Statutes, codes, and regulations
Arizona Administrative Code
Title 19 - ALCOHOL, HORSE AND DOG RACING, LOTTERY, AND GAMINGChapter 4 - DEPARTMENT OF GAMING
Article 1 - EVENT WAGERING
Section R19-4-123 - Change Management

Ariz. Admin. Code § 19-4-123

Download
PDF
Current through Register Vol. 30, No. 44, November 1, 2024
Section R19-4-123 - Change Management

Responsible parties shall implement a change management process that details evaluation procedures for all updates and changes to an event wagering system and event wagering platforms. The change management process shall address at a minimum:

1. A clear and transparent framework to assist in managing deployments and other changes in the regulated live production environment.
2. A description of the process, to include roles in the change management process, handling requests for change, and the change classification categories.
3. The categories of requests for change which shall be based on their impact to the security, integrity, recovery, confidentiality, accountability, and availability of an event wagering system:
a. High impact changes which have a high impact on regulated components or reporting of the event wagering system. Responsible parties shall not implement these changes without the written approval of the Department. The Department shall provide a written response to the responsible party within five days of the notification. The Department will determine if additional testing or certification is required by an independent test laboratory. Examples include:
i. Implementation of a new wagering feature or a change which impacts wagering logic;
ii. A change impacting required regulatory reports or data used for financial reconciliation;
iii. A change implemented by the responsible party that impacts geolocation services; or
iv. A change impacting the handling or storage of personally identifiable information.
b. Low impact changes. Responsible parties may implement these changes with prior notification to the Department. Examples include:
i. Firewall rule changes;
ii. Database maintenance;
iii. Changes to the physical location of backup data;
iv. Any change or addition of physical hardware component or components; or
v. Changes to non-wagering logic components.
c. No impact changes. Responsible parties may implement these changes without prior notification to the Department. Examples include:
i. Installation or changes to backup software and/or hardware;
ii. Adding or removing users;
iii. Database maintenance that modifies or deletes non-critical data;
iv. Installation of operating system security patches; or
v. Background images, color schemes, or similar ancillary front-end updates.
vi. Emergency changes. Responsible parties may implement these changes immediately without prior notification to the Department to deal with open threats or liabilities. Responsible parties shall notify the Department as soon as practically possible of the necessity of the emergency and its resolution.
4. The use of a change management log, which shall include at a minimum:
a. Date and time that a change is internally approved for release;
b. Components to be changed;
c. Details of the change;
d. Anticipated release date of the change;
e. Category of the change; and
f. Name of the authorized employee or employees.
5. Implementation procedures to include notification to system users, scheduling, project planning, and recovery.

Ariz. Admin. Code § R19-4-123

Adopted by final exempt rulemaking at 27 A.A.R. 1167, effective 7/26/2021.