(a) The interactive gaming certificate holder and interactive gaming operator shall limit and control access to the primary server and any secondary servers by ensuring all of the following:
- (1) Maintain access codes and other computer security controls.
- (2) Maintain logs of user access, security incidents and unusual transactions.
- (3) Coordinate and develop an education and training program on information security and privacy matters for employees and other authorized users.
- (4) Ensure compliance with all State and Federal information security policies and rules.
- (5) Prepare and maintain security-related reports and data.
- (6) Develop and implement an incident reporting and response system to address security breaches, policy violations and complaints from external parties.
- (7) Develop and implement an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods.