FAQ

Click questions to expand answers.

Academic Support Request Items

Account Access Reinstatement

Who can submit a request?

This request is available to all University account users (i.e. NetID users), however, written authorization from a cognizant University official is required (see below).

What information is required to submit a request?

Requestors shall provide a clear and concise overview in the description of their request, a thoroughly completed Account Access Reinstatement Form, and a signed authorization memo from a cognizant University official (e.g. Dean of Students). The required form and memo shall be attached to the request record at the time of submission.

Requests that are overly broad or that lack specificity, or that do not include an Account Access Reinstatement Form, or a signed authorization memo cannot be processed.

What is the cost of this request?

This request is provided to all University account users at no-cost.

Requests that deviate from the standard offering are evaluated on a case-by-case basis and may result in a fee in scenarios where additional resources including, but not limited to, hardware, software, staff time, or other materials are required to support such requests.

Where can I submit this request?

This request shall be submitted in the ServiceNow Customer Portal to ensure that each request is opened, tracked, and processed in a timely manner.

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that include all minimum-required information at the time of submission, are processed during standard business hours (i.e. 08:00 to 17:00 Mountain Time), Monday through Friday, excluding weekends and holidays.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is fulfilled within the three (3) business day period specified in its Service-Level Agreement (SLA).

Requests are prioritized and fulfilled based on resource availability including hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

ServiceNow Customer Portal requests are automatically routed to the appropriate team, helping to avoid delays and maintain a consistent, reliable process. Requests submitted through email, MS Teams, or other methods cannot be accepted.

Network Access Reinstatement

Who can submit a request?

University staff selecting this request shall have an appropriate University-defined cybersecurity or information technology-focused job description (i.e. position classification). For more information about UNM's Job Descriptions, please reference the UNM Human Resources Position Classification Description Listing website for more information.

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

Departments

IT - Campus Outreach & Engagement
IT - Computing Platforms
- Enterprise Managed Systems & Services (EMSS)
  - Systems
  - Workstations
University Libraries IT

Requests submitted by UNM staff who are not directly assigned to a department or area listed above cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements in the description of their request and a thoroughly completed Network Access Reinstatement Form which shall be attached to the request record at the time of submission.

Requests that are overly broad or that lack specificity, or that do not include a Network Access Reinstatement Form cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

All requests submitted to the University's Information Security & Privacy Office (ISPO) shall be submitted by University-defined Information Technology staff in the ServiceNow Customer Portal to ensure that each request is opened, tracked, and processed in a timely manner.

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is typically fulfilled within a one (1) business day period, with most being fulfilled within the three (3) business day period specified in the Service-Level Agreement for this request.

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Business Support Request Items

Business Continuity Access

Business Continuity Access is a formal process designed to provide temporary and limited access to an employee’s work-related files within enterprise IT systems when there is an immediate and legitimate operational need. This process is strictly limited to non-investigatory, business-related purposes and exists solely to maintain continuity of operations.

Access may be delegated only to the employee’s designated supervisor or manager. This process is not available for use by IT staff to obtain access to employee or faculty files.

Outlook email and Microsoft Teams chat content are generally available for up to 31 days following employee separation.
OneDrive for Business (personal files) and SharePoint Online (organizational files) content may, in limited circumstances, remain available for up to 61 days following separation.

To ensure the preservation of essential business information, business process owners are responsible for initiating the appropriate access requests within 14 days of the employee’s separation.

Who can submit a request?

Access to the Business Continuity Access catalog item is limited to staff in supervisory or managerial roles.

Note: Faculty and administrative staff in need of assistance with this request type are encouraged to contact their area’s designated IT Officer or Liaison.

Requests submitted by staff who do not hold managerial or supervisory responsibilities cannot be processed.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements using the corresponding web form available in the ServiceNow Customer Portal. All fields in the web form must be completed at the time of submission.

Requests that are overly broad or that lack specificity cannot be processed.

What approvals are required?

All business continuity access activities must be approved by the subject’s supervisor or manager, another individual in the reporting chain, or designated HR staff (including HR Directors, Managers, Consultants, Administrators, Analysts, or Technicians).

Approvals are facilitated via ServiceNow. Please have the designated approver check for email from ServiceNow (servicenow[at]unm.edu). Designated approvers are responsible for reviewing and completing the approval request accordingly.

Requests that do not receive all required approvals cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

This request shall be submitted in the ServiceNow Customer Portal to ensure that each request is opened, tracked, and processed in a timely manner.

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is typically fulfilled within a three (3) business day period, with most being fulfilled within the five (5) business day period specified in the Service-Level Agreement for this request.

Requests are prioritized and fulfilled based on resource availability including hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Investigation Support

Investigation Support is a formal process that enables designated University administrative departments to request subject matter expertise from the ISPO's cybersecurity areas in support of authorized investigations. Eligibility is limited to staff assigned to formally recognized investigative or compliance functions (e.g., CEEO, HR, IA, or ORIC).

Who can submit a request?

University staff selecting this request shall have work assignments within an appropriate University-defined department (i.e. administrative functional area).

