What is RTS security compliance?
To operate a remote gambling product in the UK market, you need to be licensed by the Gambling Commission (UKGC) under sections 89 and 97 of the Gambling Act 2005.
This act is supported by the Remote Gambling and Software Technical Standards (RTS) that detail the specific technical standards and the security requirements that licensed remote gambling operators and software gambling operators need to meet.
The standards are split into two key sections – the technical standard, which describes how betting games must be configured and provides rules for player safety and financial responsibility, and the security requirements, which outline the minimum expected information security standards that should be applied by any UKGC licence holder. For the purposes of this blog, we are focussing on security requirements only.
Under section 4 of the RTS, remote and software gambling operators must complete a third-party annual security audit against requirements that mirror specific sections of the ISO/IEC 27001:2013 standard. Newly licensed gambling organisations must complete this security audit and provide a copy of it to the UKGC within six months of being granted a licence, irrespective of whether they are trading or not.
What are the RTS security requirements?
The RTS security requirements utilise specific controls from Annex A of ISO 27001:2013. Licensees do not need to be ISO 27001 certified but do need to undergo an independent audit annually. The audit report needs to be provided to the Gambling Commission.
Whilst the number of applicable controls appears extensive at first glance, the list is actually just a little over 50% (61 out of 114) of the controls that an organisation will need to consider (and more likely apply) if it plans to certify to ISO 27001. The control areas in scope are as follows:
A.5 – Information security policies
A.6 – Organisation of information security
A.7 – Human resource security
A.8 – Asset management
A.9 – Access control
A.10 – Cryptography
A.11 – Physical and environmental security
A.12 – Operations security
A.13 – Communications security
A.14 – System acquisition, development and maintenance
A.15 – Supplier relationships
A.16 – Information security incident management
A.18 – Compliance
A detailed list of all available controls is available on the UK Gambling Commission website.
It is important to note that as the security requirements focus solely on specific controls, there is no requirement for RTS auditees to apply the framework elements of ISO 27001, found in clauses 4-10 and covering such things as risk assessments, internal audits and management reviews. However, the UKGC does permit any gambling operator that is certified to ISO 27001 to submit their ISO 27001 certificate and audit report in lieu of a focussed RTS audit. Gambling operators should carefully consider whether it may be worth certifying to ISO 27001 – not only will this meet the requirements of the UKGC regarding RTS, but there are also a whole host of other benefits to ISO certification and the risk-based approach to information security management that it supports. To take a deeper dive, you can download a copy of our free Guide to ISO 27001.
RTS audit scope – what is covered?
The UKGC’s aim in setting out the security standards is to “ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling”. To that end, the UKGC has highlighted those systems that are most critical to achieving its aims, and the security standards must apply to these critical systems:
- Electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances
- Electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
- Electronic systems that store results or the current state of a customer’s gamble
- Points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
- Communication networks that transmit sensitive customer information.
While the security requirements are focused on critical systems, the selected controls also cover requirements for processes outside of this scope, such as HR security, including requirements for information security training and the consideration of information security at termination or change of employment responsibilities, and aspects of physical security, including equipment siting and protection, secure disposal and reuse of equipment, and unattended user equipment.
How is an RTS security audit conducted?
The UKGC provides guidance and advice to security audit firms regarding how the audit should be conducted and how the audit report should be constructed. The methods used must include enquiry, evidence and, where possible, observation by being on-site. In special circumstances, such as during COVID-19 restrictions, audits may be conducted remotely. We have some advice when it comes to choosing an ISO certification body.
Enquiry-based audits involve discussion with, in the words of the Commission, “the key stakeholders responsible for establishing the information security framework and applying it”. During these discussions, requirements will be identified for evidence that must be provided by the licensee.
The evidence that will be required comprises policies, procedures and documents, including but not limited to:
- IT security policy
- User access
- Development and testing procedures
- Service level agreement
- Policy on the use of network services
- Detection, prevention, and recovery controls to protect against malicious code
- Data backup policy
- Procedures in place so that media is disposed of securely and safely
- Procedures for the handling and storage of information (to protect the information from unauthorised disclosure or misuse)
- Change management policy
- Procedures for monitoring the use of information processing facilities
- A policy, operational plans and procedures for teleworking [remote working] activities
- Policy on the use of cryptographic controls
- Network diagram.
The Commission also provides a list of audit areas from which evidence must be gathered, including:
- Applicable security settings in place (including network, database, operating systems and gambling applications)
- User access controls (both staff and player access)
- Software changes
- Reviews of any externally conducted penetration testing and vulnerability assessments performed
- Physical access
- Audit log reviews
- Information processing controls
- Backup recording
- Staff interviews and walkthroughs with evidence noted for selected processes
- Training records.
Audit results should be reported as per ISO 27001 audits, with observations, minor non-conformities and major non-conformities all detailed. Management plans to address identified issues should also be identified. More details on the audit requirements together with an example audit report are provided in the Gambling Commission’s Security Audit Advice document.
Who can perform an RTS Security Requirements Audit?
The UKGC has stated that they do not intend to approve security audit firms to perform the security audit, but that licensees must “satisfy themselves that the third-party security auditor is reputable, is suitably qualified to test compliance with ISO/IEC 27001:2013 and that the auditor is independent of the licensee”.
“Suitably qualified” in this instance will generally mean that the auditor holds one or more of the following certifications:
- ISO 27001 Lead Auditor
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
The audit report must also include information on the audit provider, the lead auditor, the operator, the locations audited and an executive summary.
Need an RTS Audit?
We will work with your organisation and all relevant stakeholders to ascertain your current level of compliance with the RTS standards and subsequently provide a report which outlines any identified gaps and remediation activity. Our approach is to work collaboratively with your teams through a combination of onsite and remote consultancy. Find out more on our service page.
Are you ready?
Our advice would be to start by meeting the RTS requirements by implementing an information security framework that covers the ‘critical systems’ and the Annex A controls listed by the Gambling Commission.
Thereafter we would recommend developing an Information Security Management System (ISMS) to cover your wider business and a ‘statement of applicability’ that considers all 114 Annex A controls. This will help demonstrate that you take security seriously, will embed a security culture, and help with other regulatory compliance requirements by ensuring ongoing risk management. It will also show credibility to customers and partners.
Need help with RTS security compliance?
Before your RTS security requirements audit, our team of expert ISO 27001 consultants can help you prepare. We can support you with all levels of readiness activities, including document creation, process review and pre-audit assessments to ensure that you have everything you need for a smooth audit experience.
Our team here at Evalian also includes certified ISO 27001 Lead Auditors with experience in conducting RTS security requirements audits for clients both large and small, so regardless of whether you’re a charity lottery or the next big online casino, speak to one of our friendly sales team now to see how we can help.