Code of Massachusetts Regulations
205 CMR - MASSACHUSETTS GAMING COMMISSION
Title 205 CMR 238.00 - Additional Uniform Standards of Accounting Procedures and Internal Controls for Sports Wagering
Section 238.44 - Data and Network Security Requirements

Universal Citation: 205 MA Code of Regs 205.238

Current through Register 1537, December 20, 2024

(1) A system of Internal Controls submitted by a Sports Wagering Operator in accordance with 205 CMR 238.02 shall ensure compliance with all applicable state and federal requirements for data and network security including 205 CMR, M.G.L. c. 93H, M.G.L. c. 93I, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or order of a governmental body.

(2) Pursuant to M.G.L. c. 23N, § 11(a)(v), a Sports Wagering Operator shall employ commercially reasonable methods to maintain the security of Wagering data, Confidential Information and other Personally Identifiable Information from unauthorized access and dissemination; provided, however, that nothing in M.G.L. c. 23N or 205 CMR shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by court order, other law or M.G.L. c. 23N; and provided further, that such data and information shall be hosted in the United States.

(3) Internal and external network vulnerability scans shall be run at least quarterly and after any significant change to the Sports Wagering Platform or network infrastructure. Testing procedures must verify that four quarterly internal and external scans took place in the past 12 months and that re-scans occurred until all "Medium Risk" (CVSS 4.0 or Higher) vulnerabilities were resolved or accepted via a formal risk acceptance program. Internal scans should be performed from an authenticated scan perspective. External scans can be performed from an uncredentialed perspective.

(a) The quarterly scans may be performed by either a qualified employee of the Sports Wagering Operator or a qualified independent technical expert selected by the Sports Wagering Operator and subject to approval of the Commission in accordance with 205 CMR 243.01: Standards for Sports Wagering Equipment.

(b) Verification of scans must be submitted to the Commission on a quarterly basis and must include a remediation plan and any risk mitigation plans for those vulnerabilities not able to be resolved.
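The verification that paragraph (3) and sub-paragraph (b) call for (four quarterly internal and external scans in the trailing 12 months, internal scans run authenticated, re-scans continued until every CVSS 4.0-or-higher finding is resolved or formally risk-accepted, and a mitigation plan for anything accepted rather than fixed) can be expressed as an automated check over an operator's scan records. The Python below is an added illustration; it is not part of 205 CMR 238.00 and is not a Commission-issued or Commission-endorsed tool. The `Scan`/`Finding` data model, the scan dates and the finding titles are constructed sample data, and reading "four quarterly scans in the past 12 months" as four distinct calendar quarters covered within the trailing 12 months is an assumption of this example, not wording from the regulation.

```python
"""Added example: compliance check modelled on 205 CMR 238.44(3) and 238.44(3)(b).

Not part of the regulation; data model and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

MEDIUM_RISK_CVSS = 4.0          # 238.44(3): "Medium Risk" means CVSS 4.0 or higher
REQUIRED_QUARTERS = 4           # 238.44(3): four quarterly scans in the past 12 months
SCOPES = ("internal", "external")
CLOSED_STATUSES = ("resolved", "accepted")   # "accepted" = formal risk acceptance program


@dataclass
class Finding:
    title: str      # constructed finding name, not real scanner output
    cvss: float
    status: str     # "open", "resolved" or "accepted"


@dataclass
class Scan:
    run_on: date
    scope: str              # "internal" or "external"
    authenticated: bool     # 238.44(3): internal scans should be authenticated
    findings: List[Finding] = field(default_factory=list)


def calendar_quarter(d: date) -> Tuple[int, int]:
    return d.year, (d.month - 1) // 3 + 1


def quarters_covered(scans: List[Scan], scope: str, as_of: date) -> Set[Tuple[int, int]]:
    """Distinct calendar quarters with at least one scan of `scope` in the 12 months ending `as_of`.

    Assumption: "four quarterly scans" is read as four distinct quarters covered.
    """
    window_start = as_of - timedelta(days=365)
    return {calendar_quarter(s.run_on) for s in scans
            if s.scope == scope and window_start < s.run_on <= as_of}


def open_medium_or_higher(scan: Scan) -> List[Finding]:
    """Findings at or above the 4.0 threshold that are neither resolved nor risk-accepted."""
    return [f for f in scan.findings
            if f.cvss >= MEDIUM_RISK_CVSS and f.status not in CLOSED_STATUSES]


def accepted_findings(scan: Scan) -> List[Finding]:
    """Risk-accepted findings; 238.44(3)(b) requires a mitigation plan for these."""
    return [f for f in scan.findings if f.cvss >= MEDIUM_RISK_CVSS and f.status == "accepted"]


def latest_scan(scans: List[Scan], scope: str) -> Optional[Scan]:
    candidates = [s for s in scans if s.scope == scope]
    return max(candidates, key=lambda s: s.run_on) if candidates else None


def check_compliance(scans: List[Scan], as_of: date) -> List[str]:
    """Return human-readable deficiencies; an empty list means every check passed."""
    issues = []
    for scope in SCOPES:
        covered = quarters_covered(scans, scope, as_of)
        if len(covered) < REQUIRED_QUARTERS:
            issues.append(f"{scope}: only {len(covered)} of {REQUIRED_QUARTERS} quarters "
                          f"covered in the 12 months ending {as_of}")
        latest = latest_scan(scans, scope)
        if latest is None:
            continue
        # Re-scan rule: the most recent scan must carry no open finding at or above 4.0.
        for f in open_medium_or_higher(latest):
            issues.append(f"{scope}: '{f.title}' (CVSS {f.cvss}) still open "
                          f"after the latest scan on {latest.run_on}")
    for s in scans:
        if s.scope == "internal" and not s.authenticated:
            issues.append(f"internal scan on {s.run_on} was not run from an authenticated perspective")
    return issues


# Constructed sample data (hypothetical dates and findings).
AS_OF = date(2024, 12, 20)


def sample_scans(drop_internal_q2: bool = False, open_external_finding: bool = False) -> List[Scan]:
    dates = [date(2024, 2, 15), date(2024, 5, 10), date(2024, 8, 12), date(2024, 11, 5)]
    scans: List[Scan] = []
    for d in dates:
        if not (drop_internal_q2 and d.month == 5):
            scans.append(Scan(d, "internal", authenticated=True))
        scans.append(Scan(d, "external", authenticated=False))
    latest_scan(scans, "internal").findings = [
        Finding("weak TLS configuration on admin host", 7.5, "accepted"),   # needs mitigation plan
        Finding("missing vendor patch on app server", 5.0, "resolved"),
        Finding("verbose service banner", 3.1, "open"),                     # below 4.0: not blocking
    ]
    if open_external_finding:
        latest_scan(scans, "external").findings.append(
            Finding("management interface reachable from the internet", 6.5, "open"))
    return scans


if __name__ == "__main__":
    for line in check_compliance(sample_scans(drop_internal_q2=True, open_external_finding=True), AS_OF):
        print(line)
```

Running the module prints the deficiencies for the deliberately non-compliant sample (a missing internal Q2 scan and an open CVSS 6.5 external finding); the compliant sample returns an empty list. `accepted_findings()` gives the list an operator would carry into the quarterly risk mitigation plan required by sub-paragraph (b).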
