SlideShare a Scribd company logo

SWEDEN ONLINE - CERTIFICATION PROCESS

F
Filippo Ferri

This is the presentation that BMM testlab gave in March 2019 in Stockholm to an audience of gaming operators. It explains the process of having a gaming platform certified by by an accredited laboratory. It also looks at the paragraphs from the new regulations that specify requirements for risk assessment and change management. It also answers some frequently asked questions.

Technology
1 of 18
company confidential CERTIFICATION PROCESS THE SWEDISH LICENSE DAY March 2019
company confidential The Role of the Laboratory
company confidential Certification Process SWEEP OF TESTING Submission Testing Results SubmissionTesting Results … Sweep 1 Sweep 2 • Submission: Provision to BMM of the Object of Testing • Testing: activities performed by BMM to evaluate the Object of Testing for compliance • Results: BMM’s recap of testing results A sequence of submission, testing and results is referred to as Sweep of testing
company confidential Certification Process SUBMISSION – SUBMISSION MATERIAL The Submission represents the action, by the Operator (B2C/B2B), of providing BMM with the Object of Testing, meaning all the material needed in order to kick off the Testing phase. Depending on scope, technology used and Jurisdiction, the submission material may correspond to the following: • Complete Source Code and Binaries; • Access to the system (links, credentials); • Creation of accounts on the back office application/s to be used for tests purposes; • Test accounts with money available that can be used for testing purposes; • Documents/internal procedures based on Jurisdictional specific requirements; • Math documents (par-sheets); • Results forcing tool (if any).
company confidential Certification Process SUBMISSION – SUPERVISED BUILD AND INSTALL The Supervised Build and Install (SBI) is a process aiming to allow BMM to “take a picture” of the Object of Testing. The goal is to identify and track the direct relationship between: • The Object of Testing • The Results The need for a Supervised Build and Install is not related to a specific Jurisdictional Requirement. The Supervised Build and Install is necessary to satisfy BMM’s accreditation requirements derived from the ISO standards 17020/17025 The process consists of 2 subsequent steps: 1. The Supervised Compilation (Build) process; 2. The Supervised Deployment (install) process. Depending on the Technology used, The Supervised build and process is performed using different tools, i.e.: • Remote Desktop connection/sharing (VNC, Skype, TeamViewer etc.) • BMM Signatures tool (BMM digital signatures calculation tool, provided by BMM) • Secure transfer protocol (SFTP or other)
company confidential Certification Process SUBMISSION – SUPERVISED BUILD The Supervised Build is the process during which the Source code is located, hashed, built and provided. Through a recorded Remote Desktop Sharing session, a member of the BMM’s delivery team will observe the compilation (build) process performed by the Operator’s technical team. The source code object of the Supervised Build will be the one implementing the system modules responsible to fulfil the Jurisdictional Requirements in scope. For each part of the source code, the following steps will be performed: 1. Locate the source code root directory. Locate the destination folder, where the compilation output files (binaries) will be generated; 2. Hash the source code using one of the following algorithms: SHA-1, MD5; 3. Build (compile) the source code. The compilation process need to be run only on the source code files, not on any pre-compiled class or object files. Additionally, the compilation command need to be run in a verbose mode and the output need to be redirected to a .txt file (where applicable); 4. Hash the binaries output of the build (compilation) process; 5. Provide the source code, binaries and hashes to BMM (through SFTP, etc.). The above is a generic process. Alternative approaches can be discussed in order to accommodate needs deriving from specific technologies used or implementation.
company confidential Certification Process SUBMISSION – SUPERVISED INSTALL The Supervised Install is the process during which the Binaries, generated during the Supervised Build process, are deployed (installed) on the testing environment for BMM to access and commence the Testing phase. The Supervised Install process is performed during a recorded Remote Desktop Sharing session. A member of the BMM’s delivery team will observe the deployment (install) process performed by the Operator’s technical team. In case the Supervised Install process is performed through a different supervised session from the one used to perform the Supervised build, an additional step will occur. An additional “signatures check” will be performed on the deployed packages, to ensure the Binaries installed on the test environment match the ones produced during the Supervised build process. The above is a generic process. Alternative approaches can be discussed in order to accommodate needs deriving from specific technologies used or implementation.
