Mich. Admin. Code R. 432.739

Current through Vol. 24-19, November 1, 2024
Section R. 432.739 - Sports betting operators and internet sports betting platform provider technical and security standards (controls)

Rule 739.

(1) A sports betting operator or its internet sports betting platform provider, or both must adopt, implement, and maintain technical security standards (controls) that meet or exceed those adopted in R 432.733(2). The technical security standards must apply, at a minimum, to all the following critical components of the internet sports betting platform:
(a) Components that record, store, process, share, transmit or retrieve sensitive information (e.g., validation numbers, personal identification number (PIN), individual and authorized participant data).
(b) Components that store results or the current state of an authorized participant's internet sports betting wager.
(c) Points of entry to and exit from the components provided for in subdivisions (a) to (c) of this subrule and other systems that are able to communicate directly with core critical internet sports betting platform components.
(d) Communication networks that transmit sensitive information involving sports betting under the act.
(2) The following technical security standards are the minimum standards a sports betting operator or internet sports betting platform provider must incorporate into its internal controls:
(a) Technical security standards addressing internet sports betting platform operations and security include, but are not limited to, all of the following:
(i) Internet Sports Betting Platform Operations and Security. The sports betting operator or internet sports betting platform provider must adopt, implement, and maintain procedures for, at a minimum, the following:
(A) Monitoring the critical components and the transmission of data of the entire internet sports betting platform.
(B) Maintenance of all aspects of security of the internet sports betting platform to ensure secure and reliable communications.
(C) Defining, monitoring, documenting, reporting, investigating, responding to, and resolving security incidents.
(D) Monitoring and adjusting resource consumption and maintaining a log of the internet sports betting platform performance.
(E) Investigating, documenting, and resolving malfunctions.
(ii) Physical Location of Servers and Security. The internet sports betting platform must be housed in secure locations. Sports betting operators and their internet sports betting platform providers must provide the board with information on the location of all internet sports betting platform servers. The secure locations must have sufficient protection from unauthorized access and physical and environmental hazards and be equipped with surveillance and security systems that meet or exceed industry standards.
(iii) Internet Sports Betting Platform Logical Access Controls. The internet sports betting platform must be logically secured against unauthorized access.
(iv) Internet Sports Betting Platform User Authorization. The internet sports betting platform must be subject to user authorization requirements as required by the board.
(v) Server Programming. The internet sports betting platform must be sufficiently secure to prevent any user-initiated programming capabilities on the server that may result in unauthorized modifications to the database.
(vi) Verification Procedures. Procedures must be in place for verifying on demand that the critical control program components of the internet sports betting platform in the production environment are identical to those approved by the board.
(vii) Electronic Document Retention System. The sports betting operator or internet sports betting platform provider must establish procedures that ensure that all reports required under the act and these rules are stored in an electronic document retention system.
(viii) Asset Management. All assets that house, process, or communicate sensitive information, including those comprising the operating environment of the internet sports betting platform, or its components, or both must be accounted for and have a nominated owner or designated management official that is responsible for each asset.
(b) Technical security standards addressing data security and backup and recovery include, but are not limited to, all of the following:
(i) Data Security. The internet sports betting platform must provide a logical means for securing individual and authorized participant data and wagering data, including accounting, reporting, significant event, or other sensitive information, against alteration, tampering, or unauthorized access.
(ii) Data Alteration. The alteration of any accounting, reporting, or significant event data relating to sports betting under the act is not permitted without supervised access controls. If any data is changed, all information required by the board must be documented or logged.
(iii) Backup Frequency. Backup scheme implementation relating to information involving sports betting under the act must occur at least once every day or as otherwise specified by the board.
(iv) Storage Medium Backup. Audit logs, internet sports betting platform databases, and any other pertinent individual and authorized participant data and wagering data must be stored using reasonable protection methods. The internet sports betting platform must be designed to protect the integrity of this data if there is a failure. Redundant copies of this data must be kept on the internet sports betting platform with open support for backups and restoration, so that no single failure of any portion of the internet sports betting platform would cause the loss or corruption of the data.
