N.M. Admin. Code § 1.12.20.24

Current through Register Vol. 35, No. 24, December 23, 2024
Section 1.12.20.24 - PENETRATION AND INTRUSION TESTING

All state computing infrastructures that provide information through a public network, either directly or through another dedicated circuit, and that provide information externally (such as through the world-wide web), shall be subject to annual independent penetration analysis and intrusion testing by a qualified, independent third-party contractor approved by DoIT.

A. Penetration analysis and testing shall be used to determine whether:
(1) a user can make an unauthorized change to an application;
(2) a user can access the application and cause it to perform unauthorized tasks;
(3) an unauthorized individual can access, destroy or change any data;
(4) an unauthorized individual may access the application and cause it to take actions unintended by the application designer(s).
B. The output of the penetration testing and intrusion testing shall be reviewed by the agency ISO and any vulnerability detected shall be evaluated for risk and steps taken to mitigate the risk.
C. Any tools used to perform the penetration testing shall be kept updated to ensure that recently discovered vulnerabilities are included in any future testing.
D. Where an agency has outsourced a server, application, or network services to another agency, independent penetration testing shall be coordinated by both agencies.
E. Only an individual or individuals authorized in writing by the agency shall perform penetration testing. The agency ISO shall notify DoIT security staff two business days prior to any penetration test. Any attempt by the agency to perform penetration testing without prior notice to DoIT shall be deemed an unauthorized access attack which shall be reported to the state CIO.
F. All documents pertaining to security penetration tests, security investigations, security data and reports shall be categorized as sensitive and protected from public disclosure. Counsel for the agency shall review and approve such information to ensure compliance with state law.

1.12.20.24 NMAC - N/E, 4/14/2010