Feature
Information Security From a
Christos K. Dimitriadis,
Ph.D., CISA, CISM,
is head of information
security at INTRALOT S.A.,
a multinational supplier
of integrated gaming and
transaction processing
systems based in Greece.
In this role, he manages
information security in more
than 50 countries in all
continents. Dimitriadis is a
vice president on ISACAs
Board of Directors. He has
served ISACA as chair of the
External Relations Committee
and as a member of the
Relations Board, Academic
Relations Committee,
Journal Editorial Committee
and Business Model for
Information Security (BMIS)
Workgroup. He has worked
in the area of information
security for 10 years and has
65 publications in the field.
 o you have
D This approach, though, has proven to be
something
to say about
this article?
Visit the Journal pages
of the ISACA web site
(www.isaca.org/journal),
find the article, and
choose the Comments
tab to share your
thoughts.
Business Perspective
A Lottery Sector Case Study
As enterprises struggle to remain profitable in
an ever-changing risk environment, the current
economic crisis has elevated the need for
effective business risk management. Information
security, as explained in this article, acts as a
key parameter that affects business risk. This is
explored in this article in the context of the
lottery sector.
The academic definition of information
security is the preservation of confidentiality,
integrity and availability of information.1
Confidentiality is the preservation of secrecy of
information (e.g., business reports, technical
designs or financial projections) by ensuring that
viewing is conducted solely by authorized people.
Integrity is ensuring that information is accurate
and consistent and has not been manipulated.
Availability ensures that information is accessible
to authorized people when needed.
Historically, information security has
been addressed primarily as a technical issue.
Preventive controlssuch as firewalls, user
access control mechanisms, encryption of data
and communications, digital signatures, data
backup systems, and detective controls such as
intrusion detection systems or security monitoring
platformshave formed the basic components of
security architecture. Often, the technical controls
were complemented by a set of security policies,
procedures and guidelines aimed at controlling
the actions of personnel.
insufficient. Security incidents continue to rise
and security problems seem unsolved while
information security experts have been challenged
to effectively communicate the value of
information security to enterprise management.
The root cause of these problems may be the
definition of information security itself. There is
a lack of consistency as each sector, industry and
even enterprise has had to define information
security uniquely, based on very specific business
needs. This lack of consistency has contributed to
a lack of understanding and a lack of appreciation
for the value of information security.
This article presents the definition of
information security in the lottery sector and,
specifically, in a case study of GIDANI, the
National Lottery of South Africa.
Information Security Defined
To define information security in the lottery
sector, one must understand its business
objectives, identify stakeholders and link them to
information protection attributes.
Lotteries sell games to the public. These games
have to be trusted to achieve customer (player)
acquisition and retention, which directly affect
the lotterys revenue. Player trust is a key success
factor that is directly related to:
Game integrityEach game is conducted as
described in its official rules. It is fair to the
players, the draw results are integral, and
winners are selected and paid according to the
game rules. Information integrity (avoiding
data manipulation) is a key information security
component related to player trust.
Player asset protectionPlayers need to be
confident that their money, credit card numbers
and bank account numbers are safe. Especially
in online gaming, in which player participation
is conducted with electronic funds, players have
to trust the lottery for securing their financial
assets. Confidentiality, integrity and availability
are crucial security parameters.
Player privacyPlayers, and especially winners,
provide their personally identifiable information
(PII) to lotteries. As in player asset protection,
trust in the lottery is important for making
the player feel comfortable with sharing such
information. Trust is particularly important
when dealing with large winning amounts
because players have to feel safe and their
personal data have to be protected.
ISACA JOURNAL VOLUME 1, 2011 1
 Providing lottery games to the public also has societal and
political facets. Lotteries are usually controlled directly by
the local government and are always subject to a regulatory
and legal framework. The provision of secure and fair
lottery games to citizens is a matter of social responsibility.
Moreover, the government is a shareholder of the lottery
(directly or indirectly though taxing); thus, a lotterys business
success affects the corresponding governmental revenue.
The aforementioned facts are clarified in relation to
information security when the drivers of shareholders trust
are studied in more detail. For example:
Each licensed lottery has to comply with rules and terms
of the license, which in turn have general or more detailed
information protection requirements. These vary from
general statements for game fairness, antifraud rules and
service availability requirements to more detailed technical
controls such as network security rules, operating security
policies or certification requirements. Shareholders need
to be confident that the lottery complies with the license
