New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.10 - NETWORK MANAGEMENT
Current through Register Vol. 35, No. 18, September 24, 2024
All agencies shall implement a range of network controls to maintain security in their trusted, internal networks, and to ensure the protection of connected services and networks. Such controls help prevent unauthorized access and use of the agencies' private networks. The following controls, at minimum, shall be implemented:
A. individuals with operational responsibility for networks shall be separate from those with computer operations responsibility; responsibilities and procedures for remote access shall be established;
B. controls, such as data encryption, shall be implemented to safeguard data integrity and the confidentiality of data passing over public networks (internet);
C. all client-based VPN connections shall have split tunneling disabled; VPN connections to the agency are only permitted from agency-managed VPN devices;
D. agencies' networks shall implement private address routing to public addresses when sending over the internet to minimize the exposure of public routable addresses;
E. firewall policies shall be configured to accept only inbound and outbound data traffic which is required based on business needs; all other data traffic should be denied;
F. firewall policies shall take into account the source and destination of the traffic in addition to the content;
G. data traffic with invalid or private addresses shall be default blocked from delivery;
H. proposed modifications to network and security equipment must be requested and approved for implementation through the agency change management procedure;
I. to prevent unauthorized modifications of the firewall configuration, the firewall administrator must review the firewall configuration quarterly;
J. any form of cross-connection, which bypasses the firewall, is strictly prohibited;
K. remote firewall administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access;
L. details of firewall and security device types, software versions, and configuration data will not be disclosed without the permission of the agency CIO;
M. agencies shall define security zones and create logical entities and rules for what comprises permissible data and network traffic between different agency business units; and
N. agencies shall perform network segmentation to control the flow of data between hosts on different segments of the network to provide enhanced security, network performance, and connectivity.
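Controls E, F, G and I above describe a concrete policy shape: explicit allow rules matched on source, destination and protocol, a default deny for everything else, bogon/private-source blocking ahead of the rule set, and a periodic review for rules that have grown too broad. The following is an added illustration, not part of the NMAC text or any agency's configuration; the Rule format, the sample rule set and every address in it are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the NMAC text): a minimal policy evaluator that
# encodes controls E, F and G, plus a review helper for control I. The Rule
# format, the sample rules and all addresses are constructed for illustration.

# Private or otherwise invalid source ranges never valid from the internet (G).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR (control F)
    dst: str               # destination CIDR (control F)
    proto: str             # "tcp" or "udp"
    port: Optional[int]    # None = any port

RULES = [  # constructed: only business-required traffic is listed (control E)
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),     # public web app
    Rule("allow", "198.51.100.0/24", "203.0.113.0/24", "tcp", 22),  # partner admin
]

def evaluate(src_ip, dst_ip, proto, port, rules=RULES):
    """Decide one inbound flow on the internet-facing interface.
    Returns (decision, reason)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in net for net in INVALID_SOURCES):      # control G, before rules
        return "deny", "invalid or private source address (control G)"
    for r in rules:                                      # first match wins
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and proto == r.proto and (r.port is None or r.port == port)):
            return r.action, f"matched {r}"
    return "deny", "no matching rule: default deny (control E)"

def review(rules=RULES):
    """Quarterly review (control I): flag allow rules broader than a stated need."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0":
            findings.append(f"any-to-any allow: {r}")
        elif r.port is None:
            findings.append(f"allow on all ports: {r}")
    return findings
```

A real firewall applies the same ordering: anti-spoofing filters on the external interface first, then the explicit rule base, then the implicit deny, with the review step run against the exported configuration rather than a hand-written list.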