Mich. Admin. Code R. 432.639 - Internet gaming operators and internet gaming platform provider technical and security standards (controls)
Rule 639.
(1) An internet gaming operator or its internet gaming platform provider, or both, must adopt, implement, and maintain technical security standards (controls) that meet or exceed those adopted in R 432.633(2). The technical security standards must apply, at a minimum, to all the following critical components of the internet gaming platform:
(a) Components that record, store, process, share, transmit, or retrieve sensitive information (e.g., validation numbers, personal identification numbers (PIN), and individual and authorized participant data).
(b) Components that generate, transmit, or process random numbers used to determine the outcome of games or virtual events.
(c) Components that store results or the current state of an authorized participant's internet wager.
(d) Points of entry to and exit from the components provided for in subdivisions (a) to (c) of this subrule and other systems that are able to communicate directly with core critical internet gaming platform components.
(e) Communication networks that transmit sensitive information involving internet gaming under the act.
(2) The following technical security standards are the minimum standards an internet gaming operator or internet gaming platform provider must incorporate into its internal controls:
(a) Technical security standards addressing internet gaming platform operations and security include, but are not limited to, all of the following:
(i) Internet Gaming Platform Operations and Security. The internet gaming operator or internet gaming platform provider must adopt, implement, and maintain procedures for, at a minimum, the following:
(A) Monitoring the critical components and the transmission of data of the entire internet gaming platform.
(B) Maintenance of all aspects of security of the internet gaming platform to ensure secure and reliable communications.
(C) Defining, monitoring, documenting, reporting, investigating, responding to, and resolving security incidents.
(D) Monitoring and adjusting resource consumption and maintaining a log of the internet gaming platform performance.
(E) Investigating, documenting, and resolving malfunctions.
(ii) Physical Location of Servers and Security. The internet gaming platform must be housed in secure locations. Internet gaming operators and their internet gaming platform providers must provide the board with information on the location of all internet gaming platform servers. The secure locations must have sufficient protection from unauthorized access and physical and environmental hazards and be equipped with surveillance and security systems that meet or exceed industry standards.
(iii) Internet Gaming Platform Logical Access Controls. The internet gaming platform must be logically secured against unauthorized access.
(iv) Internet Gaming Platform User Authorization. The internet gaming platform must be subject to user authorization requirements as required by the board.
(v) Server Programming. The internet gaming platform must be sufficiently secure to prevent any user-initiated programming capabilities on the server that may result in unauthorized modifications to the database.
(vi) Verification Procedures. Procedures must be in place for verifying on demand that the critical control program components of the internet gaming platform in the production environment are identical to those approved by the board.
(vii) Electronic Document Retention System. The internet gaming operator or internet gaming platform provider must establish procedures that ensure that all reports required under the act and these rules are stored in an electronic document retention system.
(viii) Asset Management. All assets that house, process, or communicate sensitive information, including those comprising the operating environment of the internet gaming platform or its components, or both, must be accounted for and have a nominated owner or designated management official that is responsible for each asset.
(b) The technical security standards addressing data security and backup recovery include, but are not limited to, all of the following:
(i) Data Security. The internet gaming platform must provide a logical means for securing individual and authorized participant data and wagering data, including accounting, reporting, significant event, or other sensitive information, against alteration, tampering, or unauthorized access.
(ii) Data Alteration. The alteration of any accounting, reporting, or significant event data relating to internet wagering under the act is not permitted without supervised access controls. If any data is changed, all information required by the board must be documented or logged.
(iii) Backup Frequency. Backup scheme implementation relating to information involving internet wagering under the act must occur at least once every day or as otherwise specified by the board.
(iv) Storage Medium Backup. Audit logs, internet gaming platform databases, and any other pertinent individual and authorized participant data and wagering data must be stored using reasonable protection methods. The internet gaming platform must be designed to protect the integrity of this data if there is a failure. Redundant copies of this data must be kept on the internet gaming platform with open support for backups and restoration, so that no single failure of any portion of the internet gaming platform would cause the loss or corruption of the data.
(v) Internet Gaming Platform Failure. The internet gaming platform must have sufficient redundancy and modularity so that if any single component or part of a component fails, the functions of the internet gaming platform and the process of auditing those functions can continue with no critical data loss. If 2 or more components are linked, the process of all internet gaming operations between the components must not be adversely affected by restart or recovery of either component, and upon restart or recovery the components must immediately synchronize the status of all transactions, data, and configurations with one another.
(vi) Accounting and Master Resets. The internet gaming operator or internet gaming platform provider must be able to identify and properly handle the situation where a master reset has occurred on any component that affects internet gaming under the act.
(vii) Recovery Requirements. If there is a catastrophic failure when the internet gaming platform cannot be restarted in any other way, it must be possible to restore the internet gaming platform from the last backup point and fully recover. The contents of that backup must contain critical information as required by the board.
(viii) Uninterrupted Power Supply (UPS) Support. All internet gaming platform components must be provided with adequate primary power. If the server is a stand-alone application, it must have a UPS connected and must have sufficient capacity to permit a methodical shut-down that retains all individual and authorized participant data and wagering data during a power loss. It is acceptable that the internet gaming platform may be a component of a network that is supported by a network-wide UPS if the server is included as a device protected by the UPS. There must be a surge protection system in use if not incorporated into the UPS itself.
(ix) Business Continuity and Disaster Recovery Plan. A business continuity and disaster recovery plan must be in place to recover internet gaming operations conducted under the act if the internet gaming platform's production environment is rendered inoperable.
(c) Technical security standards addressing communications include, but are not limited to, all of the following:
(i) Connectivity. Only authorized devices are permitted to establish communications between any internet gaming platform components.
(ii) Communication Protocol. Each component of the internet gaming platform must function as indicated by a documented secure communication protocol.
(iii) Communication Over Internet/Public Network. Communications between internet gaming platform components must be secure. Individual and authorized participant data, sensitive information, internet wagers, results, financial information, and individual and authorized participant transaction information related to internet gaming conducted under the act must always be encrypted and protected from incomplete transmissions, misrouting, unauthorized message modification, disclosure, duplication, or replay.
(iv) Wireless Local Area Network (WLAN) Communications. The use of WLAN communications must adhere to applicable requirements specified for wireless devices and is subject to approval by the board.
(v) Network Security Management. Networks must be logically separated to ensure that there is no network traffic on a network link that cannot be serviced by hosts on that link.
(vi) Mobile Computing and Communications. Formal policies shall be in place, and appropriate security measures shall be adopted to protect against the risk of using mobile computing and communication facilities. Telecommuting shall not be permitted except under circumstances where the security of the endpoint can be guaranteed.
(d) Technical security standards addressing third party service providers include, but are not limited to, all of the following:
(i) Third-Party Service Communications. Where communications related to internet gaming conducted under the act are implemented with third-party service providers, the internet gaming platform must securely communicate with all third-party service providers utilizing encryption and strong authentication, ensure that all login events are recorded to an audit file, and ensure that all communications do not interfere with or degrade normal internet gaming platform functions.
(ii) Third-Party Services. The roles and responsibilities of each third-party service provider engaged by the internet gaming operator or internet gaming platform provider must be defined and documented in a manner approved by the board. The internet gaming operator or internet gaming platform provider must have policies and procedures in place for managing third-party service providers and monitoring their adherence to relevant security requirements.
(e) Technical security standards addressing technical controls include, but are not limited to, all of the following:
(i) Domain Name Service (DNS) Requirements. An internet gaming operator or internet gaming platform provider must establish requirements that apply to servers used to resolve DNS queries used in association with the internet gaming platform.
(ii) Cryptographic Controls. An internet gaming operator or internet gaming platform provider must establish and implement a policy for the use of cryptographic controls that ensures the protection of information.
(iii) Encryption Key Management. The management of encryption keys must follow defined processes established by the internet gaming operator or internet gaming platform provider and approved by the board.
(f) The technical security standards addressing remote access and firewalls include, but are not limited to, all of the following:
(i) Remote Access Security. Remote access, if approved by the board, must be performed via a secured method, must have the option to be disabled, may accept only the remote connections permissible by the firewall application and internet gaming platform settings, and must be limited to only the application functions necessary for users to perform their job duties.
(ii) Remote Access and Guest Accounts Procedures. Remote access and guest accounts procedures must be established that ensure that remote access is strictly controlled.
(iii) Remote Access Activity Log. The remote access application must maintain an activity log that updates automatically and records and maintains all remote access information.
(iv) Firewalls. All communications, including remote access, must pass through at least 1 approved application-level firewall. This includes connections to and from any non-internet gaming platform hosts used by the internet gaming operator or internet gaming platform provider.
(v) Firewall Audit Logs. The firewall application must maintain an audit log and must disable all communications and generate an error if the audit log becomes full. The audit log must contain, at a minimum, all the following information:
(A) All changes to configuration of the firewall.
(B) All successful and unsuccessful connection attempts through the firewall.
(C) The source and destination IP addresses, port numbers, protocols, and, where possible, MAC addresses.
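As an added illustration of what subdivision (f)(v) asks of a firewall audit log (example code written for this page, not part of the rule or of any firewall product): a checker that reads constructed JSON log entries and flags any entry missing the fields items (A) to (C) require, plus a fail-closed capacity check for the log-full condition. The entry format, the field names and the sample entries are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Fields each entry must carry under (f)(v)(A)-(C). MAC addresses are "where
# possible", so their absence is reported but not counted as a violation.
REQUIRED = {
    "config_change": ("actor", "change"),
    "connection": ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "outcome"),
}

# Constructed sample entries, one JSON object per line (not real firewall output).
SAMPLE_LOG = """
{"ts": "2024-01-01T00:00:01Z", "kind": "connection", "src_ip": "10.0.1.5", "dst_ip": "10.0.2.9", "src_port": 51000, "dst_port": 443, "protocol": "tcp", "outcome": "allow", "src_mac": "00:11:22:33:44:55"}
{"ts": "2024-01-01T00:00:02Z", "kind": "connection", "src_ip": "203.0.113.7", "dst_ip": "10.0.2.9", "dst_port": 22, "protocol": "tcp", "outcome": "deny"}
{"ts": "2024-01-01T00:00:03Z", "kind": "config_change", "actor": "admin1", "change": "add rule 17 allow 10.0.1.0/24 -> 10.0.2.9:443"}
{"ts": "2024-01-01T00:00:04Z", "kind": "config_change", "actor": "admin2"}
""".strip().splitlines()

@dataclass
class AuditReport:
    entries: int = 0
    violations: list = field(default_factory=list)  # (line_no, missing fields)
    no_mac: list = field(default_factory=list)      # connection lines lacking a MAC

    @property
    def compliant(self) -> bool:
        return not self.violations

def check_audit_log(lines):
    """Verify every entry carries the fields (f)(v) requires for its kind."""
    report = AuditReport()
    for n, raw in enumerate(lines, 1):
        entry = json.loads(raw)
        report.entries += 1
        kind = entry.get("kind")
        if kind not in REQUIRED:          # unknown or missing entry type
            report.violations.append((n, ["kind"]))
            continue
        missing = [f for f in REQUIRED[kind] if f not in entry]
        if missing:
            report.violations.append((n, missing))
        if kind == "connection" and "src_mac" not in entry:
            report.no_mac.append(n)
    return report

def log_has_room(used_bytes, capacity_bytes, next_entry_bytes):
    """Fail-closed check for the log-full rule in (f)(v): when the next entry would
    overflow the log, the caller must refuse traffic rather than drop the record."""
    return used_bytes + next_entry_bytes <= capacity_bytes
```

Running `check_audit_log(SAMPLE_LOG)` flags line 2 (no source port) and line 4 (configuration change with no description of the change) as violations and notes that line 2 carries no MAC address.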
(vi) Firewall Rules Review. The firewall rules must be periodically reviewed by the internet gaming operator or internet gaming platform provider to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets, and the review must be performed on all the perimeter firewalls and the internal firewalls.
(g) Technical security standards addressing change management include, but are not limited to, all of the following:
(i) Program Change Control Procedures. Program change control procedures must ensure that only authorized versions of programs are implemented on the production environment.
(ii) Software Development Life Cycle. The acquisition and development of new software must follow defined processes established by the internet gaming operator or internet gaming platform provider and subject to review by the board.
(iii) Patches. All patches should be tested, as applicable, in a development and test environment configured to match the target production environment before being deployed into production. Permitted exceptions and related procedures and controls must be fully addressed.
(h) Technical security standards addressing periodic security testing include, but are not limited to, all of the following:
(i) Technical Security Testing. Periodic technical security tests on the production environment must be performed quarterly or as required by the board to guarantee that no vulnerabilities putting at risk the security and operation of the internet gaming platform exist.
(ii) Vulnerability Assessment. The internet gaming operator or the internet gaming platform provider must conduct vulnerability assessments. The purpose of the vulnerability assessment is to identify vulnerabilities, which could be later exploited during penetration testing, by making basic queries relating to services running on the internet gaming platform concerned.
(iii) Penetration Testing. The internet gaming operator or the internet gaming platform provider must conduct penetration testing. The purpose of the penetration testing is to exploit any weaknesses uncovered during the vulnerability assessment on any publicly exposed applications or internet gaming platform hosting applications processing, transmitting, or storing sensitive information.
(iv) Information Security Management System (ISMS) Audit. An audit of the ISMS will be periodically conducted, including all the locations where sensitive information is accessed, processed, transmitted, or stored. The ISMS will be reviewed against common information security principles in relation to confidentiality, integrity, and availability.
(v) Cloud Service Audit. An internet gaming operator and its internet gaming platform provider that utilizes a cloud service provider (CSP), if approved by the board, to store, transmit, or process sensitive information must undergo a specific audit as required by the board. The CSP must be reviewed against common information security principles in relation to the provision and use of cloud services, such as ISO/IEC 27017 and ISO/IEC 27018, or equivalent.
(3) The internet gaming operator or its internet gaming platform provider, or both, must include the technical security standards (controls) in the internal controls and internet gaming platform submitted to the board for approval.
(4) The technical security standards (controls) must:
(a) Have a provision requiring review when changes occur to the internet gaming platform.
(b) Be approved by the internet gaming operator's or internet gaming platform provider's senior management.
(c) Be communicated to all affected employees and relevant external parties.
(d) Undergo review at planned intervals.
(e) Delineate the responsibilities of the internet gaming operator's staff, the internet gaming platform provider's staff, and the staff of any third parties for the operation, service, and maintenance of the internet gaming platform or its components, or both.