S.D. Admin. R. 20:18:18:24.03

Current through Register Vol. 50, page 159, June 17, 2024
Section 20:18:18:24.03 - On-line monitoring and control system - Network security

Each production network (live network) serving on-line monitoring and control systems shall be secured from outside traffic. A firewall or other equipment used to secure the network from outside traffic shall maintain a 30-day audit log. The audit log shall record all changes to the configuration of the firewall or other equipment and shall be reviewed for unauthorized configuration changes. This review shall be documented. If a guest network is offered that provides internet access for patrons, hotel guests, or vendors, the guest network shall be physically or logically segregated from the network used to serve the on-line monitoring and control system. Network traffic on the guest network shall be non-routable to the on-line monitoring and control system network. Any third-party software application reading or writing to an on-line monitoring and control system must be approved by the commission, and a laboratory designated by the executive secretary. The commission may require a perimeter network (DMZ) or other approved secure method for any connection between a third-party software application and the approved on-line monitoring and control system. If an outside connection is allowed, an annual security assessment by an independent information technology security professional is required. This security assessment shall include an evaluation of the licensee's network security and have, at a minimum, a vulnerability scan approved by the commission. The results of the security assessment scan shall be included in the licensee's system audit.

40 SDR 121, effective 1/6/2014.

General Authority: SDCL 42-7B-7.

Law Implemented: SDCL 42-7B-7, 42-7B-11(11)(13), 42-7B-43.