18C-122. Independent audits.
(a) Biennially, at the beginning of the calendar year, the Commission shall engage an independent firm experienced in security procedures, including computer security and systems security, to conduct a comprehensive study and evaluation of all aspects of security in the operation of the Commission and of the Lottery. At a minimum, such a security assessment should include a review of network vulnerability, application vulnerability, application code review, wireless security, security policy and processes, security/privacy program management, technology infrastructure and security controls, security organization and governance, and operational effectiveness.
(b) The portion of the security audit report containing the overall evaluation of the Commission and of lottery games in terms of each aspect of security shall be presented to the Commission, to the Governor, and to the General Assembly.
(c) The portion of the security audit report containing specific recommendations shall be confidential, shall be presented only to the Director and to the Commission, and shall be exempt from Chapter 132 of the General Statutes. The Commission may hear the report of such an audit, discuss, and take action on any recommendations to address that audit under G.S. 143-318.11(a)(1).
(d) Biennially at the end of the fiscal year, in addition to the audits required by G.S. 18C-116 and by subsection (a) of this section, beginning in 2010, the Commission shall engage an independent auditing firm that has experience in evaluating the operation of lotteries to perform an audit of the Lottery. The results of this audit shall be presented to the Commission, to the Governor, and to the General Assembly.