36.07.06.09

.09 Remote Access.

A. A manufacturer may not perform from a remote location analysis of, or technical support with regard to, an instant bingo machine or instant bingo validation and accounting system without:

(1) Submission of a written request to the Commission; and

(2) The written approval of the Commission.

B. A facility operator intending to authorize remote access to an instant bingo validation and accounting system under this regulation shall include in its internal controls submitted for Commission approval under a written system of access protocols which require:

(1) A unique system account for each employee of a manufacturer identified by the manufacturer as potentially required to perform technical support from a remote location;

(2) Use of a dedicated and secure communication facility;

(3) Prior notice by the manufacturer of intent to remotely access a system to the:

(a) Facility operator; and

(b) Commission;

(4) The facility operator to take affirmative steps, on a per access basis, to activate a manufacturer’s access privileges;

(5) Imposition of limits on the ability of any individual authorized under this regulation to deliberately or inadvertently interfere with:

(a) The normal operation of the system; and

(b) Its data;

(6) An access log:

(a) Maintained by both the:

(i) Manufacturer; and

(ii) Facility operator’s information technology department;

(b) Maintained in:

(i) A book with bound numbered pages that cannot be readily removed; or

(ii) An electronic format equipped with software that prevents modification of an entry after it has been initially entered into the system; and

(c) Documenting the:

(i) Manufacturer version number of the system accessed;

(ii) Type of connection as leased line, dial in modem, or private WAN;

(iii) Name of the manufacturer employee remotely accessing the system;

(iv) Name of the information technology department employee activating the manufacturer's access to the system;

(v) Date and time of the connection;

(vi) Duration of the connection;

(vii) Reason for the remote access including a description of the symptoms or malfunction prompting the need for remote access to the system; and

(viii) Any action taken or further action required.

C. A facility operator may not authorize a manufacturer to remotely access an instant bingo validation and accounting system until its system access protocols are approved in writing by the Commission.

D. Any modification to a system required to be tested, certified and approved by the Commission shall be processed as:

(1) An emergency modification under Regulation .05 of this chapter; or

(2) A standard modification under Regulations .02(B) and .03(B) of this chapter.

E. If an employee of a manufacturer is no longer employed or authorized by a manufacturer to remotely access a system pursuant to this regulation, the manufacturer shall:

(1) Immediately notify in writing:

(a) Any facility operator that has established a unique system account for that employee of the change in authorization; and

(b) The Commission; and

(2) Verify with each facility operator notified of the change in authorization that the access privileges of the individual have been revoked.