3772-10-15 Information technology controls.

(A) The casino operator's information technology ("IT") department shall be responsible for the quality, reliability, accuracy, security, and integrity of all gaming-related computer systems, regardless of the system's location.

(B) IT department personnel shall be prohibited from having a signatory ability on gaming-related documents affecting gross casino revenue and initiating general or subsidiary ledger entries.

(C) Each casino operator's internal control system shall contain provisions for information technology, which include, but are not limited to:

(1) Procedures for the control and installation of gaming-related system software. A software control log evidencing all authorized changes to software shall be maintained and reviewed for accuracy and completion by a member of the IT department, as designated by the casino operator's internal controls;

(2) Procedures for the examination of gaming-related system software to detect changes, whether authorized or not. The examination shall occur at least monthly and shall be logged and reviewed for accuracy and completion by a member of the IT department, as designated by the casino operator's internal controls;

(3) A description of the secured area where the gaming-related system servers and core components are located, including the physical security measures implemented to prevent unauthorized access and loss of data integrity. Non-IT department personnel shall be prohibited from having unrestricted access to gaming-related system servers. Access to the secured area shall be logged. The log shall be reviewed for accuracy and completion by a member of the IT department, as designated in the casino operator's internal controls, at least monthly. At a minimum, the log shall include the following information:

(a) Date and time the secured area was entered;

(b) Date and time the secured area was exited;

(c) Reason for access;

(d) First and last name of individual entering the area; and

(e) License number of individual entering the area, if applicable;

(4) A description of the logical access and security measures implemented to segregate incompatible functions, prohibit unauthorized access, and prevent loss of data integrity. The measures shall include, but are not limited to:

(a) Creation and maintenance of gaming-related system user accounts.

Accounts shall be reviewed for appropriate access levels at least quarterly. The review shall be documented and checked for accuracy and completion by a member of the IT department, as designated in the casino operator's internal controls; and

(b) Gaming-related system user accounts must be authenticated prior to being given access. A description of the authentication mechanism (passwords, biometrics, etc.) and the associated security policies shall be included.

(5) Procedures for back-up and recovery of gaming-related system data. The back-up and recovery process shall be logged and reviewed for completion and accuracy by a member of the IT department, as designated in the casino operator's internal controls;

(6) Procedures for monitoring and reviewing gaming-related system security event logs for suspicious activity and abnormal operation. Completion of the procedures shall be logged. The log shall be reviewed for accuracy and completion by a member of the IT department, as designated in the casino operator's internal controls;

(7) Procedures for allowing remote access to gaming-related systems. The procedures shall include, but are not limited to:

(a) The process for establishing a unique gaming-related system user account for each vendor requesting remote access;

(b) A description of the dedicated and secure communication mechanism used to provide remote access, including applicable security and encryption parameters;

(c) Steps taken to activate remote access capability for each instance of remote access;

(d) Steps taken to deactivate remote access capability at the conclusion of each instance of remote access; and

(e) Logging of each instance of remote access. At a minimum, the log shall include the following information:

(i) Date and time remote access capability was activated;

(ii) Date and time remote access capability was deactivated;

(iii) System accessed, including manufacturer and version number;

(iv) First and last name of the individual or unique service request tracking number assigned by the licensed gaming-related vendor remotely accessing the system;

(v) First name, last name, and license number of the IT department member who activated the remote access capability;

(vi) First name, last name, and license number of the IT department member who deactivated the remote access capability; and

(vii) The reason for remote access, including a description of the actions taken during the remote access session.

(D) Licensed gaming-related vendors shall maintain a log of each remote access session established with a gaming-related system. At a minimum, the log shall include:

(1) Date and time the remote access session started;

(2) Date and time the remote access session ended;

(3) Name of the casino the session was established with;

(4) System accessed, including manufacturer and version number;

(5) First and last name of the individual or unique service request tracking number assigned by the licensed gaming-related vendor remotely accessing the system; and

(6) The reason for remote access, including a description of the actions taken during the remote access session.

Replaces: 3772-10-15

Effective: 10/1/2016
Five Year Review (FYR) Dates: 10/01/2021
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03; 3772.033
Prior Effective Dates: 4/1/12