N.J. Admin. Code § 13:69D-2.2

Current through Register Vol. 56, No. 12, June 17, 2024
Section 13:69D-2.2 - Use of controlled computer systems
(a) Prior to implementing a controlled computer system, each IT department shall employ internal controls which ensure the accuracy, reliability, and system integrity of their controlled computer systems and controlled data.
(b) Nothing in the Division's rules shall preclude a casino licensee, qualified affiliate or licensed affiliate from contracting the services of a third party for the operation of a controlled computer system, provided such third party is appropriately qualified, licensed or registered.
(c) Each casino licensee shall ensure its internal controls are current and adequately safeguard its controlled computer systems and controlled data.
(d) All critical software shall be approved by the Division prior to implementation and shall require the filing of Release Notes prior to installation. Additionally, critical software shall be designed with an approved method for software version verification.
(e) The initial installation and all material modifications to critical hardware shall be approved by the Division and shall require the filing of Release Notes prior to installation.
(f) Each casino licensee shall maintain documentation for all critical hardware and software. The documentation shall include, at a minimum, the make and model of hardware, the software version, and a copy of the Release Notes.
(g) Each critical location shall be approved by the Division and be designed to prevent unauthorized access. Each casino licensee shall ensure that:
1. An access log is utilized for non-IT department employees which identifies the date and time of each access and exit, as well as the name, company affiliation, and reason for entry in accordance with the IT department's internal controls; and
2. Surveillance camera coverage of all entryways and exits of the critical location is recorded and maintained in accordance with the Division's rules.
(h) Each controlled computer system shall be capable of recovering from an outage or loss of service and shall utilize, at a minimum, the following:
1. Data redundancy which permits the complete and prompt recovery of controlled data;
2. Environmental protection designed to protect critical hardware from a disaster; and
3. Backup capability that enables the casino licensee to create periodic copies of controlled data on a storage device which shall be maintained in a separate location.
(i) Each casino licensee shall ensure it is capable of recovering controlled systems after a disaster and have a current disaster recovery plan.
(j) Controlled computer systems shall be designed to protect the security and confidentiality of personal patron data and to prevent its unauthorized release. The casino licensee shall provide written notice to the Division within 72 hours of becoming aware that personal patron data may have been compromised or has been otherwise released without proper authorization. The casino licensee shall notify the patron(s) affected in a timely manner, if the compromise has been confirmed via the conclusion of an internal investigation and if law enforcement permits.
(k) Logical access to a controlled computer system shall be governed by the internal controls of the casino licensee's IT department that shall ensure:
1. Access requests are reviewed and approved;
2. User accounts and passwords are securely issued and stored;
3. User access is limited to only those functions necessary to perform the user's specific job responsibilities;
4. Manufacturer default passwords are not used;
5. Accounts associated with users who no longer require access are deactivated or removed;
6. Security events are monitored and logged; and
7. Except as provided in (l) below, each active user account has a password associated with a specific person.
(l) A casino licensee may issue an account not associated with a specific person provided that:
1. The account cannot be used to add, modify, or delete controlled data and/or controlled software;
2. The account is temporarily assigned by the IT department and documented in accordance with this subsection; or
3. The account is a generic system account, access to which is controlled by a casino licensee's IT department.
(m) Critical software shall not permit critical data to be altered unless the critical software provides a record of the modification. The record shall include, at a minimum:
1. The user who made the adjustment;
2. The date of the adjustment; and
3. The result of the adjustment.
(n) Controlled software shall not permit controlled data that is associated with a serially numbered document to be altered once the serially numbered document has been generated. Serially numbered documents may be voided using controlled software provided the controlled computer system maintains the original record and identifies the user that voided the record.
(o) Casino licensees shall ensure the security and integrity of access codes associated with player accounts. Division best practice is to encrypt such data where it is stored and during transmission.
(p) Critical computer systems shall monitor and report to the casino licensee any malfunction or security incident that adversely affects the integrity of critical data or system functionality. The casino licensee shall provide notice to the Division within 24 hours of becoming aware of the malfunction or security event.
(q) The casino licensee shall monitor and control access to operating systems used in conjunction with controlled computer systems. Division best practice is to utilize a method to electronically monitor and record the actions of users that can bypass application controls to adjust, add or delete controlled data.
(r) User accounts that can bypass application controls to adjust, add or delete controlled data shall:
1. Be restricted to authorized IT department employees and authorized third parties;
2. Not be required for normal operation or routine maintenance of the controlled computer system;
3. Not be used unless authorized and documented. Such documentation shall include, at a minimum:
i. The name of the user;
ii. The name of the authorizing employee;
iii. The date and time of access;
iv. The reason for access; and
v. A description of the data that was modified, if applicable.
(s) The casino licensee shall ensure the completion of the documentation required by (r) above. Division best practice is to utilize an electronic log that automatically records the account and date and time of access.
(t) The IT department shall be exclusively capable of booting critical hardware from more than one logical device.
(u) The casino licensee shall ensure that controlled data cannot be retrieved from decommissioned hardware.
(v) A casino licensee may provide remote access to its controlled computer system by an authorized user or computer system provided that:
1. The casino licensee has established a method to validate the identity of the user or system that is remotely connected. The validation method does not require two-factor authentication;
2. The connection has been established using a methodology that prevents unauthorized access to the systems or to the data transmitted between the remote access user and the controlled computer system. The protection does not require data encryption;
3. A firewall or equivalent device is used by the casino licensee in conjunction with the connection;
4. Vendors which require temporary remote access to a casino licensee's controlled computer system may be issued an account in accordance with this section provided that the password is changed or the account is disabled after every use; and
5. Vendors that remotely access a casino licensee's controlled computer system using an account that can bypass application controls to adjust, add, or delete controlled data, shall maintain an independent record of such access documenting, at a minimum:
i. The date and time access was initiated and terminated;
ii. The name and business affiliation of the user who accessed the controlled computer system;
iii. The user account used during the remote session;
iv. The name of the casino licensee's IT department employee who granted access;
v. The reason for access; and
vi. Description of what was modified, if applicable.

Amended by 49 N.J.R. 3781(a), effective 12/4/2017