Current through all regulations passed and filed through December 2, 2024
Section 3772-10-12 - Access controls

(A) Each casino operator's internal controls must establish procedures for sensitive keys and securing access to assets and restricted areas.

(B) Each casino operator must maintain automated systems approved by the executive director designed to control and record access to assets and restricted areas.

(C) Unless otherwise required by the executive director, all sensitive keys, locks, access cards, biometric access, and all other methods used to grant access to assets and restricted areas must be controlled and managed by the security department. The IT department may provide assistance with management of automated systems.

(D) Inventory ledgers must be maintained for all sensitive keys and locks. Key and lock inventory ledgers must detail the following information:

(1) The acquisition of sensitive keys and locks;

(2) The placement into service or removal from service of sensitive keys and locks including the current location; and

(3) The destruction or disposal of sensitive keys and locks.

(E) Database records must be maintained documenting the assigned access for sensitive keys, access cards, biometric access, and all other methods used to grant access.

(F) The automated system in which sensitive keys are kept must be continuously covered by a fixed surveillance camera.

(G) Access to assets and restricted areas must be assigned to employees by position type.

(H) Additions or deletions of employee access to assets or restricted areas must be recorded in the automated systems and properly supported by personnel action documentation.

(I) The casino operator's automated systems must track and record when sensitive keys are checked out by employees.

(J) The casino operator's automated systems must track and record employee access to restricted areas secured by the automated systems.

(K) The casino operator's internal audit team must, at least semi-annually, complete an audit or analytical procedures designed to test the physical inventory count of sensitive keys and locks and assigned access to assets and restricted areas.

(L) Procedures for the destruction of sensitive keys and locks must be approved by the executive director.

(M) If a sensitive key or lock is lost, becomes missing, or is otherwise compromised, the casino operator must notify the commission in writing and investigate the incident. After receiving the results of the investigation from the casino operator, the executive director will determine if all associated sensitive keys and locks must be changed in order to maintain access restrictions.

(N) If an access card, biometric access, or other electronic access is lost, becomes missing, or is otherwise compromised, the casino operator must immediately remove all compromised access.

Replaces: 3772-10-26
Ohio Admin. Code 3772-10-12
Effective: 2/28/2022
Five Year Review (FYR) Dates: 02/28/2027
Promulgated Under: 119.03
Statutory Authority: 3772.03
Rule Amplifies: 3772.03, 3772.033
Prior Effective Dates: 05/12/2012, 06/01/2014, 07/30/2017