Skip to main content
Back To Top Top Back To Top
This website publishes administrative rules on their effective dates, as designated by the adopting state agencies, colleges, and universities.

Rule 3772-10-12 | Access controls.

 

(A) Each casino operator's internal controls must establish procedures for sensitive keys and securing access to assets and restricted areas.

(B) Each casino operator must maintain automated systems approved by the executive director designed to control and record access to assets and restricted areas.

(C) Unless otherwise required by the executive director, all sensitive keys, locks, access cards, biometric access, and all other methods used to grant access to assets and restricted areas must be controlled and managed by the security department. The IT department may provide assistance with management of automated systems.

(D) Inventory ledgers must be maintained for all sensitive keys and locks. Key and lock inventory ledgers must detail the following information:

(1) The acquisition of sensitive keys and locks;

(2) The placement into service or removal from service of sensitive keys and locks including the current location; and

(3) The destruction or disposal of sensitive keys and locks.

(E) Database records must be maintained documenting the assigned access for sensitive keys, access cards, biometric access, and all other methods used to grant access.

(F) The automated system in which sensitive keys are kept must be continuously covered by a fixed surveillance camera.

(G) Access to assets and restricted areas must be assigned to employees by position type.

(H) Additions or deletions of employee access to assets or restricted areas must be recorded in the automated systems and properly supported by personnel action documentation.

(I) The casino operator's automated systems must track and record when sensitive keys are checked out by employees.

(J) The casino operator's automated systems must track and record employee access to restricted areas secured by the automated systems.

(K) The casino operator's internal audit team must, at least semi-annually, complete an audit or analytical procedures designed to test the physical inventory count of sensitive keys and locks and assigned access to assets and restricted areas.

(L) Procedures for the destruction of sensitive keys and locks must be approved by the executive director.

(M) If a sensitive key or lock is lost, becomes missing, or is otherwise compromised, the casino operator must notify the commission in writing and investigate the incident. After receiving the results of the investigation from the casino operator, the executive director will determine if all associated sensitive keys and locks must be changed in order to maintain access restrictions.

(N) If an access card, biometric access, or other electronic access is lost, becomes missing, or is otherwise compromised, the casino operator must immediately remove all compromised access.

Last updated February 28, 2022 at 8:50 AM

Supplemental Information

Authorized By: 3772.03
Amplifies: 3772.03, 3772.033
Five Year Review Date: 2/28/2027
Prior Effective Dates: 5/12/2012, 6/1/2014, 7/30/2017