N.Y. Comp. Codes R. & Regs. tit. 9 § 5317.40

Current through Register Vol. 46, No. 45, November 2, 2024
Section 5317.40 - Electronic table games system
(a) This section shall apply when an electronic table game (ETG) or games operate as a part of a table game system that is independent of any external gaming system.
(b) All electronic table games systems shall meet the requirements set forth in sections 5317.15, 5317.16, 5317.25, 5317.32, and 5317.35 of this Part.
(c) All communications in ETGs shall pass through at least one application-level firewall approved by the commission and shall not have a facility that allows for an alternate network path.
(1) A firewall application shall:
(i) maintain an audit log of the following information:
(a) all changes to configuration of the firewall;
(b) all successful and unsuccessful connection attempts through the firewall; and
(c) the source and destination IP addresses, port numbers and MAC addresses; and
(ii) disable all communications and generate an error event if the audit log becomes full.
(2) The system shall provide for interrogation that enables online comprehensive searching of the significant-event log.
(3) The system shall contain an access-level control structure that is capable of limiting access to programs, menu items or other secure areas of the system by means of a user name and login combination, personal identification number or other equivalent means.
(4) The system shall not permit the alteration of any significant log information without supervised access control.
(5) There shall be a system administrator notification and user lockout or audit trail entry after a set number of unsuccessful login attempts.
(6) The system shall record:
(i) date and time of the login attempt;
(ii) username supplied; and
(iii) success or failure.
(7) The use of generic user accounts on servers is not permitted.
(8) The system shall not permit the alteration of any accounting or significant event log information without supervised access controls. In the event financial data is changed, an audit log shall be capable of being produced to document:
(i) data element altered;
(ii) data element value prior to alteration;
(iii) data element value after alteration;
(iv) time and date of alteration; and
(v) user login.
(d) In addition to the requirements set forth in section 5317.36 of this Part, a gaming facility licensee or a licensed manufacturer shall submit to the commission for review and approval procedures to be established in the use of remote access as set forth in section 5321.10(b) of this Title. Such procedures shall designate, at a minimum, authorized users and authorized settings of the electronic table game or games.
(1) Remote access shall authenticate all computer systems based on the authorized settings of the electronic table game and firewall application that establishes a connection with the electronic table game pursuant to the following requirements:
(i) a remote access user activity log is maintained by both the gaming facility and the licensed manufacturer, depicting the following information:
(a) authorizing individual;
(b) purpose;
(c) user login;
(d) time and date; and
(e) duration and activity while logged in;
(ii) unauthorized remote user administration functionality is prohibited;
(iii) unauthorized access to the database is prohibited;
(iv) unauthorized access to the operating system is prohibited; and
(v) if remote access is to be on a continuous basis, then a network filter shall be installed to protect access, as approved by the commission.
(2) The system shall implement self-monitoring of all critical interface elements and shall have the ability to notify effectively the system administrator of any error condition, provided the condition is not catastrophic.
(3) The system shall be able to perform the operation prescribed in paragraph (2) of this subdivision with a frequency of at least once in every 24-hour period and during each power-up and power reset.
(e) A gaming facility licensee shall report any requirements that cannot be met as a result of manual intervention from a live dealer to the commission prior to submission for required testing as set forth in Part 5318 of this Title.
