Current through Register Vol. 41, No. 3, September 23, 2024
A. Within 90 days after beginning operations
and annually thereafter, a facility operator shall engage an independent
certified testing laboratory to perform a system integrity and security
assessment of its casino gaming operations, including any sports betting
operations not already reviewed in compliance with 11VAC5-70-200.
B. The scope of the integrity and security
assessment shall include, at a minimum:
1. A
vulnerability assessment of internal, external, and wireless networks with the
intent of identifying vulnerabilities of all devices, systems, and applications
transferring, storing, or processing personally identifiable information or
other sensitive information connected to or present on the networks;
2. A penetration test of all internal,
external, and wireless networks to confirm if identified vulnerabilities of all
devices, systems, platforms, and applications are susceptible to
compromise;
3. A technical security
control assessment against the provisions of the gaming law and this chapter
consistent with generally accepted professional standards and as approved by
the director;
4. An evaluation of
information security services, cloud services, payment services (financial
institutions, payment processors, etc.), location services, and any other
services that may be offered directly by the facility operator or involve the
use of third parties; and
5. Any
other specific criteria or standards for the integrity and security assessment
required by the director.
C. The independent certified testing
laboratory shall issue a report on its assessment and submit it to the
director. The report shall include, at a minimum the:
1. Scope of review;
2. Name and company affiliation of any
individual who conducted the assessment;
3. Date of assessment;
4. Findings;
5. Recommended corrective action, if any;
and
6. Facility operator's response
to the findings and recommended corrective action.
Statutory Authority: §§ 58.1-4101 and 58.1-4102
of the Code of Virginia.
