ebook img

Montana Lottery security PDF

28 Pages·2001·0.59 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Montana Lottery security

egislative Audit Division StateofMontana ReporttotheLegislature October2001 Information System Audit Montana Lottery Security DepartmentofCommerce,throughJune30,2001 DepartmentofAdministration,effectiveJuly1,2001 Thisreportcontainsinformationregardingthesecuritycontrolsover MontanaLotteryoperations. Thereportconcludescontrolsareinplace, whichensuretheoverallsecurityofMontanaLotteryoperations. STATEDOCUMENTS COLLECTION iAfl 28 2002 HMEOLNENT1/A5>N15A'E-STeA.tT-^ErI'- MO^;TAf«ASTATEL»«ARy Directcomments^nquiriesto: LegislativeAuditDivision Room160,StateCapitol POBox201705 OlDP-07 HelenaMT 59620-1705 Helpeliminatefraud,waste,andabuseinstategovernment CalltheFraudHotlineat1-800-222- statewideor444-4446inHelena. 3 0864 0015 aits'; INFORMATIONSYSTEMAUDITS InformationSystem(IS)auditsconductedbytheLegislativeAuditDivisionaredesignedtoassess controlsinanISenvironment. IScontrolsprovideassuranceovertheaccuracy,reliability,andintegrity oftheinformationprocessed. Fromtheauditwork,adeterminationismadeastowhethercontrolsexist andareoperatingasdesigned. Inperformingtheauditwork,theauditstaffusesauditstandardssetforth bytheUnitedStatesGeneralAccountingOffice. MembersoftheISauditstaffholddegreesindisciplinesappropriatetotheauditprocess. Areasof expertiseincludebusiness,accountingandcomputerscience. ISauditsareperformedasstand-aloneauditsofIScontrolsorinconjunctionwithfinancial-compliance and/orperformanceauditsconductedbytheoffice. Theseauditsaredoneundertheoversightofthe LegislativeAuditCommitteewhichisabicameralandbipartisanstandingcommitteeoftheMontana Legislature. ThecommitteeconsistsofsixmembersoftheSenateandsixmembersoftheHouseof Representatives. MEMBERSOFTHELEGISLATIVEAUDITCOMMITTEE LEGISLATIVEAUDITDIVISION ScottA.Seacat,LegislativeAuditor m1^ ^Ix\ DeputyLegislativeAuditors: JohnW.Northey,LegalCounsel |s^^^CS^^¥l •''"^Pellegrini,PerformanceAudit ToriHunthausen,ISAudit&Operations JamesGillett,Financial-ComplianceAudit October2001 TheLegislativeAuditCommittee OftheMontanaStateLegislature: ThisisthereportofoursecurityauditovertheoperationoftheMontanaLottery. Thereport concludescontrolsareinplacetoensurethesecurityoftheMontanaLotteryoperationsand includesfourrecommendationsforimprovingcompliancewithinternalpoliciesandprocedures. TheLotteryresponsetotheauditreportiscontainedattheendofthereport. WewishtoexpressourappreciationtothestaffoftheLotteryfortheircooperationand assistance. Respectfullysubmitted. /' ScottA.Seacat LegislativeAuditor Room160,StateCapitolBuildingPOBox201705Helena.MT 59620-1705 Phone(406)444-3122 FAX(406)[email protected] Legislative Audit Division InformationSystemAudit Montana Lottery Security MembersoftheauditstaffinvolvedinthisauditwereDebraBlossom andJessicaSolem. 1 TableofContents AppointedandAdministrativeOfficials ii ChapterI-Introduction 1 Introduction 1 AuditObjectives 1 AuditScopeandMethodology 1 Conclusion 2 ChapterII-Background 5 Background 5 InstantGames 5 On-LineGames 5 ComputerOperations 6 GMS 6 InternalControlSystem 7 PriorAuditRecommendations 7 RecommendationsImplemented 7 RecommendationsPartiallyImplemented 8 ChapterIII-SecurityControls 9 Introduction 9 CompliancewithInternalProcedures 9 On-LinePaperTicketStockSecurity 10 Non-PlayersDatabase 1 AccessSecurityControls 12 ICSAccess 13 GMSAccess 13 AgencyResponse A-1 MontanaLottery A-3 Pagei AppointedandAdministrativeOfficials MontanaLotteryCommission Chapter I - Introduction Introduction StatelawrequirestheLegislativeAuditDivisiontoconducta