obligations and, more generally, the legal and regulatory
framework, since this is a main corporate viability factor.
In competitive environments where more than one lottery
operates in the same region or illegal gambling is present,
information security acts as a competitive advantage that,
in turn, ensures customer acquisition. Shareholders trust
the lottery if it operates as a competitive corporation, and
due to the importance of protecting the game and lottery
information from breaches, information security becomes a
competitive parameter.
Shareholders are risk-averse entities in relation to the
lotterys brand name. They need to be assured that the
lottery brand name is resilient to information security
threats that may cause reputation loss.
In relation to the business role of information security in
the lottery sector, the following definition can be deduced:
Information security is defined as a driver of:
Stakeholders trust, driven by:
Shareholders trust, driven by:
. Corporate viability, which is driven by compliance of
lottery license terms
. Competitive advantage, which ensures customer
acquisition
. Brand name value preservation, which ensures customer
retention
2 ISACA JOURNAL VOLUME 1, 2011
. Legal and regulatory compliance (e.g., the integrity of
financial records and PII protection)
Players trust, driven by:
. Game integrity
. Service availability
. Protection of the confidentiality of customers
sensitive information
Using this definition of information security for the lottery
sector, a holistic approach is required for addressing the
information security requirements of each unique lottery.
This, in turn, requires a detailed lottery business analysis for
embedding information security into the specific business
processes of the lottery and for addressing the human factor
and minimizing the uncertainty it introduces. International
security standards provide the basis toward that direction.
Lotteries and the Information Security
Standards Landscape
In 2006, the Security and Risk Management Committee of
the World Lottery Association (WLA)2 published the most
recent version of its Security Control Standard (SCS). This
standard describes a number of information security controls
(technical and procedural) tailored to the lottery sector.
Indicatively, it includes rules regarding the management of
lottery draws and protection of prize money and Internet
gaming systems. WLA SCS is an extension of the globally
recognized information security standard ISO 27001 of
the International Organization for Standardization (ISO),3
which is related to the establishment of information security
management systems (ISMSs). Such systems provide the
framework for managing information security from planning
to implementation, monitoring and improvement.
ISACA has published a set of information technology
(IT) auditing standards and the Risk IT: Based on COBIT
framework,4 which provides a set of guiding principles for
effective management of IT risk. Risk IT complements COBIT,5
a comprehensive framework developed by ISACA for the
governance and control of business-driven, IT-based solutions
and services. In 2009, ISACA published An Introduction to the
Business Model for Information Security, the first publication
released under the Business Model for Information SecurityTM
(BMISTM),6 which addresses information security from a
business perspective, and in 2010, the full model was published
as The Business Model for Information Security.
 Other standards include the Payment Card Industry Data
Security Standard (PCI DSS),7 a set of requirements for
enhancing payment account data security, and the Special
Publications (800 series) of the US National Institute of
Standards and Technology (NIST),8 which are documents of
general interest to the computer security community.
The aforementioned standards provide an indicative
view of the information security standards landscape. Other
standardization bodies and associations provide their own
guidelines in the field. In addition, technical security best
practices of system vendors provide additional guidelines.
The modern lottery sector has to select the information
security standards to use as a basis for its security
architecture, and it must customize this selection according
to its specific business needs.
Basic Processes
Studying the information security standards horizontally, a
number of basic processes/steps that lead to the identification
of information security requirements are identified, including:
Step 1: Business impact analysisEach lottery business
process is recorded and analyzed in terms of business
impact from the realization of a possible security threat.
For example, the monetary, reputational or legal impact is
calculated in the scenario that a container of instant tickets
(also known as scratch cards, used for games in which the
Step 3: Risk managementThe result of the risk analysis
is a prioritization of risk in relation to the impact level
(the result of the business impact analysis) and the
identification of possible security measures for addressing
the risk. The risk management processthe selection of
appropriate security measures for addressing the risk or
for risk transferring or acceptanceis determined by the
management of the lottery.
Step 4: ISMS implementationAfter the controls have
been selected, they should be correlated under a common
ISMS. This correlation requires deep understanding of the
operation of the lottery; consideration of human, cultural,
technical, business and external factors; and continuous
improvements.
BMIS
One of the most recent information security frameworks that
addresses information security from a business point of view
is ISACAs BMIS, illustrated in figure 1.
Figure 1BMIS
ORGANISATION
Design/Strategy
GOVERNING

