La. Admin. Code tit. 42 § III-2809

Current through Register Vol. 50, No. 11, November 20, 2024
Section III-2809 - Limited Access to Information Systems and Networking Devices
A. A licensee and casino operator shall:
1. ensure that individuals occupying positions with access to sensitive computer hardware, software, or business personnel or patron data including, but not limited to, third-party service providers meet documented security criteria for such positions;
2. ensure that information and information systems remain protected during and after all personnel actions including, but not limited to, terminations and transfers; and
3. implement formal sanctions for the failure of personnel to comply with security policies and procedures.
B. Access to systems, data, and information shall be restricted by job functions. A licensee and casino operator shall establish security groups to ensure that access to computer systems shall be granted to authorized users only and be used solely for the types of transactions and functions that an authorized user is permitted to exercise.
1. A licensee's or casino operator's information technology (IT) department shall review the system access logs at the end of each month. Discrepancies shall be investigated, documented, and maintained for a period of five years.
2. A licensee and casino operator shall maintain personnel access listings that include, at a minimum, the employee's name, position, identification number, and a list of functions the employee is authorized to perform, including the date that authorization is granted. These files shall be updated as employees or the functions they perform change.
3. All changes to the system and the name of the individual who made the change shall be documented.
4. Reports and all other output generated from the system(s) shall only be available and distributed to authorized personnel.
C. All access to the server areas shall be documented on a log maintained by IT. Such logs shall be available at all times. The logs shall contain entries with the following information:
1. name of each person entering the room;
2. reason each person entered the room;
3. date and time each person enters and exits the room;
4. date, time, and type of any equipment malfunction in the room;
5. a description of any unusual events occurring in the room; and
6. such other information required in the internal controls.

Promulgated by the Department of Public Safety and Corrections, Gaming Control Board, LR 442017 (11/1/2018).
AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.