company confidential Certification Process SUBMISSION – TO REMEMBER When it comes to a Certification Process based on Sweep of Tests, it’s important to remember: • the first step of the certification process is always the Supervised Build and Install. Beside few exceptions (i.e. documental reviews) the Testing phase cannot commence before the Supervised Build and Install is completed. • during the Testing phase, time between the Submission and Results phases, no changes are allowed to the supervised system. However, If urgent updates have to be applied to the supervised system during the sweep of tests, they have to be announced and agreed with BMM in advance; In case Non Compliances (DIRTS/ISSUES) have been discovered during a sweep of tests, the Operator has the right to modify the supervised platform in order to fix them, as long as the current Sweep of tests has been completed
company confidential Certification Process TESTING PHASE The Testing phase defines the activities performed between the Submission and Results phases. During the Testing phase, BMM Engineers commence the actual evaluation (functional and security) of the Object of Testing provided during the Submission phase. During this process, a specific set of testing activities are ran on the Object of Testing in order to verify the compliance against the Jurisdictional Requirements in scope. Depending on the product submitted and the overall scope, the activities could vary among: • Source code review • Artwork review • Combination testing (Emulation) • Math evaluation (RTP% calculation) • Random Number Generator (RNG) mathematical evaluation • Registration/Transactions • Games deactivation/interruption • Generation of data reports (account related, gaming related, finance related, etc.) • Documentation review • Security audits (on-site / remote) • Security assessments During the Testing phase, no changes are allowed to the supervised system (except pre-agreed monitored exceptions). Applying uncontrolled and unsupervised changes on the Object of Testing during the Testing phase might result on the invalidation of the related results, with the consequent need of repeating the testing already performed.
company confidential Certification Process RESULTS PHASE The Results phase is the last phase of the Sweep of Tests and consists of a combined analysis, between BMM and the Operator, on the non-conformities (DIRTS/ISSUE) eventually discovered during the Testing phase. Non-conformities could be of different kind: • DIRTs (issue): this type of non-conformity defines aspects of the system that does not comply with a specific Jurisdictional Requirement in scope. The Operator is forced to fix these non-conformities in order to obtain the final Certification Report (except particular scenarios for specific Jurisdictions). • Observations: This type of non-conformity defines aspects of the system that: • Either partially comply with a specific Jurisdictional Requirement in scope • Either are not clear or do not properly function but do not affect any of the Jurisdictional Requirements in scope The Operator is not forced to fix these non-conformities in order to obtain the final Certification Report. During the Sweep of Tests the Non-conformities are communicated to the Operator in two different moments: • Regularly (monthly weekly, every other day, etc.) during the Sweep of tests • Through a non-conformity Report at the end of the Sweep of Test The Operator is not allowed to deploy the fixes on the testing environment until the current Sweep of Tests is completed.
company confidential Certification Process SECURITY – INFORMATION SECURITY MANAGEMENT SYSTEM The Information Security Management System (ISMS) audit is an activity, usually performed on-site, performed to verify that the Operator’s Information Security framework complies with a combination of the ISO 27001 standard and, eventually, additional specific Jurisdictional Requirements. The ISMS audit is not a technical audit. It is conducted through a combination of policies/procedures/samples review and face to face interviews with relevant Operator’s staff responsible for Information Security. The audit spread across the following areas: • Protection of information • Personnel administration • Access restrictions • Authentication • Communication and operation • Storage of registered inforamtion, events and logs • Time reference According to the Swedish Regulation, an organization holding a valid ISO/IEC 27001:2013, covers all the areas above, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory.
company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT The Vulnerability and risk assessment process consists in the Operator evaluating and rating the criticality of the Components baseline according to best industry practices. The Swedish regulator suggests the use of the technique described in the ISO 31000:2009 standard. BMM will review two aspects: • the documents framework describing the technique used for vulnerability and risk assessment; • the Components baseline according to Chapter 5 of the LIFS 2018:8, to verify the following information is provided for each component included in the baseline:  a definition of the information asset;  a unique identification number;  a version number;  identifying features of the information asset;  decision maker entitled to make decisions regarding changes in the information asset;  internal risk evaluation;  checksum for information assets classified as some relevance or high relevance.  the geographical location of physical information assets. According to the Swedish Regulation, an organization holding a valid ISO/IEC 27001:2013, covers all the areas above, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory.
