Current through Register Vol. 50, No. 9, September 20, 2024
A. A licensee and casino operator shall:
1. ensure that individuals occupying positions with access to sensitive computer hardware, software, or business personnel or patron data including, but not limited to, third-party service providers meet documented security criteria for such positions;
2. ensure that information and information systems remain protected during and after all personnel actions including, but not limited to, terminations and transfers; and
3. implement formal sanctions for the failure of personnel to comply with security policies and procedures.
B. Access to systems, data, and information shall be restricted by job functions. A licensee and casino operator shall establish security groups to ensure that access to computer systems shall be granted to authorized users only and be used solely for the types of transactions and functions that an authorized user is permitted to exercise.
1. A licensee's or casino operator's information technology (IT) department shall review the system access logs at the end of each month. Discrepancies shall be investigated, documented, and maintained for a period of five years.
2. A licensee and casino operator shall maintain personnel access listings that include, at a minimum, the employee's name, position, identification number, and a list of functions the employee is authorized to perform, including the date that authorization is granted. These files shall be updated as employees or the functions they perform change.
3. All changes to the system and the name of the individual who made the change shall be documented.
4. Reports and all other output generated from the system(s) shall only be available and distributed to authorized personnel.
C. All access to the server areas shall be documented on a log maintained by IT. Such logs shall be available at all times. The logs shall contain entries with the following information:
1. name of each person entering the room;
2. reason each person entered the room;
3. date and time each person enters and exits the room;
4. date, time, and type of any equipment malfunction in the room;
5. a description of any unusual events occurring in the room; and
6. such other information required in the internal controls.
AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.