(1) The Licensee shall have policies and procedures for managing third parties who provide information system services, hardware, and/or software or interact with the Sports Gaming System. Licensees are responsible for monitoring their adherence to relevant security requirements, including:
- (a) Agreements with third-party service providers involving accessing, processing, communicating, or managing the system and/or its components, or adding products or services to the system and/or its components shall cover all relevant security requirements.
- (b) The services, reports, and records provided by the third-party service providers shall be monitored and reviewed annually.
- (c) Changes to the provision of third-party service providers, including maintaining and improving existing security policies, procedures, and controls, shall be managed, taking account of the criticality of systems and processes involved and re-assessment of risks.
- (d) The access rights of third-party service providers to the system and/or its components shall be removed upon termination of their contract or agreement or adjusted upon change.
- (e) Verification that third-party service providers are registered as a Vendor in accordance with the Rules as may be required.
- (2) Third parties who provide information system services and/or software must comply with the requirements set forth in Sections 1350-03-.12 and 1350-03-.13.
Authority: T.C.A. §§ 4-49-106, 4-49-110, 4-49-115, and 4-49-125. Administrative History: Emergency rules filed December 22, 2021 to become effective January 1, 2022; effective through June 30, 2022. New rules filed March 22, 2022; effective June 20, 2022.