Specifications include, but are not limited to: The overall objective of this audit is to provide the Lottery with an assessment of the adequacy of security controls in place that support the security, integrity, confidentiality, and availability of Lottery products, operations, and gaming services. Suggestions for improving the controls shall be provided in the final audit report. It is expected that the Successful Bidder will spend some amount of time on-site reviewing controls, interviewing employees, and performing other actions such as possible penetration testing of the Lottery network. The audit should address both physical controls as well as information security controls. A. A comprehensive audit of the Lottery’s security controls includes the following areas: • Security Department Management, Duties, and Procedures; • Physical Security; • Information Systems Security (including ICS System, Firewalls, etc.); • Security Surrounding Draw Game Drawings; • Business Continuity Planning (as it relates to Hoosier Lottery, only – not specific to IGT Indiana, unless explicitly stated) • A best-practices assessment of Lottery practices investigating potential fraud improvements. C. The development of plans for improving the Lottery’s overall security. D. The security audit must, to the extent possible, be performed on Lottery premises in the Indianapolis area. This would primarily involve Lottery Headquarters, but may likely also include locations such as the Fox59 television studio (northwest side of Indianapolis, site of drawings) as well as the Central Region and Distribution Center, which are located on the southwest side of Indianapolis. The Lottery reserves the right to deny removal of data and other information. The Lottery also has regional offices in Mishawaka and Evansville, although it is not a requirement that site visits be made to these locations. E. The security audit must commence as soon as possible after the Contract has been fully executed, and conclude with the delivery of the final audit report to the Lottery no later than 4:00 P.M. EST, December 20, 2019. F. Vendor’s response shall include a plan for conducting the audit with specific attention to each of the areas listed in Section 1.4, Section A. Vendor’s plan shall also include applicable audit plans, including control objectives and the audit procedures that will be used to conclude upon those objectives. The plan shall also include hours budgeted to complete the review of each area described in the Specifications.