3772-10-15 Information technology standards.

(A) Each casino operator licensee or casino operator applicant's internal control system shall include internal controls for information technology standards.

(B) The management information systems ("MIS") department shall be responsible for the quality, reliability, and accuracy of all slot computer systems used by the casino operator licensee regardless of whether data, software, or systems are located within or outside the casino facility. The MIS department shall be responsible also for the security and physical integrity of, and the accountability and maintenance of, the following:

(1) Access codes and other security controls used to ensure limited access to computer software and the system-wide reliability of data;

(2) Computer tapes, disks, or other electronic storage media containing data relevant to the casino operator licensee's operations;

(3) Computer hardware, communications equipment, and software used in the conduct of the casino operator licensee's operations; and

(4) The computerized slot monitoring system utilized by the casino operator licensee.

(C) The technology standards shall include general controls for gaming hardware and software, including:

(1) Procedures for the control and installation of software by the MIS department;

(2) The creation of a software control log by the MIS department evidencing all authorized changes to software;

(3) The review and comparison of the report and log required by the internal audit department for any deviations and investigation;

(4) Methods for detecting software changes, whether authorized or not; and

(5) Methods for generating reports from all computer systems.

(D) These general controls shall include all of the following requirements:

(1) The casino operator licensee's management shall ensure that physical and logical security measures are implemented, maintained, and adhered to by personnel to prevent unauthorized access that could cause errors or compromise data or processing integrity;

(2) The casino operator licensee's management shall ensure that all new gaming vendor hardware and software agreements and contracts contain language requiring the vendor to adhere to internal control standards applicable to the goods and services the vendor is providing;

(3) Physical security measures shall exist over computers, computer terminals, data lines, and storage media to prevent unauthorized access and loss of integrity of data and processing; and

(4) The requirements in paragraph (C)(1) of this rule shall apply to each applicable department within the casino facility. Only authorized personnel shall have access to the following:

(a) Systems software and application programs;

(b) Computer data;

(c) Computer communications facilities;

(d) The computer system; and

(e) Information transmissions.

(E) The main computers for each gaming application shall be located in a secured area with access restricted to authorized persons, including vendors. Non-MIS department personnel shall be precluded from having unrestricted access to the secured computer areas.

(F) Access to computer operations shall be restricted to authorized personnel.

(G) Incompatible functions shall be adequately segregated and monitored to prevent lapses in general information technology procedures that could allow errors to go undetected or fraud to be concealed.

(H) The computer systems, including application software, shall be secured through the use of passwords or other means approved by the commission, if applicable. MIS department personnel shall assign and control the access to system functions.

(I) Passwords shall be controlled.

(J) Data backup and recovery procedures shall be established and followed.

(K) Information technology system documentation shall be maintained, including descriptions of hardware and software, including current version numbers of approved software and licensee manuals.

(L) MIS department personnel shall meet the following requirements:

(1) Be precluded from unauthorized access to the following:

(a) Computers and terminals located in gaming areas;

(b) Source documents; and

(c) Live data files, which shall not contain test data; and

(2) Be restricted from the following:

(a) Having unauthorized access to cash or other liquid assets; and

(b) Initiating general or subsidiary ledger entries.

(M) All program changes for in-house developed systems shall be documented and controlled in the manner established by the MIS department.

(N) The MIS department shall maintain computer security logs. If computer security logs are generated by the system, the logs shall be reviewed by MIS department personnel for evidence of unauthorized access or irregularities.

(O) The MIS department shall create controls for remotely accessing and logging changes to the casino's computer systems.

(P) If a casino operator licensee employs computer applications to replace or to supplement manual procedures, the computer application procedures implemented shall provide the same level of documentation or procedures, or both, that manual procedures approved by the commission require.

Effective: 04/01/2012
R.C. 119.032 review dates: 04/01/2017
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03, 3772.033