11 VAC 5-70-200 System Integrity and Security Assessment.

GLI Recommendations

1. Before beginning operations and Annually thereafter, the permit holder shall engage an independent testing laboratory or an independent professional approved by the Director to perform a system integrity and security assessment of its sports betting operations. Newly-licensed permit holders shall submit a system integrity and security assessment within six (6) months of beginning its sports betting operations.
2. The scope of the integrity and security assessment shall include, at a minimum, all of the following:
   1. A vulnerability assessment of internal, external and wireless networks with the intent of identifying vulnerabilities of all devices, internet sports betting platforms, and applications transferring, storing and/or processing personally identifiable information (PII) and/or other sensitive information connected to or present on the networks; and
   2. A penetration test of all internal, external and wireless networks to confirm if identified vulnerabilities of all devices, internet sports betting platforms, and applications are susceptible to compromise.
   3. A technical security control assessment against the provisions of the sports betting law and this chapter, and the appendices of the GLI-33 Standards for Event Wagering Systems or other generally accepted standards;
   4. An evaluation of information security services, cloud services, payment services (financial institutions, payment processors, etc.), location services, and any other services which may be offered directly by the permit holder or involve the use of third-parties; and
   5. Any other specific criteria or standards for the integrity and security assessment as prescribed by the Director

GLI recommends updating the section based on what has been seen for other markets. This will also allow for new operators to commence operations without having to wait for their first assessment to be completed.