Shielding Patron & Employee Data: Cybersecurity for Gaming Entities in Nevada
Brian Grayek, CISSP, CMMC-RP, CCSK, ITIL
The new Nevada gaming cybersecurity rule (NRS 463.0129) went into effect in January with novel and specific requirements for casino operators. As the gambling industry handles enormous amounts of sensitive patron and employee data, gaming entities are a prime target for data breaches and identity theft. So, in addition to securing and protecting their own records and operations, gaming operators must shield the personal information of their patrons and employees. The consequences for failing to do so could be substantial according to this new regulation.
Assuming that you, as a casino operator, have fulfilled the first of the new cybersecurity rule’s requirements – an initial security risk assessment conducted by an outside party – what else do you need to do? Simply understanding your organization’s risks and potential security gaps and vulnerabilities is not enough to ensure compliance.
Proof of Action Items from The Security Risk Assessment
Naturally, addressing any security risk assessment action items is good business practice, and can mean the difference between a costly data breach and conducting business as usual. The key to compliance for this part of the new Nevada gaming rule is proof of action. Not only must your gaming operation continue to monitor cybersecurity risks, but you must also develop a plan and address risks when they arise.
Any cybersecurity risk assessment should include a “treatment plan” to effectively bring your operation to an acceptable risk level in a timely manner. This should include:
· Listing all the cybersecurity risks
· Steps necessary to address each action item
· Timelines for completion
· Parties responsible for ensuring completion of each step
· Budgets necessary to mitigate these risks
Documenting your completion of these steps, or noting progress in implementing them, is how your operation can prove you have addressed the required action items.
Additional Requirements
In addition to the areas mentioned above, casino gaming operations subject to Nevada's gaming cybersecurity rule have four more requirements:
Developing Cybersecurity Best Practices
Beyond documenting that you have addressed any security risks, your compliance with the new rule includes developing cybersecurity best practices – the policies and procedures your operation will follow to secure customer and employee data. Mitigating cybersecurity risks is an ongoing task requiring time and resources to monitor, respond and adjust as needed. Written and widely distributed best practices provide a repeatable model for reducing the chances of a cyberattack and conducting future assessments.
Consider that if you don’t develop and follow these policies and procedures, you will not be able to prove your gaming operation is in compliance with the new cybersecurity rule in Nevada.
So, what exactly does the rule mean by “best practices” and how many policies and procedures are required to prove compliance?
According to the United States Cybersecurity & Infrastructure Security Agency, cybersecurity best practices start with requiring strong passwords and multi-factor authentication, keeping software up to date, and training users to question and report suspicious links. These basics form the minimum level of “cyber hygiene,” and should already be part of your operation’s cybersecurity practice. They should also be incorporated in any best practices document.
Implementing tailored cybersecurity practices is just as vital to protecting and maintaining your gaming operation. Consider these additional best practices to strengthen security:
Embracing a Security First Outlook
By adopting these (and other) policies, procedures, and additional security solutions as they arise, your Nevada gaming operation can better safeguard your employee and customer data as you align operational practices with the new gaming cybersecurity rule. A security-first mindset provides crucial confidence and better enables the gaming industry to thrive in a world of high stakes.
Our expert cybersecurity advisors have decades of trusted experience to help you and your gaming operation get cybersmart.
Looking for a quick, holistic analysis of your organization's cybersecurity risk? Ask about REDW's Security Scorecard. Our best-in-class information security platform evaluates 10 vital risk factors from an attacker's perspective and delivers a clear, concise report card with actionable details that reveal just where, and how, you can strengthen your defenses across the board.