State of New Mexico

Public School Facilities Authority

Digital Computing Asset Management

Policy/Procedures

1. Users who use a digital computing asset are primarily responsible for its safekeeping and for the security of any information it contains. Users must protect digital computing assets to minimize the possibility of loss or theft, unauthorized use, or tampering.

2. Users must follow all IST and Information Security rules, guidelines, and limitations concerning the protection of digital computing assets and their content.

3. IST Information Security has the right to monitor the use of digital computing assets for security, compliance and administration purposes.

4. IST Information Security has the right to limit and control the scope of use of the digital computing assets to serve PSFA objectives efficiently and effectively.

5. IST Information Security has the right to install and enforce software packages and feature changes for enabling/disabling features, limiting administrator privileges, measuring performance and applying security controls. Users do not have the right to disable, control or limit these actions. A documented and signed approval and risk acceptance is required for any exception.

6. IT and Information Security must approve and validate all purchasing requests for digital computing assets to ensure adequacy from an operational and security standards perspective, and issue risk exceptions where appropriate.

7. All data output, analysis outcomes, applications developed, research results, etc. that result from the use of PSFA digital computing assets are considered the property of PSFA and the State of New Mexico unless a formal exception has been granted by the appropriate governance.

8. PSFA digital computing assets are to be used for PSFA approved business purposes only.

9. Cryptocurrency mining using PSFA digital computing assets is forbidden.

10. Digital computing assets should be compliant with copyright laws, telecommunication laws and all applicable laws.

11. Whenever required by law, PSFA will provide relevant information and access to digital computing assets to law enforcement entities.

12. PSFA has the right to access, collect and confiscate any digital computing asset for investigation, digital forensics, or compliance needs. Access rules and procedures are handled by Information Security functions of the IST Department, Legal and Physical Security.

13. PSFA has the right to analyze the outgoing and incoming traffic to any digital computing asset connected to its network for performance management, problem solving, information security and compliance needs.

Inventory

A digital computing asset inventory must be in place that includes all relevant digital data such as MAC address, operating system type and version, device vendor, model name and number, list of installed software with name and version, etc. This inventory is essential for operational support, upgrade plans, information security controls enforcement and risk assessment. Inventory of newly added assets and retiring assets should be performed adequately. Live inventory/monitoring tools and agents can be used to identify the device status when applicable.

Possession and Chain of Custody

Possession of digital computing assets must be documented and adequately updated at all times. Digital computing assets must be delegated to a custodian via chain-of-custody documentation at all times.

Assets Return

Digital computing assets should be returned to PSFA IST whenever the asset is not in use or is outdated, or the employee has ended their relationship with PSFA.

Agency Servers and Associated Applications

1. Ownership of PSFA servers and their associated applications must be clarified and documented at all times in a detailed inventory.

2. An application administrator and a system administrator should be identified for every PSFA server and digital service.

3. Application and system administrators are data custodians; data owners are the authority regarding the grant and revocation of access.

4. Application administrators are the persons responsible for operating and maintaining the application to meet the business objectives.

5. System administrators are the persons responsible for operating and maintaining the operating system and server backend services/packages that are essential for the application to run.

6. New PSFA servers, services, and applications must have the following prerequisites before going live:

    a. Documented high and low level architecture

    b. Data flow chart

    c. Documented risk assessment and business impact analysis

 

 

Policy Statement

PSFA digital computing assets include physical hardware, software, user accounts including user IDs and passwords, and intellectual property created in digital form. No violations of use are accepted. PSFA has the right to protect physical, software and intellectual property assets and ensure compliance.

Title

Digital Computing Asset Management

Purpose

This document is to keep the PSFA community aware of the existence of security requirements to protect the digital computing assets of the agency.

Originator

Information Systems and Technology

Approved by

Chief Technology Officer

Classification level

Public

Related Policies

Technology Code of Conduct

Approval

Kerry Gray, Chief Technology Officer | M. Casias, Deputy Director

Audience

All PSFA regular staff, interns and internal contractors

Contacts

Responsible Agency Official: M. Casias, Deputy Director | Responsible Agency Office: Information Systems and Technology, K. Gray, CTO