOX)
• Federal Information Security Modernization Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act – companies that offer financial products must explain their information sharing process and safeguard sensitive data
• National Defense Authorization Act (NDAA)
State Government
• Can also create laws that influence/affect IT standards
• Example: California SB-327 2018
• If compacted, MICS
TGRA
• PRIMARY REGULATOR
• Establish and maintain clear understanding of authority and mission
• Clearly define roles and responsibilities
• Approval
• Assurance
• Enforcement
• Review(ers)?
• Tribal Internal Control Standards?
• IT standards
TGRA: Audit
• Frequency of initial, follow-up and other audits
• Other audits
• Participate, observe or review other audits?
• Define expectations for data collected
• Audit checklists should be living documents
• Is it ok to add items of local relevance/importance?
• Consider rotating auditors/audit functions
Management (Operation)
• Primarily IT and Compliance, but all department heads are responsible
• Create and/or reinforce a culture of awareness
• This includes standards and threats
• Ensure there is adequate:
• Staff
• Training
• Adherence
• Reporting
• Resolution
IT Department
• Consider TGRA and Operation IT personnel
• Never, ever let the internet go down!
• Maintain and protect systems/information
• Ensure compliance to internal and external standards
• Provide appropriate reports to stakeholders
• Recommend and provide training
• Resolve issues
Surveillance/Security
• Include IT physical elements as part of Risk Management:
• Barriers
• Locks
• Access control systems (cards/biometrics)
• Surveillance
• Intrusion detection
• Patrols include awareness and observation of IT risks/threats
End User
• Anyone with access to corporate network(s), including hardware
• Documented acknowledgement of User Agreement(s)
• Security: Computer and Storage/Backups
• Distribution of Information
• Passwords
• Remote Access
• Protection/mitigation tools
• Reporting
• Destruction
Hackers, fraudsters, etc.
• Opportunists may take a variety of forms, with a variety of intentions
• Many use skills & tactics like old fashioned confidence artists:
• Identify vulnerability
• Determine gains and strategy
• Exploit
• Continue or repeat as long/often as possible
• Success depends on knowing target strengths/weaknesses and anticipating how they will react
Joining Forces
• Compliance/Risk Committees
• Organization leaders with authority to approve resources and changes
• Working groups
• Boots on the ground that know the nuts & bolts
Information Sharing
• Controlled pipelines between silos
• Established and approved mechanisms for open communication
• Training
• Sharing ideas and experience
• Project collaboration
• Improve efficiencies
• Reviewing documents
• Troubleshooting
Key Takeaways
• Roles may differ, but all personnel have responsibilities in IT Compliance
• Technology will always be a step ahead of the law
• Threats and attacks will continue to increase
• Strong regulatory structure and compliance programs are essential defenses
• Standards and checklists are living documents
• Culture of awareness (top down)
Billy David, Owner billy@bo-co-pa.com Phone: 541-810-0700 www.bo-co-pa.com
Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com
Regulating IT: Where Do I Start My Knowledge Base?
Billy David, Owner billy@bo-co-pa.com Phone: 541-810-0700 www.bo-co-pa.com
Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com
Warm up
I.T. Knowledge Base… where to start?
• Governing documents
• Internally, within your work group/leadership, and expand out incrementally (with approval)
• Two questions: “Why?” and “Then what?”
• Let’s divide basics into a few categories….
IT Categories: Networks
• Internet = the world: good, bad and the ugly
• Domain = items controlled by authority or rules
• Network = system of interconnected things
• Open = touches the internet
• Closed = “can’t” touch the internet
Let’s put networks in one of two categories:
• Local Area Network (LAN)
• Wide Area Network (WAN)
Network (image; credit: edrawmax.com)
DMZ (image; credit: Wikimedia Commons)
IT Categories: Physical
• Physical = you can hold it in your hands: “Hardware”
• Servers
• Routers/modems
• Switches
• Firewalls
• Computers
• Mice, keyboards, monitors, etc.
• DEVICES
IT Categories: Logical
• Logical = digital, in the computer: “Software”
• Security/user groups
• User objects
• User Names/Passwords: “Credentials”
• Permissions
• Access control – including systems that can talk to each other
IT Categories: Access
• Access is both physical and logical:
• Physical access controls where people can go and what they can touch/insert
• Lock & key
• Logical access controls what a person can click on/open from a device
• Credentials & permissions
IT Categories: People
• IT (personnel) roles, responsibilities and duties are segregated in a number of ways, based on the [NIST] principle that no user should be given enough privilege to misuse a system on their own.
• Chain of command (supervision)
• Gaming operations
• Finance/accounting
• Physical and/or logical access
Simple…RIGHT?
• Knowledge and experience are usually some of a team’s strongest assets.
• Can they be a liability if they…
• Create a knowledge funnel or operational bottleneck?
• Influence day-to-day decisions?
• Affect operational outcome?
• Contribute to a culture of learned helplessness?
• Impede development/growth?
• Affect morale?
Documentation is key
• Have you ever heard these sayings in regulatory or compliance circles?
• Document, document, DOCUMENT
• If it’s important, write it down
• If you don’t write it down, it didn’t happen
• Check the Desk Guide
You already have a knowledge base
• Any medium that stores information that is only accessible to employees:
• People
• Database/reporting engine
• Regulatory documents
• Audits (checklists)
• Equipment data
• Really any collection of:
• PDFs
• Spreadsheets
• Word docs
Starting considerations
• Purpose of the Knowledge Base
• Audience and the need it will fulfill – find gaps
• Most frequent questions
• Who is overwhelmed
• Measure response rate(s)
• Failing productivity
• Who can you NOT lose?
• Choose type of Knowledge Base
Types of Knowledge Base
• Internal: Library where employees search for resources they need to do their job [better]
• Hosted: third party vendor/software/storage
• Self-hosted: housed on company servers
• Open-source: public facing, intended more for those outside the organization but in the industry
• Customer service: public facing…contains organized info that is relevant, usable and accessible to your customers
Structure
• Organizing information (for ease of access) is the goal, and the base will continually grow. Measure twice, cut once.
• Choose to structure by:
• Service/activity type
• Regulation/control type
• User position or function
• User experience level
Assemble Project Team
• Consider and assign key roles:
• Project (Base) Manager(s)
• Expert(s)
• Reviewer/editor(s)
• User(s)
• Approver(s)
• Maintenance
Assemble & create content
• Approver(s) and Project Manager(s) should define expectations for the finished product. Things like:
• Value: content offers solutions to relevant questions/problems
• Usability: Headers & prompts that stand out. Sub-script that uses clear language
• Functionality: Short bursts of information, links if available, especially to other sites within the base
• Diversify: use a variety of media…charts, graphics, videos, etc.
Review
• Editors should have as little exposure to the production phase as possible
• Test content against expectations
• Include spelling, grammar, etc.
• Communicate corrections and recommendations directly to Expert(s) in this phase
• Repeat review after revision(s)
• Flows to Manager(s) when draft is accepted, then to Approver(s)
Approval
• Approver(s) should have as little exposure to the production and review phases as possible
• Communicate revisions and recommendations directly to Manager(s)
• Repeat Production, Review and Approval phases as needed
• Flow to User(s) for beta test
Beta Test
• Provide access to a select (small) group of users
• Users may or may not be advised of production expectations
• Provide each user with a method of rating experience and documenting feedback
• Compare responses to expectations
Deployment
• Release Knowledge Base to work group
• Leadership and experts should demonstrate and encourage use
• Provide (condensed) methods for rating experience, feedback and questions
• Flow to Maintenance phase
Maintenance
• Maintenance person(s) should monitor use, develop and/or adjust methods for measuring performance of users AND the base
• Collaborate with stakeholders to set frequency of updates
• Consider: more frequent initially, broadening span over time
• Include other experts (internal/external)
• Repeat process (all or in part) for each update
Key Takeaways
• Start small, build your way up & out.
• Basic IT categories:
• Networks – Internet, LAN or WAN. Open/closed
• Physical vs. Logical
• Access
• People > Segregation of duties
Key Takeaways
• Building a Knowledge Base:
1. Purpose
2. Choose type
3. Structure
4. Team
5. Content
6. Review
7. Approval
8. Beta test
9. Deploy
10. Maintenance
Billy David, Owner billy@bo-co-pa.com Phone: 541-810-0700 www.bo-co-pa.com
Abe Martin abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com
Understanding and Using Risk Assessment/Management in the I.T. department
• A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs
What is Risk Assessment?
• A systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
• Is this agreeable?
What is Information Technology?
• Information technology (IT) is a vast field of expertise that involves the use of computer systems to manage, process, protect, and exchange information.
• The study or use of systems (especially computers and telecommunications) for storing, retrieving, and sending information.
What are some I.T. systems in your casino?
• Discussion….
Vulnerability vs threat vs risk
• These terms are frequently used together, but they describe three separate components of cybersecurity. In short, we can see them as a spectrum:
• First, a vulnerability exposes your organization to threats.
• A threat is a malicious or negative event that takes advantage of a vulnerability.
• Finally, the risk is the potential for loss and damage when the threat does occur.
What is a vulnerability?
• A vulnerability is a weakness, flaw or other shortcoming in a system (infrastructure, database or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities; we can sum them up generally as:
• Technical vulnerabilities, like bugs in code or an error in some hardware or software.
• Human vulnerabilities, such as employees falling for phishing, smishing or other common attacks.
What is a threat?
• In cybersecurity, the most common definition of a threat is this:
• Anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people and more. (Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)
What is a risk?
• Risk is the probability of a negative (harmful) event occurring as well as the potential scale of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis, due to both internal and external factors.
• From a slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the probable frequency and probable magnitude of loss. Sounds complicated, until we break it down: “For starters,” Rudis says, "there is no ethereal risk. Something is at risk, be it a system, device, business process, bank account, your firm’s (casino/tribes) reputation or human life.”
This is where your teams can begin to measure risk:
• Estimate how often an adversary or attacker is likely to attempt to exploit a vulnerability to cause the desired harm.
• Gauge how well your existing systems, controls and processes can stand up to those attempts.
• Determine the value of the impact or harm the adversary may cause if the adversary is indeed successful.
• One way of describing risk was consequence x likelihood, but as security teams have advanced their processes and intelligence, we see that you have to also account for the safeguards you’ve already put in place.
Risk = threat x vulnerability
• This is another way of looking at risk, albeit a bit simplified:
• Vulnerability x Threat = Risk
• We can sum up this calculation with the concepts from above: a single vulnerability multiplied by the potential threat (frequency, existing safeguards, and potential value loss) gives you an estimate of the risk involved.
• In order for organizations to begin risk mitigation and risk management, you first need to understand your vulnerabilities and the threats to those vulnerabilities. This is no small task.
Risk Management: the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.
The 5 Step Risk Management Process
• Identify potential risks
• Measure frequency and severity
• Examine alternative solutions
• Decide which solution to use and implement it
• Monitor results
What is the likelihood of a risk occurring and if it did, what would be the impact?
Measure frequency and severity
A risk map is a visual tool that details which risks are frequent and which are severe (and thus require the most resources).
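The three estimates the slides call for (how often an attempt is expected, how well existing safeguards hold up, and the value of the harm) and the risk map itself can be worked through on a small register. The script below is an added example, not from the slides or from the Open FAIR body of knowledge; the four risks, their figures and the band cut-offs are constructed assumptions for illustration. It computes successful events per year as attempts times the share that gets past existing controls, multiplies by the loss per event to get an annual figure (consequence x likelihood with safeguards already factored in), and places each risk on a likelihood x severity map ranked by annual risk.

```python
# Constructed I.T. risk register. For each risk, the three estimates the slides call for:
# expected attempts per year, how well existing safeguards hold up (0.0 = no protection,
# 1.0 = blocks every attempt), and the loss if an attempt succeeds.
# The risks and the figures are illustrative, not measurements from any casino.
RISK_REGISTER = [
    {"risk": "Phishing captures credentials of an accounting workstation user",
     "attempts_per_year": 50, "control_effectiveness": 0.95, "loss_per_event": 40_000},
    {"risk": "Unpatched slot accounting server reached from the office network",
     "attempts_per_year": 2, "control_effectiveness": 0.50, "loss_per_event": 500_000},
    {"risk": "Vendor remote access session left open after a support call",
     "attempts_per_year": 12, "control_effectiveness": 0.80, "loss_per_event": 25_000},
    {"risk": "Backup media stored in an unlocked cabinet",
     "attempts_per_year": 1, "control_effectiveness": 0.10, "loss_per_event": 150_000},
]

# Hypothetical band cut-offs for the risk map: (low/medium boundary, medium/high boundary).
LIKELIHOOD_BANDS = (0.5, 2.0)        # successful events per year
SEVERITY_BANDS = (50_000, 200_000)   # dollars lost per successful event


def successful_events_per_year(entry):
    """Likelihood: attempts that get past the safeguards already in place."""
    return entry["attempts_per_year"] * (1.0 - entry["control_effectiveness"])


def annual_risk(entry):
    """Consequence x likelihood, with existing controls already factored in."""
    return successful_events_per_year(entry) * entry["loss_per_event"]


def band(value, cutoffs):
    """Map a number to Low / Medium / High using the two cut-offs."""
    low, high = cutoffs
    if value < low:
        return "Low"
    if value < high:
        return "Medium"
    return "High"


def risk_map(register):
    """Place each risk on a likelihood x severity map and rank by annual risk."""
    rows = []
    for entry in register:
        rows.append({
            "risk": entry["risk"],
            "likelihood": band(successful_events_per_year(entry), LIKELIHOOD_BANDS),
            "severity": band(entry["loss_per_event"], SEVERITY_BANDS),
            "annual_risk": annual_risk(entry),
        })
    return sorted(rows, key=lambda row: row["annual_risk"], reverse=True)


if __name__ == "__main__":
    for row in risk_map(RISK_REGISTER):
        print(f"{row['likelihood']:>6} likelihood / {row['severity']:>6} severity "
              f"/ ${row['annual_risk']:>10,.0f} per year: {row['risk']}")
```

The ranking shows why the map is read on two axes rather than one: the phishing risk lands in the High likelihood band yet ranks below the unpatched server, whose one expected success a year carries a far larger loss, and the unlocked backup cabinet sits in Medium/Medium but still outranks two High-likelihood items once the loss per event is counted.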
Examine alternative solutions
• What are the potential ways to treat the risk and, of these, which strikes the best balance between being affordable and effective? Casinos usually have the options to accept, avoid, control, or transfer a risk.
• Accepting the risk means deciding that some risks are inherent in doing business and that the benefits of an activity outweigh the potential risks.
• To avoid a risk, the organization simply has to not participate in that activity.
• Risk control involves prevention (reducing the likelihood that the risk will occur) or mitigation, which is reducing the impact it will have if it does occur.
• Risk transfer involves giving responsibility for any negative outcomes to another party, as is the case when an organization purchases insurance.
Monitor the results and do something with the results!
Risk management is a process, not a project that can be “finished” and then forgotten about. The organization, its environment, and its risks are constantly changing, so the process should be consistently revisited.
Determine whether the initiatives are effective and whether changes or updates are required. Sometimes, the team may have to start over with a new process if the implemented strategy is not effective.
Our Process
• Identify Risk
• Measure Risk
• Examine Solutions
• Implement Solutions
• Monitor Results
Mitigating the Risk
• Good, sound internal controls for the I.T. department should be in place to help mitigate risk.
• Good and accurate department policies and procedures.
Processes that “keep honest people honest”
Decide which solution to use and implement it
Once all reasonable potential solutions are listed, pick the one that is most likely to achieve desired outcomes.
Set up a formal process to implement the solution logically and consistently across the organization and encourage employees every step of the way.
QUESTIONS?
Thank you