comprehensiveauditofallaspectsofsecurityintheoperationofthe MontanaLottery(Lottery)everytwoyears. Thisisthesixthaudit completedsincetheLottery'sinceptionin 1987. AuditObjectives Asrequiredbystatelaw,weevaluatedthesecuritycontrolsoverthe MontanaLotteryoperations. Ourprimaryobjectivewastoevaluate whethersecuritycontrolsexistovertheareasspecifically enumeratedinsection23-7-411.MCA. a) personnelsecurity; b) lotterysalesagentsecurity; c) lotterycontractorsecurity; d) securityofmanufacturingoperationsoflotterycontractors; e) securityagainstticketorchancecounterfeitingandalterationand othermeansoffraudulentlywinning; f) securityofdrawingsamongentriesorfinalists; g) computersecurity; h) datacommunicationssecurity; i) databasesecurity; j) systemssecurity; k) lotterypremisesandwarehousesecurity; 1) securityindistribution; m) securityinvolvingvalidationandpaymentprocedures; n) securityinvolvingunclaimedprized; o) securityaspectsapplicabletoeachparticularlotterygame; p) securityofdrawingsingameswheneverwinnersaredetermined bydrawings; q) thecompletenessofsecurityagainstlocatingwinnersinlottery gameswithpreprintedwinnersbypersonsinvolvedintheir production,storage,distribution,administration,orsales;and r) anyotheraspectsofsecurityapplicabletoanyparticularlottery gameandtothelotteryanditsoperations. AuditScopeand Theauditwasconductedinaccordancewithgovernmentalauditing Methodology standardspublishedbytheUnitedStatesGeneralAccountingOffice. Anumberofprocedureswereperformedtoevaluateallaspectsof securityoverLotteryoperationsasrequiredbystatelaw,including reviewofsecuritypoliciesandprocedures,interviewingLottery managementandstaff,andreviewingdocumentation. Weevaluated compliancewithinternalsecuritypoliciesandprocedures,Multi- StateLotteryAssociation(MUSL)MinimumGameSecurity Pagel ChapterI-Introduction Standards.MontanaCashdrawingprocedures,andelectronicaccess controls. Wedeterminedtheimplementationstatusoftheprioraudit recommendationsregarding:contractoraccesstoGameManagement System(GMS);securityinvolvingvalidationandpayment procedures;computerandnetworksecurity;GMSUserAccess;and GMSPasswordSecurity. Employeefileswerereviewedtoensurecompliancewiththeinternal hiringprocedures,confirmingwhetherfiledocumentationis complete. OneoftheLottery'sprimarycontractorsisScientific GamesIncorporated(SGI). SGIprovidessupportformarketing,on- lineandinstantgames,retailernetworkcommunications,andsystem support. SGIalsohousestheequipmentthatpowerstheLottery operations. WeevaluatedphysicalsecurityovertheLottery premises,warehouseandSGIfacilities;andidentifiedaccess controlsinplacetoensurecontractorchangestothesystemare appropriateandauthorized. Weverifiedsecuritycontrolsoverthe proceduresforcommunicatingwinningnumbersfromLottery headquarterstoSGI. LotterypersonnelusetheGameManagement SystemtoaccessinformationmaintainedatSGI. Lotteryprocedures forestablishingandauthorizingaccesstoGMSwereexaminedto determinechangeaccesstocriticalGMSprocessesiscontrolled. Bothon-lineandinstantticketsmustbeinitiatedthroughalicensed terminalinorderforawinningtickettobevalidforpayout. We evaluatedticketvalidationproceduresandverifiedtheprocedures ensureticketsareauthentic. Weobservedticketredemptionand payouts,andverifiedcompliancewithvalidationandpayment procedures. Weidentifiedcontrolstoensureunclaimedprizesare transferredtothegeneralfund. Conclusion TheLotteryisinsubstantialcompliancewithstatelawandindustry standards,andsecuritycontrolsareinplacetoensuresecurityof Lotteryoperations. Thefollowingchaptersdiscussareasthatwould provideformoreeffectiveLotterysecurityoperations. Theareas include: Page2

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.