11 Va. Admin. Code § 20-20-500

Current through Register Vol. 41, No. 8, December 2, 2024
Section 11VAC20-20-500 - Security requirements
A. A network bingo system shall not permit the alteration of any accounting or significant event information that was communicated from a point-of-sale terminal without supervised access controls. In the event financial data is changed, an automated audit log must be capable of being produced to document the following:
1. Data element altered;
2. Data element value prior to alteration;
3. Data element value after alteration;
4. Time and date of alteration; and
5. Personnel that performed alteration.
B. A network bingo system must provide password security or other secure means of ensuring data integrity and enforcing user permissions for all system components through the following means:
1. All programs and data files must only be accessible via the entry of a password that will be known only to authorized personnel;
2. The network bingo system must have multiple security access levels to control and restrict different classes;
3. The network bingo system access accounts must be unique when assigned to the authorized personnel and shared accounts amongst authorized personnel must not be allowed;
4. The storage of passwords and personal identification numbers (PINs) must be in an encrypted, nonreversible form; and
5. A program or report must be available that will list all registered users on the network bingo system, including their privilege level.
C. All components of a network bingo system that allow access to users, other than the player, must have a password sign-on with at least two-level codes comprising the personal identification code and a personal password.
1. The personal identification code must have a length of at least six American Standard Code for Information Interchange (ASCII) characters; and
2. The personal password must have a minimum length of six alphanumeric characters, which should include at least one nonalphabetic character.
D. A network bingo system must have the capability to control potential data corruption that can be created by multiple simultaneous log-ons by system management personnel.
1. A network bingo system shall specify which of the access levels allow for multiple simultaneous sign-ons by different users and which of the access levels do not allow for multiple sign-ons, and if multiple sign-ons are possible, what restrictions, if any, exist; or
2. If a network bingo system does not provide adequate control, a comprehensive procedural control document must be drafted for the department's review and approval.
E. Network bingo system software components or modules shall be verifiable by a secure means at the system level. A network bingo system shall have the ability to allow for an independent integrity check of the components or modules from an outside source and an independent integrity check is required for all control programs that may affect the integrity of the network bingo system. This must be accomplished by being authenticated by a third-party device, which may be embedded within the network bingo system software or having an interface or procedure for a third-party application to authenticate the component. This integrity check will provide a means for field verification of the network bingo system components.
F. A network bingo system may be used to configure and perform security checks on the point-of-sale terminals, provided such functions do not affect the security, integrity, or outcome of any game and meets the requirements set forth in this chapter regarding program storage devices.

11 Va. Admin. Code § 20-20-500

Derived from Virginia Register Volume 39, Issue 14, eff. 3/29/2023.

Statutory Authority: § 18.2-340.15 of the Code of Virginia.