58 Pa. Code § 1408a.7 - Sports wagering certificate holder's or sports wagering operator's organization
(a) A sports wagering certificate holder's or sports wagering operator's systems of
internal controls must include organization charts depicting segregation of
functions and responsibilities and descriptions of the duties and
responsibilities for each position shown on each organization chart. Sports
wagering certificate holder or sports wagering operator shall be permitted,
except as otherwise provided in this section, to tailor organizational
structures to meet the needs or policies of a particular management philosophy.
A sports wagering certificate holder's or sports wagering operator's
organization charts must provide for:
(1) A system of personnel and chain of command which permits management and
supervisory personnel to be held accountable for actions or omissions within
their areas of responsibility.
(2) The segregation of incompatible functions, duties and responsibilities so that
no employee is in a position to both commit an error or perpetrate a fraud and
to conceal the error or fraud in the normal course of the employee's duties.
(3) The performance of all
functions, duties and responsibilities in accordance with sound financial
practices by qualified personnel.
(4) The areas of responsibility which are not so extensive as to be
impractical for an individual to monitor.
(b) In addition to other positions required as part of a sports wagering certificate holder's
or sports wagering operator's internal controls, a sports wagering certificate
holder or sports wagering operator must maintain an information technology
department supervised by an individual and licensed as a key employee who
functions, for regulatory purposes, as the information technology director. A
sports wagering certificate holder or sports wagering operator shall employ an
information technology security officer and, if the certificate holder or
licensee offers interactive or mobile sports wagering, an interactive gaming
manager, both of whom shall be licensed as a key employee.
(c) The information technology director shall
be responsible for the integrity of all data, the quality, reliability and
accuracy of all computer systems and software used by the sports wagering
certificate holder or sports wagering operator in the conduct of sports
wagering activities, whether the data and software are located within or
outside the certificate holder's or operator's facility, including, without
limitation, specification of appropriate computer software, hardware, and
procedures for security, physical integrity, audit and maintenance of:
(1) Access codes and other computer security
controls used to insure appropriately limited access to computer software and
data.
(2) Monitoring logs of user
access, security incidents and unusual transactions.
(3) Logs used to document and maintain the
details of any hardware and software modifications.
(4) Computer tapes, disks or other electronic
storage media containing data relevant to sports wagering operations.
(5) Computer hardware, communications equipment and software used in the
conduct of sports wagering.
(d) The information technology security officer shall report to the information
technology director and be responsible for:
(1) Maintaining access codes and other
computer security controls used to insure appropriately limited access to
computer software and data.
(2) Reviewing logs of user access, security incidents and unusual transactions.
(3) Coordinating the
development of the sports wagering certificate holder's or sports wagering
operator's information security policies, standards and procedures.
(4) Coordinating the development of an
education and training program on information security and privacy matters for
employees and other authorized users.
(5) Ensuring compliance with all State and
Federal information security policies and rules.
(6) Preparing and maintaining
security-related reports and data.
(7) Working with internal and external audit
personnel to ensure all findings are addressed in a timely and effective
manner.
(8) Developing and
implementing an Incident Reporting and Response System to address security
breaches, policy violations and complaints from external parties.
(9) Serving as the official contact for
information security and data privacy issues, including reporting to law
enforcement.
(10) Developing and
implementing an ongoing risk assessment program that targets information
security and privacy matters by identifying methods for vulnerability detection
and remediation and overseeing the testing of those methods.
(11) Remaining current with the latest
information technology security and privacy legislation, rules, advisories,
alerts, and vulnerabilities to ensure the sports wagering certificate holder's
security program and security software is effective.
(e) The interactive gaming manager shall
report to the information technology director, or other department manager as
approved by the Board, and be responsible for ensuring the proper operation and
integrity of interactive or mobile sports wagering and reviewing all reports of
suspicious behavior. The interactive gaming manager shall immediately notify
the Bureau upon detecting any person participating in interactive or mobile
sports wagering who is:
(1) Engaging in or attempting to engage in, or who is reasonably suspected of cheating, theft,
embezzlement, collusion, money laundering or any other illegal activities.
(2) A self-excluded person.
(3) A person that is prohibited by the sports wagering certificate holder or sports wagering
operator from sports wagering.