3772-10-26 Key controls.

(A) Each casino operator's internal controls shall establish procedures for securing and accurately tracking keys and locks. The key and lock inventory controls shall include procedures for:

(1) Establishing a key custodian who is responsible, along with the casino operator itself, for maintaining the casino operator's keys and locks;

(2) Maintenance of inventory ledgers by identified, authorized personnel for purposes of documenting:

(a) The identification of the key;

(b) Licensed employees who are authorized to use the key;

(c) The requisitioning of keys and locking devices from vendors;

(d) The receipt of blank key stock;

(e) The storage and issuance of keys and locking devices;

(f) Any loss, removal from service, and subsequent replacement of keys and locking devices;

(g) The destruction of keys and locking devices; and

(h) The results of physical inventories;

(3) The storage of duplicate keys and locking devices, including a physical description of any storage location and the identification of authorized personnel in control of such location;

(4) The destruction of keys and locking devices, including documentation detailing in whose presence any destruction shall occur; and

(5) Physical inventories of all keys and locking devices at least once every three months by a licensed employee who would not be acting in an incompatible function.

(B) The plan shall include procedures for securing sensitive keys. Sensitive keys include:

(1) Drop box content keys;

(2) Bill validator canister content keys;

(3) Drop box table slide release keys;

(4) Drop and bill validator canister reset keys;

(5) Drop trolley door keys;

(6) Slot machine access keys;

(7) Count room door key;

(8) Card and dice storage room keys (dual access required);

(9) Table game chip inventory cover key;

(10) Pit stand keys;

(11) Keys to areas housing a computer that controls table game progressive payout wager systems;

(12) The slot management system access key;

(13) The jackpot or slot re-impressment kiosk keys;

(14) The self-redemption or bill breaker kiosk keys;

(15) The change cart key;

(16) The key for each table game's drop box;

(17) The key for the table game drop box release;

(18) The keys for the bill validator and table drop storage cart;

(19) The key for each table game's chip bank cover;

(20) The key for each progressive game's controller;

(21) The keys for the reserve chip storage;

(22) The keys for the card and dice storage area;

(23) The keys for the secondary chip storage area;

(24) The access door key to any cage, slot bank, or redemption booth;

(25) The window key to any cage, slot bank, or redemption booth;

(26) The keys to the vault;

(27) The keys to the count room; and

(28) Any key not listed in this paragraph that controls access to any cash or chip storage area.

(C) If a sensitive key is lost or becomes missing, all locks that the key fits shall be changed immediately.

(D) Each casino operator's internal controls shall include the following information:

(1) The location of each sensitive key and key box;

(2) Each employee or contract job title who is authorized to access the sensitive key boxes;

(3) The procedure for issuing and controlling sensitive keys;

(4) The sensitive key names, location, and persons authorized to sign out each sensitive key;

(5) The location and custodian of each duplicate sensitive key; and

(6) Continuous surveillance coverage of each key box.

(E) If a casino operator chooses to use an automated key control system, the casino operator's internal control system shall include the following information:

(1) A description of the automated system and its configuration, including how access is controlled;

(2) The system's ability to provide scheduled and on-demand reports for a complete audit trail of all access, including the following:

(a) The identity of the key box;

(b) The identity of the keys;

(c) The date and time a key was removed;

(d) The date and time a key was returned;

(e) Any unauthorized attempts to access the key box;

(f) All entries, changes, or deletions in the system and the name of the employee performing the entry, change, or deletion; and

(g) The employee position that is in charge of any automated key control system;

(3) Each employee position that is authorized to enter, modify, and delete any keys;

(4) Each employee position that is authorized to access the system;

(5) Details about the alarms being used to signal for the following events:

(a) Overdue keys;

(b) Open key box doors;

(c) Unauthorized attempts to access; and

(d) Any other unusual activities;

(6) Any system override procedures; and

(7) A procedure for the notification of a commission gaming agent on duty if a partial or complete system failure occurs.

(F) All sensitive keys may only be issued after proper completion of a sensitive key log, which shall include:

(1) The date;

(2) The key number or ring number;

(3) The name of the individual or the automated key box issuing the key;

(4) The name of the individual receiving key;

(5) The time the key was signed out;

(6) The time the key was signed in;

(7) The name of the individual returning key; and

(8) The name of the individual or the automated key box receiving the returned key.

(G) The licensed employee who signs out a sensitive key shall maintain custody of the key until the key is returned to the sensitive key box. Keys shall not be passed to other individuals.

(H) An inventory log of duplicate keys shall be maintained documenting the current issuance, receipt and inventory of all duplicate sensitive keys. The duplicate key inventory log shall include the following information:

(1) The date and time;

(2) The key name that shall be identical to the key name on the sensitive key access list;

(3) The key number;

(4) The number of keys in the beginning inventory;

(5) The number of keys added or removed;

(6) The number of keys in the ending inventory;

(7) The reason for adding or removing keys;

(8) The signatures of the two licensed individuals accessing the key box; and

(9) The signature of the individual receiving the key.

Effective: 06/01/2014
R.C. 119.032 review dates: 03/14/2014 and 06/01/2019
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03
Prior Effective Dates: 05/12/2012