Departments

Complinace, Ethics, & Equal Opportunity (CEEO)
Human Resources (HR)
Internal Audit (IA)
Office of Research Integrity and Compliance (ORIC)

Requests submitted by UNM staff who are not directly assigned to a department or area listed above cannot be processed

NOTE:: Faculty and administrative staff in need of assistance with this reqeut are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements, including, but not limited to, basic contact information (first and last name, University-defined job description, work email and phone) in the description of their request. Please avoid sharing business-sensitive information or documentation within the request record.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided at no-cost.

Where can I submit this request?

All requests submitted to the University’s ISPO shall be submitted in the ServiceNow Customer Portal to ensure each request is opened, tracked, and processed in a timely manner. Please avoid sharing business-sensitive information or documentation with the request.

Requests submitted outside of the ServiceNow Customer Portal cannot be processed.

When can I submit this request?

Request may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is typically fulfilled within a seven (7) business day period, with most being fulfilled within the ten (10) business day period specified in the Service-Level Agreement for this request.

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and can be expedited for a fee.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Staff Separation

Staff Separation is a formal process that facilitates the secure and timely removal of IT access, credentials, and privileges for departing University staff. Eligibility is limited to supervisors, managers, and designated HR staff, and all requests require an authorization memorandum from a cognizant University vice president. Requests must be submitted through the ServiceNow Customer Portal to ensure compliance, accountability, and continuity of operations.

Who can submit a request?

Access to the Staff Separation catalog item is limited to staff in supervisory or managerial roles, or with a human resources-focused job description (i.e. position classification). For more information about UNM's Job Descriptions, please reference the UNM Human Resources Position Classification Description Listing website for more information.

Note: Faculty and administrative staff in need of assistance with this request type are encouraged to contact their area’s designated IT Officer or Liaison.

Requests submitted by UNM staff who do not hold a supervisory or managerial role, or an appropriate job description cannot be processed.

What information is required to submit a request?

Requestors shall provide a clear and concise description of their request, all accounts owned or used by the in-scope staff, and an authorization memorandum signed by a cognizant University vice president.

Requests that do not include a signed authorization memorandum cannot be processed.

What approvals are required?

All staff separation activities must be approved by the subject’s supervisor or manager, another individual in the reporting chain, or a designated HR staff member.

Approvals are facilitated via ServiceNow. Designated approvers will receive an email from ServiceNow (servicenow[at]unm.edu) and should review and complete the approval request accordingly.

Requests that do not receive all required approvals cannot be processed.

What is the cost of this request?

This request is provided to all human resources, information technology, and labor and employee relations areas at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

NOTE: In the event initial processing and fulfillment of an individual request needs to be expedited, the requestor is responsible for communicating details regarding urgency and impact, and specifics regarding desired timing of activities.

When will my request be fulfilled?

This request is fulfilled within the three (3) business day period as specified in its Service-Level Agreement (SLA).

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, and staff.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Cybersecurity Request Items

Cloud Vendor Assessment

Cloud Vendor Assessment is a formal process used to evaluate third-party cloud service providers for alignment with the University’s information security, privacy, compliance, and risk management requirements. This process ensures that vendors handling institutional data or services meet minimum requirements before adoption or continued use.

Assessments are initiated automatically through Banner Workflow and require vendors to complete the Higher Education Community Vendor Assessment Toolkit (HECVAT), along with any supporting documentation referenced within the toolkit.

The Cloud Vendor Assessment process is not available for direct request by individuals or IT staff. All assessments must originate through Banner Workflow, and incomplete submissions (e.g., those lacking a completed HECVAT) cannot be processed.

Work product generated through this process is provided directly to ISPO’s Privacy, Compliance, and Risk area via Banner Workflow.

Who can submit a request?

This request cannot be directly requested.

A system process will generate request records classified as the Cloud Vendor Assessment when triggered by a workflow item contained in Banner Workflow.y a workflow item contained in Banner Workflow.

What information is required to submit a request?

This request cannot be directly requested.

Banner Workflow item submitters shall provide a clear and concise description of their request in the upstream Banner Workflow application, a vendor-completed Higher Education Community Vendor Assessment Toolkit (HECVAT), and any supplemental documentation referenced within the vendor-completed HECVAT.

System-generated requests that are overly broad, that lack specificity, or that do not contain a vendor-completed HECVAT cannot be processed.

What is the cost of this request?

This request cannot be directly requested.

This request is provided to the ISPO's Privacy, Compliance, and Risk area at no-cost.

Where can I submit this request?

This request cannot be directly requested.

A system process will generate request records classified as the Cloud Vendor Assessment when triggered by a workflow item contained in Banner Workflow.

When can I submit this request?

This request cannot be directly requested.

Requests that are generated after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

This request cannot be directly requested.

Requests that include all minimum-required information at the time of generation by system process, are processed during standard business hours (i.e. 08:00 to 17:00 Mountain Time), Monday through Friday, excluding weekends and holidays.

Requests that are generated after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request cannot be directly requested.

This request is fulfilled within the five (5) business day period as specified in its Service-Level Agreement (SLA).

Work product created to fulfill in-scope requests is provided directly to the ISPO's Privacy, Compliance, and Risk area using Banner Workflow.

