Current through December 10, 2024
Section 1350-03-.03 - USER ACCESS CONTROLS FOR ALL INTERACTIVE SPORTS GAMING PERSONNEL

(1) A system administrator shall establish user accounts for all new employees responsible for or with duties relating to Interactive Sports Gaming in the State of Tennessee. Provisioning for user accounts consists of assigning application functions matching the employee's job responsibilities, unless otherwise authorized by management personnel, to ensure adequate separation of duties.

(2) The access provisioning process must be documented. Documentation must evidence authorization by the appropriate management personnel, original user access, and each subsequent change to the user account. Documentation must be maintained and made available upon request to the Council.

(3) A Sports Gaming System must store "User Access Listing" information and contain at a minimum:
(a) Employee name and title or position;
(c) Full list and description of application functions that each group/user account may execute;
(d) Date and time account created;
(e) Date and time of last login;
(f) Date of last password change;
(g) Date and time account disabled/deactivated; and
(h) Group membership of user account, if applicable.

(4) "User Access Listing" information for the Sports Gaming System is to be retained for the most recent five (5) years. The information may be archived electronically if the listing is written to unalterable media (secured to preclude alteration). The list of users and user access for a Sports Gaming System must be available in electronic format that can be analyzed by analytical tools (e.g., spreadsheet or database) that may be employed by the Council.

(5) When multiple user accounts are used for one employee within a single application, only one user account may be active (enabled) at a time if the concurrent use of the multiple accounts by the employee could create a segregation of duties deficiency. Additionally, the user account must have a unique prefix/suffix to easily identify the users with multiple user accounts within one application.

(6) The system administrator must be notified immediately when an employee, including one who has a user account with remote access capability, is known to be no longer employed (e.g., voluntary or involuntary termination of employment). Hostile terminations require immediate notification to the system administrator, who must promptly disable/remove access rights to the system(s). Upon notification, the system administrator must change the status of the employee's user account from active to inactive (disabled) status. The period of time for notification of the system administrator is to be set such that it is unlikely that the terminated employee would gain access, remote or otherwise, within the notification period.

(7) The "User Access Listing" information must be reviewed at least quarterly by personnel independent of the authorization and user provisioning processes. The reviewer must maintain adequate evidence to support the review process, which includes the selected user accounts reviewed, documentation of the results of the review, and e-mails or signatures and dates indicating the individual(s) performing the review and when the user access listing was reviewed. For each of the randomly selected users, confirm that:
(a) The assigned system functions are being used as authorized (i.e., system functions are appropriate for the user's job position);
(b) The assigned functions provide an adequate segregation of duties;
(c) Terminated employees' user accounts have been changed to inactive (disabled) status;
(d) Passwords have been changed within the last 60-90 days; and
(e) There are no inappropriate assigned functions for group membership, if applicable.

Tenn. Comp. R. & Regs. 1350-03-.03
Emergency rules filed December 22, 2021 to become effective January 1, 2022; effective through June 30, 2022. New rules filed March 22, 2022; effective 6/20/2022.Authority: T.C.A. §§ 4-49-106, 4-49-110, 4-49-115, and 4-49-125.
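Added example, not part of the rule text or any operator's or the Council's tooling: an independent reviewer's automated first pass over a "User Access Listing" export carrying the fields required by paragraph (3), applying the checks in (7)(c) and (7)(d) and the one-enabled-account rule in (5). The CSV column names, the sample rows, the HR separation list and the 90-day threshold are constructed assumptions; rule (5) only applies where concurrent use could create a segregation-of-duties deficiency, so that finding is a prompt for reviewer judgement rather than an automatic violation.

```python
"""Reviewer pass over a constructed User Access Listing (1350-03-.03(3) fields)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions, not prescribed by the rule;
# an empty 'disabled' value means the account is still active (enabled).
LISTING_CSV = """\
employee,title,account,functions,created,last_login,last_pw_change,disabled,group
Alice Ng,Trader,ang,set_odds;void_bet,2023-01-10T09:00,2024-12-09T08:12,2024-11-01T10:00,,traders
Bob Roy,Finance Clerk,broy,approve_payout,2023-03-02T09:00,2024-12-08T17:40,2024-08-15T09:30,,finance
Bob Roy,Finance Clerk,broy-adm,user_admin,2023-03-02T09:05,2024-12-08T17:41,2024-11-20T09:30,,admins
Cara Lee,Risk Analyst,clee,view_reports,2022-06-01T09:00,2024-10-30T12:00,2024-10-01T09:00,2024-11-05T16:00,analysts
Dan Oh,Trader,doh,set_odds,2022-09-12T09:00,2024-12-01T11:00,2024-09-20T09:00,,traders
"""
TERMINATED = {"Cara Lee", "Dan Oh"}      # constructed HR separation list
REVIEW_DATE = datetime(2024, 12, 10)     # constructed review date


def parse_listing(text):
    """Read the export into one dict per user account."""
    return list(csv.DictReader(io.StringIO(text)))


def review_listing(rows, terminated, as_of, max_pw_age_days=90):
    """Return (account, finding) pairs the reviewer must document and follow up."""
    findings = []
    enabled_by_employee = {}
    for r in rows:
        enabled = r["disabled"] == ""
        if enabled:
            enabled_by_employee.setdefault(r["employee"], []).append(r["account"])
        # (7)(c): terminated employees' accounts must be in inactive (disabled) status
        if r["employee"] in terminated and enabled:
            findings.append((r["account"], "terminated employee still enabled"))
        # (7)(d): password changed within the review window (upper bound of 60-90 days assumed)
        pw_age = as_of - datetime.fromisoformat(r["last_pw_change"])
        if enabled and pw_age > timedelta(days=max_pw_age_days):
            findings.append((r["account"], f"password older than {max_pw_age_days} days"))
    # (5): several accounts for one employee, more than one enabled at the same time.
    # The prefix/suffix convention ('broy' / 'broy-adm') is what lets the reviewer spot them.
    for accts in enabled_by_employee.values():
        if len(accts) > 1:
            findings.append((";".join(sorted(accts)), "multiple enabled accounts for one employee"))
    return findings


if __name__ == "__main__":
    for account, finding in review_listing(parse_listing(LISTING_CSV), TERMINATED, REVIEW_DATE):
        print(f"{account}: {finding}")
```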