N.M. Code R. § 1.11.2.11
Security procedures shall be implemented to ensure the authenticity and integrity of the electronically filed instrument, including the ability to verify the identity of the filer, as well as the ability to verify that an instrument has not been altered since it was transmitted or filed. In order to protect the integrity of instruments to be recorded electronically, a participating county clerk and authorized filers shall meet the security procedure requirements set forth below.
B. Security standards implemented by county clerks shall accommodate electronic signatures and notarization of documents in a manner that complies with 12.9.2 NMAC, Performing Electronic Notarial Acts and that address the following encryption requirements. The electronic recording delivery system shall:
(1) support, at a minimum, 128-bit file and image encryption over a secure network;
(2) provide for periodic updates to encryption by the electronic recording delivery system vendor;
(3) advise the authorized filer of its liabilities and responsibilities for keeping its keys secure;
(4) provide a secure key management system for the administration and distribution of cryptographic keys; and
(5) require all encryption keys to be generated through an approved encryption package and securely stored.
C. The electronic recording delivery system shall control interactive access to the system through authentication processes that:
(1) utilize a process of requesting, granting, administering and terminating accounts;
(2) address the purpose, scope, responsibilities and requirements for managing accounts;
(3) designate one or more individuals to manage accounts; and
(4) provide for secure delivery of the authorized filer (s) initial password(s) and prohibit the transmission of identification and authentication information (password) without the use of industry-accepted encryption standards.
D. County clerks shall have a key management system in place for the secure administration and distribution of cryptographic keys.
(1) The electronic recording delivery system shall authenticate the authorized filer's private key.
(2) Authorized filers shall establish internal controls to assure the security of the private key is not compromised and certify compliance with the county clerk as part of the MOU.
(3) Security of private keys compromised within the electronic recording delivery system shall be promptly addressed by the clerk.
E. A risk analysis to identify potential threats to the electronic recording delivery system and the environment in which it operates shall be conducted at least once every three years by the county clerk and shall be submitted to the department of information technology and the commission of public records. The purpose of the risk analysis is to prevent the filing and recording of fraudulent instruments or alteration of instruments that were previously filed and recorded electronically. A risk analysis shall identify and evaluate system and environmental vulnerabilities and determine the loss impact if one or more vulnerabilities are exploited by a potential threat. The risk analysis shall include:
(1) a risk mitigation plan that defines the process for evaluating the system;
(2) documentation of management decisions regarding actions to be taken to mitigate vulnerabilities;
(3) identification and documentation of implementation of security controls as approved by management; and
(4) a reassessment of the electronic recording delivery system security after recommended controls have been implemented or in response to newly discovered threats and vulnerabilities.
[1.11.2.11 NMAC - N, 9/15/2008]