Beyond GSA G2S Standards: The Security Program
Last month, I wrote about applying a strategic view of security as you move your gaming environment toward GSA/Open G2S standards. While these standards do specify networking standards and some security protocols, particularly for G2S, they don’t really discuss best practices in security in the overall gaming environment. Gaming operators should approach security of their systems and network within a larger view, or framework, of security best practices.
It’s important to take a holistic approach that takes into account security from a program perspective that includes: operations and monitoring, maintenance and change control, access control, testing, incident management and repeatable security processes. Approaching it holistically has been proven to improve operational efficiency, increase security and, in the end, save money.
The first place to start is to ensure you have a security program that encompasses regulatory and corporate standards, policies and procedures that your organization can use to maintain security throughout the organization. It’s developed against frameworks such as ISO 27001:2005 or COBIT. You may not have to start from scratch, though, as there are numerous standards (like PCI) and frameworks that are used in many industries and perhaps in your own company, which can be the basis for building your security program when implementing G2S.
While I won’t cover the how to develop a security program in this article, at a minimum a security program needs to assess the risk to an organization, identify those responsible for maintaining it, and have standard, documented ways to monitor the effectiveness of the program.
I do want to touch on some key points you need to keep in mind in assessing your security program’s effectiveness against those standards.
- Identify and document all standards and requirements:
- Ensure you have identified all standards and requirements, including but not limited to G2S/GSA, and others specific to your industry or company, as well as general security best practices that will need to be included in the program.
- Beyond gaming and regulatory standards reporting and requirements, take a look deep into your company, including portions you might not normally look at (e.g., hotel, retail, HR, accounting, third-party providers) and ensure that any security standards they have are taken into consideration for you as well, or at least identified that they are there.
- You can create a matrix that identifies all included standards requirements and align them with the framework you’re going to use. This can save you time and resources and may identify areas to reduce duplication of effort on standards, policies and processes.
- Identify and corral all the policies, standards and processes that will need to be assessed against your program and maintained. At a minimum, identify owners of these and document this information for future assessments.
- If assessing controls being used (e.g., configuration controls) against the standards or policies, identify how these controls will be assessed and add those to your matrix. For instance, do you have a gold standard for builds for your G2S systems? If so, what are they, are they being used, who maintains the gold standard and what are the policies and processes for changing and then implementing gold standard updates?
- Perform a Gap Analysis
- Perform a gap analysis of the current state of the program by assessing standards, policies, procedures against the framework and identifying positive practices and areas of improvement.
- If this is your first time through this, don’t get too down in the weeds. Pick your most critical standards (usually regulatory) and do those first. Prioritize the gaps and remediate.
- If you have multiple standards to assess against, you may find that there are cost savings in time/resources if you perform your gap analysis against more than one regulatory standard at a time. Many standards use a security best practices model and have very similar requirements.
- Create a roadmap that identifies priorities and timelines for remediating those areas in need of improvement. This roadmap should be a high level with timelines, and use it as a template for products, resources and budgets that you need to remediate those gaps.
- Finally, be sure to train your personnel to manage and understand the framework, standards, policies and processes.