Figure: The Business Model for Information Security (BMIS). Elements shown in the diagram: Culture, Process, Enabling & Support, Emergence, People, Technology, Human Factors. Source: ISACA, An Introduction to the Business Model for Information Security, USA, 2009; adapted from the University of Southern California (USC) Marshall School of Business Institute for Critical Information Infrastructure Protection.

How much would this cost the lottery in monetary terms?
What would be the indirect costs (e.g., from reputation loss) if the stolen tickets are sold?
What would be the legal implications, if any?

Business processes are then prioritized based on an impact scale that identifies the most critical issues.

Step 2: Risk analysis
During this process, the possibility for the occurrence of a security incident is calculated, based on a database of security weaknesses. The risk analysis

To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology.

and strategy, people, process, and technology. The following case study provides an example of the operation of the model in the lottery sector.

Following a Holistic Approach
As an innovator in the lottery information security field, GIDANI has implemented a business model to understand and to more deeply address its information security needs and to make them an integral part of its business processes.

GIDANI has deployed a customized ISMS, following a combination of international security standards. The GIDANI ISMS includes all rules, procedures and information security management principles regarding security organization, asset management, human resources security, access control, physical security, communications security, operations security, compliance, incident management, business continuity management and system security, covering its whole development life cycle. Moreover, specific procedures have been applied regarding lottery game integrity and instant ticket security. The following paragraphs outline how the dynamic interconnections of BMIS (noted in bold) relate to the GIDANI ISMS.

Information security at GIDANI is an integral part of the business strategy of the lottery. Governing all information security activities is the responsibility of an executive committee chaired by the chief executive officer (CEO).

by the governing dynamic interconnection, encourages free communication at all levels of personnel, and especially encourages feedback on the security operations. That means that GIDANI has low power distance in terms of free communication of information security matters from the bottom to the top of the hierarchy. For example, if employees identify difficulties in implementing a security process or using a security technology, they freely report it to the security officer to investigate the improvement of the process. At the same time, if employees identify a security incident (e.g., confidential gaming information left in a meeting room), they report it immediately as a security incident. This reporting is not translated as an offensive action between employees, but instead as a collective action, giving the opportunity to management to take preventive or corrective actions.

While no one can ensure the absence of security incidents, there are solutions through the study of emergence that limit the possibilities to a minimum level.

Emergence is one of the most important dynamic interconnections of the business model since it deals with the uncertainty factor in information security at GIDANI. Due to human nature, the execution by people of processes within a corporation cannot be characterized as deterministic. Despite the detailed procedures, people sometimes act in an ad hoc manner and make mistakes. Emergence can be defined as the

processes as identified through governing. For example, there are technical controls in place for protecting game integrity, controlling access to lottery business reports, securely managing game configuration, establishing secure communication lines for game transactions (communication between the central system and terminals at the point of sale), isolating the computer room physically and ensuring game continuity by the implementation of a disaster recovery site.

Enabling and support represents how security processes are automated by the use of technology, and also which processes are used to complement automated security controls and to evaluate and improve them. GIDANI has automated all lottery-related processes by the deployment of the lottery system. Transaction engine (ticket processing) security configuration, support and operation are implemented by a number of written and continuously improved processes. Simultaneously, there is a security technology evaluation process in place that is used for calibrating and extending lottery system security for addressing business needs. For example, the business need for providing Internet gaming goes through a security assessment of the current technology. In this assessment, automation controls are identified (such as the player identity management mechanism) and complemented by manual procedures (e.g., review of player access rights) following official GIDANI rules. Since selling lottery games through the Internet has been identified as a key business enabler in governing, information security controls have become a priority.

Human factors affect both architecture and enabling and support. For example, if an operator at GIDANI is managing roles within the lottery ticket sales monitoring application, this operator may find the role management system too
a signed form is required). One could assume that this was an unpredictable event (stressed employee). The truth, however, may relate to an increased workload in defining access rights caused by a major change in the lottery system, which, in turn, makes the user access management procedure too difficult to implement and no longer effective. Through the study of emergence, within the framework of the model, GIDANI is in place to link architectural changes with human factors (usability of security controls), enabling and support (combination of technical and procedural controls), and governing (limited number of employees in relation to the workload), and to correct the user access management procedure on time.

Even then, people will continue to insert uncertainty in the security processes, and some security incidents will still be unavoidable. Through the operation of the model, however, the whole picture of information security will become clear, providing the opportunity to security experts to learn more accurately from mistakes and improve information security.

Conclusion
Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and player trust are the key ingredients of information security in the lottery sector, unveiling its societal, business and legal nature. Organizations from other sectors should identify such key ingredients similarly for providing a business definition to information security.