Public Gaming November/December 2020

21 PUBLIC GAMING INTERNATIONAL • NOVEMBER/DECEMBER 2020 A new collaboration between the Multi-State Lottery Association (MUSL) and the World Lottery Association (WLA) has advanced a common goal of more uniform security and risk management standards across the lottery industry. So what does it mean for U.S. lotteries that sell Powerball? More efficient Rule 2 reviews and, for Rule 2-compliant lotteries, the opportunity to apply for WLA Security Control Standard Level 1 certification. The discussion between the two Associations began last year when the WLA began a scheduled review of its Security Control Standard (SCS). The WLA Security and Risk Management Committee invited MUSL’s Information Security Director, Robert Nitz, to join talks with its Technical Working Group on how to expand the SCS to include more U.S. lotteries. The expansion would require the two Associations to fully understand the similarities and differences between the WLA SCS and MUSL Rule 2, the security and risk management standards for U.S. lotteries to sell Powerball®. Working group members undertook the tedious task of mapping all 300 requirements in MUSL Rule 2 to the WLA SCS and ISO 27001, a framework of internationally- accepted information security standards that forms the base of the SCS. According to Nitz, two-thirds of MUSL Rule 2 requirements are covered by ISO 27001, and of the remaining requirements, half are covered by the WLA SCS. In many cases, the duplication was the result of Rule 2 predating the now well-established security standards. MUSL Rule 2 was developed during a time when there were no commonly-established information security standards, and was, during most of its history, an innovative and critical way of ensuring security between lottery partners. However, due to evolving technology and best practices, sections of Rule 2 required continuous review and updates to ensure requirements met modern standards. As a result, MUSL found itself turning to more contemporary standards for guidance. “By accepting the WLA SCS and ISO 27001 standards, MUSL can focus its efforts and time on maintaining the Rule 2 requirements not covered by either framework,” Nitz said. “These requirements are multi- jurisdictional game specific such as balancing and ticket validation.” In August, MUSL’s Security and Integrity Committee, which oversees Rule 2 compliance, voted to accept ISO 27001 or WLA SCS certification as evidence of compliance with portions of Rule 2. The remaining Rule 2 requirements will still require a biennial review by MUSL’s Information Security team. The alternative method of attaining Rule 2 compliance will streamline reviews for MUSL member and licensee lotteries that have already undergone an ISO 27001 or WLA SCS audit. “This has been a huge step forward in modernizing Rule 2,” said Barry Pack, MUSL Security and Integrity Committee Chair and Oregon Lottery Director. “Not only does this ensure that our security standards are up to date, it allows us to focus on those security features unique to multi- jurisdictional games, and it puts MUSL in closer alignment with other lotteries for further collaboration and future partnerships.” For its part, the WLA has added a new multi-jurisdictional subhead to its SCS and implemented a new multi-level certification system, which allows lotteries that are Rule 2 compliant to apply for WLA SCS Level 1 certification. The Missouri Lottery, which is both a MUSL and WLA member, will be the first U.S. lottery to achieve WLA SCS Level 1 certification under this new agreement. “This is meaningful,” said May Scheve Reardon, executive director of the Missouri Lottery and Powerball Product Group Chair. “It’s forward-looking as it provides even further levels of transparency and consistency in lottery security standards.” The dialogue on security and risk management standards will remain open between MUSL and the WLA. The WLA Security Risk and Management Committee has invited Robert Nitz to join its Technical Working Group as a member. The line of communication and transfer of knowledge is expected to benefit the member lotteries of both Associations. “Part of WLA’s charter is to develop worldwide standards every lottery can follow, regardless of country,” said Rebecca Paul Hargrove, WLA President and Tennessee Education Lottery President and CEO. “Our ultimate goal is to share best practices so lotteries across all jurisdictions continue to be innovative in their efforts to raise money for good causes and beneficiaries. ” n MUSL NEWS MULTI -STATE LOTTERY ASSOCIATION Robert Nitz, Information Security Director, MUSL Barry Pack, Director, regon Lottery and Chair of MUSL Security & Integrity Committee MUSL & WLA COLLABORATE TO EXPAND UNIFORM SECURITY STANDARDS