Cem_templates

gaming operations
Itsoundslikeafunnyquestion,butwhenyoustarttothink about it, it can lead to a little bit of panic. Jeez, how do I know what Idon’t know? Where do you go to find the answer when you don’teven know the question to ask? When I do training on technologyrisk assessments, I start by asking this question. People don’t knowhow to answer and sit there with a puzzled look on their face. Itcould be that it’s usually morning and they have not had enoughcaffeine yet, but I’d like to think it truly challenges them to thinkabout what they don’t know. And to be fair, I do put the question inthe context of gaming systems and technology, because I’m notprepared to discuss quantum physics or the genesis of the universethat early in the morning, either.
Here are some samples of questions that highlight systems technology risks within a casino operation. Do you know the answerto the following questions about your casino operation? 1. How often are your system passwords changed?2. How often do player’s club points expire?3. How much can a casino employee can comp a guest?4. How many people does it takes to authorize a $2,500 5. What is the maximum amount of points that can be adjusted So while you’re scrambling now to find the answers to these questions, calling your IT department, your internal audit andcompliance departments, your marketing department, and your slotdirector, stop and think about why these questions are important.
While the answers are important, the questions are designed toshow casino management and regulators where risk lies within theiroperations. As part of our risk assessments, we examine variousaspects of the casino’s operation to highlight opportunities forfraudulent or improper transactions and risks to your data andnetwork infrastructure.
gaming operations
How often is your system access password changed? Passwords points-based scams evolve from incorrect point adjustment can be the weakest link in a computer security scheme. Shared or configurations and user access to adjustment and account merges.
copied passwords are one of the easiest ways to create a false Ask the IT and marketing departments to review their user access transaction. If one employee knows another employee or parameters to see who has conflicting access to adjustment and supervisor’s login and password, they can create bogus transactions, authorize fraudulent transactions or place the blame on an innocent Gaming commissioners, state and tribal regulators, internal employee. Many systems require password changes every 90 days; auditors and compliance personnel are responsible for reviewing however many systems allow the user to re-use their previous gaming operations and ensuring the assets of the organization are password, which really isn’t a change, it’s just changing the password protected. When a business completes a financial audit, they updated date. Password security is one of the primary safeguards for typically utilize external auditors to review the financials as an your data. Ask your IT department to confirm that you have a independent and impartial auditor. There is just as much financial password security policy in place that defines how often and how exposure through gaming management systems. In many instances, passwords are changed for all operational systems.
it benefits the organization as a whole to utilize external technology How often do player’s club points expire? Player’s club points can auditors who can provide impartial system configuration and be converted to cash in many casinos where they can be redeemed at the gaming device for credits as well as utilized at locations Technology risk originates from many sources. Internal risks come throughout your resort for goods and services. Player tracking not only from blatant theft, but also from unskilled and untrained systems allow many levels of casino employee’s access to points for employees. Many employees think just because they have redemption, adjustment, expiration and revival. Employees in permissions to perform a specific function, they need to try it, even collusion with each other and with guests can easily steal funds with though they may not understand the implications of their actions.
these system tools. Timely expiration of points is one line of defense External risks can come from your vendors having unmonitored against the creation of improper redemption transactions. Ask your access to your systems. And, of course, the casino’s own customers marketing department how often they expire player’s club points can be a threat alone, or in collusion with internal employee and how they handle unused accounts.
How much can a casino employee comp a guest? A wide-open Understanding the source of technology risks and threats lays the and generous comp authorization matrix creates the opportunity for foundation for closing the gaps within the operation. While a system excessive comp issuance and redemption transactions. Additionally, audit is the first step to identify issues within technology system without proper comp audit procedures, casino employees and configurations, training and re-training on system configuration, guests can take advantage of the free goods and services they operations and audit is key to ensuring that system risks are receive. We’ve seen systems configured where employees with resolved. New hires, turnover and promotions each create player tracking system access could comp guests up to educational opportunities for systems training, job skills training and $5,000,000,000 (yes, that is $5 billion). Yes, this is an extreme an overall re-education on the casino’s operational practices.
example, but since complimentary dollars can be equivalent to cash, Learning “what you don’t know” is important and scary at the this is essentially the same as leaving the door to the vault open. Ask same time. External resources for systems auditing are available and your audit department how often they review complimentary these experts can provide a thorough review of your technology transactions and who maintains and authorizes changes to the configurations. A successful technology audit must include a review of casino operations and a review of system technology How many people does it take to authorize a $2,500 jackpot? configurations and then a comparison of these two to identify gaps Incorrect jackpot payout limits provide the opportunity for and provide mitigating strategies to minimize or eliminate risks.
employees to generate jackpot transactions that are greater than the Because systems are ever-changing with upgrades, new modules, amounts in the casino’s Minimum Internal Control Standards.
and new interfaces, risk assessments are best performed at least Improper jackpot authorizations can create collusion opportunities quarterly, in conjunction with daily, weekly and monthly audit between casino employees. Interfaces between jackpot payout procedures to review transactions on a timely basis.
software and jackpot payout kiosks can result in improper funds While I might not be an expert on quantum physics (thank being dispensed from kiosks. These are just three examples of goodness!), I do know that protection of a casino’s assets and jackpot scams. And now we’re talking about real money, because integrity are essential to successful casino operation. It is possible to jackpot payouts are made in cash. Ensuring that passwords are know what you don’t know. Just ask.
secure and jackpot authorization levels are maintained within theguidelines of internal controls and operational integrity isparamount. Some of the largest system scams to date have involvedfraudulent jackpot transactions. Ask your slot department not onlywhat the jackpot authorization matrix looks like, but how theyschedule their employees to avoid collusion relationships.
What is the maximum amount of points that can be adjusted onto STEPHANIE MADDOCKS
a player’s account in a day? As mentioned above, points are Stephanie Maddocks is President of Power Strategies, equivalent to cash in many casino marketing configurations. If a Las Vegas-based technology consulting company player’s balances can changed, the proper controls must be in place that provides technology selection, planning and to ensure that only supervisory personnel have access and that the implementation, and business operations services. audit department is reviewing transactions on a daily basis.
She can be reached at (702) 460-6600 or Additionally, automated programs that update points, such as double bonus point times, or group events, or external third partysoftware systems can also impact player’s point balances. Many

Source: http://powerstrategies.co/wp-content/uploads/2013/10/How-Do-You-Know-What-You-Dont-Know.pdf