Mich. Admin. Code R. 432.639

Current through Vol. 24-19, November 1, 2024
Section R. 432.639 - Internet gaming operators and internet gaming platform provider technical and security standards (controls)

Rule 639.

(1) An internet gaming operator or its internet gaming platform provider, or both must adopt, implement, and maintain technical security standards (controls) that meet or exceed those adopted in R 432.633(2). The technical security standards must apply, at a minimum, to all the following critical components of the internet gaming platform:
(a) Components that record, store, process, share, transmit, or retrieve sensitive information (e.g., validation numbers, personal identification numbers (PIN), and individual and authorized participant data).
(b) Components that generate, transmit, or process random numbers used to determine the outcome of games or virtual events.
(c) Components that store results or the current state of an authorized participant's internet wager.
(d) Points of entry to and exit from the components provided for in subdivisions (a) to (c) of this subrule and other systems that are able to communicate directly with core critical internet gaming platform components.
(e) Communication networks that transmit sensitive information involving internet gaming under the act.
(2) The following technical security standards are the minimum standards an internet gaming operator or internet gaming platform provider must incorporate into its internal controls:
(a) Technical security standards addressing internet gaming platform operations and security include, but are not limited to, all of the following:
(i) Internet Gaming Platform Operations and Security. The internet gaming operator or internet gaming platform provider must adopt, implement, and maintain procedures for, at a minimum, the following:
(A) Monitoring the critical components and the transmission of data of the entire internet gaming platform.
(B) Maintenance of all aspects of security of the internet gaming platform to ensure secure and reliable communications.
(C) Defining, monitoring, documenting, reporting, investigating, responding to, and resolving security incidents.
(D) Monitoring and adjusting resource consumption and maintaining a log of the internet gaming platform performance.
(E) Investigating, documenting, and resolving malfunctions.
(ii) Physical Location of Servers and Security. The internet gaming platform must be housed in secure locations. Internet gaming operators and their internet gaming platform providers must provide the board with information on the location of all internet gaming platform servers. The secure locations must have sufficient protection from unauthorized access and physical and environmental hazards and be equipped with surveillance and security systems that meet or exceed industry standards.
(iii) Internet Gaming Platform Logical Access Controls. The internet gaming platform must be logically secured against unauthorized access.
(iv) Internet Gaming Platform User Authorization. The internet gaming platform must be subject to user authorization requirements as required by the board.
(v) Server Programming. The internet gaming platform must be sufficiently secure to prevent any user-initiated programming capabilities on the server that may result in unauthorized modifications to the database.
(vi) Verification Procedures. Procedures must be in place for verifying on demand that the critical control program components of the internet gaming platform in the production environment are identical to those approved by the board.
(vii) Electronic Document Retention System. The internet gaming operator or internet gaming platform provider must establish procedures that ensure that all reports required under the act and these rules are stored in an electronic document retention system.
(viii) Asset Management. All assets that house, process, or communicate sensitive information, including those comprising the operating environment of the internet gaming platform or its components, or both, must be accounted for and have a nominated owner or designated management official that is responsible for each asset.
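An on-demand check of the kind paragraph (vi) requires, written here as an added example (it is not the rule's or any operator's code): it assumes the board-approved set of critical control program components is recorded as a manifest of relative path to SHA-256 digest, and reports every deployed component that differs from, is missing from, or was never in the approved set.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large RNG or game-engine binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every file under root as {relative POSIX path: SHA-256}; a snapshot taken from
    the approved build is what the board-approved manifest is assumed to look like."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_production(root: Path, approved: dict) -> dict:
    """On-demand comparison of the deployed tree against the approved manifest."""
    deployed = build_manifest(root)
    report = {
        "modified": sorted(k for k in approved if k in deployed and deployed[k] != approved[k]),
        "missing": sorted(k for k in approved if k not in deployed),
        "unapproved": sorted(k for k in deployed if k not in approved),
    }
    report["identical"] = not (report["modified"] or report["missing"] or report["unapproved"])
    return report

def demo() -> dict:
    """Constructed scenario: approve a small tree, let it drift, and verify before and after."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rng").mkdir()
        (root / "rng" / "rng_core.bin").write_bytes(b"\x00approved-rng-build")
        (root / "game_state.py").write_text("STATE_VERSION = 1\n")
        approved = build_manifest(root)          # snapshot of the approved build
        clean = verify_production(root, approved)
        # drift after approval: RNG binary altered, state module removed, unreviewed hotfix added
        (root / "rng" / "rng_core.bin").write_bytes(b"\x00patched-rng-build")
        (root / "game_state.py").unlink()
        (root / "hotfix.py").write_text("pass\n")
        drifted = verify_production(root, approved)
    return {"clean": clean, "drifted": drifted}

if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the report is a finding to investigate under the change-control and incident procedures of subrule (2), not something to reconcile by re-hashing.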
(b) The technical security standards addressing data security and backup recovery include, but are not limited to, all of the following:
(i) Data Security. The internet gaming platform must provide a logical means for securing individual and authorized participant data and wagering data, including accounting, reporting, significant event, or other sensitive information, against alteration, tampering, or unauthorized access.
(ii) Data Alteration. The alteration of any accounting, reporting, or significant event data relating to internet wagering under the act is not permitted without supervised access controls. If any data is changed, all information required by the board must be documented or logged.
(iii) Backup Frequency. Backup scheme implementation relating to information involving internet wagering under the act must occur at least once every day or as otherwise specified by the board.
(iv) Storage Medium Backup. Audit logs, internet gaming platform databases, and any other pertinent individual and authorized participant data and wagering data must be stored using reasonable protection methods. The internet gaming platform must be designed to protect the integrity of this data if there is a failure. Redundant copies of this data must be kept on the internet gaming platform with open support for backups and restoration, so that no single failure of any portion of the internet gaming platform would cause the loss or corruption of the data.
(v) Internet Gaming Platform Failure. The internet gaming platform must have sufficient redundancy and modularity so that if any single component or part of a component fails, the functions of the internet gaming platform and the process of auditing those functions can continue with no critical data loss. If 2 or more components are linked, the process of all internet gaming operations between the components must not be adversely affected by restart or recovery of either component and upon restart or recovery, the components must immediately synchronize the status of all transactions, data, and configurations with one another.
(vi) Accounting and Master Resets. The internet gaming operator or internet gaming platform provider must be able to identify and properly handle the situation where a master reset has occurred on any component that affects internet gaming under the act.
(vii) Recovery Requirements. If there is a catastrophic failure when the internet gaming platform cannot be restarted in any other way, it must be possible to restore the internet gaming platform from the last backup point and fully recover. The contents of that backup must contain critical information as required by the board.
(viii) Uninterrupted Power Supply (UPS) Support. All internet gaming platform components must be provided with adequate primary power. If the server is a stand-alone application, it must have a UPS connected and must have sufficient capacity to permit a methodical shut-down that retains all individual and authorized participant data and wagering data during a power loss. It is acceptable that the internet gaming platform may be a component of a network that is supported by a network-wide UPS if the server is included as a device protected by the UPS. There must be a surge protection system in use if not incorporated into the UPS itself.
(ix) Business Continuity and Disaster Recovery Plan. A business continuity and disaster recovery plan must be in place to recover internet gaming operations conducted under the act if the internet gaming platform's production environment is rendered inoperable.
(c) Technical security standards addressing communications include, but are not limited to, all of the following:
(i) Connectivity. Only authorized devices are permitted to establish communications between any internet gaming platform components.
(ii) Communication Protocol. Each component of the internet gaming platform must function as indicated by a documented secure communication protocol.
(iii) Communication Over Internet/Public Network. Communications between internet gaming platform components must be secure. Individual and authorized participant data, sensitive information, internet wagers, results, financial information, and individual and authorized participant transaction information related to internet gaming conducted under the act must always be encrypted and protected from incomplete transmissions, misrouting, unauthorized message modification, disclosure, duplication, or replay.
(iv) Wireless Local Area Network (WLAN) Communications. The use of WLAN communications must adhere to applicable requirements specified for wireless devices and is subject to approval by the board.
(v) Network Security Management. Networks must be logically separated to ensure that there is no network traffic on a network link that cannot be serviced by hosts on that link.
(vi) Mobile Computing and Communications. Formal policies shall be in place, and appropriate security measures shall be adopted to protect against the risk of using mobile computing and communication facilities. Telecommuting shall not be permitted except under circumstances where the security of the endpoint can be guaranteed.
(d) Technical security standards addressing third party service providers include, but are not limited to, all of the following:
(i) Third-Party Service Communications. Where communications related to internet gaming conducted under the act are implemented with third-party service providers, the internet gaming platform must securely communicate with all third-party service providers utilizing encryption and strong authentication, ensure that all login events are recorded to an audit file, and ensure that all communications do not interfere with or degrade normal internet gaming platform functions.
(ii) Third-Party Services. The roles and responsibilities of each third-party service provider engaged by the internet gaming operator or internet gaming platform provider must be defined and documented in a manner approved by the board. The internet gaming operator or internet gaming platform provider must have policies and procedures in place for managing third-party service providers and monitoring their adherence to relevant security requirements.
(e) Technical security standards addressing technical controls include, but are not limited to, all of the following:
(i) Domain Name Service (DNS) Requirements. An internet gaming operator or internet gaming platform provider must establish requirements that apply to servers used to resolve DNS queries used in association with the internet gaming platform.
(ii) Cryptographic Controls. An internet gaming operator or internet gaming platform provider must establish and implement a policy for the use of cryptographic controls that ensures the protection of information.
(iii) Encryption Key Management. The management of encryption keys must follow defined processes established by the internet gaming operator or internet gaming platform provider and approved by the board.
(f) The technical security standards addressing remote access and firewalls include, but are not limited to, all of the following:
(i) Remote Access Security. Remote access, if approved by the board, must be performed via a secured method, must have the option to be disabled, may accept only the remote connections permissible by the firewall application and internet gaming platform settings, and must be limited to only the application functions necessary for users to perform their job duties.
(ii) Remote Access and Guest Accounts Procedures. Remote access and guest accounts procedures must be established that ensure that remote access is strictly controlled.
(iii) Remote Access Activity Log. The remote access application must maintain an activity log that updates automatically and records and maintains all remote access information.
(iv) Firewalls. All communications, including remote access, must pass through at least 1 approved application-level firewall. This includes connections to and from any non-internet gaming platform hosts used by the internet gaming operator or internet gaming platform provider.
(v) Firewall Audit Logs. The firewall application must maintain an audit log and must disable all communications and generate an error if the audit log becomes full. The audit log must contain, at a minimum, all the following information:
(A) All changes to configuration of the firewall.
(B) All successful and unsuccessful connection attempts through the firewall.
(C) The source and destination IP Addresses, Port Numbers, Protocols, and, where possible, MAC Addresses.
(vi) Firewall Rules Review. The firewall rules must be periodically reviewed by the internet gaming operator or internet gaming platform provider to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets and must be performed on all the perimeter firewalls and the internal firewalls.
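An added illustration (not part of the rule or any vendor's firewall) of the audit-log behaviour paragraph (v) describes: a fixed-capacity log that records the (A) to (C) fields and, the moment it fills, marks communications disabled and raises an error, so that the filter denies traffic rather than passing it unlogged. The rule-tuple format, the three-entry capacity and the addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
class AuditLogFull(Exception):
    """Raised when the log has become full; traffic must stop until the log is rotated."""

@dataclass
class FirewallAuditLog:
    capacity: int                        # entries the log can hold before it is full
    entries: list = field(default_factory=list)
    communications_enabled: bool = True  # cleared the moment the log fills (fail closed)

    def _append(self, entry: dict) -> None:
        if not self.communications_enabled:
            raise AuditLogFull("audit log full; communications already disabled")
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)
        if len(self.entries) >= self.capacity:   # this entry filled the last slot
            self.communications_enabled = False
            raise AuditLogFull("audit log full; communications disabled")

    def log_config_change(self, actor: str, change: str) -> None:
        # (A) every change to the firewall configuration
        self._append({"event": "config_change", "actor": actor, "change": change})

    def log_connection(self, allowed: bool, src_ip: str, dst_ip: str, src_port: int,
                       dst_port: int, proto: str, src_mac=None) -> None:
        # (B) successful and unsuccessful attempts; (C) addresses, ports, protocol, MAC if known
        self._append({"event": "connection", "allowed": allowed, "src_ip": src_ip,
                      "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port,
                      "proto": proto, "src_mac": src_mac})

def filter_connection(log: FirewallAuditLog, allow_rules: list, conn: dict) -> bool:
    """Allow-list check, rule = (dst_ip, dst_port, proto); an attempt that cannot be logged is denied."""
    if not log.communications_enabled:
        return False
    allowed = (conn["dst_ip"], conn["dst_port"], conn["proto"]) in allow_rules
    try:
        log.log_connection(allowed, **conn)
    except AuditLogFull:
        return False            # recorded if there was room, but never passed unlogged
    return allowed

RULES = [("10.0.1.5", 443, "tcp")]     # constructed sample: one permitted service
LOG = FirewallAuditLog(capacity=3)     # constructed three-entry log
LOG.log_config_change("fw-admin", "add rule 10.0.1.5:443/tcp")
ATTEMPTS = [
    dict(src_ip="10.0.2.10", dst_ip="10.0.1.5", src_port=51000, dst_port=443, proto="tcp", src_mac="aa:bb:cc:00:00:01"),
    dict(src_ip="10.0.2.10", dst_ip="10.0.1.5", src_port=51001, dst_port=22, proto="tcp", src_mac=None),
]
RESULTS = [filter_connection(LOG, RULES, a) for a in ATTEMPTS]   # [True, False]; the log is now full
```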
(g) Technical security standards addressing change management include, but are not limited to, all of the following:
(i) Program Change Control Procedures. Program change control procedures must ensure that only authorized versions of programs are implemented on the production environment.
(ii) Software Development Life Cycle. The acquisition and development of new software must follow defined processes established by the internet gaming operator or internet gaming platform provider and subject to review by the board.
(iii) Patches. All patches should be tested, as applicable, in a development and test environment configured to match the target production environment before being deployed into production. Permitted exceptions and related procedures and controls must be fully addressed.
(h) Technical security standards addressing periodic security testing include, but are not limited to, all of the following:
(i) Technical Security Testing. Periodic technical security tests on the production environment must be performed quarterly or as required by the board to guarantee that no vulnerabilities putting at risk the security and operation of the internet gaming platform exist.
(ii) Vulnerability Assessment. The internet gaming operator or the internet gaming platform provider must conduct vulnerability assessments. The purpose of the vulnerability assessment is to identify vulnerabilities, which could be later exploited during penetration testing by making basic queries relating to services running on the internet gaming platform concerned.
(iii) Penetration Testing. The internet gaming operator or the internet gaming platform provider must conduct penetration testing. The purpose of the penetration testing is to exploit any weaknesses uncovered during the vulnerability assessment on any publicly exposed applications or internet gaming platform hosting applications processing, transmitting, or storing sensitive information.
(iv) Information Security Management System (ISMS) Audit. An audit of the ISMS will be periodically conducted, including all the locations where sensitive information is accessed, processed, transmitted, or stored. The ISMS will be reviewed against common information security principles in relation to confidentiality, integrity, and availability.
(v) Cloud Service Audit. An internet gaming operator and its internet gaming platform provider that utilizes a cloud service provider (CSP), if approved by the board, to store, transmit, or process sensitive information must undergo a specific audit as required by the board. The CSP must be reviewed against common information security principles in relation to the provision and use of cloud services, such as ISO/IEC 27017 and ISO/IEC 27018, or equivalent.
(3) The internet gaming operator or its internet gaming platform provider, or both must include the technical security standards (controls) in the internal controls and internet gaming platform submitted to the board for approval.
(4) The technical security standards (controls) must:
(a) Have a provision requiring review when changes occur to the internet gaming platform.
(b) Be approved by the internet gaming operator's or internet gaming platform provider's senior management.
(c) Be communicated to all affected employees and relevant external parties.
(d) Undergo review at planned intervals.
(e) Delineate the responsibilities of the internet gaming operator's staff, the internet gaming platform provider's staff, and the staff of any third parties for the operation, service, and maintenance of the internet gaming platform or its components, or both.

2020 MR 22, Eff. 12/2/2020