La. Admin. Code tit. 42 § III-2821

Current through Register Vol. 50, No. 11, November 20, 2024
Section III-2821 - Remote Access Requirements
A. Each licensee and casino operator shall establish and maintain a remote access policy that controls access to the slot monitoring system (SMS), casino management system (CMS), gaming equipment, and other related systems. This includes, but is not limited to, computer controlled key control devices and ticket cashing kiosks. Access shall be controlled from any terminal that is not physically located within or adjacent to the casino property. Write access to gaming systems shall only be provided to gaming permitted employees or controlled on a per access basis by a gaming permitted employee. "Read only" access is not prohibited by this policy. A help desk may remotely login to other user accounts in accordance with corporate IT policies to provide assistance as necessary. The remote access policy shall, at a minimum, contain these requirements:
1. login and transaction security shall be in accordance with a licensee or casino operators remote access policy;
2. all remote access must be traceable to an authorized individual. There shall be no sharing of accounts or passwords that would result in ambiguity as to which person was involved in any remote access;
3. accounts shall be set up to allow only access to those applications, functions, or accounts necessary. selective access shall be as specific and limited as the operating system or security system will allow;
4. all security related events shall be logged, and any unusual event must be investigated including, but not limited to, failed login attempts and attempts to access restricted assets; and
5. access shall be blocked immediately when it is no longer required by an individual to complete the job function.
B. A record shall be made and kept of any and all changes made and actions taken during each remote access. IT help desk activity shall be in accordance with the companys IT policy and help desk logs (help tickets, help desk activity reports, etc.) shall meet the requirements of this Section. The record shall be clear, comprehensible, and thorough, and shall record all configuration and activity details of remote access connectivity. If remote access activity is related to normal system transactions, audit logs of the transactions will meet the requirement of recording activity. The record shall be reviewed quarterly by appropriate personnel to confirm that the authorized task was completed. Discrepancies shall be investigated.
C. The system access log, change log, security log, and investigation results shall be documented in a way that can be displayed or printed upon request by the board or division and shall be maintained for a period of five years.
D. A backup of system data, gaming data, and software shall be completed prior to remote access if any anticipated action is expected to endanger the system or data. The backup shall contain no less than the previous days data.

La. Admin. Code tit. 42, § III-2821

Promulgated by the Department of Public Safety and Corrections, Gaming Control Board, LR 442018 (11/1/2018).
AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.