Current through Register Vol. 54, No. 25, June 22, 2024
Section 809a.8 - Security policy requirements Interactive gaming certificate holders and interactive gaming operators shall adopt and maintain a Board-approved information security policy which describes the certificate holder's or licensee's approach to managing information security and its implementation. This policy is required in addition to any similar requirements that may be imposed as part of the certificate holder's or licensee's internal controls. The information security policy must:
(1) Conform to the standards of the most recent version of the NIST cybersecurity framework. (2) Be reviewed annually as well as when significant changes occur to the interactive gaming system or the processes which alter the risk profile of the interactive gaming system. (3) Be approved annually by the certificate holder's or operator's management. (4) Be communicated to all employees and relevant external parties. (5) Delineate the responsibilities of the certificate- holder's or licensee's staff and the staff of any third parties for the operation, service and maintenance of the interactive gaming system and its components.