New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.13 - OPERATING SYSTEM ACCESS CONTROL
Current through Register Vol. 35, No. 18, September 24, 2024
A. Access to agency operating system code, commands and services shall be restricted to individuals with specialized skills such as systems programmers, database administrators, network, and security administrators who require access to perform their daily job responsibilities.
B. To allow administrator activities to be tracked to the individual responsible for the work or changes to the system, such as system programmers, database administrators, network administrators and security administrators, a second user ID shall be provided for use when the particular individual performs necessary business transactions unrelated to his or her regular job functions (operating system, database, network and security functions), such as accessing an employee's electronic records.
C. Under some agency specific circumstances, where there is a clear business requirement or system limitation, the use of a shared user ID/password for a group of users or a specific job can be used by obtaining written approval by the agency ISO and agency CIO. In such situations, additional controls shall be implemented by the agency to ensure accountability of the device operating system is maintained.
D. Where technically feasible, default administrator accounts shall be renamed, removed, or disabled. The default passwords for these accounts shall be changed if the account is retained, even if the account is renamed or disabled.