Current through Register Vol. 54, No. 49, December 7, 2024
Section 809a.5 - Access to equipment(a) The interactive gaming certificate holder and interactive gaming operator shall limit and control access to the primary server and any secondary servers by ensuring all of the following: (1) Maintain access codes and other computer security controls. (2) Maintain logs of user access, security incidents and unusual transactions. (3) Coordinate and develop an education and training program on information security and privacy matters for employees and other authorized users. (4) Ensure compliance with all State and Federal information security policies and rules. (5) Prepare and maintain security-related reports and data. (6) Develop and implement an incident reporting and response system to address security breaches, policy violations and complaints from external parties. (7) Develop and implement an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods. (b) Remote access to an interactive gaming certificate holder or interactive gaming operator's interactive gaming system is only permitted as follows: (1) To Board employees upon request and without limitation. (2) For testing purposes with prior approval from and as limited by the Board. (3) By employees of an interactive gaming certificate holder or an interactive gaming operator with prior approval from and as limited by the Board. (c) All interactive gaming certificate holder's or interactive gaming operator's interactive gaming systems must be available for independent testing by the Board, without limitation.