Check List

System documents on game data generation program, printing machine, monitoring control device must be protected from unauthorized personnel

Purpose

To ensure that all system documents and manuals on instant lottery must be arranged and safely kept and used. Such system documents and manuals must be updated, and preserved for reference if necessary

Audit resources

Procedure

Verification

Document

System document list, game data generation program output, printing machine system document, monitoring device system (barcode, Optic camera, etc.) document

Product

Detailed study list and method

-    related system documents are kept at a safe place

-    Check if access to system documents by unauthorized personnel is being controlled

-    Check if instant lottery-related crucial electronic documents are saved to departmental file servers and managed (only applicable when file server exists)

-    Check if crucial documents are encrypted so that they can be controlled according to the access right

-    Check if lottery-related system documents are encrypted to control unauthorized leakage

-    Check if crucial database are encrypted and managed

-    Check if fax-transmitted documents are controlled

-    Check if print marking is applied to the printed materials by marking the information of the printing personnel to prevent them being neglected (left unattended)

Check List

Lottery information released externally must be restricted and when released, appropriate security measure must be established.

Purpose

To assure that external supply of lottery information is prohibited must be supplied via organization. In such as case, organization approval is mandatory, and the following procedures must be followed before the supplied information is disseminated

Audit resources

Procedure

Verification

Document

Information release management register, Supplied document list, document received/sent register

Product

Detailed study list and method

-    Check if necessary procedures are established to supply internal information to external organization (organization and contractors)

-    Check if a password is set and used when documents are transmitted to outside

-    Check if the externally supplied documents are encrypted to control user rights

-    Check if user rights is controlled by encryption when lottery information and documents are shared with vendors

Check List

Email, P2P are susceptible to information leakage hence a suitable control is required

Purpose

To assure that instant lottery ticketing system must not be connected to the network. If unavoidable, the use of electronic mail, P2P and messenger must be prohibited.

Audit resources

Procedure

Verification

Document

Electronic mail log

Product

Detailed study list and method

-    Check if information leakage through email is controlled (email activity content logging)

-    Check if information leakage through messenger is controlled (messenger activity content logging)

-    Check if information leakage through file sharing such as P2P, Webhard

-    Check if use of FTP is restricted