Information Technology - Audit 25 CFR 543.20 Toolkit


Information Technology – Audit 25 CFR 543.20
National Indian Gaming Commission
Director of Compliance
National Auditing and Monitoring, Education and Communications Training Department

NIGC Information Technology Audit – 25 CFR 543.20 Toolkit

Over twenty-five years ago Congress adopted the Indian Gaming Regulatory Act (IGRA) to provide a statutory basis for gaming by Indian tribes. The National Indian Gaming Commission (NIGC) was created by IGRA to regulate gaming activities conducted by sovereign Indian tribes on Indian lands. The mission of the NIGC is to fully realize IGRA's goals of: (1) promoting tribal economic development, self-sufficiency and strong tribal governments; (2) maintaining the integrity of the Indian gaming industry; and (3) ensuring that tribes are the primary beneficiaries of their gaming activities. One of the primary ways the NIGC does this is by providing training and technical assistance to Indian tribes and their gaming regulators.

The National Indian Gaming Commission (NIGC) is pleased to present this Toolkit to all Compliance and Auditing staff. This reference guide is intended to assist IT Auditor(s), Gaming Commissioner(s) and Operations personnel in measuring the compliance of their operation(s) with 25 CFR 543.20. The toolkit is designed to provide each standard as it relates to 543.20, the language of the standard, the intent of the standard, and then a recommended testing step which will ensure minimum regulatory compliance.

This Toolkit is designed to meet the minimum requirements of the NIGC MICS and does not take into account an operation's Tribal Internal Control Standards (TICS) and/or System of Internal Control Standards (SICS), which may require further testing. The NIGC encourages Operations to develop standards that exceed the Minimum Internal Control Standards, because each operation is unique and therefore a robust set of controls is warranted.

If you have questions or comments about this guide, please contact the NIGC Compliance Division at training@nigc.gov. For more information, visit the NIGC website at http://www.nigc.gov.

§ 543.20 (a-b)

543.20(a)(1)
Language: Supervision. (1) Controls must identify the supervisory agent in the department or area responsible for ensuring that the department or area is operating in accordance with established policies and procedures.
Intent: To ensure that the TICS identify who is the supervisory agent in the department and is responsible for ensuring the IT Department is operating in accordance with established policies and procedures.
Testing:
1. Review TICS to identify controls with respect to the supervision of the IT Department.
2. Identify any additional controls required by the TGRA with regard to supervision.
3. Review SICS to ensure that operations have identified and implemented controls with regard to the TGRA requirements in their TICS.

543.20(a)(2)
Language: The supervisory agent must be independent of the operation of Class II games.
Intent: To ensure proper segregation of duties, so that IT supervision is independent of all Class II games. Best practice suggests that the IT department should be independent of all casino departments and should report directly to the General Manager.
Testing:
1. Review the Information Technology organizational chart.
2. Inquire with IT supervision to determine who they report to.

543.20(a)(3)
Language: Controls must ensure that duties are adequately segregated and monitored to detect procedural errors and to prevent the concealment of fraud.
Intent: To ensure that IT personnel are not assigned conflicting roles, i.e., financial, accounting and gaming responsibilities that cannot be effectively monitored for the detection of fraud or the concealment of procedural errors.
Testing:
1. Review Human Resources job descriptions in IT personnel files in addition to IT user groups and accounts.
2. Flag instances of computerized IT access to financial, accounting or gaming roles.

543.20(a)(4)(i-iii)
Language: Information technology agents having access to Class II gaming systems may not have signatory authority over financial instruments and payout forms and must be independent of and restricted from access to:
(i) Financial instruments;
(ii) Accounting, audit, and ledger entries; and
(iii) Payout forms.
Intent: IT personnel who possess access to Class II gaming shall not have access to or signatory authority over financial instruments, accounting, audit, ledger entries and payout forms.
Testing:
1. Review system user access accounts of IT personnel for financial, accounting, ledger and payout form access.
2. Review physical payout forms for winners.
3. Review SICS to verify that IT personnel are not authorized to sign.

543.20(b)
Language: As used in this section only, a system is any computerized system that is integral to the gaming environment. This includes, but is not limited to, the server and peripherals for Class II gaming system, accounting, surveillance, essential phone system, and door access and warning systems.
Intent: Computerized 'systems' are defined as computerized systems integral to the operation of the gaming environment. Systems include electronic / electrical networked-system environments.
Testing: Review gaming operations architectural plans and computerized network system design layout and applications system inventory.

§ 543.20 (c)

543.20(c)
Language: Class II gaming systems' logical and physical controls. Controls must be established and procedures implemented to ensure adequate:
Intent: To ensure that operational SICS have identified and implemented controls with regard to the TGRA requirements in their TICS.
Testing: Review IT TICS, SICS and Policies and Procedures.

543.20(c)(1)
Language: Control of physical and logical access to the information technology environment, including accounting, voucher, cashless and player tracking systems, among others used in conjunction with Class II gaming;
Intent: To ensure both physical and logical access to critical computerized environments, networks and application systems are restricted to authorized users.
Testing: Review IT TICS, SICS and Policies and Procedures for verification of controls in place for the control of both physical and logical access to the information technology environment used in conjunction with Class II gaming, by reviewing the user access list against the current HR list.

543.20(c)(2)
Language: Physical and logical protection of storage media and its contents, including recovery procedures;
Intent: To ensure that stored and archived financial, accounting and gaming data can be readily restored to the gaming operation's 'live' environment during or after a critical system failure.
Testing:
1. Review IT TICS, SICS and Policies and Procedures for data recovery controls and processes.
2. Review data backup and recovery scheduling, testing and physical assessment of the data storage facility.

543.20(c)(3)
Language: Access credential control methods;
Intent: To ensure that only properly vetted and authorized personnel have access to the gaming operation's secured logical and physical environments.
Testing: Review IT TICS, SICS and Policies and Procedures for effective logical and physical access control methods, and review the user access list against the current HR list.

543.20(c)(4)
Language: Record keeping and audit processes; and
Intent: To ensure that administrative bookkeeping and accurate and timely documentation supporting audit processes is maintained.
Testing: Review SICS and audit results with findings from previous internal and external audits, and also any records kept by the IT operation.

543.20(c)(5)
Language: Departmental independence, including, but not limited to, means to restrict agents that have access to information technology from having access to financial instruments.
Intent: To ensure that technical departments and technical personnel are restricted from access to financial instruments.
Testing: Review SICS and organizational chart structure. Perform a review of financial logical access permissions and authorizations of technical personnel. Flag access accounts authorizing IT personnel to financial instruments.

§ 543.20 (d-e)

543.20(d)
Language: Physical security. (1) The information technology environment and infrastructure must be maintained in a secured physical location such that access is restricted to authorized agents only.
Intent: To ensure that the information technology environment and supporting environments are maintained in a secured physical location that is accessible only to authorized personnel.
Testing: Conduct a physical walkthrough inspection noting the access / denial methods used to restrict physical access to critical locations, i.e., HID card, hard key, biometrics, PIN code, password, etc.

543.20(d)(2)
Language: Access devices to the systems' secured physical location, such as keys, cards, or fobs, must be controlled by an independent agent.
Intent: To ensure that those who are recipients of the security access tools are not the same as those who authorize, manage and assign the security access tools.
Testing:
1. Verify roles, responsibilities and organizational positions of the personnel responsible for physical access management.
2. Note any potential independence conflicts and the effectiveness of managerial oversight.

543.20(d)(3)
Language: Access to the systems' secured physical location must be restricted to agents in accordance with established policies and procedures, which must include maintaining and updating a record of agents granted access privileges.
Intent: To ensure only authorized agents gain access to secured physical locations, in accordance with established Policies and Procedures, to include maintaining and updating a ledger or listing of those agents granted access privileges.
Testing: Review SICS, TICS, Policies and Procedures; also spot check any access logs and review management's approved Authorized User Access Listing(s).

543.20(d)(4)
Language: Network Communication Equipment must be physically secured from unauthorized access.
Intent: To ensure the network infrastructure and equipment, organizational intranet and all incoming and outgoing network communications are secured from unauthorized access.
Testing:
1. Verify the software application affected has the proper physical security measures in place that can be tested over the Network Communication Equipment environment.
2. Obtain network communications diagrams to include flow of internal and external data flows, hardware topology and system application flows.
3. Perform a physical walkthrough of network communications architecture and facilities to include surveillance and security measures.

543.20(e)(1)(i-iii)
Language: Logical security. (1) Controls must be established and procedures implemented to protect all systems and to ensure that access to the following is restricted and secured:
(i) Systems' software and application programs;
(ii) Data associated with Class II gaming; and
(iii) Communications facilities, systems, and information transmissions associated with Class II gaming systems.
Intent: To ensure that all organizational software systems and data and communication systems are restricted from unauthorized access.
Testing: Verify the effectiveness of security and operational controls supporting the physical and logical segregation of the organizational intranet and external internet. This can be accomplished by reviewing diagrams and technical documents along with any logs.

543.20(e)(2)
Language: Unused services and non-essential ports must be disabled whenever possible.
Intent: To ensure the deactivation or isolation of unused services and non-essential communication and computer ports. Non-essential ports are to be disabled whenever possible.
Testing: Review IT Policies and Procedures and perform a walkthrough of open ports in vacated offices, cubicles, conference rooms, etc.
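The physical walkthrough of open ports in 543.20(e)(2) has a logical counterpart: compare the services actually listening on a host inside the gaming network against the documented list of essential services, and treat everything else as a candidate for disabling or for a written exception. The Python below is an added example and is not part of the NIGC toolkit; the `ss -tlnp` output, the approved baseline and the host are constructed, and keeping the baseline as (port, process name) pairs is an assumption of the example rather than anything 543.20 prescribes.

```python
"""Listening-service check for 543.20(e)(2) (added example, not NIGC toolkit code).

Parses `ss -tlnp`-style output and reports listeners that are not in the
approved baseline of essential services. All input below is constructed.
"""
import re

# Constructed output in the format of `ss -tlnp` on a Linux host
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1044,fd=6))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=1301,fd=4))
LISTEN  0       511     *:8080               *:*                users:(("java",pid=2210,fd=9))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Constructed baseline: (port, process) pairs documented as essential for this host
APPROVED_BASELINE = {(22, "sshd"), (5432, "postgres")}

# Loopback addresses: a listener bound only here is not reachable from the network
LOOPBACK = {"127.0.0.1", "[::1]"}

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_text):
    """Return one dict per LISTEN row: addr, port, process, pid, exposed."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition handles "0.0.0.0:22", "[::]:22" and "*:8080" alike
        addr, _, port = fields[3].rpartition(":")
        match = _PROC_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": match.group(1) if match else None,
            "pid": int(match.group(2)) if match else None,
            "exposed": addr not in LOOPBACK,
        })
    return listeners


def unapproved_listeners(ss_text, baseline):
    """Listeners whose (port, process) pair is not in the baseline.

    These are the services the auditor asks the operation to disable or to
    document as an approved exception.
    """
    return [entry for entry in parse_listeners(ss_text)
            if (entry["port"], entry["process"]) not in baseline]


if __name__ == "__main__":
    for entry in unapproved_listeners(SS_OUTPUT, APPROVED_BASELINE):
        scope = "network-reachable" if entry["exposed"] else "loopback only"
        print(f"port {entry['port']:<5} {entry['process']:<12} pid {entry['pid']}  {scope}")
```

On the constructed data the check reports the telnet daemon on port 23 and the Java listener on 8080, both network-reachable; the two sshd rows collapse onto the single approved (22, "sshd") pair, which is why the baseline is keyed by port and process rather than by bind address.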

§ 543.20 (e-f)

543.20(e)(3)
Language: Procedures must be implemented to ensure that all activity performed on systems is restricted and secured from unauthorized access, and logged.
Intent: To ensure that procedures are in place so that all activity performed on the computerized system is recorded and / or logged.
Testing: Review SICS and IT Policies and Procedures. Review change management documentation, i.e., work requests, job orders, work orders, and review access logs.

543.20(e)(4)
Language: Communications to and from systems via Network Communication Equipment must be logically secured from unauthorized access.
Intent: To ensure that electronic communications, to include wireless, copper wire, satellite or cellular, are logically secured from unauthorized access.
Testing:
1. Review TICS and SICS and Policies and Procedures.
2. Verify that network security measures are in place to include any necessary routers, firewalls, switches and encryption.
3. Verify that software upgrades to communications equipment are current.

543.20(f)
Language: User controls. (1) Systems, including application software, must be secured with passwords or other means for authorizing access.
Intent: To ensure that only authorized system account holders have access to computerized systems, including application software.
Testing:
1. Verify that all critical accounting, financial and gaming systems are secured with passwords or other means to limit logical system access.
2. Review user access listings.

543.20(f)(2)
Language: Management personnel or agents independent of the department being controlled must assign and control access to system functions.
Intent: To ensure that access to system functions is assigned and controlled by management personnel or agents independent of the department being controlled.
Testing: Review SICS and IT Policies and Procedures. Review change management documentation, i.e., work requests, job orders, work orders, and review access logs.

543.20(f)(3)(i-iii)(A-C)
Language: Access credentials such as passwords, PINs, or cards must be controlled as follows:
(i) Each user must have his or her own individual access credential;
(ii) Access credentials must be changed at an established interval approved by the TGRA; and
(iii) Access credential records must be maintained either manually or by systems that automatically record access changes and force access credential changes, including the following information for each user:
(A) User's name;
(B) Date the user was given access and/or password change; and
(C) Description of the access rights assigned to user.
Intent: To ensure that all authorized access holders meet minimum credential requirements to retain their access permissions.
Testing:
1. Review TICS, SICS and group user account holders.
2. Review administrator account parameter settings for group and individual user access settings.

§ 543.20 (f-g)

543.20(f)(4)
Language: Lost or compromised access credentials must be deactivated, secured or destroyed within an established time period approved by the TGRA.
Intent: To ensure that lost or stolen user access credentials are deactivated in the minimum time period stated by the TGRA.
Testing: Review TICS, SICS, Policies and Procedures and Employee Manuals for employee and IT Management action when compromised credentials are reported.

543.20(f)(5)
Language: Access credentials of terminated users must be deactivated within an established time period approved by the TGRA.
Intent: To ensure that access credentials of terminated users are deactivated in the minimum time period stated by the TGRA.
Testing:
1. Review TICS, SICS, Policies and Procedures and Employee Manuals for employee, IT Management and Human Resources action when compromised credentials are reported.
2. Review user access lists for former employees.

543.20(f)(6)
Language: Only authorized agents may have access to inactive or closed accounts of other users, such as player tracking accounts and terminated user accounts.
Intent: To ensure that terminated, transferred or resigned personnel accounts are only accessible by, or approved by, TGRA authorized agents.
Testing:
1. Review TICS, SICS and IT Policies and Procedures regarding User Network Security and Access activity.
2. Verify appropriate access by comparing access logs/permissions to TICS/SICS/Policies & Procedures.
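Several of the testing steps above are worked from the same two exports, an HR roster and a system access listing: 543.20(c)(1) and (c)(3) compare the user access list against the current HR list; (a)(3), (a)(4) and (c)(5) flag IT accounts that also hold financial, accounting or payout access; (f)(3)(ii) asks whether credentials are changed within the approved interval; and (f)(5) asks whether terminated users were deactivated in time. The Python below is an added example and is not part of the NIGC toolkit. The roster, access listing and role names are constructed, and the 3-day deactivation period and 90-day credential interval are assumptions standing in for whatever periods the TGRA has actually approved.

```python
"""User access review for 25 CFR 543.20 testing steps (added example, not NIGC toolkit code).

Reconciles a system access listing against an HR roster and flags:
  - accounts with no HR record                      543.20(c)(1), (c)(3)
  - terminated users not deactivated in time        543.20(f)(5)
  - IT access combined with financial access        543.20(a)(3), (a)(4), (c)(5)
  - credentials older than the approved interval    543.20(f)(3)(ii)
All data below is constructed.
"""
from datetime import date, timedelta

# Role names are an assumption of this example; the toolkit names the categories
# (financial instruments, accounting/audit/ledger entries, payout forms), not roles.
IT_ROLES = {"sysadmin", "dba", "network_admin"}
FINANCIAL_ROLES = {"ledger_post", "payout_approver", "accounting_write"}

# Constructed HR roster, keyed by employee id
HR_ROSTER = {
    "E100": {"name": "A. Admin", "dept": "IT", "terminated": None},
    "E101": {"name": "B. Cashier", "dept": "Cage", "terminated": None},
    "E102": {"name": "C. Former", "dept": "IT", "terminated": date(2024, 3, 1)},
    "E103": {"name": "D. Gone", "dept": "Accounting", "terminated": date(2024, 1, 10)},
}

# Constructed system access listing (an administrator's account export)
ACCESS_LIST = [
    {"user": "E100", "roles": {"sysadmin", "ledger_post"}, "enabled": True,
     "disabled_on": None, "credential_changed": date(2024, 5, 1)},
    {"user": "E101", "roles": {"payout_approver"}, "enabled": True,
     "disabled_on": None, "credential_changed": date(2023, 11, 15)},
    {"user": "E102", "roles": {"sysadmin"}, "enabled": True,
     "disabled_on": None, "credential_changed": date(2024, 2, 1)},
    {"user": "E103", "roles": {"accounting_write"}, "enabled": False,
     "disabled_on": date(2024, 1, 20), "credential_changed": date(2023, 12, 1)},
    {"user": "E999", "roles": {"ledger_post"}, "enabled": True,
     "disabled_on": None, "credential_changed": date(2024, 6, 1)},
]

# Constructed review parameters; the periods stand in for those the TGRA approves
AS_OF = date(2024, 7, 1)
DEACTIVATION_DAYS = 3            # 543.20(f)(5)
CREDENTIAL_INTERVAL_DAYS = 90    # 543.20(f)(3)(ii)


def review_access(hr, access_list, as_of, deactivation_days, credential_interval_days):
    """Return a sorted list of (citation, user, finding) tuples."""
    findings = []
    deadline = timedelta(days=deactivation_days)
    interval = timedelta(days=credential_interval_days)
    for acct in access_list:
        user = acct["user"]
        person = hr.get(user)
        if person is None:
            findings.append(("543.20(c)(3)", user, "account has no HR record"))
            continue
        terminated = person["terminated"]
        if terminated is not None:
            if acct["enabled"]:
                findings.append(("543.20(f)(5)", user, "terminated user still enabled"))
            elif acct["disabled_on"] is not None and acct["disabled_on"] - terminated > deadline:
                late = (acct["disabled_on"] - terminated).days
                findings.append(("543.20(f)(5)", user, f"deactivated {late} days after termination"))
            continue
        if not acct["enabled"]:
            continue  # remaining checks apply to live accounts of current staff
        roles = acct["roles"]
        if roles & IT_ROLES and roles & FINANCIAL_ROLES:
            conflict = ", ".join(sorted(roles & FINANCIAL_ROLES))
            findings.append(("543.20(a)(4)", user, f"IT role combined with financial role(s): {conflict}"))
        age = as_of - acct["credential_changed"]
        if age > interval:
            findings.append(("543.20(f)(3)(ii)", user, f"credential last changed {age.days} days ago"))
    return sorted(findings)


def run_review():
    """Run the review over the constructed data above."""
    return review_access(HR_ROSTER, ACCESS_LIST, AS_OF, DEACTIVATION_DAYS, CREDENTIAL_INTERVAL_DAYS)


if __name__ == "__main__":
    for citation, user, finding in run_review():
        print(f"{citation:<18} {user:<6} {finding}")
```

Each finding carries the citation it supports so the output can be dropped straight into the work papers for that standard. An account is matched to HR by employee id rather than by display name, since names are what drift between systems; where an operation's exports key on something else, that join is the first thing to adapt.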

543.20(g)
Language: Installations and/or modifications. (1) Only TGRA authorized or approved systems and modifications may be installed.
Intent: To ensure that organizational personnel first seek the approval of the TGRA and IT Management prior to the introduction of outside software or modifications to the network or computerized systems.
Testing: Review TICS, SICS and IT Policies and Procedures. Review a sampling of previous change management request forms for proper approvals and signatures.

543.20(g)(2)(i-iv)
Language: Records must be kept of all new installations and/or modifications to Class II gaming systems. These records must include, at a minimum:
(i) The date of the installation or modification;
(ii) The nature of the installation or change, such as new software, server repair, significant configuration modifications;
(iii) Evidence of verification that the installation or the modifications are approved; and
(iv) The identity of the agent(s) performing the installation/modification.
Intent: To ensure that evidential and supporting documentation is retained for all new installations and modifications to Class II gaming systems.
Testing:
1. Review TICS, SICS and IT Policies and Procedures regarding change management and asset management.
2. Review a sampling of the records retained of installations and / or modifications.

§ 543.20 (g-i)

543.20(g)(3)
Language: Documentation must be maintained, such as manuals and user guides, describing the systems in use and the operation, including hardware.
Intent: To ensure that documentation accompanying new or used hardware is retained, describing the system in use and its proper operation, to include hardware systems.
Testing:
1. Review a sampling of supporting system user manuals, specification sheets, build sheets, etc., and perform a walkthrough of the secured location(s) where they are maintained.
2. Documentation may be stored or archived in an approved documentation storage file onsite, or on the vendor / manufacturer's website.

543.20(h)(1)(i-vii)
Language: Remote access. (1) Agents may be granted remote access for system support, provided that each access session is documented and maintained at the place of authorization. The documentation must include:
(i) Name of agent authorizing the access;
(ii) Name of agent accessing the system;
(iii) Verification of the agent's authorization;
(iv) Reason for remote access;
(v) Description of work to be performed;
(vi) Date and time of start of end-user remote access session; and
(vii) Date and time of conclusion of end-user remote access session.
Intent: To ensure remote access connections are secure, approved and accurately recorded / logged.
Testing: Review SICS, TICS and IT Policies and Procedures and a sampling of remote access session logs. Remote access logs at a minimum must provide bullet points (i) through (vii).

543.20(h)(2)
Language: All remote access must be performed via a secured method.
Intent: To ensure that all remote access is performed via a secured method.
Testing: Review TICS, SICS, Policies and Procedures for the secured method(s) by which remote access is performed.

543.20(i)(1)
Language: Incident monitoring and reporting. (1) Procedures must be implemented for responding to, monitoring, investigating, resolving, documenting, and reporting security incidents associated with information technology systems.
Intent: To ensure expedient and appropriate response to computerized incidents, faults, errors or cyber attacks.
Testing:
1. Review TICS, SICS, IT Policies and Procedures and review a sampling of Incident Responses and the courses of action taken.
2. Review relevant work orders, job orders or work requests completed to address the incident(s).

543.20(i)(2)
Language: All security incidents must be responded to within an established time period approved by the TGRA and formally documented.
Intent: To ensure all security incidents are responded to and addressed within a practical time period to mitigate the associated incident risk.
Testing: Review TICS, SICS, or P&P for the established time period within which security incidents must be responded to; incidents should be responded to as soon as possible from the moment of notification.

§ 543.20 (j-l)

543.20(j)(1)(i-v)
Language: Data backups. (1) Controls must include adequate backup, including, but not limited to, the following:
(i) Daily data backup of critical information technology systems;
(ii) Data backup of critical programs or the ability to reinstall the exact programs as needed;
(iii) Secured storage of all backup data files and programs, or other adequate protection;
(iv) Mirrored or redundant data source; and
(v) Redundant and/or backup hardware.
Intent: To ensure that adequate data and software backup controls are in place to support expedient organizational data restoration.
Testing:
1. Review TICS, SICS and data backup scheduling processes for all application systems hosted by the gaming operation.
2. Verify the secured storage of all backup data files and backup media.

543.20(j)(2)(i-iii)
Language: Controls must include recovery procedures, including, but not limited to, the following:
(i) Data backup restoration;
(ii) Program restoration; and
(iii) Redundant or backup hardware restoration.
Intent: To ensure that organizational controls include data, program, hardware and network restoration and recovery procedures.
Testing:
1. Review SICS, TICS and Information Technology Policies and Procedures regarding management of system recovery processes.
2. Review recovery and restoration documentation to include data, programs and redundant hardware.

543.20(j)(3)
Language: Recovery procedures must be tested on a sample basis at specified intervals at least annually. Results must be documented.
Intent: To ensure that organizational recovery procedures are tested annually by Information Technology personnel and IT Management.
Testing:
1. Review TICS, SICS and IT Policies and Procedures for routine recovery procedures.
2. Review annual recovery testing documentation for the performance and results of the recovery test.

543.20(j)(4)
Language: Backup data files and recovery components must be managed with at least the same level of security and access controls as the system for which they are designed to support.
Intent: To ensure that backup data files and recovery components are managed to at least the same stringent level of security as the systems they support.
Testing: Perform a walkthrough of the backup data files' physical location for security access restrictions, surveillance monitoring, fire suppression systems and HVAC equipment function.

543.20(k)
Language: Software downloads. Downloads, either automatic or manual, must be performed in accordance with 25 CFR 547.12.
Intent: To ensure that software downloaded to the gaming operation from outside sources, either automatic or manual, is in strict compliance with 25 CFR 547.12.
Testing:
1. Review TICS, SICS and Policies and Procedures. Verify that software downloads are delivered through secure methods.
2. Review Class II system records to verify that the Class II system has recorded (a) the date and time of the initiation and (b) completion of any download, (c) the components that received it, (d) the version of the download package and any software downloaded, (e) the status of the download attempt (i.e., success or failure), and (f) the unique identifier of the individual conducting or scheduling the download.

543.20(l)
Language: Verifying downloads. Following download of any Class II gaming system software, the Class II gaming system must verify the downloaded software using a software signature verification method. Using any method it deems appropriate, the TGRA must confirm the verification.
Intent: To ensure that following the download of Class II gaming system software, the gaming system verifies the download with a software signature verification method approved by the TGRA.
Testing:
1. Review TICS, SICS and Policies and Procedures and verify that software downloads meet requirements.
2. Review records to confirm TGRA verification of software.
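543.20(l) requires the gaming system to verify downloaded software with a signature verification method but leaves the choice of method to the TGRA, and 543.20(k) testing step 2 lists the fields the download record must carry. The Python below is an added example and is not part of the NIGC toolkit or of any Class II system. It uses a SHA-256 digest manifest in the format of `sha256sum` as a stand-in for the TGRA-approved verification method, and it shows how the verification result feeds the (e) status field of the download record; the package files, digests, component and operator values are all constructed.

```python
"""Download verification and download record (added example, not NIGC toolkit code).

A SHA-256 manifest stands in for the TGRA-approved signature verification
method of 543.20(l); the record fields follow 543.20(k) testing step 2.
All files, digests and identifiers below are constructed.
"""
import hashlib
from datetime import datetime, timezone

# Constructed download: file name -> bytes as received by the Class II system
DOWNLOADED_FILES = {
    "game_server-2.4.1.bin": b"constructed game server image 2.4.1",
    "paytable-2.4.1.dat": b"constructed paytable data",
}


def sha256_hex(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in `sha256sum` format ("<digest>  <name>"). The paytable
# line is computed over different bytes on purpose so a mismatch is exercised.
MANIFEST = (
    f"{sha256_hex(DOWNLOADED_FILES['game_server-2.4.1.bin'])}  game_server-2.4.1.bin\n"
    f"{sha256_hex(b'constructed paytable data, tampered')}  paytable-2.4.1.dat\n"
)


def parse_manifest(text):
    """Return {file name: expected hex digest} from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.strip().lower()
    return expected


def verify_download(files, manifest_text):
    """Return (all_ok, {name: "ok" | "digest mismatch" | "not in manifest" | "missing"}).

    Every received file must be listed and match, and every listed file must
    have been received; anything else fails the download as a whole.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "not in manifest"
        elif sha256_hex(data) == expected[name]:
            results[name] = "ok"
        else:
            results[name] = "digest mismatch"
    for name in expected:
        if name not in files:
            results[name] = "missing"
    return all(status == "ok" for status in results.values()), results


def download_record(component, version, operator_id, initiated, completed, verified):
    """Record holding the fields of 543.20(k) testing step 2: (a) initiation and
    (b) completion time, (c) component, (d) version, (e) status, (f) operator."""
    return {
        "initiated_at": initiated.isoformat(),
        "completed_at": completed.isoformat(),
        "component": component,
        "version": version,
        "status": "success" if verified else "failure",
        "operator_id": operator_id,
    }


if __name__ == "__main__":
    started = datetime(2024, 7, 1, 2, 0, tzinfo=timezone.utc)   # constructed
    ok, per_file = verify_download(DOWNLOADED_FILES, MANIFEST)
    finished = datetime(2024, 7, 1, 2, 4, tzinfo=timezone.utc)  # constructed
    record = download_record("EGM-bank-A", "2.4.1", "OP-0042", started, finished, ok)  # constructed ids
    for name, status in per_file.items():
        print(f"{name:<24} {status}")
    print(record)
```

A failed verification must still produce a record, with status "failure", since the auditor's step 2 under 543.20(k) looks for the outcome of every attempt, not only the successful ones; the mismatch in the constructed data yields exactly that.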


25 CFR 543.20 Toolkit
Version 1.0
NIGC Compliance Division
National Indian Gaming Commission
