Specifications include, but are not limited to: The overall objective of this audit is to provide the Lottery with an assessment of the adequacy of
security controls in place that support the security, integrity, confidentiality, and availability of
Lottery products, operations, and gaming services. Suggestions for improving the controls shall be
provided in the final audit report. It is expected that the Successful Bidder will spend some amount
of time on-site reviewing controls, interviewing employees, and performing other actions such as
possible penetration testing of the Lottery network. The audit should address both physical controls
as well as information security controls.
A. A comprehensive audit of the Lottery’s security controls includes the following
• Security Department Management, Duties, and Procedures;
• Physical Security;
• Information Systems Security (including ICS System, Firewalls, etc.);
• Security Surrounding Draw Game Drawings;
• Business Continuity Planning (as it relates to Hoosier Lottery, only – not specific to IGT
Indiana, unless explicitly stated)
• A best-practices assessment of Lottery practices investigating potential fraud
C. The development of plans for improving the Lottery’s overall security.
D. The security audit must, to the extent possible, be performed on Lottery premises in
the Indianapolis area. This would primarily involve Lottery Headquarters, but may
likely also include locations such as the Fox59 television studio (northwest side of
Indianapolis, site of drawings) as well as the Central Region and Distribution Center,
which are located on the southwest side of Indianapolis. The Lottery reserves the right
to deny removal of data and other information. The Lottery also has regional offices in
Mishawaka and Evansville, although it is not a requirement that site visits be made to
E. The security audit must commence as soon as possible after the Contract has been
fully executed, and conclude with the delivery of the final audit report to the Lottery no
later than 4:00 P.M. EST, December 20, 2019.
F. Vendor’s response shall include a plan for conducting the audit with specific
attention to each of the areas listed in Section 1.4, Section A. Vendor’s plan shall also
include applicable audit plans, including control objectives and the audit procedures
that will be used to conclude upon those objectives. The plan shall also include hours
budgeted to complete the review of each area described in the Specifications.