Current through Register Vol. 50, No. 11, November 20, 2024
Section III-2801 - Protection and Security of Information and Information SystemsA. This Chapter applies to all systems of an operation that includes a casino and common ownership, except that any non-gaming systems that are segregated from any and all gaming systems and from which one cannot access any gaming systems shall be exempt from the provisions of this section. The requirements in this Chapter are in addition to existing state and federal regulations. Unrelated third party operating systems independent from the licensee, casino operator, and other related businesses are responsible for protecting patron information in accordance with state and federal laws and regulations.B. Each licensee and casino operator shall: 1. implement an information security program that addresses the managerial, operational, and technical aspects of protecting information and information systems; and2. develop, document, audit, and enforce an information security plan consisting of policies, guidelines, standards, processes, and procedures in accordance with the law and regulation. The policy shall include a risk assessment designed to, among other things, identify threats and vulnerabilities and methods to mitigate the associated risks. Additionally, the policy shall include controls over both timing (preventive, detective, and corrective) and nature (administrative, technical, and physical).C. Computer systems shall be designed and implemented to safeguard the security, confidentiality, integrity, and availability of information systems and the information processed, stored, and transmitted by those systems to prevent security incidents. A security incident is any attempted or successful occurrence that jeopardizes the security, confidentiality, integrity, or availability of information systems and the information processed, stored, or transmitted by those systems. A security incident includes, but is not limited to: the unauthorized release of data (including personal patron data) collected, stored, and/or maintained by a licensee and casino operator; unavailability or degradation of services; misappropriation or theft of information or services; and modification or destruction of systems or information.D.1. A licensee and casino operator shall: a. identify and correct information and information system defects in a timely manner;b. provide protection from malicious code at appropriate locations within the casinos information systems; andc. monitor information system security alerts and advisories and take appropriate actions in response thereto.2. The network system shall have the capacity to detect and display the following conditions: a. power reset or failure of any network component;b. communication loss between any network components; andc. authentication failure.3. Any defects or anomalous conditions shall be recorded in an error log that shall be displayed or printed upon demand by the board or division and shall be maintained for a period of three years.La. Admin. Code tit. 42, § III-2801
Promulgated by the Department of Public Safety and Corrections, Gaming Control Board, LR 442015 (11/1/2018).AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.