Iowa Admin. Code r. 491-13.6 - Testing
(1) Initial testing. All equipment and systems integral to the conduct of sports wagering and advance deposit sports wagering shall be tested and certified for compliance with commission rules and the standards required by a commission-designated independent testing laboratory. Certification and commission approval must be received prior to the use of any equipment or system to conduct sports wagering. The commission may designate more than one independent testing laboratory.
(2) Change control. The licensees and advance deposit sports wagering operators shall submit change control processes that detail evaluation procedures for all updates and changes to equipment and systems to the administrator for approval at least 30 days prior to operation. These processes shall include, at a minimum, descriptions of the following areas of licensee operations:
a. Process to classify all changes according to organizational risk.
b. Process to designate whether changes must be submitted to an independent testing laboratory for review and certification.
c. Process for emergency change determination and implementation.
d. Process to log or note changes. Must include the details logged for each change, including but not limited to the following areas:
(1) Date and time of change or proposed date and time of change.
(2) Basic description of changes to be implemented.
(3) Change classification of change or changes, determined in accordance with the process established by paragraph 13.6(2)"a." If emergency designation is separate from other change classifications, this shall also be included in the log or note.
(4) Identification of whether a change was submitted to an independent testing laboratory, and the certification report number of any testing.
e. Process to maintain logs or notify the commission of changes.
(3) Annual testing.
a. A system integrity and security risk assessment shall be performed annually on the advance deposit sports wagering system.
(1) The testing organization must be independent of the licensee and shall be qualified by the administrator.
(2) The system integrity and security risk assessment shall be completed no later than March 31 of each year.
(3) Results from the risk assessment shall be submitted to the administrator no later than 60 days after the assessment is completed. Results shall include a remediation plan to address any risks identified during the risk assessment.
(4) The risk assessment shall be conducted in accordance with current and accepted industry standard review requirements for risk assessments.
(5) The risk assessment shall include a review of licensee controls. Review of controls shall include but not be limited to a comparison of licensee controls to industry standard and best practice controls, and an audit of the licensee processes for compliance with those controls.
b. A geolocation system and integrity test shall be performed annually on the advance deposit wagering system.
(1) The testing organization must be independent of the licensee and the licensed geolocation vendor and shall be qualified by the administrator.
(2) The geolocation test shall be completed and the results submitted no later than March 31 of each year.
(3) Geolocation testing shall review existing licensee procedures for detecting and reporting fraudulent activity associated with any account activity detected by the geolocation system, and shall recommend updates to those procedures to align with any current or updated industry standard or commission guidance.
c. At the discretion of the administrator, additional assessments or specific testing criteria may be required.