51,436 sections across 3,184 New Mexico regulatory chapters.
R.1.12.2-1.12.2.3 STATUTORY AUTHORITY
0.0K chars
NMSA 1978 Section 15-1C-5.
R.1.12.2-1.12.2.4 DURATION
0.0K chars
Permanent.
R.1.12.2-1.12.2.5 EFFECTIVE DATE
0.1K chars
February 1, 2000, unless a later date is cited at the end of a section or paragraph.
R.1.12.2-1.12.2.6 OBJECTIVE
0.1K chars
The purpose of this rule is to establish the procedures by which the commission will operate in carrying out its responsibilities under the Act.
R.1.12.2-1.12.2.7 DEFINITIONS
0.7K chars
As used in this rule: A. "advisory member" means a person appointed to the commission pursuant to NMSA 1978 Section 15-1C-4 B; B. "comment draft" means the draft of a proposed rule or guideline approved by the Commission for publication for the limited purpose of receiving commen…
R.1.12.2-1.12.2.8 MEMBERS
1.0K chars
A. Terms. Public members shall serve for staggered three-year terms or until they resign. All other members shall serve until they resign or are replaced by their appointing authority. B. Vacancies. A member may resign or a member's position on the commission may be deemed vacant…
R.1.12.2-1.12.2.9 OFFICERS
1.8K chars
A. Chairperson. The chairperson shall preside at meetings of the commission and shall assume all duties designated from time to time by the commission. B. Vice-chairperson. The vice-chairperson shall perform the duties and assume the obligations of the chairperson when the chairp…
R.1.12.20-1.12.20.1 ISSUING AGENCY
0.0K chars
Department of Information Technology.
R.1.12.20-1.12.20.10 NETWORK MANAGEMENT
2.5K chars
All agencies shall implement a range of network controls to maintain security in its trusted, internal network, and to ensure the protection of connected services and networks. Such controls help prevent unauthorized access and use of the agencies' private networks. The following…
R.1.12.20-1.12.20.11 PRIVILEGED ACCOUNTS MANAGEMENT
0.6K chars
The issuance and use of privileged accounts in agencies shall be restricted and controlled by system administrator management in the agency. A. Agencies shall develop processes to ensure that if a privilege account is issued, the use of such privileged accounts is monitored by th…
R.1.12.20-1.12.20.12 ACCESS CONTROL POLICY
0.8K chars
To preserve the integrity, confidentiality, and availability of the system and the data, the agency's information assets shall be protected by logical as well as physical access control mechanisms commensurate with the value and sensitivity of the system, the ease of recovery of …
R.1.12.20-1.12.20.13 OPERATING SYSTEM ACCESS CONTROL
1.7K chars
A. Access to agency operating system code, commands and services shall be restricted to individuals with specialized skills such as systems programmers, database administrators, network, and security administrators who require access to perform their daily job responsibilities. (…
R.1.12.20-1.12.20.14 APPLICATION ACCESS CONTROL
0.5K chars
A. Access to agency business and systems applications shall be restricted to those individuals who have an identified business need to access those applications or systems in the performance of their job responsibilities. B. Access to source code for applications and systems shal…
R.1.12.20-1.12.20.15 NETWORK ACCESS CONTROL
0.5K chars
Access to an agency's trusted internal network shall require all agency authorized users to authenticate themselves through use of an individually assigned user ID or other agency approved authentication mechanism (e.g., password, token, smart card). Network controls shall be dev…
R.1.12.20-1.12.20.16 USER AUTHENTICATION FOR EXTERNAL CONNECTIONS (REMOTE ACCESS CONTROL)
5.4K chars
A. To maintain information security, agency must require through published policies and procedures consistent with these rules, that individual accountability shall be maintained at all times, including during remote access. B. Connection to the agency's networks shall be provide…
R.1.12.20-1.12.20.17 DEDICATED NETWORK CONNECTIONS
3.0K chars
A. The internet is inherently insecure, access to the internet is prohibited from any device that is connected (wired or wireless) to any part of the state network unless such access is authorized via exception signed by the state CIO. Such access includes accounts with third-par…
R.1.12.20-1.12.20.18 NETWORK SEGREGATION
0.6K chars
When an agency desires to connect its network to any other third party network or its network becomes a segment on a larger network, controls shall be in place to prevent access by users from other connected networks to sensitive areas of the agency's private network. Such connec…
R.1.12.20-1.12.20.19 WIRELESS NETWORKS, BLUETOOTH, AND RADIO FREQUENCY IDENTIFICATION
1.0K chars
A. No wireless network or wireless access point shall be installed prior to an agency performed risk assessment and the written approval of the agency CIO. B. Suitable controls, such as media access control (MAC), address restriction, authentication, and encryption, shall be impl…
R.1.12.20-1.12.20.2 SCOPE
0.4K chars
This rule applies to all executive branch agencies, and any other state entity which utilizes the state information technology (IT) infrastructure, contractors and subcontractors and any other non-state government staff members, and outsourced third parties, who have access to, s…
R.1.12.20-1.12.20.20 USER REGISTRATION AND MANAGEMENT
1.8K chars
A. A user management process shall be established, documented and provided to all IT staff of the agency which outlines and identifies all aspects of user management including the generation, distribution, modification, and deletion of user accounts. This process shall ensure tha…
R.1.12.20-1.12.20.21 USER PASSWORD MANAGEMENT
1.2K chars
Password protocols shall be developed consistent with state standards and implemented to ensure all authorized individuals accessing agency resources follow 1.12.11 NMAC Enterprise Architecture. Such password protocols shall be mandated by automated system controls whenever possi…
R.1.12.20-1.12.20.22 PROHIBITION OF USE OF PERSONAL COMPUTING DEVICES ON STATE EQUIPMENT OR SYSTEMS
0.8K chars
A. Connecting any computing device not owned by the state of New Mexico to a state network or to any state computing device is prohibited unless authorized in writing by the agency CIO. B. Installation of any software, executable or other file to any state computing device is pro…
R.1.12.20-1.12.20.23 VULNERABILITY SCANNING
2.1K chars
A. All state owned computing devices that are, or will be, accessible from outside the agency network shall be scanned by DoIT, DoIT-approved contractor or DoIT-approved agency IT staff for vulnerabilities and weaknesses prior to installation on the state network and following an…
R.1.12.20-1.12.20.24 PENETRATION AND INTRUSION TESTING
2.0K chars
All state computing infrastructures that provide information through a public network, either directly or through another dedicated circuit, and that provide information externally (such as through the world-wide web), shall be subject to annual independent penetration analysis a…
R.1.12.20-1.12.20.25 PROTECTION AGAINST MALICIOUS CODE
0.9K chars
A. Software and any other mechanism to prevent intrusions shall be implemented across agency systems to prevent as well as detect the introduction of malicious code. The introduction of malicious code can cause serious damage to networks, workstations, and business data. B. Agenc…
R.1.12.20-1.12.20.26 SYSTEM SECURITY CHECKING
1.1K chars
A. Systems that process or store sensitive or confidential information or services that provide support for critical services shall undergo technical security reviews by agency system administrators to ensure compliance with implementation standards and rules as promulgated by Do…
R.1.12.20-1.12.20.27 PORTABLE DEVICES AND REMOVABLE MEDIA
2.8K chars
A. All state owned portable computing resources and removable media shall be secured to prevent compromise of confidentiality or integrity of information. All portable computing devices and removable media must be protected by a password. B. No portable and removable media comput…
R.1.12.20-1.12.20.28 TELEPHONES AND FAX EQUIPMENT
0.8K chars
A. Users are prohibited from sending documents containing sensitive and confidential information via fax unless allowed by law. B. Users are prohibited from using fax services to send or receive sensitive and confidential information. C. Users are prohibited from using third-part…
R.1.12.20-1.12.20.29 MODEM USAGE
0.2K chars
Connecting any dial-up modem to any computer systems which are also connected to the agency's local area network, to the state network, or to another internal communication network shall first be approved in writing by the agency CIO.
R.1.12.20-1.12.20.3 STATUTORY AUTHORITY
0.0K chars
NMSA 1978 Section 9-27-6 F (3) and 9-27-6 I (1).
R.1.12.20-1.12.20.30 PUBLIC WEBSITES CONTENT APPROVAL PROCESS
1.3K chars
A. Sensitive and confidential information shall not be available through a server accessible to a public network without appropriate safeguards in place as approved in writing by the agency CIO in consultation with the agency legal counsel. The agency ISO shall implement safeguar…
R.1.12.20-1.12.20.31 BUSINESS CONTINUITY
0.7K chars
This section is limited to the IT infrastructure and the data and applications of the local agency environment. A. A threat and risk assessment shall be performed by the agency to determine the criticality of business systems and the time frame required for recovery in the event …
R.1.12.20-1.12.20.32 LOG-ON BANNER
0.4K chars
A. Log-on banners shall be implemented on all state IT systems to inform all users that agency systems are only for agency business and other approved uses consistent with agency policy, to inform that users their activities may be monitored, and to inform the user that they have…
R.1.12.20-1.12.20.33 MONITORING SYSTEM ACCESS AND USE: NO EXPECTATION OF PRIVACY
1.1K chars
A. Consistent with applicable law, the agency reserves the right to monitor, inspect, and search at any time, all agency information systems and equipment used by agency users. Since agency computers and networks are provided for state business purposes, agency staff and any cont…
R.1.12.20-1.12.20.34 LOST OR STOLEN IT ASSET
0.9K chars
In the event of a lost or stolen IT asset, the user shall: A. immediately report the incident to the user's supervisor; B. immediately report the incident to the DoIT help desk at (505)827-2121 or EnterpriseSupportDesk@state.nm.us; a state IT asset incident form must be completed…
R.1.12.20-1.12.20.4 DURATION
0.0K chars
Permanent.
R.1.12.20-1.12.20.5 EFFECTIVE DATE
0.1K chars
April 14, 2010, unless a later date is cited at the end of a section.
R.1.12.20-1.12.20.6 OBJECTIVE
0.5K chars
The purpose of this rule is to establish security operation management practices for executive branch agencies and any other state entity which utilizes the state information technology (IT) infrastructure in the operation of their information technology (IT) systems and infrastr…
R.1.12.20-1.12.20.7 DEFINITIONS
5.8K chars
Defined terms apply to this rule and all other rules promulgated by the secretary and adopted by the information technology commission. A. "Act" means the Department of Information Technology Act, NMSA 1978 9-27-1 et seq. B. "Agency" means an executive branch agency of the state …
R.1.12.20-1.12.20.8 DOCUMENTATION OF SECURITY OPERATIONS
0.6K chars
A. All agency IT technical operations shall have documented security operating instructions, management processes, and formal incident management procedures in place that define roles and responsibilities of individuals who operate or use agency IT technical operations and facili…
R.1.12.20-1.12.20.9 SEGREGATION OF SECURITY DUTIES
0.4K chars
Segregation of duties is required to reduce the risk of accidental or deliberate damage to the state or agency IT system through misuse by a person or persons. In small agencies in which separation of duties is difficult to achieve, with the approval of DoIT, the agency shall imp…
R.1.12.21-1.12.21.1 ISSUING AGENCY
0.0K chars
Department of Information Technology ("DoIT")
R.1.12.21-1.12.21.10 ASSISTANCE GRANTS
2.9K chars
These additional rules apply to assistance grant programs. A. Authorization. An assistance grant is authorized if the: (1) total available program funding does not exceed $2,500,000, (2) funding source specifies the grantee or subrecipient; (3) funding source requires program fun…
R.1.12.21-1.12.21.13 CHALLENGES AND DISPUTES
7.5K chars
These rules apply when a person seeks to challenge any action or inaction authorized, taken, required or governed by these rules, by a funding source or by any state or federal law that governs a program and is not, by law or agreement, within the exclusive subject matter jurisdi…
R.1.12.21-1.12.21.14 DEFAULT, CURE AND AWARD TERMINATION
3.0K chars
A sponsoring body may unilaterally terminate an award only as authorized by, and subject to the requirements of, these rules. A. Uncured material default. A sponsoring body may terminate an award based on a grantee's uncured failure to comply with or satisfy a material term of an…
R.1.12.21-1.12.21.2 SCOPE
0.5K chars
These rules apply to the development, award and administration of grant programs within the jurisdiction of DoIT, the Office of Broadband Access and Expansion ("OBAE"), the Connect New Mexico Council ("Council"), or to any public body administratively attached to DoIT, directly o…
R.1.12.21-1.12.21.3 STATUTORY AUTHORITY
0.1K chars
Paragraphs A and B of Section 9-27-6 NMSA 1978; Paragraph C of Section 63-9K-4 NMSA 1978;
R.1.12.21-1.12.21.4 DURATION
0.0K chars
Permanent.
R.1.12.21-1.12.21.5 EFFECTIVE DATE
0.1K chars
April 11, 2023, unless a later date is cited at the end of a section.
R.1.12.21-1.12.21.6 OBJECTIVE
0.1K chars
These rules establish standards and practices for the development, challenge, application, award and administration of subject grant programs.