New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.16 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS (REMOTE ACCESS CONTROL)

Universal Citation: 1 NM Admin Code 1.12.20.16

Current through Register Vol. 35, No. 18, September 24, 2024

A. To maintain information security, the agency must require, through published policies and procedures consistent with these rules, that individual accountability shall be maintained at all times, including during remote access.

B. Connection to the agency's networks shall be provided in a secure manner to preserve the integrity of the network, to preserve the data transmitted over that network, and to maintain the availability of the network. Security mechanisms shall be in place to control remote access to agency systems and networks from fixed or mobile locations.

C. Approval for any such remote connection shall first be obtained from the agency management and the agency CIO or ISO. Prior to approval being granted, the CIO shall review the request to determine what needs to be accessed and what method of access is desired and document the risks involved and technical controls required for such connection to take place.

D. Because of the level of risk inherent with remote access, the agency shall require use of a stronger password or another comparable method of protection prior to allowing connection to any agency network. Users shall be informed that all sessions performed remotely are subject to periodic and random monitoring by the agency.

E. When accessing an agency network remotely, identification and authentication of the user shall be performed by the remote access system (VPN) in such a manner as to not disclose the password or other authentication information that could be intercepted and used by a third party.

F. All remote connections to an agency computer shall be made through managed central points-of-entry or a "common access point." Using this type of entry system to access an agency computer provides simplified and cost-effective security, maintenance, and support.

G. Vendors that may be provided access to agency computers or software will be required to have individual accountability. For any agency system (hardware or software) for which there is a default user ID or password that came with the system for use in set up or periodic maintenance of the system, that account shall be disabled until the user ID is needed and requested. Any activity performed while a vendor user ID is in use shall be logged on the remote access system by an external logger. Since such maintenance accounts are not regularly used, the vendor user ID shall be disabled, the password changed, and other controls shall be implemented by the agency to prevent or monitor unauthorized use of these privileged accounts during periods of inactivity.

H. In special cases wherein servers, storage devices, or other computer equipment has the capability to automatically connect to a vendor in order to report problems or suspected problems, the agency ISO shall review any such connection and process to report certain events back to the system's manufacturer for performance "tuning" to ensure that such connectivity does not compromise the agency or other third-party connections.

I. Agency personnel will only be allowed to work from a remote location upon authorization by the CIO and agency management. Once approved, appropriate arrangements shall be made pursuant to agency written policy and procedures, consistent with this rule, to ensure the work environment at the remote location provides adequate security for transmission of agency data and protection of computing resources. The agency shall identify to the user the appropriate protection mechanisms necessary to protect against theft of agency equipment, unauthorized disclosure of agency information, misuse of agency equipment, and unauthorized access to the agency internal network or facilities by anyone besides the specifically identified and approved user, including family and friends. To ensure the proper security controls are in place and all state security standards are followed, the agency will approve remote access after consideration and documentation of its review of the following:

(1) the physical security of the remote location, including the use of any portable devices at any location other than an employee's approved work station;

(2) the method of transmitting information given the sensitivity of the agency's internal system; and

(3) clearly defined business continuity procedures, including the capability of backing up critical information.

J. The following access system controls shall be implemented. The agency ISO or CIO shall monitor and audit their use:

(1) a definition of the type of information accessed (such as sensitive or confidential information under HIPAA) and the systems and services that the remote user is authorized to access;

(2) procedures and end user system requirements for secure remote access, such as authentication tokens or passwords, shall be documented by the agency including provisions for revocation of authorization and return of equipment to the agency;

(3) access system support and usage procedures provided to the users;

(4) implementation of suitable network boundary controls to prevent unauthorized information exchange between agency networks connected to remote computers and externally connected networks, such as the internet; such measures shall include firewalls and intrusion detection techniques at the remote location; and

(5) physical security of the equipment used for remote access (e.g., a cable locking device or a locking computer cabinet/secure storage area).
