N.M. Admin. Code § 1.12.7.14

Current through Register Vol. 35, No. 24, December 23, 2024
Section 1.12.7.14 - BUSINESS ANALYSIS AND RISK ASSESSMENT
A. The selection of an electronic signature process is a business decision involving more than technical considerations. State agencies are strongly encouraged to complete and document a business analysis and risk assessment. The extent, level of detail, and format of the business analysis and risk assessment are up to the state agency. The goal is to implement a signing process that is as reliable as is appropriate for the purpose in question.
B. A state agency may evaluate each factor differently and accord them different weights based on the nature and specifics of the underlying transaction. A state agency may also devise its own process for conducting and documenting a business analysis and risk assessment in the selection of an electronic signature process.
C. Business analysis. The focus of the business analysis is the business transaction that the electronic signature will support and the larger related business process. The business analysis may include the following components: overview of the business process, analysis of legal and regulatory requirements specifically related to the transaction, identification of industry standards or generally accepted practices related to the transaction, analysis of those who will use electronically signed records and related requirements, determination of interoperability requirements, including those of business partners, and determination of the cost of alternative approaches.
D. Risk Assessment. The selection of an appropriate electronic signature process includes identifying the potential risks involved in a signed electronic transaction and how various electronic signature approaches can address those risks. This paragraph draws upon the National Institute of Standards and Technology (NIST) approach to risk assessment but is more narrowly focused on the risks inherent in a signed electronic transaction. To assess risks, a state agency should identify and analyze: sources of threats, vulnerabilities (such as repudiation, intrusion, loss of access to records for business and legal purposes), potential impacts (such as financial, reputation and credibility, productivity), and the likelihood that a threat will actually materialize.
E. Risk Matrix. A state agency may wish to develop a matrix in which the risk level for each threat is determined by the relationship between the threat's likelihood and the degree of impact against the background of existing risk reduction measures. The greatest risks are those that have extreme consequences and are almost certain to occur. Conversely, a rare event with negligible consequences may be considered trivial.
F. Both the analysis of the likelihood of a successful challenge to the enforceability of a signature and the analysis of the cost or impact of an unenforceable signature should result in a "Low," "Moderate" or "High" determination.
G. The Department of Information Technology has statutory responsibility for all state-wide, executive agency information and computer systems. Given the specific and particular expertise of the Department, any state agency may defer to any determination made by the Secretary of the Department of Information Technology as to 'business analysis', 'risk assessment', or constructing a 'risk matrix'.


Adopted by New Mexico Register, Volume XXVI, Issue 13, July 15, 2015, eff. 7/1/2015