(v) Internet Sports Betting Platform Failure. The internet sports betting platform must have sufficient redundancy and modularity so that if any single component or part of a component fails, the functions of the internet sports betting platform and the process of auditing those functions can continue with no critical data loss. If 2 or more components are linked, the process of all internet sports betting operations between the components must not be adversely affected by restart or recovery of either component and upon restart or recovery, the components must immediately synchronize the status of all transactions, data, and configurations with one another.
(vi) Accounting and Master Resets. The sports betting operator or internet sports betting platform provider must be able to identify and properly handle the situation where a master reset has occurred on any component that affects internet sports betting under the act.
(vii) Recovery Requirements. If there is a catastrophic failure when the internet sports betting platform cannot be restarted in any other way, it must be possible to restore the internet sports betting platform from the last backup point and fully recover. The contents of that backup must contain critical information as required by the board.
(viii) Uninterrupted Power Supply (UPS) Support. All internet sports betting platform components must be provided with adequate primary power. If the server is a stand-alone application, it must have a UPS connected and must have sufficient capacity to permit a methodical shut-down that retains all individual and authorized participant data and wagering data during a power loss. It is acceptable that the internet sports betting platform may be a component of a network that is supported by a network-wide UPS if the server is included as a device protected by the UPS. There must be a surge protection system in use if not incorporated into the UPS itself.
(ix) Business Continuity and Disaster Recovery Plan. A business continuity and disaster recovery plan must be in place to recover internet sports betting operations conducted under the act if the internet sports betting platform's production environment is rendered inoperable.
(c) Technical security standards addressing communications include, but are not limited to, all of the following:
(i) Connectivity. Only authorized sports betting wagering devices are permitted to establish communications between any internet sports betting platform components.
(ii) Communication Protocol. Each component of the internet sports betting platform must function as indicated by a documented secure communication protocol.
(iii) Communication Over Internet/Public Network. Communications between internet sports betting platform components must be secure. Individual and authorized participant data, sensitive information, internet sports betting wagers, results, financial information, and individual and authorized participant transaction information related to sports betting conducted under the act must always be encrypted and protected from incomplete transmissions, misrouting, unauthorized message modification, disclosure, duplication, or replay.
(iv) Wireless Local Area Network (WLAN) Communications. The use of WLAN communications must adhere to applicable requirements specified for wireless devices and is subject to approval by the board.
(v) Network Security Management. Networks must be logically separated to ensure that there is no network traffic on a network link that cannot be serviced by hosts on that link.
(vi) Mobile Computing and Communications. Formal policies shall be in place, and appropriate security measures shall be adopted to protect against the risk of using mobile computing and communication facilities. Telecommuting shall not be permitted except under circumstances where the security of the endpoint can be guaranteed.
(d) Technical security standards addressing third party service providers include, but are not limited to, all of the following:
(i) Third-Party Service Communications. Where communications related to sports betting conducted under the act are implemented with third-party service providers, the internet sports betting platform must securely communicate with all third-party service providers utilizing encryption and strong authentication, ensure that all login events are recorded to an audit file, and ensure that all communications do not interfere or degrade normal internet sports betting platform functions.
(ii) Third-Party Services. The roles and responsibilities of each third-party service provider engaged by the sports betting operator or internet sports betting platform provider must be defined and documented in a manner approved by the board. The sports betting operator or internet sports betting platform provider must have policies and procedures in place for managing third-party service providers and monitoring their adherence to relevant security requirements.
(e) Technical security standards addressing technical controls include, but are not limited to, all of the following:
(i) Domain Name Service (DNS) Requirements. A sports betting operator or internet sports betting platform provider must establish requirements that apply to servers used to resolve DNS queries used in association with the internet sports betting platform.
(ii) Cryptographic Controls. A sports betting operator or internet sports betting platform provider must establish and implement a policy for the use of cryptographic controls that ensures the protection of information.
(iii) Encryption Key Management. The management of encryption keys must follow defined processes established by the sports betting operator or internet sports betting platform provider and approved by the board.