company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT – COMPONENTS CRITICALITY According to ISO 31000:2009 and the Swedish standard, when rating the criticality of a component, 4 attributes need to be taken into account: • Integrity - the integrity of the gambling system, it’s functionality and the information stored in the gambling system. • Availability - the availability of information concerning the customer. • Confidentiality - confidential information concerning the customer (e.g. identification and transaction information). • Accountability - user activity (including customers, personnel and third parties) in relation to the component. Each component shall be assigned a relevance code on the scale below based on the component’s role in achieving or ensuring each of the above criteria: • 1: no relevance - the component can have no negative impact on the criteria, • 2: some relevance - the component can have an impact on the criteria, • 3: substantial relevance - the criteria is related to or dependent on the component. The highest relevance code of the four criteria determines the classification of the component The classification of the Components is Operator’s responsibility.
company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT – ISO VALIDATION According to the Swedish Regulation, an Operator holding a valid ISO/IEC 27001:2013, covering all the requirements of Chapter 4, 5 and 6 of the LIFS 2018:8, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory. What does BMM do to validate an Operator that is already ISO 27001:2013 certified? • BMM requests the ISO certificate, associated Risk Assessment and Scope of Applicability; • BMM evaluates the validity of the ISO certificate • BMM determines if the implemented ISMS covers (based on the Scope of Applicability) every requirement for the chapters 4, 5 and 6 of the LIFS 2018:8.
company confidential Certification Process CHANGE MANAGEMENT 1 Year L H Production Environment Testing Environment 1.0 1.0 L 1.1 H 1.1 L 1.1 L H 1.1 1.1 L H 1.1 1.3 L H 1.1 1.4 L 1.3 L 1.4 C 1.2 L H 1.2 1.4 L 2.0 H 2.0 L H 2.0 2.0 • Any change to High Relevant Components needs to be certified before the deployment to Production Env. • Changes to Low Relevance Components can be deployed to Production Env. without certification • After 1 year, both High and Low relevance components must be re-certified This didn’t change and remained the old version because the new one needs certification before going to production! Now it changes cause the new version has been certified
company confidential FAQ SECURITY – VULNERABILITY AND RISK ASSESSMENT – CLOUD SYSTEMS The Swedish regulation does not provide much information with regards the classification of components in case of CLOUD solutions are adopted. The only paragraph available in LIFS 2018:8 on this regard states: “Depending on whether and how virtualization, e.g. cloud services, is used in the gambling and ERP systems, redundancy and availability of data may be affected. Different methods of virtualization may entail different classifications of an information asset. The license holder should be attentive to how the classification of a hardware information asset is affected and possibly changed depending on the internal or external selection or development of virtualization. If an external cloud service provider is used, it should be ensured that they meet the requirements set out in the regulations.” Due to the similarities between the Swedish and Danish standards, a good practice to assess Components residing on CLOUD solutions can be found in the Danish standard SCP.06.00.EN.1.1, specifically paragraph 3.3.4. The Danish regulation distinguishes between 2 CLOUD solutions: PRIVATE and PUBLIC. For further information on the Danish standard with regards CLOUD solutions, please contact Francesco Bianchi at Francesco.bianchi@bmm.com
company confidential FAQ SECURITY – COMPONENTS REGISTER AND B2B PROVIDERS “If a B2B game supplier is NOT certified according to chapter 4-6 in LIFS 2018:8, does all the Information Assets of the B2B supplier need to be incorporated in the operators’ IA register, and does changes to these Information Assets need to be handled within the operators certified change process? If yes, do you see this to be possible to execute in practice? Not the least, since a B2B supplier can have multiple operators as customers” What are the advantages of a B2B that was independently tested against chapters 4-6 of LIFS 2018:9? • The IA register of the B2B is already defined and can be incorporated as is in the Operator’s one; • Whenever the B2B provider proposes a change to a component in the IA Register, the Operator will have a higher confidence that the risk assessment and criticality evaluation of the change has been performed following a change management process compliant with the Swedish regulation. • Last but not least, the Information Security Management System (Chapter 4) that will be performed on the Operator’s system will not have to include the infrastructure of the B2B provider Also in this case, the Danish regulation provides a definition of good practices to be applied to properly manage the relationship between B2Cs and B2Bs in the context of the change management: SCP.06.00.EN.1.1, specifically paragraphs 4.3.1 and 4.3.2. For further information please contact Francesco Bianchi at Francesco.bianchi@bmm.com
company confidential Questions?

