Statutes, codes, and regulations
Maryland Administrative code
Title 36 - MARYLAND STATE LOTTERY AND GAMING CONTROL AGENCYSubtitle 04 - VIDEO LOTTERY TERMINALS
Chapter 36.04.01 - Video Lottery Technical Standards
Section 36.04.01.22 - Minimum Design Standards Applicable to Equipment, a System, or Software

Md. Code Regs. 36.04.01.22

Download
PDF
Current through Register Vol. 51, No. 22, November 1, 2024
Section 36.04.01.22 - Minimum Design Standards Applicable to Equipment, a System, or Software
A. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall:
(1) Conform to the minimum design standards of this regulation; and
(2) If applicable, conform to any specific additional design standards enumerated in this chapter.
B. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, control logical access through:
(1) Generation of daily monitoring logs documenting:
(a) User access; and
(b) Security incidents;
(2) Assignment of rights and privileges to an individual user including specific protocols addressing:
(a) Creation, modification, and termination of a unique system account for each user;
(b) Password parameters which:
(i) Require a minimum length;
(ii) Incorporate an expiration interval; and
(iii) Result in lockout; and
(c) Administrator and override capabilities;
(3) Use of access permissions to restrict an unauthorized user from performing any the following with regard to critical files and directories:
(a) Reading;
(b) Altering; or
(c) Deleting; and
(4) Restricted access to critical files and directories through:
(a) Encryption; or
(b) If approved by the Commission, internal controls provided the internal controls include:
(i) The effective segregation of duties and responsibilities with regard to the system; and
(ii) The automatic monitoring and recording by the system of access by an individual to its files and directories.
C. Equipment, a system or software required to be tested, certified, and approved under this chapter shall, at a minimum, control system operations through:
(1) Generation of daily monitoring logs and alert messages documenting:
(a) System performance;
(b) Hardware problems; and
(c) Software errors;
(2) Authentication of the source of a data transmission;
(3) Transmission completeness and accuracy checks;
(4) Detection of corrupt or lost data packets;
(5) Rejection of a transmission;
(6) Use of cryptographic controls for critical transmissions of data; and
(7) Daily synchronization of its real time clock with that of equipment, systems, or software to which it is linked.
D. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, control the integrity of data through:
(1) Validation of inputs to critical fields including data:
(a) Type; and
(b) Format;
(2) Rejection of corrupt data;
(3) Automatic and independent recordation of critical data;
(4) Independent verification of the accuracy of data; and
(5) Segregation of all security critical system programs, files, and directories from other programs, files, and directories.
E. Equipment, a system, or software required to be tested, certified, and approved under this chapter shall, at a minimum, ensure continuity through:
(1) Data redundancy to permit a complete and prompt recovery of all information in the event of malfunction or power interruption; and
(2) Environmental protections, including an uninterruptible power supply to protect critical hardware.

Md. Code Regs. 36.04.01.22

Regulations .22 adopted as an emergency provision effective March 1, 2013 (40:6 Md. R. 470)