205 Mass. Reg. 238.44

Current through Register 1523, June 7, 2024
Section 238.44 - Data and Network Security Requirements
(1) A system of Internal Controls submitted by a Sports Wagering Operator in accordance with 205 CMR 238.02 shall ensure compliance with all applicable state and federal requirements for data and network security including 205 CMR, M.G.L. c. 93H, M.G.L. c. 93I, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or order of a governmental body.
(2) Pursuant to M.G.L. c. 23N, § 11(a)(v), a Sports Wagering Operator shall employ commercially reasonable methods to maintain the security of Wagering data, Confidential Information and other Personally Identifiable Information from unauthorized access and dissemination; provided, however, that nothing in M.G.L. c. 23N or 205 CMR shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by court order, other law or M.G.L. c. 23N; and provided further, that such data and information shall be hosted in the United States.
(3) Internal and external network vulnerability scans shall be run at least quarterly and after any significant change to the Sports Wagering Platform or network infrastructure. Testing procedures must verify that four quarterly internal and external scans took place in the past 12 months and that re-scans occurred until all "Medium Risk" (CVSS 4.0 or Higher) vulnerabilities were resolved or accepted via a formal risk acceptance program. Internal scans should be performed from an authenticated scan perspective. External scans can be performed from an uncredentialed perspective.
(a) The quarterly scans may be performed by either a qualified employee of the Sports Wagering Operator or a qualified independent technical expert selected by the Sports Wagering Operator and subject to approval of the Commission in accordance with 205 CMR 243.01: Standards for Sports Wagering Equipment.
(b) Verification of scans must be submitted to the Commission on a quarterly basis and must include a remediation plan and any risk mitigation plans for those vulnerabilities not able to be resolved.
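The cadence and re-scan requirements in 238.44(3) can be checked mechanically against an operator's own scan records before the quarterly verification is submitted under (3)(b). The following Python is an added illustration and is not part of 205 CMR 238.44, nor a Commission testing procedure. Everything in it is assumed for the example: the record layout, the reading of "the past 12 months" as the four calendar quarters ending with the reporting date, and the scan dates, plugin IDs, hosts and risk-acceptance reference, which are constructed sample data. The "Medium Risk (CVSS 4.0 or Higher)" parenthetical is applied as a CVSS base score of 4.0 or higher, which is how this example reads it.

```python
"""Self-check of scan evidence against a 238.44(3)-style requirement.

Added illustration, not regulation text and not a Commission procedure.
Record layout, quarter window and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# "Medium Risk" threshold as read here: CVSS base score 4.0 or higher.
MEDIUM_RISK_CVSS = 4.0


@dataclass(frozen=True)
class Finding:
    plugin_id: str   # scanner check identifier (hypothetical values below)
    host: str
    cvss: float      # CVSS base score reported by the scanner


@dataclass
class Scan:
    run_on: date
    scope: str                 # "internal" or "external"
    authenticated: bool        # credentialed (authenticated) scan perspective
    findings: list = field(default_factory=list)


def quarter_of(d: date) -> tuple[int, int]:
    """Calendar quarter containing d, e.g. (2024, 2) for June 2024."""
    return d.year, (d.month - 1) // 3 + 1


def required_quarters(as_of: date) -> list[tuple[int, int]]:
    """The four calendar quarters ending with the one containing as_of.
    Assumption for this example: that is how 'the past 12 months' is read."""
    year, q = quarter_of(as_of)
    out = []
    for _ in range(4):
        out.append((year, q))
        q -= 1
        if q == 0:
            year, q = year - 1, 4
    return out


def cadence_gaps(scans: list[Scan], as_of: date) -> list[str]:
    """Quarters with no internal or external scan, plus any internal scan that
    did not run from an authenticated perspective. Empty list means no gap."""
    gaps = []
    for scope in ("internal", "external"):
        covered = {quarter_of(s.run_on) for s in scans if s.scope == scope}
        for year, q in required_quarters(as_of):
            if (year, q) not in covered:
                gaps.append(f"no {scope} scan in {year}Q{q}")
    for s in scans:
        if s.scope == "internal" and not s.authenticated:
            gaps.append(f"internal scan on {s.run_on} ran unauthenticated")
    return gaps


def open_medium_findings(scans: list[Scan], risk_acceptances: dict) -> list[tuple]:
    """Findings at CVSS 4.0 or higher that no later re-scan of the same scope
    has shown as gone and that carry no formal risk acceptance. These are the
    items that need a remediation or risk-mitigation plan in the submission.
    risk_acceptances maps (plugin_id, host) -> acceptance record reference."""
    open_items = []
    for scope in ("internal", "external"):
        scoped = sorted((s for s in scans if s.scope == scope), key=lambda s: s.run_on)
        last_seen = {}   # (plugin_id, host) -> (date last reported, cvss)
        for s in scoped:
            for f in s.findings:
                if f.cvss >= MEDIUM_RISK_CVSS:
                    last_seen[(f.plugin_id, f.host)] = (s.run_on, f.cvss)
        for key, (seen_on, cvss) in last_seen.items():
            # A later scan that no longer reports the finding counts as resolution;
            # a reappearance after an apparently clean scan is caught because
            # last_seen tracks the most recent report.
            rescanned_clean = any(s.run_on > seen_on for s in scoped)
            if rescanned_clean or key in risk_acceptances:
                continue
            open_items.append((scope, key[0], key[1], cvss))
    return sorted(open_items)


# Constructed sample evidence; dates, IDs, hosts and scores are invented.
AS_OF = date(2024, 6, 7)
SAMPLE_SCANS = [
    Scan(date(2023, 8, 14), "internal", True, [Finding("12345", "db01", 7.5)]),
    Scan(date(2023, 8, 15), "external", False, [Finding("20001", "edge01", 5.3)]),
    Scan(date(2023, 11, 6), "internal", True, []),   # 12345 no longer reported: resolved
    Scan(date(2023, 11, 7), "external", False, [Finding("20001", "edge01", 5.3)]),
    Scan(date(2024, 2, 12), "internal", True,
         [Finding("67890", "app02", 4.0), Finding("11111", "app02", 3.9)]),
    Scan(date(2024, 2, 13), "external", False, [Finding("20001", "edge01", 5.3)]),
    Scan(date(2024, 5, 20), "internal", False,   # ran without credentials
         [Finding("67890", "app02", 4.0), Finding("11111", "app02", 3.9)]),
    # no external scan recorded for 2024Q2
]
RISK_ACCEPTANCES = {("20001", "edge01"): "RA-2024-003"}   # hypothetical reference

if __name__ == "__main__":
    for gap in cadence_gaps(SAMPLE_SCANS, AS_OF):
        print("gap:", gap)
    for item in open_medium_findings(SAMPLE_SCANS, RISK_ACCEPTANCES):
        print("needs remediation plan:", item)
```

Two boundary cases are worth noting. The 3.9 finding on app02 is never flagged because it sits below the 4.0 threshold, while the 4.0 finding is flagged because the rule is read as inclusive. The external finding 20001 is still present in the latest external scan but is not flagged, because it is covered by a risk-acceptance record; remove that entry from RISK_ACCEPTANCES and it reappears in the remediation list.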

205 CMR 238.44

Adopted by Mass Register Issue 1486, eff. 12/21/2022 (EMERGENCY).
Amended by Mass Register Issue 1492, eff. 3/9/2023 (EMERGENCY).
Amended by Mass Register Issue 1494, eff. 3/9/2023 (COMPLIANCE).
Amended by Mass Register Issue 1498, eff. 6/7/2023 (EMERGENCY).
Amended by Mass Register Issue 1503, eff. 6/7/2023 (COMPLIANCE).