3772-9-11 Remote systems access.

(A) In emergency situations or as an element of technical support, an employee of a licensed gaming-related vendor may perform analysis of, or render technical support with regard to, a licensed casino operator, management company or holding company's electronic gaming monitoring system, casino management system, player tracking system, external bonusing system, cashless funds transfer system, wide-area progressive system, ticket-in ticket-out system or other approved system from a remote location.

(B) All remote access to these systems shall be performed in accordance with the following procedures:

(1) A licensed gaming-related vendor shall establish a unique system account for each employee of that vendor that is identified as being potentially required to perform technical support from a remote location;

(2) All system access afforded pursuant to this rule shall meet the following requirements:

(a) Be restricted in a manner that requires the licensed casino operator, management company or holding company's management information systems department, or the equivalent thereof, to receive prior notice from the licensed gaming-related vendor of that vendor's intent to remotely access a designated system;

(b) Require the licensed casino operator, management company or holding company to take affirmative steps, for each instance of access, to activate the licensed gaming-related vendor's access privileges; and

(c) Be designed to appropriately limit the ability of any person authorized under this rule to deliberately or inadvertently interfere with the normal operation of the system or its data.

(3) Separate logs shall be maintained, and kept in accordance with rule 3772-3-05 of the Administrative Code, by the licensed gaming-related vendor and casino operator, management company or holding company's management information systems department, or the equivalent thereof, and include, at a minimum, the following information:

(a) The system accessed, including manufacturer, and version number;

(b) The type of connection;

(c) The name of the employee remotely accessing the system;

(d) The name and license number of the employee in the management information systems department, or the equivalent thereof, activating the vendor's access to the system;

(e) The date, time and duration of the connection;

(f) The reason for the remote access, including a description of the symptoms or malfunction prompting the need for remote access to the system; and

(g) Any action taken or further action required.

(4) All communications between the licensed gaming-related vendor and any of the systems identified in paragraph (A) of this rule shall occur using a dedicated and secure communication facility that may consist of a leased line approved in writing by the executive director of the commission.

(C) If an employee of a licensed gaming-related vendor is no longer employed by, or authorized by, that vendor to remotely access a system pursuant to this rule, the vendor shall:

(1) Notify, by the end of that business day, the commission, through its employees or agents, and each casino operator, management company or holding company that has established a unique system account for that employee of the change in authorization; and

(2) Verify with each casino operator, management company or holding company that any access privileges previously granted to that employee have been revoked.

(D) Each licensed casino operator, management company or holding company authorizing access to a system by a licensed gaming-related vendor under this rule shall implement a system of access protocols and other controls over the physical integrity and the remote access process of that system sufficient to ensure appropriately limited access to software and the system-wide reliability of data.

Effective: 05/19/2012
R.C. 119.032 review dates: 05/19/2017
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03