players instantly know if they have won or not) is stolen.

AR

The lottery must answer a number of questions to calculate

CH
RE

ITE
U
LT

the impact, for example:

CT
CU

UR
E

How much would this cost the lottery in monetary terms? PROCESS

ENA
What would be the indirect costs (e.g., from reputation E BLI
ENC NG
RG &S
loss) if the stolen tickets are sold? EME UPP
ORT
What would be the legal implications, if any? PEOPLE TECHNOLOGY
HUMAN FACTORS
Business processes are then prioritized based on an impact
scale that identifies the most critical issues.
Step 2: Risk analysisDuring this process, the possibility
Source: ISACA, An Introduction to the Business Model for Information Security,
for the occurrence of a security incident is calculated, based USA, 2009; adapted from the University of Southern California (USC) Marshall
on a database of security weaknesses. The risk analysis School of Business Institute for Critical Information Infrastructure Protection

takes into account technical and procedural parameters,

for example:
Are there technical controls in place to cancel the set of
stolen instant tickets?
Do procedures exist to complement the technical security
controls (e.g., timely theft identification during the
shipment process)?
The following definitions of the BMIS elements (derived
from An Introduction to the Business Model for Information
Security)9 are necessary for understanding how BMIS works:
Organization design and strategyAn organization is a
network of people, assets and processes interacting with each
other in defined roles and working toward a common goal.
ISACA JOURNAL VOLUME 1, 2011 3
 PeopleThe people element represents the human
resources and the security issues that surround them. It
defines who implements (through design) each part of the
strategy. It represents a human collective and must take into
account values, behaviors and biases.
ProcessProcess includes formal and informal mechanisms
(large and small, simple and complex) to get things done.
TechnologyThe technology element is composed of all
of the tools, applications and infrastructure that make
processes more efficient.
To understand the operation of BMIS in practice, it is
important to study the links connecting organization design
and strategy, people, process,
and technology. The following
To understand the case study provides an example
operation of BMIS of the operation of the model in
the lottery sector.
in practice, it is
important to study Following a Holistic Approach
the links connecting As an innovator in the lottery
organization design information security field,
GIDANI has implemented a
and strategy, business model to understand
people, process, and
and to more deeply address its
technology. information security needs and
to make them an integral part of
its business processes.
GIDANI has deployed a customized ISMS, following a
combination of international security standards. The GIDANI
ISMS includes all rules, procedures and information security
management principles regarding security organization,
asset management, human resources security, access control,
physical security, communications security, operations
security, compliance, incident management, business
continuity management and system security, covering its
whole development life cycle. Moreover, specific procedures
have been applied regarding lottery game integrity and instant
ticket security. The following paragraphs outline how the
dynamic interconnections of BMIS (noted in bold) relate to
the GIDANI ISMS.
Information security at GIDANI is an integral part of the
business strategy of the lottery. Governing all information
security activities is the responsibility of an executive
committee chaired by the chief executive officer (CEO).
4 ISACA JOURNAL VOLUME 1, 2011
Strategic plan execution, including a strategy definition as a
result of business analysis (e.g., information security analysis
in the life cycle of a new game development); resource
management; and lottery operations are controlled by the
executive committee that monitors security performance,
value delivery and risk levels of all integrated information
security controls. This structure provides a good practice
for expressing management commitment and control, having
information security as a top priority in the operation of
the lottery.
Architecture is based on a lottery-specific threat model
that serves the security requirements of all critical business
processes as identified through governing. For example,
there are technical controls in place for protecting game
integrity, controlling access to lottery business reports,
securely managing game configuration, establishing secure
communication lines for game transactions (communication
between the central system and terminals at the point of sale),
isolating the computer room physically and ensuring game
continuity by the implementation of a disaster recovery site.
Enabling and support represents how security processes
are automated by the use of technology, and also which
processes are used to complement automated security controls
and to evaluate and improve them. GIDANI has automated
all lottery-related processes by the deployment of the lottery
system. Transaction engine (ticket processing) security
configuration, support and operation are implemented by
a number of written and continuously improved processes.
Simultaneously, there is a security technology evaluation
process in place that is used for calibrating and extending
lottery system security for addressing business needs. For
example, the business need for providing Internet gaming
goes through a security assessment of the current technology.
In this assessment, automation controls are identified
(such as the player identity management mechanism) and
complemented by manual procedures (e.g., review of player
access rights) following official GIDANI rules. Since selling
lottery games through the Internet has been identified as a key
business enabler in governing, information security controls
have become a priority.
Human factors affect both architecture and enabling and
support. For example, if an operator at GIDANI is managing
roles within the lottery ticket sales monitoring application,
this operator may find the role management system too
