N.M. Admin. Code § 1.12.20.20
Current through Register Vol. 35, No. 24, December 23, 2024
Section 1.12.20.20 - USER REGISTRATION AND MANAGEMENTA. A user management process shall be established, documented and provided to all IT staff of the agency which outlines and identifies all aspects of user management including the generation, distribution, modification, and deletion of user accounts. This process shall ensure that only authorized individuals have access to agency applications and information and that such users only have access to the resources required to perform authorized services.B. The user management process shall include the following sub-processes:(1) how to enroll new users;(2) how to remove user IDs;(3) how to grant a "privileged account" to a user;(4) how to remove "privileged accounts" from a user;(5) how the agency defines "periodic review" of "privileged accounts";(6) how the agency defines "periodic review" of users enrolled in any state IT system;(7) how to assign a new authentication token (e.g. password reset processing); and(8) how proper enforcement of user management shall be verified during an independent annual risk assessment.C. The appropriate information owner or other authorized officer shall make requests for the registration and granting of any data access rights.D. For applications that interact with individuals who are not employees of the agency, including but not limited to employees of other state agencies, approved contractors or approved vendors, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users shall be defined by the agency CIO, to include what credentials shall be provided to prove the identity of the user requesting registration, validation of the request, and the scope of access that may be provided.N.M. Admin. Code § 1.12.20.20
1.12.20.20 NMAC - N/E, 4/14/2010