58 Pa. Code § 811a.6

Current through Register Vol. 54, No. 49, December 7, 2024
Section 811a.6 - Interactive gaming certificate holder's or interactive gaming operator's organization
(a) An interactive gaming certificate holder's or interactive gaming operator's systems of internal controls must include organization charts depicting segregation of functions and responsibilities and descriptions of the duties and responsibilities for each position shown on each organization chart. Interactive gaming certificate holders and interactive gaming operators are permitted, except as otherwise provided in this section, to tailor organizational structures to meet the needs or policies of a particular management philosophy. An interactive gaming certificate holder's and interactive gaming operator's organization charts must provide for all of the following:
(1) A system of personnel and chain of command which permits management and supervisory personnel to be held accountable for actions or omissions within their areas of responsibility.
(2) The segregation of incompatible functions, duties and responsibilities so that an employee is not in a position to commit an error and perpetrate a fraud and to conceal the error or fraud in the normal course of the employee's duties.
(3) The performance of all functions, duties and responsibilities in accordance with sound financial practices by qualified personnel.
(4) The areas of responsibility which are not so extensive as to be impractical for an individual to monitor.
(b) In addition to other positions required as part of an interactive gaming certificate holder's or interactive gaming operator's internal controls, an interactive gaming certificate holder, interactive gaming operator, or other licensed entity involved in the operation of the interactive gaming system as approved by the Board, shall maintain an information technology department supervised by an individual licensed as a key employee who functions, for regulatory purposes, as the information technology director. An interactive gaming certificate holder, interactive gaming operator, or other licensed entity involved in the operation of the interactive gaming system as approved by the Board, shall employ an information technology security officer and an interactive gaming manager, both of whom shall be licensed as a key employee.
(c) The information technology director shall be responsible for the integrity of all data, and the quality, reliability and accuracy of all computer systems and software used by the interactive gaming certificate holder in the conduct of interactive gaming, whether the data and software are located within or outside the certificate holder's or interactive gaming operator's facility, including, without limitation, specification of appropriate computer software, hardware and procedures for security, physical integrity, audit and maintenance of all of the following:
(1) Access codes and other computer security controls used to insure appropriately limited access to computer software and data.
(2) Monitoring logs of user access, security incidents and unusual transactions.
(3) Logs used to document and maintain the details of any hardware and software modifications.
(4) Computer tapes, disks or other electronic storage media containing data relevant to interactive gaming operations.
(5) Computer hardware, communications equipment and software used in the conduct of interactive gaming.
(d) The information technology security officer, or other position as approved by the Board, shall report to the information technology director and be responsible for all of the following:
(1) Maintaining access codes and other computer security controls used to insure appropriately limited access to computer software and data.
(2) Reviewing logs of user access, security incidents and unusual transactions.
(3) Coordinating the development of the interactive gaming certificate holder's or interactive gaming operator's information security policies, standards and procedures.
(4) Coordinating the development of an education and training program on information security and privacy matters for employees and other authorized users.
(5) Ensuring compliance with all State and Federal information security policies and rules.
(6) Preparing and maintaining security-related reports and data.
(7) Working with internal and external audit personnel to ensure all findings are addressed in a timely and effective manner.
(8) Developing and implementing an Incident Reporting and Response System to address security breaches, policy violations and complaints from external parties.
(9) Serving as the official contact for information security and data privacy issues, including reporting to law enforcement.
(10) Developing and implementing an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods.
(11) Remaining current with the latest information technology security and privacy legislation, rules, advisories, alerts and vulnerabilities to ensure the interactive gaming certificate holder's or interactive gaming operator's security program and security software is effective.
(e) The interactive gaming manager shall report to the information technology director, or other department manager as approved by the Board, and be responsible for ensuring the proper operation and integrity of interactive gaming and reviewing all reports of suspicious behavior. The interactive gaming manager shall immediately notify the Bureau upon detecting any person participating in interactive wagering who is:
(1) Engaging in or attempting to engage in, or who is reasonably suspected of cheating, theft, embezzlement, collusion, money laundering or any other illegal activities.
(2) A self-excluded person under the act and Board regulations.
(3) Prohibited by the interactive gaming certificate holder or interactive gaming operator from interactive gaming.
