25 CFR 543.20 – What are the minimum internal control standards for information technology and information technology data?
(a) Supervision. (1) Controls must identify the supervisory agent in the department or area responsible for ensuring that the department or area is operating in accordance with established policies and procedures.
(2) The supervisory agent must be independent of the operation of Class II games.
(3) Controls must ensure that duties are adequately segregated and monitored to detect procedural errors and to prevent the concealment of fraud.
(4) Information technology agents having access to Class II gaming systems may not have signatory authority over financial instruments and payout forms and must be independent of and restricted from access to:
(i) Financial instruments;
(ii) Accounting, audit, and ledger entries; and
(iii) Payout forms.
(b) As used in this section only, a system is any computerized system that is integral to the gaming environment. This includes, but is not limited to, the server and peripherals for Class II gaming system, accounting, surveillance, essential phone system, and door access and warning systems.
(c) Class II gaming systems’ logical and physical controls. Controls must be established and procedures implemented to ensure adequate:
(1) Control of physical and logical access to the information technology environment, including accounting, voucher, cashless and player tracking systems, among others used in conjunction with Class II gaming;
(2) Physical and logical protection of storage media and its contents, including recovery procedures;
(3) Access credential control methods;
(4) Record keeping and audit processes; and
(5) Departmental independence, including, but not limited to, means to restrict agents that have access to information technology from having access to financial instruments.
(d) Physical security. (1) The information technology environment and infrastructure must be maintained in a secured physical location such that access is restricted to authorized agents only.
(2) Access devices to the systems’ secured physical location, such as keys, cards, or fobs, must be controlled by an independent agent.
(3) Access to the systems’ secured physical location must be restricted to agents in accordance with established policies and procedures, which must include maintaining and updating a record of agents granted access privileges.
(4) Network Communication Equipment must be physically secured from unauthorized access.
(e) Logical security. (1) Controls must be established and procedures implemented to protect all systems and to ensure that access to the following is restricted and secured:
(i) Systems’ software and application programs;
(ii) Data associated with Class II gaming; and
(iii) Communications facilities, systems, and information transmissions associated with Class II gaming systems.
(2) Unused services and non-essential ports must be disabled whenever possible.
(3) Procedures must be implemented to ensure that all activity performed on systems is restricted and secured from unauthorized access, and logged.
(4) Communications to and from systems via Network Communication Equipment must be logically secured from unauthorized access.
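Paragraph (e)(2) requires that unused services and non-essential ports be disabled, which in practice means periodically comparing what a system is actually listening on against the approved baseline. The following is an added example, not part of the regulation and not a tool any operator or TGRA prescribes: it parses `ss -tlnH` style output (the sample output here is constructed, not captured from a real system) and reports any listening port that is not on an assumed allowlist. Port numbers in the allowlist are illustrative assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `ss -tlnH` output; not captured from a real gaming system.
// Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
const sampleSS = `LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*`

// Assumed allowlist: ports the approved build of this system is expected to expose.
// A real baseline would come from the TGRA-approved system documentation.
var allowedPorts = map[int]bool{22: true, 443: true, 5432: true}

// listeningPorts parses ss-style output and returns the distinct local ports, sorted.
// Splitting on the last ':' handles both IPv4 ("0.0.0.0:22") and IPv6 ("[::]:22").
func listeningPorts(ssOutput string) []int {
	seen := map[int]bool{}
	for _, line := range strings.Split(ssOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 4 || fields[0] != "LISTEN" {
			continue
		}
		local := fields[3]
		idx := strings.LastIndex(local, ":")
		if idx < 0 {
			continue
		}
		port, err := strconv.Atoi(local[idx+1:])
		if err != nil {
			continue
		}
		seen[port] = true
	}
	ports := make([]int, 0, len(seen))
	for p := range seen {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	return ports
}

// unexpectedPorts returns the listening ports that are not on the allowlist;
// each one is either a service to disable or an undocumented change to investigate.
func unexpectedPorts(ssOutput string, allowed map[int]bool) []int {
	var out []int
	for _, p := range listeningPorts(ssOutput) {
		if !allowed[p] {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("listening:", listeningPorts(sampleSS))
	fmt.Println("not on allowlist:", unexpectedPorts(sampleSS, allowedPorts))
}
```

In the constructed sample, ports 23 (telnet) and 8080 are flagged. Running such a check on a schedule and logging the result also produces the kind of record that paragraphs (e)(3) and (g)(2) expect when a configuration drifts from what was approved.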
(f) User controls. (1) Systems, including application software, must be secured with passwords or other means for authorizing access.
(2) Management personnel or agents independent of the department being controlled must assign and control access to system functions.
(3) Access credentials such as passwords, PINs, or cards must be controlled as follows:
(i) Each user must have his or her own individual access credential;
(ii) Access credentials must be changed at an established interval approved by the TGRA; and
(iii) Access credential records must be maintained either manually or by systems that automatically record access changes and force access credential changes, including the following information for each user:
(A) User’s name;
(B) Date the user was given access and/or password change; and
(C) Description of the access rights assigned to user.
(4) Lost or compromised access credentials must be deactivated, secured or destroyed within an established time period approved by the TGRA.
(5) Access credentials of terminated users must be deactivated within an established time period approved by the TGRA.
(6) Only authorized agents may have access to inactive or closed accounts of other users, such as player tracking accounts and terminated user accounts.
(g) Installations and/or modifications. (1) Only TGRA authorized or approved systems and modifications may be installed.
(2) Records must be kept of all new installations and/or modifications to Class II gaming systems. These records must include, at a minimum:
(i) The date of the installation or modification;
(ii) The nature of the installation or change such as new software, server repair, significant configuration modifications;
(iii) Evidence of verification that the installation or the modifications are approved; and
(iv) The identity of the agent(s) performing the installation/modification.
(3) Documentation must be maintained, such as manuals and user guides, describing the systems in use and the operation, including hardware.
(h) Remote access. (1) Agents may be granted remote access for system support, provided that each access session is documented and maintained at the place of authorization. The documentation must include:
(i) Name of agent authorizing the access;
(ii) Name of agent accessing the system;
(iii) Verification of the agent’s authorization;
(iv) Reason for remote access;
(v) Description of work to be performed;
(vi) Date and time of start of end-user remote access session; and
(vii) Date and time of conclusion of end-user remote access session.
(2) All remote access must be performed via a secured method.
(i) Incident monitoring and reporting. (1) Procedures must be implemented for responding to, monitoring, investigating, resolving, documenting, and reporting security incidents associated with information technology systems.
(2) All security incidents must be responded to within an established time period approved by the TGRA and formally documented.
(j) Data backups. (1) Controls must include adequate backup, including, but not limited to, the following:
(i) Daily data backup of critical information technology systems;
(ii) Data backup of critical programs or the ability to reinstall the exact programs as needed;
(iii) Secured storage of all backup data files and programs, or other adequate protection;
(iv) Mirrored or redundant data source; and
(v) Redundant and/or backup hardware.
(2) Controls must include recovery procedures, including, but not limited to, the following:
(i) Data backup restoration;
(ii) Program restoration; and
(iii) Redundant or backup hardware restoration.
(3) Recovery procedures must be tested on a sample basis at specified intervals at least annually. Results must be documented.
(4) Backup data files and recovery components must be managed with at least the same level of security and access controls as the system for which they are designed to support.
(k) Software downloads. Downloads, either automatic or manual, must be performed in accordance with 25 CFR 547.12.
(l) Verifying downloads. Following download of any Class II gaming system software, the Class II gaming system must verify the downloaded software using a software signature verification method. Using any method it deems appropriate, the TGRA must confirm the verification.
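Paragraph (l) requires that downloaded Class II gaming system software be verified "using a software signature verification method" but does not prescribe one. The following is an added example, not the regulation's text and not the verification routine of any particular gaming system vendor: it uses Ed25519 from the Go standard library to sign a release manifest on the vendor side and verify it on the receiving side, and shows that a tampered image and a manifest signed with the wrong key are both rejected. The manifest layout, the version-binding prefix, and the sample image bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is an assumed record shipped alongside a download: the release
// version, the SHA-256 of the package image, and the vendor's signature.
type Manifest struct {
	Version string
	Digest  [32]byte
	Sig     []byte
}

// signingInput binds the version string to the digest, so a valid signature
// for one release cannot be replayed against a different version.
func signingInput(version string, d [32]byte) []byte {
	return append([]byte("release:"+version+"\n"), d[:]...)
}

// signRelease is the vendor side: hash the image and sign version+digest.
func signRelease(priv ed25519.PrivateKey, version string, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, signingInput(version, d))}
}

// verifyDownload is the gaming-system side. The vendor public key is pinned
// in the verifying system ahead of time; it must never arrive with the download.
// Signature first (is the manifest authentic?), then digest (is this the image
// the manifest describes?). Both must pass before the software is installed.
func verifyDownload(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signingInput(m.Version, m.Digest), m.Sig) {
		return errors.New("signature invalid: manifest not signed by the pinned vendor key")
	}
	if got := sha256.Sum256(image); got != m.Digest {
		return errors.New("digest mismatch: received image differs from signed manifest")
	}
	return nil
}

// demo exercises the three cases a practitioner cares about and returns the
// outcomes: a genuine download, a bit-flipped image, and a forged manifest.
func demo() (genuine, tampered, wrongKey error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed Class II game image 1.4.2 (sample bytes, not real software)")
	m := signRelease(priv, "1.4.2", image)
	genuine = verifyDownload(pub, m, image)

	// Flip one bit in the received bytes: the signature is still valid for the
	// manifest, but the digest no longer matches the image.
	bad := append([]byte{}, image...)
	bad[0] ^= 0x01
	tampered = verifyDownload(pub, m, bad)

	// Sign the same image with a key the system does not trust.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := signRelease(otherPriv, "1.4.2", image)
	wrongKey = verifyDownload(pub, forged, image)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := demo()
	fmt.Println("genuine image:  ", g)
	fmt.Println("tampered image: ", t)
	fmt.Println("wrong signer:   ", w)
}
```

The design point worth keeping regardless of algorithm: the verifying system must hold the vendor's public key before the download, the signature must cover something that identifies the release (not just the bytes), and the check must run over the bytes actually written to the system, not over a hash the downloader reported about itself. The TGRA's separate confirmation under paragraph (l) can then be as simple as re-running the same verification against the installed image and the pinned key.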