Recommended

019113
019113019113
019113Gholamhossain Emami
 
Qualification
QualificationQualification
QualificationAsad Mulla
 
Kelis king - a storehouse of vast knowledge on software testing and quality ...
Kelis king - a storehouse of vast knowledge on software testing and quality ...Kelis king - a storehouse of vast knowledge on software testing and quality ...
Kelis king - a storehouse of vast knowledge on software testing and quality ...KelisKing
 
Computer System Validation - The Validation Master Plan
Computer System Validation - The Validation Master PlanComputer System Validation - The Validation Master Plan
Computer System Validation - The Validation Master PlanWolfgang Kuchinke
 
computer system validation
computer system validationcomputer system validation
computer system validationGopal Patel
 
Executing Validation of GxP Systems Electronically using SharePoint
Executing Validation of GxP Systems Electronically using SharePointExecuting Validation of GxP Systems Electronically using SharePoint
Executing Validation of GxP Systems Electronically using SharePointMontrium
 
Ispe sf ch_gamp
Ispe sf ch_gampIspe sf ch_gamp
Ispe sf ch_gampJeetesh kumar singh
 
Gamp Riskbased Approch To Validation
Gamp Riskbased Approch To ValidationGamp Riskbased Approch To Validation
Gamp Riskbased Approch To ValidationRajendra Sadare
 

Recommended

019113
019113019113
019113Gholamhossain Emami
 
Qualification
QualificationQualification
QualificationAsad Mulla
 
Kelis king - a storehouse of vast knowledge on software testing and quality ...
Kelis king - a storehouse of vast knowledge on software testing and quality ...Kelis king - a storehouse of vast knowledge on software testing and quality ...
Kelis king - a storehouse of vast knowledge on software testing and quality ...KelisKing
 
Computer System Validation - The Validation Master Plan
Computer System Validation - The Validation Master PlanComputer System Validation - The Validation Master Plan
Computer System Validation - The Validation Master PlanWolfgang Kuchinke
 
computer system validation
computer system validationcomputer system validation
computer system validationGopal Patel
 
Executing Validation of GxP Systems Electronically using SharePoint
Executing Validation of GxP Systems Electronically using SharePointExecuting Validation of GxP Systems Electronically using SharePoint
Executing Validation of GxP Systems Electronically using SharePointMontrium
 
Ispe sf ch_gamp
Ispe sf ch_gampIspe sf ch_gamp
Ispe sf ch_gampJeetesh kumar singh
 
Gamp Riskbased Approch To Validation
Gamp Riskbased Approch To ValidationGamp Riskbased Approch To Validation
Gamp Riskbased Approch To ValidationRajendra Sadare
 
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)David Stokes
 
Practical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile DevicesPractical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile DevicesJohan Hoberg
 
Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Raul Soto
 
SharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle ManagementSharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle ManagementMontrium
 
Bli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-enBli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-enBLI.IT
 
Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics Anand Pandya
 
Analytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System ValidationAnalytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System ValidationComplianceOnline
 
Validating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences ApplicationsValidating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences ApplicationsMontrium
 
IT Validation Training
IT Validation TrainingIT Validation Training
IT Validation TrainingRobert Sturm
 
Difference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning InspectionDifference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning InspectionOlivia Wilson
 
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideOverview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideProPharma Group
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Mi audit checklist
Mi audit checklistMi audit checklist
Mi audit checklistNor Dalalina Musa
 
Validation : Project Management
Validation : Project ManagementValidation : Project Management
Validation : Project ManagementDipen Shroff
 
Continuous validation of office 365
Continuous validation of office 365Continuous validation of office 365
Continuous validation of office 365Montrium
 
Qualification for validation
Qualification for validationQualification for validation
Qualification for validationInstitute Of Pharmacy, Nirma University
 
Michael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G NetworksMichael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G NetworksTEST Huddle
 
Managing software project, software engineering
Managing software project, software engineeringManaging software project, software engineering
Managing software project, software engineeringRupesh Vaishnav
 
CSV Audit Presentation
CSV Audit PresentationCSV Audit Presentation
CSV Audit PresentationRobert Ruemer
 
MOC2016_v2
MOC2016_v2MOC2016_v2
MOC2016_v2Sean Cull
 
Testing Process
Testing ProcessTesting Process
Testing Processmaheshpadwal
 
The good the bad and the ugly - final
The good the bad and the ugly - finalThe good the bad and the ugly - final
The good the bad and the ugly - finalAndre Verschelling
 

More Related Content

What's hot

ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)David Stokes
 
Practical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile DevicesPractical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile DevicesJohan Hoberg
 
Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Raul Soto
 
SharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle ManagementSharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle ManagementMontrium
 
Bli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-enBli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-enBLI.IT
 
Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics Anand Pandya
 
Analytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System ValidationAnalytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System ValidationComplianceOnline
 
Validating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences ApplicationsValidating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences ApplicationsMontrium
 
IT Validation Training
IT Validation TrainingIT Validation Training
IT Validation TrainingRobert Sturm
 
Difference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning InspectionDifference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning InspectionOlivia Wilson
 
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideOverview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideProPharma Group
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Validation : Project Management
Validation : Project ManagementValidation : Project Management
Validation : Project ManagementDipen Shroff
 
Continuous validation of office 365
Continuous validation of office 365Continuous validation of office 365
Continuous validation of office 365Montrium
 
Michael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G NetworksMichael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G NetworksTEST Huddle
 
Managing software project, software engineering
Managing software project, software engineeringManaging software project, software engineering
Managing software project, software engineeringRupesh Vaishnav
 
CSV Audit Presentation
CSV Audit PresentationCSV Audit Presentation
CSV Audit PresentationRobert Ruemer
 

What's hot (20)

ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
ISPE-CCPIE China Conference 2010 (Stokes-GAMP Legacy Systems - English)
 
