58 Pa. Code § 461a.19 - Remote system access

(a) In emergency situations or as an element of technical support, an employee of a licensed manufacturer may perform analysis of, or render technical support with regard to, a slot machine licensee's slot monitoring system, casino management system, player tracking system, external bonusing system, cashless funds transfer system, wide area progressive system, gaming voucher system or other Board-approved system from a remote location.

(b) Remote system access shall be performed in accordance with all of the following procedures:

(1) Only an employee of a licensed manufacturer who is licensed as a gaming employee or key employee in this Commonwealth may remotely access a system sold, leased or otherwise distributed by that licensed manufacturer for use at a licensed facility.

(2) The slot machine licensee shall establish a unique system account for each employee of a licensed manufacturer identified by his employer as potentially required to perform technical support from a remote location. System access afforded under this section shall:

(i) Be restricted in a manner that requires the slot machine licensee's information technology department to receive prior notice from the licensed manufacturer of its intent to remotely access a designated system.

(ii) Require the slot machine licensee to take affirmative steps, on a per access basis, to activate the licensed manufacturer's access privileges.

(iii) Be designed to appropriately limit the ability of a person authorized under this section to deliberately or inadvertently interfere with the normal operation of the system or its data.

(3) A log shall be maintained by both the licensed manufacturer and the slot machine licensee's information technology department. Each of the two logs must contain, at a minimum, all of the following information:

(i) The system accessed, including manufacturer and version number.

(ii) The type of connection (that is, leased line, dial in modem or private WAN).

(iii) The name and license number of the employee remotely accessing the system.

(iv) The name and license number of the information technology department employee activating the licensed manufacturer's access to the system.

(v) The date, time and duration of the connection.

(vi) The reason for the remote access including a description of the symptoms or malfunction prompting the need for remote access to the system.

(vii) Action taken or further action required.

(4) Communications between the licensed manufacturer and any of the systems identified in subsection (a) shall occur using a dedicated and secure communication facility such as a leased line approved in writing by the Board.

(c) Prior to granting remote system access, a slot machine licensee shall establish a system of internal controls applicable to remote system access. The internal controls shall be submitted to and approved by the Board under § 465a.2 (relating to internal control systems and audit protocols). The internal control procedures submitted by the slot machine licensee shall be designed to protect the physical integrity of the systems listed in subsection (a) and the related data and be capable of limiting the remote access to the system or systems requiring technical support.

(d) Any modification of, or remedial action taken with respect to, an approved system shall be processed and approved by the Board in accordance with the standard modification provisions submitted under § 461a.4(h) (relating to submission for testing and approval) or the emergency modification provisions of § 461a.4(l).

(e) If an employee of a licensed manufacturer is no longer employed by, or authorized by, that manufacturer to remotely access a system under this section, the licensed manufacturer shall immediately notify the Bureau of Gaming Laboratory Operations and each slot machine licensee that has established a unique system account for that employee of the change in authorization and shall timely verify with each slot machine licensee that any access privileges previously granted have been revoked.

(f) The Executive Director may waive one or more of the technical requirements applicable to remote computer access adopted by the Board upon a determination that the nonconforming remote access procedures nonetheless meet the integrity requirements of the act and this part.

Notes

58 Pa. Code § 461a.19

The provisions of this § 461a.19 amended May 14, 2010, effective 5/15/2010, 40 Pa.B. 2535; amended November 1, 2019, effective 11/2/2019, 49 Pa.B. 6676.

The provisions of this § 461a.19 amended under 4 Pa.C.S. §§ 1202(b)(30), 1207(3), (5), (9) and (11), 1322, 13A02(1) and (2), 13A27, 1602, 1604 and 1608.

This section cited in 58 Pa. Code § 461a.20 (relating to server supported slot systems); and 58 Pa. Code § 1112a.12 (relating to remote system access).