Legislative Audit Division
State of Montana
Report to the Legislature
October 2001

Information System Audit
Montana Lottery Security
Department of Commerce, through June 30, 2001
Department of Administration, effective July 1, 2001

This report contains information regarding the security controls over Montana Lottery operations. The report concludes controls are in place, which ensure the overall security of Montana Lottery operations.

Direct comments/inquiries to:
Legislative Audit Division
Room 160, State Capitol
PO Box 201705
Helena MT 59620-1705

OlDP-07

Help eliminate fraud, waste, and abuse in state government. Call the Fraud Hotline at 1-800-222- statewide or 444-4446 in Helena.

INFORMATION SYSTEM AUDITS

Information System (IS) audits conducted by the Legislative Audit Division are designed to assess controls in an IS environment. IS controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the IS audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business, accounting and computer science.

IS audits are performed as stand-alone audits of IS controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.
MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

LEGISLATIVE AUDIT DIVISION

Scott A. Seacat, Legislative Auditor
John W. Northey, Legal Counsel

Deputy Legislative Auditors:
Pellegrini, Performance Audit
Tori Hunthausen, IS Audit & Operations
James Gillett, Financial-Compliance Audit

October 2001

The Legislative Audit Committee
of the Montana State Legislature:

This is the report of our security audit over the operation of the Montana Lottery. The report concludes controls are in place to ensure the security of the Montana Lottery operations and includes four recommendations for improving compliance with internal policies and procedures. The Lottery response to the audit report is contained at the end of the report.

We wish to express our appreciation to the staff of the Lottery for their cooperation and assistance.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor

Room 160, State Capitol Building, PO Box 201705, Helena, MT 59620-1705
Phone (406) 444-3122

Members of the audit staff involved in this audit were Debra Blossom and Jessica Solem.

Table of Contents

Appointed and Administrative Officials
Chapter I - Introduction
    Introduction
    Audit Objectives
    Audit Scope and Methodology
    Conclusion
Chapter II - Background
    Background
    Instant Games
    On-Line Games
    Computer Operations
    GMS
    Internal Control System
    Prior Audit Recommendations
    Recommendations Implemented
    Recommendations Partially Implemented
Chapter III - Security Controls
    Introduction
    Compliance with Internal Procedures
    On-Line Paper Ticket Stock Security
    Non-Players Database
    Access Security Controls
    ICS Access
    GMS Access
Agency Response
    Montana Lottery

Appointed and Administrative Officials

Montana Lottery Commission

Chapter I - Introduction

Introduction

State law requires the Legislative Audit Division to conduct a comprehensive audit of all aspects of security in the operation of the Montana Lottery (Lottery) every two years. This is the sixth audit completed since the Lottery's inception in 1987.
Audit Objectives

As required by state law, we evaluated the security controls over the Montana Lottery operations. Our primary objective was to evaluate whether security controls exist over the areas specifically enumerated in section 23-7-411, MCA:

a) personnel security;
b) lottery sales agent security;
c) lottery contractor security;
d) security of manufacturing operations of lottery contractors;
e) security against ticket or chance counterfeiting and alteration and other means of fraudulently winning;
f) security of drawings among entries or finalists;
g) computer security;
h) data communications security;
i) database security;
j) systems security;
k) lottery premises and warehouse security;
l) security in distribution;
m) security involving validation and payment procedures;
n) security involving unclaimed prizes;
o) security aspects applicable to each particular lottery game;
p) security of drawings in games whenever winners are determined by drawings;
q) the completeness of security against locating winners in lottery games with preprinted winners by persons involved in their production, storage, distribution, administration, or sales; and
r) any other aspects of security applicable to any particular lottery game and to the lottery and its operations.

Audit Scope and Methodology

The audit was conducted in accordance with governmental auditing standards published by the United States General Accounting Office. A number of procedures were performed to evaluate all aspects of security over Lottery operations as required by state law, including review of security policies and procedures, interviewing Lottery management and staff, and reviewing documentation. We evaluated compliance with internal security policies and procedures, Multi-State Lottery Association (MUSL) Minimum Game Security Standards, Montana Cash drawing procedures, and electronic access controls.

We determined the implementation status of the prior audit recommendations regarding: contractor access to Game Management System (GMS); security involving validation and payment procedures; computer and network security; GMS User Access; and GMS Password Security.
Employee files were reviewed to ensure compliance with the internal hiring procedures, confirming whether file documentation is complete.

One of the Lottery's primary contractors is Scientific Games Incorporated (SGI). SGI provides support for marketing, on-line and instant games, retailer network communications, and system support. SGI also houses the equipment that powers the Lottery operations. We evaluated physical security over the Lottery premises, warehouse and SGI facilities; and identified access controls in place to ensure contractor changes to the system are appropriate and authorized. We verified security controls over the procedures for communicating winning numbers from Lottery headquarters to SGI.

Lottery personnel use the Game Management System to access information maintained at SGI. Lottery procedures for establishing and authorizing access to GMS were examined to determine change access to critical GMS processes is controlled.

Both on-line and instant tickets must be initiated through a licensed terminal in order for a winning ticket to be valid for payout. We evaluated ticket validation procedures and verified the procedures ensure tickets are authentic. We observed ticket redemption and payouts, and verified compliance with validation and payment procedures. We identified controls to ensure unclaimed prizes are transferred to the general fund.

Conclusion

The Lottery is in substantial compliance with state law and industry standards, and security controls are in place to ensure security of Lottery operations. The following chapters discuss areas that would provide for more effective Lottery security operations. The areas include: