New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.24 - PENETRATION AND INTRUSION TESTING
Current through Register Vol. 35, No. 18, September 24, 2024
All state computing infrastructures that provide information through a public network, either directly or through another dedicated circuit, and that provide information externally (such as through the world-wide web), shall be subject to annual independent penetration analysis and intrusion testing by a qualified, independent third-party contractor approved by DoIT.
A. Penetration analysis and testing shall be used to determine whether:
B. The output of the penetration testing and intrusion testing shall be reviewed by the agency ISO and any vulnerability detected shall be evaluated for risk and steps taken to mitigate the risk.
C. Any tools used to perform the penetration testing shall be kept updated to ensure that recently discovered vulnerabilities are included in any future testing.
D. Where an agency has outsourced a server, application, or network services to another agency, independent penetration testing shall be coordinated by both agencies.
E. Only an individual or individuals authorized in writing by the agency shall perform penetration testing. The agency ISO shall notify DoIT security staff two business days prior to any penetration test. Any attempt by the agency to perform penetration testing without prior notice to DoIT shall be deemed an unauthorized access attack which shall be reported to the state CIO.
F. All documents pertaining to security penetration tests, security investigations, security data and reports shall be categorized as sensitive and protected from public disclosure. Counsel for the agency shall review and approve such information to ensure compliance with state law.