Iowa Admin. Code r. 491-13.6

Current through Register Vol. 47, No. 8, October 30, 2024
Rule 491-13.6 - Testing
(1) Initial testing. All equipment and systems integral to the conduct of sports wagering and advance deposit sports wagering shall be tested and certified for compliance with commission rules and the standards required by a commission-designated independent testing laboratory. Certification and commission approval must be received prior to the use of any equipment or system to conduct sports wagering. The commission may designate more than one independent testing laboratory.
(2) Change control. The licensees and advance deposit sports wagering operators shall submit change control processes that detail evaluation procedures for all updates and changes to equipment and systems to the administrator for approval at least 30 days prior to operation. These processes shall include, at a minimum, descriptions of the following areas of licensee operations:
a. Process to classify all changes according to organizational risk.
b. Process to designate whether changes must be submitted to an independent testing laboratory for review and certification.
c. Process for emergency change determination and implementation.
d. Process to log or note changes. Must include the details logged for each change, including but not limited to the following areas:
(1) Date and time of change or proposed date and time of change.
(2) Basic description of changes to be implemented.
(3) Change classification of change or changes, determined in accordance with the process established by paragraph 13.6(2)"a." If emergency designation is separate from other change classifications, this shall also be included in the log or note.
(4) Identification of whether a change was submitted to an independent testing laboratory, and the certification report number of any testing.
e. Process to maintain logs or notify the commission of changes.
(3) Annual testing.
a. A system integrity and security risk assessment shall be performed annually on the advance deposit sports wagering system.
(1) The testing organization must be independent of the licensee and shall be qualified by the administrator.
(2) The system integrity and security risk assessment shall be completed no later than March 31 of each year.
(3) Results from the risk assessment shall be submitted to the administrator no later than 60 days after the assessment is completed. Results shall include a remediation plan to address any risks identified during the risk assessment.
(4) The risk assessment shall be conducted in accordance with current and accepted industry standard review requirements for risk assessments.
(5) The risk assessment shall include a review of licensee controls. Review of controls shall include but not be limited to a comparison of licensee controls to industry standard and best practice controls, and an audit of the licensee processes for compliance with those controls.
b. A geolocation system and integrity test shall be performed annually on the advance deposit wagering system.
(1) The testing organization must be independent of the licensee and the licensed geolocation vendor and shall be qualified by the administrator.
(2) The geolocation test shall be completed and the results submitted no later than March 31 of each year.
(3) Geolocation testing shall review existing licensee procedures for detecting and reporting fraudulent activity associated with any account activity detected by the geolocation system, and shall recommend updates to those procedures to align with any current or updated industry standard or commission guidance.
c. At the discretion of the administrator, additional assessments or specific testing criteria may be required.

Adopted by IAB August 28, 2019/Volume XLII, Number 5, effective 7/31/2019
Amended by IAB April 8, 2020/Volume XLII, Number 21, effective 5/13/2020
Amended by IAB February 9, 2022/Volume XLIV, Number 16, effective 3/16/2022
Amended by IAB February 22, 2023/Volume XLV, Number 17, effective 3/29/2023
Amended by IAB February 21, 2024/Volume XLVI, Number 17, effective 3/27/2024