Practical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile DevicesPractical Testing Definition for Mobile Devices
Practical Testing Definition for Mobile Devices
 
Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)
 
SharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle ManagementSharePoint for Pharma - Computer System Life Cycle Management
SharePoint for Pharma - Computer System Life Cycle Management
 
Bli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-enBli.it concepts-regarding-gamp-guide-en
Bli.it concepts-regarding-gamp-guide-en
 
Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics Computerized System Validation : Understanding basics
Computerized System Validation : Understanding basics
 
Analytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System ValidationAnalytical Instrument Qualification and System Validation
Analytical Instrument Qualification and System Validation
 
Validating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences ApplicationsValidating SharePoint for Regulated Life Sciences Applications
Validating SharePoint for Regulated Life Sciences Applications
 
IT Validation Training
IT Validation TrainingIT Validation Training
IT Validation Training
 
Difference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning InspectionDifference Between Quality Control Inspection and Commissioning Inspection
Difference Between Quality Control Inspection and Commissioning Inspection
 
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideOverview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Mi audit checklist
Mi audit checklistMi audit checklist
Mi audit checklist
 
Validation : Project Management
Validation : Project ManagementValidation : Project Management
Validation : Project Management
 
Continuous validation of office 365
Continuous validation of office 365Continuous validation of office 365
Continuous validation of office 365
 
Qualification for validation
Qualification for validationQualification for validation
Qualification for validation
 
Michael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G NetworksMichael Monaghan - Evolution of New Feature Verification in 3G Networks
Michael Monaghan - Evolution of New Feature Verification in 3G Networks
 
Managing software project, software engineering
Managing software project, software engineeringManaging software project, software engineering
Managing software project, software engineering
 
CSV Audit Presentation
CSV Audit PresentationCSV Audit Presentation
CSV Audit Presentation
 
MOC2016_v2
MOC2016_v2MOC2016_v2
MOC2016_v2
 

Similar to SWEDEN ONLINE - CERTIFICATION PROCESS

The good the bad and the ugly - final
The good the bad and the ugly - finalThe good the bad and the ugly - final
The good the bad and the ugly - finalAndre Verschelling
 
E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...Dolly Juhu
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxPriyaFulpagare1
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortVeeva Systems
 
Manual testing concepts course 1
Manual testing concepts course 1Manual testing concepts course 1
Manual testing concepts course 1Raghu Kiran
 
Equipment qualification of medical device
Equipment qualification of medical deviceEquipment qualification of medical device
Equipment qualification of medical deviceNahri Musyrif
 
Health Care Project Testing Process
Health Care Project Testing ProcessHealth Care Project Testing Process
Health Care Project Testing ProcessH2Kinfosys
 
Project Pluto Will Adopt The Incremental Build Model Essay
Project Pluto Will Adopt The Incremental Build Model EssayProject Pluto Will Adopt The Incremental Build Model Essay
Project Pluto Will Adopt The Incremental Build Model EssayDiane Allen
 
Software testing methods, levels and types
Software testing methods, levels and typesSoftware testing methods, levels and types
Software testing methods, levels and typesConfiz
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog Ramdas Mozhikunnath
 
Pwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learnedPwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learnedAvi Kumar
 
Taking the Mystery Out of CMMS Validation
Taking the Mystery Out of CMMS ValidationTaking the Mystery Out of CMMS Validation
Taking the Mystery Out of CMMS ValidationSmartware Group, Inc.
 
Role of Testing
Role of Testing Role of Testing
Role of Testing Rishu Seth
 

Similar to SWEDEN ONLINE - CERTIFICATION PROCESS (20)

Testing Process
Testing ProcessTesting Process
Testing Process
 
The good the bad and the ugly - final
The good the bad and the ugly - finalThe good the bad and the ugly - final
The good the bad and the ugly - final
 
E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
 
unit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptxunit-2_20-july-2018 (1).pptx
unit-2_20-july-2018 (1).pptx
 
Equipment qualification
Equipment qualificationEquipment qualification
Equipment qualification
 
Equipment qualification
Equipment qualificationEquipment qualification
Equipment qualification
 
T24 Temenos Methodology Overview
T24 Temenos Methodology OverviewT24 Temenos Methodology Overview
T24 Temenos Methodology Overview
 
Cloud Testing Research
Cloud Testing ResearchCloud Testing Research
Cloud Testing Research
 
Validation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effortValidation strategies for cloud-based EDCs: more innovation, less effort
Validation strategies for cloud-based EDCs: more innovation, less effort
 
Manual testing concepts course 1
Manual testing concepts course 1Manual testing concepts course 1
Manual testing concepts course 1
 
