New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 11 - ENTERPRISE ARCHITECTURE
Section 1.12.11.16 - SECURITY
Current through Register Vol. 35, No. 18, September 24, 2024
Password policy.
A. This policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
B. Passwords must be at least eight (8) alphanumeric characters long.
C. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed at least every 6 months. Password changes will be addressed immediately by the password authority when personnel changes are made to staff that have root access.
D. Passwords must not be stored on unencrypted or other insecure forms (i.e., word document, post-its, labels, etc.).
E. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed periodically. The minimum change interval is every 4 months.
F. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
G. Passwords must not be inserted into email messages or other forms of electronic communication.
H. All user-level and system-level passwords must conform to the guidelines described below.
I. A password authority shall be established by the agency CIO or IT lead to disseminate passwords, facilitate as the gatekeeper for system-level passwords, and be the point of contact for password-related security breaches. Passwords may only be obtained or requested from the password authority of the agency.