N.M. Code R. § 1.12.20.17
C. Dedicated network connections shall be allowed after the requesting agency has presented its proposed network architecture for approval by the DoIT; DoIT will approve if the proposal has acceptable security controls and procedures in place, and appropriate security measures have been implemented by the agency to protect state network resources. The agency shall perform a risk analysis of the connection to ensure that the connection to the external network shall not compromise the agency’s private network. The agency may require that additional controls, such as the establishment of firewalls and a DMZ (demilitarized zone) be implemented between the third-party connection and the agency.
(1) The business case for the dedicated connection is still valid and the dedicated connection is still required.
(2) The security controls are in place (e.g., filters, rules, access control lists) are current and are functioning correctly.
F. Any agency-approved third-party network or workstation connection to an agency network shall:
(1) have written justification in the form of a clear business case provided to the agency CIO for any such network connection;
(2) sign an agency non-disclosure agreement (“NDA”); the non-disclosure agreement shall be signed by a duly appointed representative from the third-party organization who is legally authorized to sign such an agreement;
(3) have equipment in place that conforms to this rule and any other applicable state security standards, complies with the agency’s technical architecture, and be approved in writing by the agency CIO; and
(4) use encryption to ensure the confidentiality and integrity of any sensitive or confidential data passing over the external network connection.
[1.12.20.17 NMAC - N/E, 04/14/2010]