Equipment qualification of medical device
Equipment qualification of medical deviceEquipment qualification of medical device
Equipment qualification of medical device
 
Testing Standards List
Testing Standards ListTesting Standards List
Testing Standards List
 
Health Care Project Testing Process
Health Care Project Testing ProcessHealth Care Project Testing Process
Health Care Project Testing Process
 
Verification process
Verification processVerification process
Verification process
 
Project Pluto Will Adopt The Incremental Build Model Essay
Project Pluto Will Adopt The Incremental Build Model EssayProject Pluto Will Adopt The Incremental Build Model Essay
Project Pluto Will Adopt The Incremental Build Model Essay
 
Software testing methods, levels and types
Software testing methods, levels and typesSoftware testing methods, levels and types
Software testing methods, levels and types
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog
 
Pwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learnedPwc systems-implementation-lessons-learned
Pwc systems-implementation-lessons-learned
 
Taking the Mystery Out of CMMS Validation
Taking the Mystery Out of CMMS ValidationTaking the Mystery Out of CMMS Validation
Taking the Mystery Out of CMMS Validation
 
Role of Testing
Role of Testing Role of Testing
Role of Testing
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

SWEDEN ONLINE - CERTIFICATION PROCESS

  • 1. company confidential CERTIFICATION PROCESS THE SWEDISH LICENSE DAY March 2019
  • 2. company confidential The Role of the Laboratory
  • 3. company confidential Certification Process SWEEP OF TESTING Submission Testing Results SubmissionTesting Results … Sweep 1 Sweep 2 • Submission: Provision to BMM of the Object of Testing • Testing: activities performed by BMM to evaluate the Object of Testing for compliance • Results: BMM’s recap of testing results A sequence of submission, testing and results is referred to as Sweep of testing
  • 4. company confidential Certification Process SUBMISSION – SUBMISSION MATERIAL The Submission represents the action, by the Operator (B2C/B2B), of providing BMM with the Object of Testing, meaning all the material needed in order to kick off the Testing phase. Depending on scope, technology used and Jurisdiction, the submission material may correspond to the following: • Complete Source Code and Binaries; • Access to the system (links, credentials); • Creation of accounts on the back office application/s to be used for tests purposes; • Test accounts with money available that can be used for testing purposes; • Documents/internal procedures based on Jurisdictional specific requirements; • Math documents (par-sheets); • Results forcing tool (if any).
  • 5. company confidential Certification Process SUBMISSION – SUPERVISED BUILD AND INSTALL The Supervised Build and Install (SBI) is a process aiming to allow BMM to “take a picture” of the Object of Testing. The goal is to identify and track the direct relationship between: • The Object of Testing • The Results The need for a Supervised Build and Install is not related to a specific Jurisdictional Requirement. The Supervised Build and Install is necessary to satisfy BMM’s accreditation requirements derived from the ISO standards 17020/17025 The process consists of 2 subsequent steps: 1. The Supervised Compilation (Build) process; 2. The Supervised Deployment (install) process. Depending on the Technology used, The Supervised build and process is performed using different tools, i.e.: • Remote Desktop connection/sharing (VNC, Skype, TeamViewer etc.) • BMM Signatures tool (BMM digital signatures calculation tool, provided by BMM) • Secure transfer protocol (SFTP or other)
  • 6. company confidential Certification Process SUBMISSION – SUPERVISED BUILD The Supervised Build is the process during which the Source code is located, hashed, built and provided. Through a recorded Remote Desktop Sharing session, a member of the BMM’s delivery team will observe the compilation (build) process performed by the Operator’s technical team. The source code object of the Supervised Build will be the one implementing the system modules responsible to fulfil the Jurisdictional Requirements in scope. For each part of the source code, the following steps will be performed: 1. Locate the source code root directory. Locate the destination folder, where the compilation output files (binaries) will be generated; 2. Hash the source code using one of the following algorithms: SHA-1, MD5; 3. Build (compile) the source code. The compilation process need to be run only on the source code files, not on any pre-compiled class or object files. Additionally, the compilation command need to be run in a verbose mode and the output need to be redirected to a .txt file (where applicable); 4. Hash the binaries output of the build (compilation) process; 5. Provide the source code, binaries and hashes to BMM (through SFTP, etc.). The above is a generic process. Alternative approaches can be discussed in order to accommodate needs deriving from specific technologies used or implementation.
  • 7. company confidential Certification Process SUBMISSION – SUPERVISED INSTALL The Supervised Install is the process during which the Binaries, generated during the Supervised Build process, are deployed (installed) on the testing environment for BMM to access and commence the Testing phase. The Supervised Install process is performed during a recorded Remote Desktop Sharing session. A member of the BMM’s delivery team will observe the deployment (install) process performed by the Operator’s technical team. In case the Supervised Install process is performed through a different supervised session from the one used to perform the Supervised build, an additional step will occur. An additional “signatures check” will be performed on the deployed packages, to ensure the Binaries installed on the test environment match the ones produced during the Supervised build process. The above is a generic process. Alternative approaches can be discussed in order to accommodate needs deriving from specific technologies used or implementation.
