25 CFR 543.16 - What are the minimum internal controls for information technology?

(a) Physical security measures restricting access to agents, including vendors, must exist over the servers, including computer terminals, storage media, software and data files to prevent unauthorized access and loss of integrity of data and processing.
(b) Unauthorized individuals must be precluded from having access to the secured computer area(s).
(c) User controls. (1) Computer systems, including application software, must be secured through the use of passwords or other approved means.
(2) Procedures must be established and implemented to ensure that management or independent agents assign and control access to computer system functions.
(3) Passwords must be controlled as follows unless otherwise addressed in the standards in this section.
(i) Each user must have his or her own individual user identification and password.
(ii) When an individual has multiple user profiles, only one user profile per application may be used at a time.
(iii) Passwords must be changed at least quarterly with changes documented. Documentation is not required if the system prompts users to change passwords and then denies access if the change is not completed.
(iv) The system must be updated to change the status of terminated users from active to inactive status within 72 hours of termination.
(v) At least quarterly, independent agents must review user access records for appropriate assignment of access and to ensure that terminated users do not have access to system functions.
(vi) Documentation of the quarterly user access review must be maintained.
(vii) System exception information (e.g., changes to system parameters, corrections, overrides, voids, etc.) must be maintained.
(4) Procedures must be established and implemented to ensure access listings are maintained which include at a minimum:
(i) User name or identification number (or equivalent); and
(ii) Listing of functions the user can perform or equivalent means of identifying same.
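The quarterly user access review that (c)(3)(iv) through (vi) and (c)(4) require can be run against an exported access listing. The Python below is an added example, not part of the regulation or of any gaming-system or NIGC tooling; the access listing, the HR termination records and the review date are constructed, and the 72-hour deactivation window is taken from (c)(3)(iv).

```python
from datetime import datetime, timedelta

# Constructed access listing in the minimum shape of 543.16(c)(4):
# a user identifier plus the functions that user can perform.
ACCESS_LISTING = [
    {"user": "jdoe", "status": "active", "functions": ["voucher_void", "report_view"]},
    {"user": "asmith", "status": "active", "functions": ["cashless_adjust"]},
    {"user": "bwong", "status": "inactive", "functions": ["report_view"]},
    {"user": "clee", "status": "active", "functions": []},
]

# Constructed HR termination records: user -> termination timestamp.
TERMINATIONS = {
    "asmith": datetime(2024, 3, 1, 9, 0),
    "bwong": datetime(2024, 2, 10, 17, 0),
}

# Constructed date on which the review is performed.
SAMPLE_AS_OF = datetime(2024, 3, 5, 9, 0)

DEACTIVATION_WINDOW = timedelta(hours=72)  # 543.16(c)(3)(iv)


def overdue_terminations(listing, terminations, as_of):
    """Users whose employment ended more than 72 hours before `as_of`
    but whose account is still active: a (c)(3)(iv)/(v) finding.
    Returns (user, hours since termination) pairs."""
    findings = []
    for entry in listing:
        ended = terminations.get(entry["user"])
        if ended is None or entry["status"] != "active":
            continue
        if as_of - ended > DEACTIVATION_WINDOW:
            findings.append((entry["user"], (as_of - ended).total_seconds() / 3600))
    return findings


def incomplete_listing_entries(listing):
    """Entries missing the (c)(4) minimum: an identifier and a list of functions."""
    return [e.get("user") for e in listing if not e.get("user") or not e.get("functions")]


def quarterly_review(listing, terminations, as_of):
    """Build the review record that (c)(3)(vi) requires be maintained."""
    return {
        "reviewed_at": as_of.isoformat(),
        "accounts_reviewed": len(listing),
        "overdue_terminations": overdue_terminations(listing, terminations, as_of),
        "incomplete_entries": incomplete_listing_entries(listing),
    }


def run_sample_review():
    """Run the review over the constructed data above."""
    return quarterly_review(ACCESS_LISTING, TERMINATIONS, SAMPLE_AS_OF)
```

An account that is inactive by the review date (bwong above) is not a finding even if it was terminated long ago; only active accounts past the 72-hour window are reported.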
(d) Adequate backup and recovery procedures must be in place that include:
(1) Daily backup of data files— (i) Backup of all programs. Backup of programs is not required if the program can be reinstalled.
(ii) Secured storage of all backup data files and programs, or other adequate protection to prevent the permanent loss of any data.
(iii) Backup data files and programs may be stored in a secured manner in another building that is physically separated from the building where the system's hardware and software are located. They may also be stored in the same building as the hardware/software as long as they are secured in a fireproof safe or some other manner that will ensure the safety of the files and programs in the event of a fire or other disaster.
(2) Recovery procedures must be tested on a sample basis at least annually with documentation of results.
(e) Access records. (1) Procedures must be established to ensure computer access records, if capable of being generated by the computer system, are reviewed for propriety for the following at a minimum:
(i) Class II gaming systems;
(ii) Accounting/auditing systems;
(iii) Cashless systems;
(iv) Voucher systems;
(v) Player tracking systems; and
(vi) External bonusing systems.
(2) If the computer system cannot deny access after a predetermined number of consecutive unsuccessful attempts to log on, the system must record unsuccessful log on attempts.
(f) Remote access controls. (1) For computer systems that can be accessed remotely, the written system of internal controls must specifically address remote access procedures including, at a minimum:
(i) Record the application remotely accessed, authorized user's name and business address and version number, if applicable;
(ii) Require approved secured connection;
(iii) The procedures used in establishing and using passwords to allow authorized users to access the computer system through remote access;
(iv) The agents involved and procedures performed to enable the physical connection to the computer system when the authorized user requires access to the system through remote access; and
(v) The agents involved and procedures performed to ensure the remote access connection is disconnected when the remote access is no longer required.
(2) In the event of remote access, the information technology employees must prepare a complete record of the access to include:
(i) Name or identifier of the employee authorizing access;
(ii) Name or identifier of the authorized user accessing system;
(iii) Date, time, and duration of access; and
(iv) Description of work performed in adequate detail to include the old and new version numbers, if applicable, of any software that was modified, and details regarding any other changes made to the system.

Title 25 published on 2011-04-01

The following are only the Rules published in the Federal Register after the published date of Title 25.

  • 2012-10-04; vol. 77 # 193 - Thursday, October 4, 2012
    1. 77 FR 60625 - Minimum Internal Control Standards for Class II Gaming
      DEPARTMENT OF THE INTERIOR, National Indian Gaming Commission
      Final rule; delay of effective date; suspension.
The effective date for amendments to §§ 542.7 and 542.16 in the final rule published October 10, 2008, 73 FR 60492, delayed October 9, 2009, at 74 FR 52138, September 10, 2010, at 75 FR 55269, and August 30, 2011, at 76 FR 53817, is further delayed until April 22, 2014. Section 543.3(c)(3) is suspended until 11:59 p.m. October 21, 2012. Submit comments on or before October 11, 2012.
      25 CFR Parts 542 and 543

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
USC : Title 25 - INDIANS

§ 2701 - Findings

§ 2702 - Declaration of policy

§ 2703 - Definitions

§ 2704 - National Indian Gaming Commission

§ 2705 - Powers of Chairman

§ 2706 - Powers of Commission

§ 2707 - Commission staffing

§ 2708 - Commission; access to information

§ 2709 - Interim authority to regulate gaming

§ 2710 - Tribal gaming ordinances

§ 2711 - Management contracts

§ 2712 - Review of existing ordinances and contracts

§ 2713 - Civil penalties

§ 2714 - Judicial review

§ 2715 - Subpoena and deposition authority

§ 2716 - Investigative powers

§ 2717 - Commission funding

§ 2717a - Availability of class II gaming activity fees to carry out duties of Commission

§ 2718 - Authorization of appropriations

§ 2719 - Gaming on lands acquired after October 17, 1988

§ 2720 - Dissemination of information

§ 2721 - Severability

Title 25 published on 2011-04-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 25 CFR 543 after this date.

  • 2013-02-20; vol. 78 # 34 - Wednesday, February 20, 2013
    1. 78 FR 11793 - Minimum Internal Control Standards
      DEPARTMENT OF THE INTERIOR, National Indian Gaming Commission
      Proposed rule.
      Submit comments on or before April 22, 2013.
      25 CFR Part 543