1.1 There shall be a commitment to character, integrity and high ethical values demonstrated through attitude and actions.
Requirements – At a minimum:
1.2 Formal control activities shall be submitted to the Registrar which have been assessed by an independent oversight function acceptable to the Registrar for alignment with the Standards and Requirements and authorized by the appropriate level of management.
Requirements – At a minimum:
1.3 Operators and gaming-related suppliers shall comply with their control activities and shall have in place measures to monitor compliance and to address failures to comply.
1.4 Employees shall comply with the control activities established by their employer to achieve the Standards and Requirements.
1.5 Operators and gaming-related suppliers are accountable for compliance with control activities by employees and those providing goods and services to operators and gaming-related suppliers, and should have in place measures to monitor compliance and to address failures to comply.
1.6 Employees shall inform their employer if control activities are ineffective in achieving compliance with the Standards and Requirements.
1.7 Management overrides of the control activities shall be clearly documented and communicated to the Registrar.
Requirements – At a minimum:
Guidance: The intent of this Standard is to allow senior-level management to override controls on a one-off basis in necessary circumstances and to ensure that appropriate documentation is maintained for auditing purposes. This Standard is not intended to address permanent changes to the control environment.
1.8 Operators must establish, implement and maintain controls to support preparation of financial reports which comply with all applicable accounting standards and rules and good practices.
1.9 Employees must have the competence, skills, experience and training required to execute control activities that are relevant to their responsibilities.
Requirements – At a minimum:
1.10 Organizational structures shall be designed to promote a sound control environment and proper segregation of duties to ensure that the possibility for collusion or unauthorized or illegal activities is minimized.
Requirements – At a minimum:
1.11 Management clearly understands its accountability and authority for the control environment.
Requirements – At a minimum:
1.12 Information, including logs, related to compliance with the law, the Standards and Requirements and/or adherence with control activities shall be retained for a minimum of three (3) years, unless otherwise stated.
1.13 All surveillance recordings shall be retained for a minimum period as specified by the Registrar.
1.14 Compliance with the Standards and Requirements shall be documented in an organized manner to ensure that the information is capable of being reviewed and audited by an independent oversight function.
Requirements – At a minimum:
1.15 Primary accountability for compliance resides with the Board, or other governance structure, where a Board does not exist, and there shall be evidence that the Board, or other governance structure, has carried out its responsibility in this respect.
Requirements – At a minimum:
1.16 There shall be an independent “whistleblowing” process to allow employees to anonymously report deficiencies or gaps in the control environment as well as incidents of possible non-compliance with the controls, Standards and Requirements, or the law.
Requirements – At a minimum:
1.17 Registrants shall engage with the Registrar in a transparent way.
Requirements – At a minimum, Operators shall:
1.18 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.
1.19 Users shall be granted access to the gaming system based on business need.
Requirements – At a minimum:
1.20 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.
Requirements – At a minimum:
1.21 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.
1.22 Industry accepted components, both hardware and software, shall be used where possible.
1.23 Any connection or interface between the gaming system and any other system, whether internal or belonging to an external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.
1.24 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.
1.25 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.
1.26 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches.
Requirements – At a minimum:
1.27 Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate.
Requirements – At a minimum:
1.28 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.
1.29 Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.
1.30 A system development lifecycle that considers security and processing integrity shall be in place for gaming system technology developed in-house.
1.31 Due diligence must be performed on all acquired gaming system technology to ensure security and processing integrity requirements are met.
1.32 A testing strategy to address changes in technology shall be in place to ensure that deployed gaming systems operate as intended.
1.33 All gaming system changes shall be appropriately, consistently and clearly documented, reviewed, tested and approved.
Requirements – At a minimum:
1.34 The gaming system shall be able to detect unauthorized changes.
1.35 Data governance shall be in place to address data processing integrity and protection of sensitive data.
1.36 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times.
Requirements – At a minimum:
1.37 Player information shall be securely protected and its usage controlled by OLG.
Requirements – At a minimum:
1.38 Removed January 2022
1.39 Communication of sensitive game data shall be protected for integrity.
1.40 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring, and responding to security and processing integrity events.
Requirements – At a minimum:
1.41 Gaming applications on all portable devices shall be appropriately secured.
Guidance: This Standard is not intended to capture players using their own portable devices such as their smartphones, but rather employees or players using portable devices to access the Operator’s gaming system.
1.42 Operators and gaming-related suppliers shall only contract with reputable suppliers.
1.43 Service levels for management of suppliers shall be established.
Requirements – At a minimum:
1.44 Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.
1.45 Operators and gaming-related suppliers shall comply with applicable technical standards issued by the Registrar.
1.46 All registrants and non-gaming-related suppliers who are exempt from registration will comply with all applicable OLG policies and procedures to the extent that they are consistent with these Standards and Requirements.
1.47 The Operator shall develop policies and procedures regarding Sellers and Sellers’ employees’ roles and responsibilities to achieve the desired outcomes set out in the Standards that apply to Sellers:
1.48 Sellers and Sellers’ employees shall comply with the Operator’s policies and procedures and the Seller’s contract with the Operator.