New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.24 - PENETRATION AND INTRUSION TESTING

Universal Citation: 1 NM Admin Code 1.12.20.24

Current through Register Vol. 35, No. 18, September 24, 2024

All state computing infrastructures that provide information through a public network, either directly or through another dedicated circuit, and that provide information externally (such as through the world-wide web), shall be subject to annual independent penetration analysis and intrusion testing by qualified, independent third-party contractor approved by DoIT.

A. Penetration analysis and testing shall be used to determine whether:

(1) a user can make an unauthorized change to an application;

(2) a user can access the application and cause it to perform unauthorized tasks;

(3) an unauthorized individual can access, destroy or change any data;

(4) an unauthorized individual may access the application and cause it to take actions unintended by the application designer(s).

B. The output of the penetration testing and intrusion testing shall be reviewed by the agency ISO and any vulnerability detected shall be evaluated for risk and steps taken to mitigate the risk.

C. Any tools used to perform the penetration testing shall be kept updated to ensure that recently discovered vulnerabilities are included in any future testing.

D. Where an agency has outsourced a server, application, or network services to another agency, independent penetration testing shall be coordinated by both agencies.

E. Only an individual or individuals authorized in writing by the agency shall perform penetration testing. The agency ISO shall notify DoIT security staff two business days prior to any penetration test. Any attempt by the agency to perform penetration testing without prior notice to DoIT shall be deemed an unauthorized access attack which shall be reported to the state CIO.

F. All documents pertaining to security penetration tests, security investigations, security data and reports shall be categorized as sensitive and protected from public disclosure. Counsel for the agency shall review and approve such information to ensure compliance with state law.

Disclaimer: These regulations may not be the most recent version. New Mexico may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.