3772-9-11 Remote systems access.

(A) In emergency situations or as an element of technical support, an employee of a licensed gaming-related vendor may perform analysis of, or render technical support with regard to, a licensed casino operator, management company or holding company's electronic gaming monitoring system, casino management system, player tracking system, external bonusing system, cashless funds transfer system, wide-area progressive system, ticket-in ticket-out system or other approved system from a remote location.

(B) All remote access to these systems shall be performed in accordance with the following procedures:

(1) A casino operator shall establish a unique system account for each gaming-related vendor providing technical support from a remote location;

(2) All system access afforded pursuant to this rule shall meet the following requirements:

(a) Be restricted in a manner that requires the casino operator's management information systems department, or the equivalent thereof, to receive prior notice from the licensed gaming-related vendor of that vendor's intent to remotely access a designated system;

(b) Require the casino operator to take affirmative steps, for each instance of access, to activate the licensed gaming-related vendor's access privileges; and

(c) Be designed to appropriately limit the ability of any person authorized under this rule to deliberately or inadvertently interfere with the normal operation of the system or its data.

(3) Separate logs shall be maintained, and kept in accordance with rule 3772-3-05 of the Administrative Code, by the licensed gaming-related vendor and casino operator's management information systems department, or the equivalent thereof, and include, at a minimum, the following information:

(a) The system accessed, including manufacturer, and version number;

(b) The type of connection;

(c) The name of the employee remotely accessing the system or tracking number assigned by the licensed gaming-related vendor for the service request;

(d) The name and license number of the employee in the management information systems department, or the equivalent thereof, activating the vendor's access to the system;

(e) The date, time and duration of the connection;

(f) The reason for the remote access, including a description of the symptoms or malfunction prompting the need for remote access to the system; and

(g) Any action taken or further action required.

(4) All communications between the licensed gaming-related vendor and any of the systems identified in paragraph (A) of this rule shall occur using a dedicated and secure communication facility that may consist of a leased line approved in writing by the executive director of the commission.

(C) Each casino operator authorizing access to a system by a licensed gaming-related vendor under this rule shall implement a system of access protocols and other controls over the physical integrity and the remote access process of that system sufficient to ensure appropriately limited access to software and the system-wide reliability of data.

Effective: 9/26/2015
Five Year Review (FYR) Dates: 06/30/2015 and 09/26/2020
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03
Prior Effective Dates: 5/19/12