1.18 A recognized industry standard framework shall be used to manage the information technology (IT) control environment to support compliance with the Standards and Requirements.
1.19 Users shall be granted access to the gaming system based on business need.
Requirements – At a minimum:
- Access privileges are granted, modified and revoked based on employment status and job requirements and all activities associated with these actions are logged.
- Access privileges are independently reviewed and confirmed on a periodic basis.
1.20 Access to gaming information systems shall be monitored, logged and shall be traceable to a specific individual.
Requirements – At a minimum:
- All accounts for business users shall be uniquely assigned to an individual.
- All system accounts (or other accounts with equivalent privileges) shall be restricted to staff that provide IT support, and mechanisms shall be in place to secure and monitor use of those accounts.
1.21 Processes shall be in place to ensure that only authorized individuals are permitted to open system accounts.
1.22 Industry accepted components, both hardware and software, shall be used where possible.
1.23 Any connection or interface between the gaming system and any other system, whether internal or external third party, shall be monitored, hardened and regularly assessed to ensure the integrity and security of the gaming system.
1.24 Mechanisms shall be in place to ensure the reliability, integrity and availability of the gaming system.
1.25 There shall be a suitably secure physical environment in place to prevent unauthorized access to the gaming system and to ensure the protection of assets.
1.26 Gaming systems, infrastructure, data, activity logs and all other related components shall be protected from threats, vulnerabilities, attacks or breaches.
Requirements – At a minimum:
- All users shall be authenticated.
- All components shall be hardened in accordance with industry and technology good practices prior to going live and prior to any changes.
- The appropriateness and effectiveness of steps taken to harden technology components shall be regularly assessed.
- Patches to correct any security risks shall be updated regularly.
1.27 Security activities shall be logged in an auditable manner, monitored, promptly analyzed and a report prepared and escalated as appropriate.
Requirements – At a minimum:
- Attempts to attack, breach or access gaming system components in an unauthorized manner shall be responded to in a timely and appropriate manner.
- Intrusion attempts shall be actively detected and where possible prevented from causing disruption or outage of the gaming system.
- There shall be adequate logging to capture and monitor any attempts to attack, breach or access in an unauthorized manner any components of the gaming system. There shall be an appropriate escalation procedure.
1.28 Independent assessments shall be regularly performed by a qualified individual to verify the adequacy of gaming system security and all of its related components.
1.29 Operators and gaming-related suppliers shall stay current on security trends, issues and solutions.