Administrative Code

Virginia Administrative Code
Title 11. Gaming
Agency 5. Virginia Lottery Board
Chapter 70. Sports Betting

11VAC5-70-200. System integrity and security assessment.

A. Within 90 days after beginning operations and annually thereafter, a permit holder shall engage an independent testing laboratory or an independent firm approved by the director to perform a system integrity and security assessment of its sports betting operations.

B. The scope of the integrity and security assessment shall include, at a minimum, all of the following:

1. A vulnerability assessment of internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, internet sports betting platforms, and applications transferring, storing, or processing personally identifiable information (PII) or other sensitive information connected to or present on the networks;

2. A penetration test of all internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, internet sports betting platforms, and applications are susceptible to compromise;

3. A technical security control assessment against the provisions of the sports betting law and this chapter consistent with generally accepted professional standards and as approved by the director;

4. An evaluation of information security services, cloud services, payment services (financial institutions, payment processors, etc.), location services, and any other services that may be offered directly by the permit holder or involve the use of third parties; and

5. Any other specific criteria or standards for the integrity and security assessment required by the director.

C. The independent testing laboratory or independent firm shall issue a report on its assessment and submit it to the director. The report shall include, at a minimum:

1. The scope of review;

2. Name and company affiliation of any individual who conducted the assessment;

3. Date of assessment;

4. Findings;

5. Recommended corrective action, if any; and

6. Permit holder's response to the findings and recommended corrective action.

Statutory Authority

§§ 58.1-4007, 58.1-4015.1, and 58.1-4030 through 58.1-4047 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 37, Issue 4, eff. October 12, 2020.
