IT Governance helps Harino win its regulatory race
This case study shows how IT Governance helped Harino achieve compliance with the Gambling Commission and PCI DSS requirements. Call us on +44 (0) 845 070 1750 to discuss your own data security consultancy requirements.
Harino Case Study
To bring its mould-breaking virtual horse racing game to market, online gaming company Harino had first to comply with the UK Gambling Commission’s data security requirements and payment card processing standard PCI DSS. IT Governance helped the company address both issues in record time, thanks to an innovative programme of consultancy and security awareness training, paving the way for an eagerly anticipated product launch.
Harino sets a totally new standard for horse racing games, with exciting, realistic graphics. It features a minutely researched user experience, with elements such as the horses’ draw, rating, handicap, form, jockey, training input and condition all positively contributing to the computer generated result. The tightly policed, secure gaming interface allows eligible gamers to play for real money using credit and debit cards; alternatively, users can choose just to “Play for Fun”.
Harino is primarily targeted at players from the UK and Ireland, and the company decided to physically base its operations within the UK as well. This was quite unusual, as many online gaming and betting companies targeting the UK base themselves instead in offshore centres such as Alderney or Gibraltar, thereby avoiding the oversight of the UK Gambling Commission. In contrast, Harino opted for the more regulated and financially onerous onshore location as part of a strategy to establish the credibility of its product, using the Gambling Commission’s stamp of approval to reassure gamers that Harino is a reliable business operated responsibly.
To be awarded a Remote Gambling Operating Licence, Harino had to comply with the Gambling Commission's many regulations, including 58 information security controls taken from the global best practice standard ISO27001. To demonstrate compliance with these controls, Harino had to submit to, and pass, a demanding audit by a third-party inspector approved by the Gambling Commission.
Furthermore, in order to process electronic payments from players, Harino also had to comply with PCI DSS (the Payment Card Industry Data Security Standard), the set of security controls that the card brands require of any merchant that stores, processes or transmits cardholder data. Harino expected initially to fall into the lowest merchant level (Level 4), which covers merchants processing fewer than 20,000 e-commerce transactions annually; the level is ultimately set by the merchant's acquiring bank on the card brands' criteria. To comply at this level, Harino would have to complete an annual Self-Assessment Questionnaire (SAQ) and undergo quarterly external vulnerability scans of its Internet-facing systems by an Approved Scanning Vendor (ASV).
Harino’s game was being developed and launched within a very tight time frame. In order to begin beta testing in May 2008 (when members of the public would play and comment upon a prelaunch version to help fine-tune its features) Harino had first to meet the Gambling Commission’s requirements. Around the same time, it would also have to work towards PCI DSS compliance, as this would be required before the full launch of Harino, complete with full payment facilities, which was planned for Summer 2008.
‘Our launch deadline meant we were effectively learning to swim at the deep end when it came to compliance,’ says administration manager Eric Hwang. ‘We began to research the subject online and soon came across the IT Governance website. It had a lot of very helpful information on ISO27001 and PCI DSS, so that quickly gave us an understanding of what had to be achieved.’
This in turn led to a conversation with IT Governance about its compliance consultancy and training services. Although Harino had approached several consultancies, it was quickly attracted to IT Governance's comprehensive approach and affordable fee levels. In particular, IT Governance's extensive experience of ISO27001 and PCI DSS, and of how they overlap, enabled it to suggest an innovative approach that would simultaneously meet both sets of regulatory goals.
To meet the demanding deadlines for the project, IT Governance assigned a consultant to work full-time with Harino for extended periods. As Harino was a new business with few existing policies and procedures, the consultant's task was effectively to build a new compliance regime from the ground up.
Using a proactive approach, IT Governance drew upon its extensive practical experience to create a comprehensive set of documentation that was cross-mapped to the requirements of both the Gambling Commission and PCI DSS, so that a single policy or procedure could serve as evidence for both regimes. As part of the process, Harino had purchased IT Governance's ISO27001 Toolkit, which is designed to help organisations create their own best practice Information Security Management Systems (ISMSs). The IT Governance consultant was able to tailor this to Harino's particular requirements, ensuring that the work was completed in the shortest possible time.
In addition to creating the required policies and procedures, IT Governance delivered a staff awareness training session for the growing Harino team. The purpose of this training was to establish an information security mindset as part of the company’s culture, particularly important given the Gambling Commission’s annual audits and the PCI DSS quarterly scans and annual questionnaires. The session included a classroom-style test, designed to enable managers to measure their employees’ levels of security awareness, and to form a benchmark for future checks.
The acid test came when Harino's independent auditors visited to assess the company's controls against the Gambling Commission's requirements. The auditors were complimentary and Harino passed the audit with flying colours, paving the way for beta testing to begin on schedule.
Reflecting on Harino’s experience with IT Governance, general manager Harold Kim said, ‘It was a very successful relationship. IT Governance took us from almost zero knowledge and were able to accommodate our particular business requirements. We particularly liked the way they used their experience to offer practical examples of how other organisations had achieved compliance.’
‘We not only feel fully prepared for our immediate needs, but well positioned for when we pursue ISO27001 certification for the entire business.’
Just as we helped Harino achieve compliance with the Gambling Commission and PCI DSS requirements on time and within budget, so we can help you. Call us now on 00 800 48 484 484.