205 Mass. Reg. 238.07

Current through Register 1523, June 7, 2024
Section 238.07 - Information Security Responsibilities

A system of Internal Controls submitted by a Sports Wagering Operator in accordance with 205 CMR 238.02 shall ensure that an Information Security Management System (ISMS) is effectively implemented and information security function responsibilities are effectively allocated.

(1) The Sports Wagering Operator shall implement, maintain, and comply with a comprehensive ISMS, the purpose of which shall be to take reasonable steps to protect the confidentiality, integrity, and availability of Confidential Information and Personally Identifiable Information of individuals that place a Sports Wager or have an account with the Sports Wagering Operator, including all measures required by 205 CMR, M.G.L. c. 93H, M.G.L. c. 93I, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or order of a governmental body regarding data privacy and security.
(2) The ISMS shall contain administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the operations and the sensitivity of the Confidential Information and Personally Identifiable Information owned, licensed, maintained, handled, or otherwise in the possession of the Sports Wagering Operator.
(3) The Sports Wagering Operator shall establish an information security forum or other organizational structure to monitor and review the ISMS to ensure its continuing suitability, adequacy, and effectiveness. The information security forum or other organizational structure shall maintain formal minutes of meetings and convene at least every six months.
(4) The Sports Wagering Operator shall maintain an information security department responsible for developing a security strategy in accordance with the overall operation of the Sports Wagering Operation in the Commonwealth. The information security department shall subsequently work with the other departments of the Sports Wagering Operator to implement any plans relative to the protection of Confidential Information and Personally Identifiable Information of individuals that place a Sports Wager or have an account with the Sports Wagering Operator. The information security department shall be involved in reviewing all tasks and processes that are necessary for the Sports Wagering Operator to maintain the security of Personally Identifiable Information and Confidential Information of individuals that place a Sports Wager or have an account with the Sports Wagering Operator, including, but not limited to, the protection of information and data, communications, physical, virtual, personnel, and overall business operational security.
(5) The information security department shall report to executive level management or higher and shall be independent of the IT department with regard to the management of security risk.
(6) The information security department shall have access to all necessary resources to enable the adequate assessment, management, and reduction of risk.
(7) The head of the information security department shall be a full member of the information security forum and be responsible for recommending information security policies and changes to the Sports Wagering Operator.

205 CMR 238.07

Adopted by Mass Register Issue 1486, eff. 12/21/2022 (EMERGENCY).
Amended by Mass Register Issue 1492, eff. 3/9/2023 (EMERGENCY).
Amended by Mass Register Issue 1494, eff. 3/9/2023 (COMPLIANCE).
Amended by Mass Register Issue 1498, eff. 6/7/2023 (EMERGENCY).
Amended by Mass Register Issue 1503, eff. 6/7/2023 (COMPLIANCE).