  • 8. company confidential Certification Process SUBMISSION – TO REMEMBER When it comes to a Certification Process based on Sweep of Tests, it’s important to remember: • the first step of the certification process is always the Supervised Build and Install. Beside few exceptions (i.e. documental reviews) the Testing phase cannot commence before the Supervised Build and Install is completed. • during the Testing phase, time between the Submission and Results phases, no changes are allowed to the supervised system. However, If urgent updates have to be applied to the supervised system during the sweep of tests, they have to be announced and agreed with BMM in advance; In case Non Compliances (DIRTS/ISSUES) have been discovered during a sweep of tests, the Operator has the right to modify the supervised platform in order to fix them, as long as the current Sweep of tests has been completed
  • 9. company confidential Certification Process TESTING PHASE The Testing phase defines the activities performed between the Submission and Results phases. During the Testing phase, BMM Engineers commence the actual evaluation (functional and security) of the Object of Testing provided during the Submission phase. During this process, a specific set of testing activities are ran on the Object of Testing in order to verify the compliance against the Jurisdictional Requirements in scope. Depending on the product submitted and the overall scope, the activities could vary among: • Source code review • Artwork review • Combination testing (Emulation) • Math evaluation (RTP% calculation) • Random Number Generator (RNG) mathematical evaluation • Registration/Transactions • Games deactivation/interruption • Generation of data reports (account related, gaming related, finance related, etc.) • Documentation review • Security audits (on-site / remote) • Security assessments During the Testing phase, no changes are allowed to the supervised system (except pre-agreed monitored exceptions). Applying uncontrolled and unsupervised changes on the Object of Testing during the Testing phase might result on the invalidation of the related results, with the consequent need of repeating the testing already performed.
  • 10. company confidential Certification Process RESULTS PHASE The Results phase is the last phase of the Sweep of Tests and consists of a combined analysis, between BMM and the Operator, on the non-conformities (DIRTS/ISSUE) eventually discovered during the Testing phase. Non-conformities could be of different kind: • DIRTs (issue): this type of non-conformity defines aspects of the system that does not comply with a specific Jurisdictional Requirement in scope. The Operator is forced to fix these non-conformities in order to obtain the final Certification Report (except particular scenarios for specific Jurisdictions). • Observations: This type of non-conformity defines aspects of the system that: • Either partially comply with a specific Jurisdictional Requirement in scope • Either are not clear or do not properly function but do not affect any of the Jurisdictional Requirements in scope The Operator is not forced to fix these non-conformities in order to obtain the final Certification Report. During the Sweep of Tests the Non-conformities are communicated to the Operator in two different moments: • Regularly (monthly weekly, every other day, etc.) during the Sweep of tests • Through a non-conformity Report at the end of the Sweep of Test The Operator is not allowed to deploy the fixes on the testing environment until the current Sweep of Tests is completed.
  • 11. company confidential Certification Process SECURITY – INFORMATION SECURITY MANAGEMENT SYSTEM The Information Security Management System (ISMS) audit is an activity, usually performed on-site, performed to verify that the Operator’s Information Security framework complies with a combination of the ISO 27001 standard and, eventually, additional specific Jurisdictional Requirements. The ISMS audit is not a technical audit. It is conducted through a combination of policies/procedures/samples review and face to face interviews with relevant Operator’s staff responsible for Information Security. The audit spread across the following areas: • Protection of information • Personnel administration • Access restrictions • Authentication • Communication and operation • Storage of registered inforamtion, events and logs • Time reference According to the Swedish Regulation, an organization holding a valid ISO/IEC 27001:2013, covers all the areas above, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory.
  • 12. company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT The Vulnerability and risk assessment process consists in the Operator evaluating and rating the criticality of the Components baseline according to best industry practices. The Swedish regulator suggests the use of the technique described in the ISO 31000:2009 standard. BMM will review two aspects: • the documents framework describing the technique used for vulnerability and risk assessment; • the Components baseline according to Chapter 5 of the LIFS 2018:8, to verify the following information is provided for each component included in the baseline:  a definition of the information asset;  a unique identification number;  a version number;  identifying features of the information asset;  decision maker entitled to make decisions regarding changes in the information asset;  internal risk evaluation;  checksum for information assets classified as some relevance or high relevance.  the geographical location of physical information assets. According to the Swedish Regulation, an organization holding a valid ISO/IEC 27001:2013, covers all the areas above, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory.
