(A) Each casino operator's internal controls shall establish procedures for sensitive keys and securing access to assets and restricted areas.
(B) Each casino operator shall maintain automated systems approved by the commission designed to control and record access to assets and restricted areas.
(C) Unless otherwise required by rules adopted by the commission, all sensitive keys, locks, access cards, biometric access, and all other methods used to grant access to assets and restricted areas shall be controlled and managed by the casino security department. The information technology department may provide assistance with management of automated systems.
(D) Inventory ledgers shall be maintained for all sensitive keys and locks. Key and lock inventory ledgers shall detail the following information:
(1) The acquisition of sensitive keys and locks;
(2) The placement into service or removal from service of sensitive keys and locks including the current location; and
(3) The destruction or disposal of sensitive keys and locks.
(E) Database records shall be maintained documenting the assigned access for sensitive keys, access cards, biometric access, and all other methods used to grant access.
(F) The automated system in which sensitive keys are kept shall be continuously covered by a fixed surveillance camera.
(G) Access to assets and restricted areas shall be assigned to employees by position type and the access by position type shall be detailed in the position descriptions in the casino operator's internal controls.
(H) Additions or deletions of employee access to assets or restricted areas shall be recorded in the automated systems and properly supported by personnel action documentation.
(I) The casino operator's automated systems shall track and record when sensitive keys are checked out by employees.
(J) The casino operator's automated systems shall track and record employee access to restricted areas, except for pit areas, as defined in paragraph (F) of rule 3772-11-01 of the Administrative Code.
(K) The casino operator's revenue audit team or internal audit team shall, semi-annually, complete an audit or analytical procedures designed to test the physical inventory count of sensitive keys and locks and assigned access to assets and restricted areas.
(L) Procedures for the destruction of sensitive keys and locks shall be approved by the commission and detailed in the internal controls.
(M) If a sensitive key or lock is lost, becomes missing, or is otherwise compromised, the casino operator shall notify the commission in writing and investigate the incident. After receiving the results of the investigation from the casino operator, the executive director or executive director's designee shall determine if all associated sensitive keys and locks shall be changed in order to maintain access restrictions.
(N) If an access card, biometric access, or other electronic access is lost, becomes missing, or is otherwise compromised, the casino operator shall immediately remove all compromised access and notify the commission in writing.
Cite as Ohio Admin. Code 3772-10-26