Current through Register Vol. 52, No. 1, January 10, 2025
Section 36.04.01.31 - Remote Access

A. A manufacturer may not perform from a remote location analysis of, or technical support with regard to, a video lottery terminal without:
  (1) Submission of a written request to the Commission; and
  (2) The written approval of the Commission.

B. A manufacturer may perform from a remote location analysis of, or technical support with regard to, a facility operator's video lottery systems including, but not limited to, a:
  (1) Gaming ticket system;
  (2) Promotional play system;
  (3) Player tracking system;
  (4) External bonusing system;
  (5) Cashless funds transfer system; and
  (6) Wide area progressive system.

C. A facility operator intending to authorize remote access to a video lottery system under this regulation shall include in its internal controls submitted for Commission approval under COMAR 36.03.10.05 a written system of access protocols which require:
  (1) A unique system account for each employee of a manufacturer identified by the manufacturer as potentially required to perform technical support from a remote location;
  (2) Use of a dedicated and secure communication facility;
  (3) The facility operator to provide the Commission with notice of access within 4 hours after a person remotely accesses a system;
  (4) The facility operator to take affirmative steps, on a per access basis, to activate a manufacturer's access privileges;
  (5) Imposition of limits on the ability of any individual authorized under this regulation to deliberately or inadvertently interfere with:
    (a) The normal operation of the system; and
  (6) An access log:
    (a) Maintained by both the:
      (ii) Facility operator's information technology department;
    (b) Maintained in:
      (i) A book with bound numbered pages that cannot be readily removed; or
      (ii) An electronic format equipped with software that prevents modification of an entry after it has been initially entered into the system; and
    (c) Documenting the:
      (i) Manufacturer version number of the system accessed;
      (ii) Type of connection as leased line, dial in modem, or private WAN;
      (iii) Name of the manufacturer employee remotely accessing the system;
      (iv) Name of the information technology department employee activating the manufacturer's access to the system;
      (v) Date and time of the connection;
      (vi) Duration of the connection;
      (vii) Reason for the remote access including a description of the symptoms or malfunction prompting the need for remote access to the system; and
      (viii) Any action taken or further action required.

D. A facility operator may not authorize a manufacturer to remotely access a video lottery system until its system access protocols are approved in writing by the Commission.

E. Any modification to a system required to be tested, certified, and approved by the Commission under Regulation .02E of this chapter shall be processed as:
  (1) An emergency modification under Regulation .07 of this chapter; or
  (2) A standard modification under Regulations .03C and .04C of this chapter.

F. If an employee of a manufacturer is no longer employed or authorized by a manufacturer to remotely access a system pursuant to this regulation, the manufacturer shall:
  (1) Immediately notify in writing:
    (a) Any facility operator that has established a unique system account for that employee of the change in authorization; and
  (2) Verify with each facility operator notified of the change in authorization that the access privileges of the individual have been revoked.

Md. Code Regs. 36.04.01.31
Regulations .31 adopted as an emergency provision effective March 1, 2013 (40:6 Md. R. 470); amended effective 44:21 Md. R. 985, eff. 10/23/2017; amended effective 45:21 Md. R. 973, eff. 10/22/2018; amended effective 46:20 Md. R. 843, eff. 10/7/2019