about it, it can lead to a little bit of panic. Jeez, how do I know what I don’t know? Where do you go to find the answer when you don’t even know the question to ask? When I do training on technology risk assessments, I start by asking this question. People don’t know how to answer and sit there with a puzzled look on their face. It could be that it’s usually morning and they have not had enough caffeine yet, but I’d like to think it truly challenges them to think about what they don’t know. And to be fair, I do put the question in the context of gaming systems and technology, because I’m not prepared to discuss quantum physics or the genesis of the universe that early in the morning, either.
Here are some samples of questions that highlight systems technology risks within a casino operation. Do you know the answer to the following questions about your casino operation?
1. How often are your system passwords changed?
2. How often do player’s club points expire?
3. How much can a casino employee comp a guest?
4. How many people does it take to authorize a $2,500 jackpot?
5. What is the maximum amount of points that can be adjusted onto a player’s account in a day?
So while you’re scrambling now to find the answers to these questions, calling your IT department, your internal audit and compliance departments, your marketing department, and your slot director, stop and think about why these questions are important. While the answers are important, the questions are designed to show casino management and regulators where risk lies within their operations. As part of our risk assessments, we examine various aspects of the casino’s operation to highlight opportunities for fraudulent or improper transactions and risks to your data and network infrastructure.
gaming operations
How often is your system access password changed? Passwords can be the weakest link in a computer security scheme. Shared or copied passwords are one of the easiest ways to create a false transaction. If one employee knows another employee or supervisor’s login and password, they can create bogus transactions, authorize fraudulent transactions or place the blame on an innocent employee. Many systems require password changes every 90 days; however, many systems allow the user to re-use their previous password, which really isn’t a change, it’s just changing the password updated date. Password security is one of the primary safeguards for your data. Ask your IT department to confirm that you have a password security policy in place that defines how often and how passwords are changed for all operational systems.
How often do player’s club points expire? Player’s club points can be converted to cash in many casinos where they can be redeemed at the gaming device for credits as well as utilized at locations throughout your resort for goods and services. Player tracking systems allow many levels of casino employees access to points for redemption, adjustment, expiration and revival. Employees in collusion with each other and with guests can easily steal funds with these system tools. Timely expiration of points is one line of defense against the creation of improper redemption transactions. Ask your marketing department how often they expire player’s club points and how they handle unused accounts.
How much can a casino employee comp a guest? A wide-open and generous comp authorization matrix creates the opportunity for excessive comp issuance and redemption transactions. Additionally, without proper comp audit procedures, casino employees and guests can take advantage of the free goods and services they receive. We’ve seen systems configured where employees with player tracking system access could comp guests up to $5,000,000,000 (yes, that is $5 billion). Yes, this is an extreme example, but since complimentary dollars can be equivalent to cash, this is essentially the same as leaving the door to the vault open. Ask your audit department how often they review complimentary transactions and who maintains and authorizes changes to the
How many people does it take to authorize a $2,500 jackpot? Incorrect jackpot payout limits provide the opportunity for employees to generate jackpot transactions that are greater than the amounts in the casino’s Minimum Internal Control Standards. Improper jackpot authorizations can create collusion opportunities between casino employees. Interfaces between jackpot payout software and jackpot payout kiosks can result in improper funds being dispensed from kiosks. These are just three examples of jackpot scams. And now we’re talking about real money, because jackpot payouts are made in cash. Ensuring that passwords are secure and jackpot authorization levels are maintained within the guidelines of internal controls and operational integrity is paramount. Some of the largest system scams to date have involved fraudulent jackpot transactions. Ask your slot department not only what the jackpot authorization matrix looks like, but how they schedule their employees to avoid collusion relationships.
What is the maximum amount of points that can be adjusted onto a player’s account in a day? As mentioned above, points are equivalent to cash in many casino marketing configurations. If player’s balances can be changed, the proper controls must be in place to ensure that only supervisory personnel have access and that the audit department is reviewing transactions on a daily basis. Additionally, automated programs that update points, such as double bonus point times, or group events, or external third party software systems can also impact player’s point balances. Many points-based scams evolve from incorrect point adjustment configurations and user access to adjustment and account merges. Ask the IT and marketing departments to review their user access parameters to see who has conflicting access to adjustment and
Gaming commissioners, state and tribal regulators, internal auditors and compliance personnel are responsible for reviewing gaming operations and ensuring the assets of the organization are protected. When a business completes a financial audit, they typically utilize external auditors to review the financials as an independent and impartial auditor. There is just as much financial exposure through gaming management systems. In many instances, it benefits the organization as a whole to utilize external technology auditors who can provide impartial system configuration and
Technology risk originates from many sources. Internal risks come not only from blatant theft, but also from unskilled and untrained employees. Many employees think just because they have permissions to perform a specific function, they need to try it, even though they may not understand the implications of their actions. External risks can come from your vendors having unmonitored access to your systems. And, of course, the casino’s own customers can be a threat alone, or in collusion with internal employee
Understanding the source of technology risks and threats lays the foundation for closing the gaps within the operation. While a system audit is the first step to identify issues within technology system configurations, training and re-training on system configuration, operations and audit is key to ensuring that system risks are resolved. New hires, turnover and promotions each create educational opportunities for systems training, job skills training and an overall re-education on the casino’s operational practices.
Learning “what you don’t know” is important and scary at the same time. External resources for systems auditing are available and these experts can provide a thorough review of your technology configurations. A successful technology audit must include a review of casino operations and a review of system technology configurations and then a comparison of these two to identify gaps and provide mitigating strategies to minimize or eliminate risks. Because systems are ever-changing with upgrades, new modules, and new interfaces, risk assessments are best performed at least quarterly, in conjunction with daily, weekly and monthly audit procedures to review transactions on a timely basis.
While I might not be an expert on quantum physics (thank goodness!), I do know that protection of a casino’s assets and integrity are essential to successful casino operation. It is possible to know what you don’t know. Just ask.
Stephanie Maddocks is President of Power Strategies, a Las Vegas-based technology consulting company that provides technology selection, planning and implementation, and business operations services. She can be reached at (702) 460-6600 or
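
The comparison of system configuration against policy that the article calls for, sketched for its five questions as an added example (not from the article or from any vendor's system). The field names, roles, users and every limit other than the 90-day password interval, the $2,500 jackpot and the $5 billion comp figure are assumptions.

```python
# Added example: audit a constructed configuration export against a
# constructed policy. All names and most limits are hypothetical.
POLICY = {
    "password_max_age_days": 90,        # the 90-day interval the article cites
    "password_history_min": 1,          # previous password must be rejected
    "comp_limit_max": 500,              # assumed per-guest comp ceiling ($)
    "jackpot_2500_min_signers": 2,      # assumed signers for a $2,500 jackpot
    "points_adjust_daily_max": 10_000,  # assumed daily adjustment ceiling
}
# Permissions that must not be held by the same user (conflicting access).
CONFLICTS = [{"points_adjust", "account_merge"}]

SYSTEM = {  # constructed sample export
    "password_max_age_days": 90,
    "password_history": 0,              # re-use of the previous password allowed
    "roles": {
        "host": {"comp_limit": 5_000_000_000, "points_adjust_daily": 2_000},
        "club_supervisor": {"comp_limit": 250, "points_adjust_daily": 50_000},
    },
    "jackpot_2500_signers": 1,
    "users": {
        "asmith": {"points_adjust", "account_merge"},
        "bjones": {"points_adjust"},
    },
}

def find_gaps(system, policy, conflicts):
    """Return (area, subject, detail) tuples where the config breaks policy."""
    gaps = []
    if system["password_max_age_days"] > policy["password_max_age_days"]:
        gaps.append(("password", "max_age", system["password_max_age_days"]))
    if system["password_history"] < policy["password_history_min"]:
        gaps.append(("password", "history", system["password_history"]))
    for role, cfg in system["roles"].items():
        if cfg["comp_limit"] > policy["comp_limit_max"]:
            gaps.append(("comp", role, cfg["comp_limit"]))
        if cfg["points_adjust_daily"] > policy["points_adjust_daily_max"]:
            gaps.append(("points", role, cfg["points_adjust_daily"]))
    if system["jackpot_2500_signers"] < policy["jackpot_2500_min_signers"]:
        gaps.append(("jackpot", "signers", system["jackpot_2500_signers"]))
    for user, perms in system["users"].items():
        for pair in conflicts:
            if pair <= perms:  # user holds every permission in the pair
                gaps.append(("access", user, "+".join(sorted(pair))))
    return sorted(gaps, key=lambda g: g[:2])

if __name__ == "__main__":
    for area, subject, detail in find_gaps(SYSTEM, POLICY, CONFLICTS):
        print(f"GAP {area:8} {subject:16} {detail}")
```

The 90-day password age passes here while the history setting fails, which is the case the article describes: a change interval is enforced but the previous password can be re-used.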