  • 13. company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT – COMPONENTS CRITICALITY According to ISO 31000:2009 and the Swedish standard, when rating the criticality of a component, 4 attributes need to be taken into account: • Integrity - the integrity of the gambling system, it’s functionality and the information stored in the gambling system. • Availability - the availability of information concerning the customer. • Confidentiality - confidential information concerning the customer (e.g. identification and transaction information). • Accountability - user activity (including customers, personnel and third parties) in relation to the component. Each component shall be assigned a relevance code on the scale below based on the component’s role in achieving or ensuring each of the above criteria: • 1: no relevance - the component can have no negative impact on the criteria, • 2: some relevance - the component can have an impact on the criteria, • 3: substantial relevance - the criteria is related to or dependent on the component. The highest relevance code of the four criteria determines the classification of the component The classification of the Components is Operator’s responsibility.
  • 14. company confidential Certification Process SECURITY – VULNERABILITY AND RISK ASSESSMENT – ISO VALIDATION According to the Swedish Regulation, an Operator holding a valid ISO/IEC 27001:2013, covering all the requirements of Chapter 4, 5 and 6 of the LIFS 2018:8, will be considered compliant, as long as the certificate, associated risk assessment and Scope of Applicability are evaluated by an accredited laboratory. What does BMM do to validate an Operator that is already ISO 27001:2013 certified? • BMM requests the ISO certificate, associated Risk Assessment and Scope of Applicability; • BMM evaluates the validity of the ISO certificate • BMM determines if the implemented ISMS covers (based on the Scope of Applicability) every requirement for the chapters 4, 5 and 6 of the LIFS 2018:8.
  • 15. company confidential Certification Process CHANGE MANAGEMENT 1 Year L H Production Environment Testing Environment 1.0 1.0 L 1.1 H 1.1 L 1.1 L H 1.1 1.1 L H 1.1 1.3 L H 1.1 1.4 L 1.3 L 1.4 C 1.2 L H 1.2 1.4 L 2.0 H 2.0 L H 2.0 2.0 • Any change to High Relevant Components needs to be certified before the deployment to Production Env. • Changes to Low Relevance Components can be deployed to Production Env. without certification • After 1 year, both High and Low relevance components must be re-certified This didn’t change and remained the old version because the new one needs certification before going to production! Now it changes cause the new version has been certified
  • 16. company confidential FAQ SECURITY – VULNERABILITY AND RISK ASSESSMENT – CLOUD SYSTEMS The Swedish regulation does not provide much information with regards the classification of components in case of CLOUD solutions are adopted. The only paragraph available in LIFS 2018:8 on this regard states: “Depending on whether and how virtualization, e.g. cloud services, is used in the gambling and ERP systems, redundancy and availability of data may be affected. Different methods of virtualization may entail different classifications of an information asset. The license holder should be attentive to how the classification of a hardware information asset is affected and possibly changed depending on the internal or external selection or development of virtualization. If an external cloud service provider is used, it should be ensured that they meet the requirements set out in the regulations.” Due to the similarities between the Swedish and Danish standards, a good practice to assess Components residing on CLOUD solutions can be found in the Danish standard SCP.06.00.EN.1.1, specifically paragraph 3.3.4. The Danish regulation distinguishes between 2 CLOUD solutions: PRIVATE and PUBLIC. For further information on the Danish standard with regards CLOUD solutions, please contact Francesco Bianchi at Francesco.bianchi@bmm.com
  • 17. company confidential FAQ SECURITY – COMPONENTS REGISTER AND B2B PROVIDERS “If a B2B game supplier is NOT certified according to chapter 4-6 in LIFS 2018:8, does all the Information Assets of the B2B supplier need to be incorporated in the operators’ IA register, and does changes to these Information Assets need to be handled within the operators certified change process? If yes, do you see this to be possible to execute in practice? Not the least, since a B2B supplier can have multiple operators as customers” What are the advantages of a B2B that was independently tested against chapters 4-6 of LIFS 2018:9? • The IA register of the B2B is already defined and can be incorporated as is in the Operator’s one; • Whenever the B2B provider proposes a change to a component in the IA Register, the Operator will have a higher confidence that the risk assessment and criticality evaluation of the change has been performed following a change management process compliant with the Swedish regulation. • Last but not least, the Information Security Management System (Chapter 4) that will be performed on the Operator’s system will not have to include the infrastructure of the B2B provider Also in this case, the Danish regulation provides a definition of good practices to be applied to properly manage the relationship between B2Cs and B2Bs in the context of the change management: SCP.06.00.EN.1.1, specifically paragraphs 4.3.1 and 4.3.2. For further information please contact Francesco Bianchi at Francesco.bianchi@bmm.com