Introduction
Scout Gaming Group AB (SGG) is a multi-award winning licensed and regulated provider of B2C and B2B sports and fantasy sports betting and gaming solutions. The company offers a flexible and customisable network-based fantasy sports solution, coupled with sports games innovations such as Player Matchups, Players Odds & Pick’em Jackpot. The Scout Gaming Platform (SGP) provides support for all major sports and leagues through an in-house StatCenter, which also provides real-time information to players. SGG is listed on the Nasdaq First North Growth Market and is the parent company of seven subsidiaries.
Scout holds B2B licenses with the Malta Gaming Authority and the Hellenic Gaming Authority, as well as B2C licenses with the Malta Gaming Authority and the United Kingdom Gambling Commission. Scout Ltd is based in Malta and holds the remote gambling license for FanTeam. Scout & Co has an agreement with Scout Ltd which grants it the right to operate in the UK using Scout’s license.
Whilst the UK Gambling Commission requires licensed gaming operators to complete an annual audit of the gambling system’s information security arrangements against its Remote Gambling and Software Technical Standards (GC RTS), other gambling authorities (e.g. in Greece), require license holders to secure certification to ISO/IEC 27001: 2013, the International Standard for Information Security Management (ISO 27001). To support its growth ambitions and to ensure it remains compliant with all relevant license conditions, SGG has determined to secure certification to ISO 27001.
Scope
Information takes many forms. The scope of this Information Security Policy includes, but is not limited to:
- All information processed by SGG in pursuit of its operational activities, regardless of whether it is processed electronically, or in paper form including but not limited to:
- External customer information;
- Operational documents, plans and minutes;
- Financial, compliance, and other company records;
- Employee records.
- All information processing facilities used in support of SGG’s operational activities to store, process, transmit or otherwise interact with information;
- All external organizations that provide services to SGG in respect of information processing facilities.
This Policy applies to all employees, consultants, contractors and third parties engaged by SGG (collectively referred to as “users”).
All users shall read, understand, and comply with this Policy when storing, processing, communicating or otherwise interacting with information in the course of performing their duties.
All users shall comply with all controls, practises, protocols, and training to ensure such compliance. Any breach of this Policy may result in disciplinary or regulatory action.
Definitions
Information security is aimed at protecting the following three attributes of SGG’s information:
- Confidentiality – ensuring information assets are not accessible by or disclosed to unauthorized individuals, entities, or processes;
- Integrity – ensuring the accuracy and completeness of information assets;
- Availability – ensuring information assets are accessible and usable upon demand by an authorised entity.
Information asset – any information and information processing facility that has value to SGG.
Information owner – an individual accountable for the information asset.
Information processing facilities – any information processing system, service, or infrastructure, or the physical locations housing them.
Risks
A lack of information security can lead to incidents such as breaches of confidentiality, corruption of information and availability issues which could adversely affect the reputation of SGG and its customers along with its ability to meet contractual, legal, and regulatory obligations. Without defined and measurable objectives, it is not possible to determine whether SGG’s information security activities meet their intended outcomes.
Objectives
The objective of this Information Security Policy is to enable SGG to effectively manage any identified and relevant information security threats in order to meet its strategic business goals and to maintain its legal, regulatory, and contractual compliance obligations. SGG’s security controls are designed to mitigate all information security-related threats, whether external or internal, as well as deliberate or accidental.
Compliance with this Information Security Policy is necessary to ensure business continuity, and minimize business damage by preventing or reducing the likelihood of information security incidents occurring, and minimizing their impact should they occur.
In support of this Information Security Policy, SGG’s Senior Management Team (SMT) accepts its role in being fully accountable for information security and is committed to:
- Managing and reducing information security risk in an informed manner;
- Minimizing the impact on SGG when information security incidents occur
- Ensuring SGG has identified applicable, legal, regulatory, and contractual requirements and that they are complied with.
Responsibilities
The Management of SGG shall be accountable for ensuring that appropriate security and compliance controls are identified, implemented and maintained by information asset owners. It shall be supported in this task by the Information Security Forum (ISF).
SGG’s ISMS manager (a role performed by Chief of Production (CoP) currently) shall be responsible for managing information security at an operational level. The Chief of Production has direct responsibility to the SMT for maintaining this Information Security Policy, and for providing advice and guidance on its implementation and is responsible for:
- Ensuring that the Information Security Policy is reviewed at least every 12 months and in response to any significant changes. Where significant changes do occur, these shall be made known to all users;
- Establishing procedures to implement this and other policies within the company and for monitoring compliance;
- Ensuring appropriate training is provided to information asset owners, custodians and users, as well as network and system administrators.
Unless explicitly delegated to another position, the CTO is the appointed decision maker (Manager) for risk and vulnerability analysis as well as the management of information and incidents. For each of these specific areas, dedicated policies and procedures shall provide greater detail on role requirements.
In the absence of the ISMS Manager, all of their responsibilities are transferred automatically to the Chief Technology Officer (CTO), unless explicitly delegated to another role.
Information asset owners (listed in Scout Gaming Group Assets Inventory) within SGG shall be responsible for the identification, implementation and maintenance of controls that are commensurate with the value of the information assets they own and the risks to which they are exposed, and for periodical review identified in the Scout Gaming Group Assets Inventory based on the asset value.
It is the responsibility of all users to adhere to this Information Security Policy and to report information security incidents and events to their closest leader and the CTO as soon as possible. Non-compliance with this Information Security Policy or other information security related policies by any user may result in disciplinary action being taken.
Policy
Under this Information Security Policy, SGG shall ensure that the following information security requirements are complied with:
- Information assets and information processing facilities are protected against unauthorized access;
- Information is protected from unauthorized disclosure;
- Confidentiality of information assets is maintained;
- Integrity of information assets is maintained;
- SGG requirements, as identified by information owners, for the availability of information assets and information processing facilities required for operational activities are met;
- Statutory and expressed or implied legal obligations are met;
- Regulatory, contractual, and internal compliance obligations are met;
- Requirements for the continuity of information security are determined and maintained within SGG’s business continuity arrangements;
- Unauthorized use of information assets and information processing facilities is prohibited, and the use of obscene, racist, or otherwise offensive statements is dealt with in accordance with other appropriate policies published by SGG;
- This Information Security Policy is communicated to all users, for whom information security training shall be provided where necessary;
- A systematic approach to information security risk management is followed and is a continual and dynamic process;
- Information security is managed through a formal information security management system (ISMS) that is defined within a documented framework;
- The performance of the ISMS and the effectiveness of information security controls is continuously improved;
- All breaches of information security, actual or suspected, are reported and investigated in line with SGG’s published policies and procedures;
- Controls are commensurate with the risks faced by SGG.
In support of this Information Security Policy, more detailed operational security policies and processes shall be developed for users, information assets and information processing facilities. These supporting policies shall be reviewed at planned intervals or if significant changes occur to ensure their continued suitability, adequacy, and effectiveness.
Any exceptions or deviations from the requirements of this Information Security Policy shall be authorised by the ISF. Any such deviations or exceptions shall be managed through SGG’s incident management or change management processes.
Compliance Monitoring
Information security objectives shall be agreed on an annual basis, supported by a set of key performance indicators (KPIs), with milestones and targets being set as appropriate. These measures shall be reported to the ISF for review.
Changes to this Policy
This Information Security Policy shall be reviewed on an annual basis by the ISF. The Policy may also be updated periodically when necessary to ensure that it remains up to date, appropriate and consistent with SGG’s strategic business objectives.
Changes to this Policy shall be communicated to all users.