New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.16 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS (REMOTE ACCESS CONTROL)
Current through Register Vol. 35, No. 18, September 24, 2024
A. To maintain information security, the agency must require through published policies and procedures consistent with these rules, that individual accountability shall be maintained at all times, including during remote access.
B. Connection to the agency's networks shall be provided in a secure manner to preserve the integrity of the network, to preserve the data transmitted over that network, and to maintain the availability of the network. Security mechanisms shall be in place to control remote access to agency systems and networks from fixed or mobile locations.
C. Approval for any such remote connection shall first be obtained from the agency management and the agency CIO or ISO. Prior to approval being granted, the CIO shall review the request to determine what needs to be accessed and what method of access is desired and document the risks involved and technical controls required for such connection to take place.
D. Because of the level of risk inherent with remote access, the agency shall require use of a stronger password or another comparable method of protection prior to allowing connection to any agency network. Users shall be informed that all sessions performed remotely are subject to periodic and random monitoring by the agency.
E. When accessing an agency network remotely, identification and authentication of the user shall be performed by the remote access system (VPN) in such a manner as to not disclose the password or other authentication information that could be intercepted and used by a third party.
F. All remote connections to an agency computer shall be made through managed central points-of-entry or "common access point." Using this type of entry system to access an agency computer provides simplified and cost-effective security, maintenance, and support.
G. Vendors that may be provided access to agency computers or software will be required to have individual accountability. For any agency system (hardware or software) for which there is a default user ID or password that came with the system for use in set up or periodic maintenance of the system, that account shall be disabled until the user ID is needed and requested. Any activity performed while a vendor user ID is in use shall be logged on the remote access system by an external logger. Since such maintenance accounts are not regularly used, the vendor user ID shall be disabled, the password changed, and other controls shall be implemented by the agency to prevent or monitor unauthorized use of these privileged accounts during periods of inactivity.
H. In special cases wherein servers, storage devices, or other computer equipment has the capability to automatically connect to a vendor in order to report problems or suspected problems, the agency ISO shall review any such connection and process to report certain events back to the system's manufacturer for performance "tuning" to ensure that such connectivity does not compromise the agency or other third-party connections.
I. Agency personnel will only be allowed to work from a remote location upon authorization by the CIO and agency management. Once approved, appropriate arrangements shall be made pursuant to agency written policy and procedures, consistent with this rule, to ensure the work environment at the remote location provides adequate security for transmission of agency data and protection of computing resources. The agency shall identify to the user the appropriate protection mechanisms necessary to protect against theft of agency equipment, unauthorized disclosure of agency information, misuse of agency equipment, unauthorized access to the agency internal network, or facilities by anyone besides the specifically identified and approved user, including family and friends. To ensure the proper security controls are in place and all state security standards are followed, the agency will approve remote access after consideration and documentation of their review following:
J. The following access system controls shall be implemented. Agency ISO or CIO shall monitor and audit their use: