Harrah’s Entertainment has every need to trust its employees, and every reason to be paranoid. Employees of the Las Vegas-based casino chain handle $10 million to $15 million in cash every day, as much as the country’s largest banks. About 12,000 of its 47,000 employees have access to the sensitive information housed in Harrah’s customer relationship management system, which keeps track of how customers have gambled and spent on previous visits to its casinos across the country.
“There’s an implicit trust that we have with our employees,” says CIO John Boushy. But there are also intense checks and balances to keep everyone honest: little ways that add up to robust security. Here’s a checklist.
From stairwells to the data center, cameras are installed practically everywhere except inside hotel rooms.
Employees must have IDs to be on the casino floor, and badges are revoked when employees leave the company.
User account monitoring
Employee accounts are usually closed within a day of their leaving the company. Every quarter, managers compare personnel files with security files, looking for discrepancies.
Daily log reviews
Every night at each property, an IT employee reviews significant changes, such as a change to a customer’s credit limit.
Checks and balances
At least three people are involved whenever it’s time to replenish the supply of chips at a gambling table. Each employee’s step gets documented.
Limited access based on location
Systems are configured so that certain kinds of information can be accessed only in certain locations. For example, someone behind the front desk couldn’t submit a request to send more chips to a table.
Strict access to data centers
To enter, an employee needs to type in a password that changes at least once a month. On the keypad, the way numbers are assigned to buttons is randomly generated so that no one can casually observe an employee punch in numbers.
Limited access to the production system
When an IT employee needs to make a change to the production system, which handles transactions on the casino floor and houses the CRM loyalty program, he needs to call the help desk for a temporary user ID. The reason for the change is logged, and the changes are monitored.
Boushy says it was important to make sure Harrah’s built such security steps into its operations from the start. “It’s just been such a major component of the way we operate our business,” he says.
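The quarterly comparison of personnel files with security files, described under user account monitoring, lends itself to automation. The sketch below is an added example, not Harrah’s code; the CSV layouts, column names and sample records are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: an HR personnel export and a security-system account export.
PERSONNEL_CSV = """employee_id,name,status,termination_date
1001,A. Rivera,active,
1002,B. Chen,terminated,2024-03-01
1003,C. Okafor,terminated,2024-03-28
1004,D. Silva,active,
"""

ACCOUNTS_CSV = """account,employee_id,enabled
arivera,1001,true
bchen,1002,true
cokafor,1003,true
dsilva,1004,false
svc_tmp,1999,true
"""

GRACE = timedelta(days=1)  # the "closed within a day" target from the checklist


def reconcile(personnel_csv, accounts_csv, today):
    """Return (account, finding) pairs where the two files disagree."""
    people = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(personnel_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        enabled = acct["enabled"].strip().lower() == "true"
        person = people.get(acct["employee_id"])
        if person is None:
            # Enabled account that maps to nobody in the personnel file.
            if enabled:
                findings.append((acct["account"], "no personnel record"))
            continue
        if person["status"] == "terminated" and enabled:
            left = date.fromisoformat(person["termination_date"])
            if today - left > GRACE:
                findings.append((acct["account"], f"enabled {(today - left).days} days after departure"))
        elif person["status"] == "active" and not enabled:
            findings.append((acct["account"], "active employee, account disabled"))
    return findings


if __name__ == "__main__":
    for account, finding in reconcile(PERSONNEL_CSV, ACCOUNTS_CSV, date(2024, 3, 29)):
        print(f"{account}: {finding}")
```

Accounts still inside the one-day grace period are not reported, so the output lists only discrepancies a manager would need to follow up.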