(a) The primary database must meet the following security requirements:
(1) All access, activities, and data entries must be date, time, user identification, and terminal identification stamped and logged.
(2) All communications between the database and any terminal, including the playing book devices, must be encrypted.
(3) The database must have anti-virus, firewall, and unauthorized software installation protection.
(4) The physical database must be surge protected and uninterrupted power supply (UPS) protected.
(5) The database must be able to identify and log the date, time, and terminal of any unauthorized access, system error, or connectivity failure and notify a licensed IT technician.
(b) The database must control system access through the following authentications and permissions:
(1) All users require a minimum of two methods of authentication at login, including but not limited to the options in paragraph (5) of subsection (c) of Section 12262. The database must only allow active authentications to access the device. After three failed attempts by a user to access the system, the database must log the failed attempts and must not permit access under that user's authentications until the login account has been reset.
(2) An IT technician requires a minimum of three methods of authentication for login to access the database, including but not limited to the options in paragraph (5) of subsection (c) of Section 12262. The database must only allow IT technicians with active authentications to access the database. If an IT technician has three failed attempts and is denied access to the database, the database must log the failed attempts, notify the TPPPS business licensee, and not permit access under that individual authentication until reset by another person with IT technician permissions.
(3) The authentication for any person losing permission to use the system must be made inactive within 24 hours of the loss of permission.
(4) The database must not allow a user to be active on more than one terminal or device at a time without specific permissions as indicated on the chart of system access for the electronic playing book system. The database must be able to identify the terminal and user accessing the system at all times.
(c) The primary database must meet the following information storage and retrieval requirements:
(1) Original data stored in the system cannot be edited, deleted, or replaced. If a change to the data is made, all original data must be preserved, with a notation or documentation of any change, and the reasons therefore.
(2) The database must have the ability to generate the following information:
(A) A system report, including, but not limited to, errors, failed login attempts, and successful logins.
(B) A list of all notations as required in paragraph (1).
(3) The database must have the capability to retrieve or display system information for system integrity and certification confirmation.
(d) A backup of the system and database must be performed daily and documentation maintained in a physically secured location in accordance with paragraph (2) of subsection (f) for five years.
(e) The database must have date and time synchronization for all playing book devices, terminals, and the database, controlled or updated by a network time protocol server.
(f) The database must meet the following location requirements:
(1) The location of the database must be in California and disclosed to the Bureau in accordance with Section 12003; and,
(2) A backup storage location must be at a site other than where the primary database is located for increased protection. A backup storage location must be in California and disclosed to the Bureau with consent to entry and administrative inspection by the Bureau.
(g) If access to the database must be made by a non-licensed party, an IT technician must monitor and be responsible for this access at all times.
Credits
Note: Authority cited: Sections 19840, 19841 and 19984, Business and Professions Code. Reference: Sections 19826, 19841 and 19984, Business and Professions Code.
2. Amendment of subsections (a)(5) and (b)(2) filed 12-12-2020; operative 1-1-2021 pursuant to Government Code section 11343.4(b) (Register 2020, No. 51). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20.
This database is current through 4/19/24 Register 2024, No. 16.
