New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.23 - VULNERABILITY SCANNING
Current through Register Vol. 35, No. 18, September 24, 2024
A. All state owned computing devices that are, or will be, accessible from outside the agency network shall be scanned by DoIT, DoIT-approved contractor or DoIT-approved agency IT staff for vulnerabilities and weaknesses prior to installation on the state network and following any changes made to the software, operating system, or configuration.
B. For both internal and external systems, scans shall be performed at least annually by DoIT or a DoIT-approved contractor to ensure that no major vulnerabilities have been introduced into the environment. The frequency of additional scans shall be determined by the agency ISO; such determination shall depend upon the criticality and sensitivity of the information on the system.
C. Network vulnerability scanning shall be conducted after any new network software or hardware has been installed and after major configuration changes have been made on critical and essential agency systems.
D. Output from the scans shall be reviewed immediately by the agency IT staff or agency ISO and the results communicated to the agency CIO.
E. Any vulnerability detected as a result of a scan shall be immediately evaluated for risk and actions shall be taken by the agency to mitigate such risk.
F. Tools used to scan for vulnerabilities shall be updated quarterly to ensure that any recently discovered vulnerabilities are included in any scans.
G. If an agency has outsourced a server, application, or network services to another agency, the responsibility for vulnerability scanning shall be coordinated by both agencies.
H. Anyone authorized to perform vulnerability scanning shall have its process defined, documented, tested, and followed at all times to minimize the possibility of disruption of services. Reports of exposures to vulnerabilities shall immediately be forwarded to the agency CIO and agency general counsel.
I. Any vulnerability scanning other than that performed by an agency ISO shall be conducted only by qualified individuals or organizations contracted with or otherwise authorized in writing by the agency's CIO.