(f) Technical security standards addressing remote access and firewalls include, but are not limited to, all of the following:
(i) Remote Access Security. Remote access, if approved by the board, must be performed via a secured method, must have the option to be disabled, may accept only the remote connections permissible by the firewall application and internet sports betting platform settings, and must be limited to only the application functions necessary for users to perform their job duties.
(ii) Remote Access and Guest Accounts Procedures. Remote access and guest accounts procedures must be established that ensure that remote access is strictly controlled.
(iii) Remote Access Activity Log. The remote access application must maintain an activity log that updates automatically and records and maintains all remote access information.
(iv) Firewalls. All communications, including remote access, must pass through at least 1 approved application-level firewall. This includes connections to and from any non-internet sports betting platform hosts used by the sports betting operator or internet sports betting platform provider.
(v) Firewall Audit Logs. The firewall application must maintain an audit log and must disable all communications and generate an error if the audit log becomes full. The audit log must contain, at a minimum, all the following information:
(A) All changes to configuration of the firewall.
(B) All successful and unsuccessful connection attempts through the firewall.
(C) The source and destination IP Addresses, Port Numbers, Protocols, and where possible, MAC Addresses.
(vi) Firewall Rules Review. The firewall rules must be periodically reviewed by the sports betting operator or internet sports betting platform provider to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets and must be performed on all the perimeter firewalls and the internal firewalls.
(g) Technical security standards addressing change management include, but are not limited to, all of the following:
(i) Program Change Control Procedures. Program change control procedures must ensure that only authorized versions of programs are implemented on the production environment.
(ii) Software Development Life Cycle. The acquisition and development of new software must follow defined processes established by the sports betting operator or internet sports betting platform provider and subject to review by the board.
(iii) Patches. All patches should be tested, as applicable, in a development and test environment configured to match the target production environment before being deployed into production. Permitted exceptions and related procedures and controls must be fully addressed.
(h) Technical security standards addressing periodic security testing include, but are not limited to, all of the following:
(i) Technical Security Testing. Periodic technical security tests on the production environment must be performed quarterly or as required by the board to guarantee that no vulnerabilities putting at risk the security and operation of the internet sports betting platform exist.
(ii) Vulnerability Assessment. The sports betting operator or the internet sports betting platform provider must conduct vulnerability assessments. The purpose of the vulnerability assessment is to identify vulnerabilities, which could be later exploited during penetration testing by making basic queries relating to services running on the internet sports betting platform concerned.
(iii) Penetration Testing. The sports betting operator or the internet sports betting platform provider must conduct penetration testing. The purpose of the penetration testing is to exploit any weaknesses uncovered during the vulnerability assessment on any publicly exposed applications or internet sports betting platform hosting applications processing, transmitting, or storing sensitive information.
(iv) Information Security Management System (ISMS) Audit. An audit of the ISMS will be periodically conducted, including all the locations where sensitive information is accessed, processed, transmitted, or stored. The ISMS will be reviewed against common information security principles in relation to confidentiality, integrity, and availability.
(v) Cloud Service Audit. A sports betting operator and its internet sports betting platform provider that utilizes a cloud service provider (CSP), if approved by the board, to store, transmit, or process sensitive information must undergo a specific audit as required by the board. The CSP must be reviewed against common information security principles in relation to the provision and use of cloud services, such as ISO/IEC 27017 and ISO/IEC 27018, or equivalent.
(3) The sports betting operator or its internet sports betting platform provider, or both must include the technical security standards (controls) in the internal controls and internet sports betting platform submitted to the board for approval.
(4) The technical security standards (controls) must:
(a) Have a provision requiring review when changes occur to the internet sports betting platform.
(b) Be approved by the sports betting operator's or internet sports betting platform provider's senior management.
(c) Be communicated to all affected employees and relevant external parties.
(d) Undergo review at planned intervals.
(e) Delineate the responsibilities of the sports betting operator's staff, the internet sports betting platform provider's staff, and the staff of any third parties for the operation, service, and maintenance of the internet sports betting platform or its components, or both.

Mich. Admin. Code R. 432.739

2020 MR 22, Eff. 12/2/2020