A. A manufacturer may not perform from a remote location analysis of, or technical support with regard to, an instant bingo machine or instant bingo validation and accounting system without:
(1) Submission of a written request to the Commission; and
(2) The written approval of the Commission.
B. A facility operator intending to authorize remote access to an instant bingo validation and accounting system under this regulation shall include in its internal controls submitted for Commission approval under a written system of access protocols which require:
(1) A unique system account for each employee of a manufacturer identified by the manufacturer as potentially required to perform technical support from a remote location;
(2) Use of a dedicated and secure communication facility;
(3) Prior notice by the manufacturer of intent to remotely access a system to the:
(a) Facility operator; and
(4) The facility operator to take affirmative steps, on a per access basis, to activate a manufacturer’s access privileges;
(5) Imposition of limits on the ability of any individual authorized under this regulation to deliberately or inadvertently interfere with:
(a) The normal operation of the system; and
(b) Its data;
(6) An access log:
(a) Maintained by both the:
(i) Manufacturer; and
(ii) Facility operator’s information technology department;
(b) Maintained in:
(i) A book with bound numbered pages that cannot be readily removed; or
(ii) An electronic format equipped with software that prevents modification of an entry after it has been initially entered into the system; and
(c) Documenting the:
(i) Manufacturer version number of the system accessed;
(ii) Type of connection as leased line, dial in modem, or private WAN;
(iii) Name of the manufacturer employee remotely accessing the system;
(iv) Name of the information technology department employee activating the manufacturer's access to the system;
(v) Date and time of the connection;
(vi) Duration of the connection;
(vii) Reason for the remote access including a description of the symptoms or malfunction prompting the need for remote access to the system; and
(viii) Any action taken or further action required.
C. A facility operator may not authorize a manufacturer to remotely access an instant bingo validation and accounting system until its system access protocols are approved in writing by the Commission.
D. Any modification to a system required to be tested, certified and approved by the Commission shall be processed as:
(1) An emergency modification under Regulation .05 of this chapter; or
(2) A standard modification under Regulations .02(B) and .03(B) of this chapter.
E. If an employee of a manufacturer is no longer employed or authorized by a manufacturer to remotely access a system pursuant to this regulation, the manufacturer shall:
(1) Immediately notify in writing:
(a) Any facility operator that has established a unique system account for that employee of the change in authorization; and
(b) The Commission; and
(2) Verify with each facility operator notified of the change in authorization that the access privileges of the individual have been revoked.