cumbersome and complex to use (human factors). This is
reported as feedback to the security officer, who asks for the
assessment of the whole process and technology (enabling
and support) to identify opportunities for improvement. This
assessment will take into account the whole architecture
as well, identifying the impact on other components of the
system. One improvement may relate to the extension of the
security training program of GIDANI. Another may relate to
the reconfiguration of the security control or its replacement.
Culture is an element of the GIDANI security model
that has a tremendous positive effect in making information
security work in practice. GIDANI is characterized by a
clear set of hierarchy levels with the roles of each level
having been defined accurately and supported by specific
operational procedures. The management model, as defined
by the governing dynamic
While no one can interconnection, encourages
free communication at all levels
ensure the absence of personnel, and especially
of security incidents, encourages feedback on the
there are solutions security operations. That
means that GIDANI has low
through the study of power distance in terms
emergence that limit of free communication of
the possibilities to a information security matters
from the bottom to the top of
minimum level.
the hierarchy. For example, if
employees identify difficulties
in implementing a security process or using a security
technology, they freely report it to the security officer to
investigate the improvement of the process. At the same time,
if employees identify a security incident (e.g., confidential
gaming information left in a meeting room), they report
it immediately as a security incident. This reporting is not
translated as an offensive action between employees, but
instead as a collective action, giving the opportunity to
management to take preventive or corrective actions.
Emergence is one of the most important dynamic
interconnections of the business model since it deals with the
uncertainty factor in information security at GIDANI. Due to
human nature, the execution by people of processes within a
corporation cannot be characterized as deterministic. Despite
the detailed procedures, people sometimes act in an ad hoc
manner and make mistakes. Emergence can be defined as the
developments and patterns that arise in the course of process
execution by people.10 While no one can ensure the absence
of security incidents, there are solutions through the study of
emergence that limit the possibilities to a minimum level. For
example, a strong security culture, as described previously,
permits GIDANI to have on-time reporting of security
incidents. After reporting, the root-cause analysis process, in
which the actual reasons for the realization of the incident are
identified and corrective actions are implemented, takes over.
For example, a security operator, due to increased stress,
may assign incorrect access rights to a retailer manager (one
who monitors the status of retailers). This will be reported to
the security officer through the processing of alerts and logs
(potential access to critical information) and by the role that
monitors security records (for every change in user access rights
a signed form is required). One could assume that this was an
unpredictable event (stressed employee). The truth, however,
may relate to an increased workload in defining access rights
caused by a major change in the lottery system, which, in turn,
makes the user access management procedure too difficult
to implement and no longer effective. Through the study of
emergence, within the framework of the model, GIDANI is in
place to link architectural changes with human factors (usability
of security controls), enabling and support (combination of
technical and procedural controls), and governing (limited
number of employees in relation to the workload), and to
correct the user access management procedure on time.
Even then, people will continue to insert uncertainty in the
security processes, and some security incidents will still be
unavoidable. Through the operation of the model, however,
the whole picture of information security will become clear,
providing the opportunity to security experts to learn more
accurately from mistakes and improve information security.
Conclusion
Information security will be understood, provide added value
and effectively contribute to the operation of an organization
only if it is designed and implemented as a core ingredient
of the business strategy. Stakeholder, shareholder and player
trust are the key ingredients of information security in the
lottery sector, unveiling its societal, business and legal nature.
Organizations from other sectors should identify such key
ingredients similarly for providing a business definition to
information security.
ISACA JOURNAL VOLUME 1, 2011 5
 While technical security controls are important, what 2
 orld Lottery Association, www.world-lotteries.org
W
distinguishes a typical information security management 3
International Organization for Standardization, www.iso.org
system from an effective one is the ability to correlate all 4
ISACA, Risk IT: Based on COBIT, www.isaca.org/riskit
parameters in the operation of an organization, especially 5
ISACA, COBIT, www.isaca.org/cobit
the human factor. While absolute information security is 6
ISACA, Business Model for Information Security (BMIS),
theoretically unachievable, lotteries and organizations alike www.isaca.org/bmis
have the ability to reduce uncertainty and to continuously 7
PCI Security Standards Council, Payment Card
improve their approaches to making information security a Industry Data Security Standard (PCI DSS), www.
business enabler. pcisecuritystandards.org/security_standards/pci_dss.shtml
8
National Institute of Standards and Technology (NIST),
Endnotes Computer Security Division, Computer Security Resource
1
International Organization for Standardization, Center, Special Publications (800 Series), http://csrc.nist.
ISO/IEC 27001:2005, Information technologySecurity gov/publications/PubsSPs.html
techniquesInformation security management systems 9
Op cit, ISACA, BMIS
Requirements, 2005 10
Op cit, ISACA, BMIS

6 ISACA JOURNAL VOLUME 1, 2011