Beyond GSA G2S Standards: The Security Program

March 22, 2012

Last month, I wrote about applying a strategic view of security as you move your gaming environment toward GSA/Open G2S standards. While these standards do specify networking standards and some security protocols, particularly for G2S, they don’t really discuss best practices in security in the overall gaming environment. Gaming operators should approach security of their systems and network within a larger view, or framework, of security best practices.

It’s important to take a holistic approach that considers security from a program perspective, including operations and monitoring, maintenance and change control, access control, testing, incident management and repeatable security processes. Approaching it holistically has been proven to improve operational efficiency, increase security and, in the end, save money.

Security Programs

The first place to start is to ensure you have a security program that encompasses regulatory and corporate standards, policies and procedures that your organization can use to maintain security throughout the organization. It’s developed against frameworks such as ISO 27001:2005 or COBIT. You may not have to start from scratch, though, as there are numerous standards (like PCI) and frameworks that are used in many industries and perhaps in your own company, which can be the basis for building your security program when implementing G2S.

While I won’t cover how to develop a security program in this article, at a minimum a security program needs to assess the risk to an organization, identify those responsible for maintaining it, and have standard, documented ways to monitor the effectiveness of the program.

I do want to touch on some key points you need to keep in mind in assessing your security program’s effectiveness against those standards.

  • Identify and document all standards and requirements:
    • Ensure you have identified all standards and requirements, including but not limited to G2S/GSA, and others specific to your industry or company, as well as general security best practices that will need to be included in the program.
    • Beyond gaming and regulatory standards reporting and requirements, look deep into your company, including portions you might not normally look at (e.g., hotel, retail, HR, accounting, third-party providers), and ensure that any security standards they have are taken into consideration as well, or are at least identified as existing.
    • You can create a matrix that identifies all included standards requirements and aligns them with the framework you’re going to use. This can save you time and resources and may identify areas to reduce duplication of effort on standards, policies and processes.
  • Identify and corral all the policies, standards and processes that will need to be assessed against your program and maintained. At a minimum, identify owners of these and document this information for future assessments.
  • If assessing controls being used (e.g., configuration controls) against the standards or policies, identify how these controls will be assessed and add those to your matrix. For instance, do you have a gold standard for builds for your G2S systems? If so, what is it, is it being used, who maintains it, and what are the policies and processes for changing and then implementing gold standard updates?
  • Perform a Gap Analysis:
    • Perform a gap analysis of the current state of the program by assessing standards, policies, procedures against the framework and identifying positive practices and areas of
    • If this is your first time through this, don’t get too down in the weeds. Pick your most critical standards (usually regulatory) and do those first. Prioritize the gaps and remediate.
    • If you have multiple standards to assess against, you may find that there are cost savings in time/resources if you perform your gap analysis against more than one regulatory standard at a time. Many standards use a security best practices model and have very similar requirements.
  • Create a roadmap that identifies priorities and timelines for remediating those areas in need of improvement. The roadmap should be high level, with timelines; use it as a template for the products, resources and budgets that you need to remediate those gaps.
  • Finally, be sure to train your personnel to manage and understand the framework, standards, policies and processes.