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

This request cannot be directly requested.

Cybersecurity Application Access

Cybersecurity Application Access allows eligible University IT and cybersecurity staff to request access to ISPO-managed applications. Eligibility is determined by the requestor’s job classification and assigned department, and requests must be approved by the direct supervisor.

Who can submit a request?

Eligibility to request access to ISPO-managed cybersecurity applications is determined by the requestor’s assigned role and assigned department (or area).

CIO Roles

Chief Information Officer (Chief Information Officer)
Deputy Chief Information Officer (Deputy CIO)

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

Department

Center for Academic Program Support (CAPS IT)
Center for Advanced Research Computing (CARC IT)
Center for High Technology Materials (CHTM IT)
College of University Libraries & Learning Sciences (CULLS IT)
Earth Data Analysis Center (EDAC IT)
Information Security & Privacy Office (ISPO)
- Cybersecurity Engineering & Operations
- Information Security Program Management
IT Academic Technologies (IT AT)
- Learning Environments
- Learning Management Systems, Scoring, Surveys, and Evaluations
- Media & Collaborative Applications
IT Applications (IT APPS)
- Data and Reporting
- Development
- Operations
- Support
IT Campus Outreach & Engagement (IT COE)
- Anderson School of Management (ASM IT)
- Athletics (Athletics IT)
- Branch Campuses
  - Gallup
  - Los Alamos
  - Taos
  - Valencia
- Business Center (BC IT)
- Division of Enrollment Management (EM IT)
  - Global Education Office (GEO)
  - Student Affairs (SA)
  - Student Health and Counseling (SHAC)
- College of Arts & Sciences (A&S IT)
- College of Education and Human Sciences (CoEHS IT)
- College of Fine Arts (CFA IT)
- Institutional Support Services (ISS - IT)
  - Auxiliaries (ISS - Auxiliaries)
  - Facilities (ISS - Facilities)
- School of Engineering (SoE IT)
- School of Law (SoL IT)
IT Computing Platforms (IT Platforms)
- Database Administration (DBA)
- Distributed Systems (DSYS)
- Enterprise Managed Systems & Services (EMSS)
  - Desktop and Printer Support
    - Managed Workstations
    - Student Field Agent Program
  - Systems
- Virtual Infrastructure & Storage (VIS)
IT Customer Support Services (IT CSS)
- Customer Service Desk (CSD)
- Service Management (SM)
IT Networks (IT Networks)
- Data Networks
  - LAN
  - WAN
  - Wireless
- Fire & Security Services
- Voice
  - Advanced Voice Applications
KNME-TV, New Mexico PBS (KNME IT)
KUNM (KUNM IT)
NM Established Program to Stimulate Competitive Research (EPSCoR IT)
Office of the Chief Information Officer (Office of the CIO)
Office of the Vice President for Research (OVPR IT)
Police Department (PD IT)
School of Architecture & Planning (SAAP IT)
Utility Services (US IT)

Requests submitted by UNM staff who are not directly assigned to a department or area listed above cannot be processed.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements in the description of their request.

Cybersecurity Application Access Requests must be approved by the requestor’s direct supervisor.

Requests that are overly broad or that lack specificity, or that do not receive the appropriate approvals cannot be processed.

What approvals are required?

Approvals will be generated in ServiceNow on behalf of the requestor. Please have the approver respond to email from ServiceNow (servicenow[at]unm.edu).

Eligibility for access to ISPO-managed cybersecurity applications is determined by the requestor’s assigned role and assigned department (or area).

Requests that do not receive the appropriate approvals cannot be processed.

What is the cost of this request?

Basic application access is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is fulfilled within the three (3) business day period as specified in its Service-Level Agreement (SLA).

Requests are prioritized and fulfilled based on resource availability including hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Cybersecurity Application Maintenance

Cybersecurity Application Maintenance is a formal process that tracks maintenance activities for ISPO-managed cybersecurity applications. Requests are generated only by Cybersecurity Engineering and Operations staff on an as-needed basis and cannot be directly requested.

Who can submit a request?

This request cannot be directly requested.

Cybersecurity Engineering and Operations staff will generate this request on an as-needed basis to track maintenance-related activities.

What information is required to submit a request?

This request cannot be directly requested.

Requests that are overly broad or that lack specificity, or that do not receive the appropriate approvals cannot be processed.

What approvals are required?

Approvals may be required on a case-by-case basis. In the event an approval is required, one will be generated in ServiceNow on behalf of the requestor. In such an event, please have the approver respond to email from ServiceNow (servicenow[at]unm.edu).

Eligibility to request maintenance of ISPO-managed cybersecurity applications is determined by the requestor’s assigned role and assigned department (or area).

Requests that do not receive the appropriate approvals cannot be processed.

What is the cost of this request?

This request cannot be directly requested.

Where can I submit this request?

This request cannot be directly requested.

Cybersecurity Engineering and Operations staff will generate this request on an as-needed basis to track maintenance-related activities.

When can I submit this request?

This request cannot be directly requested.

Cybersecurity Engineering and Operations staff will generate this request on an as-needed basis to track maintenance-related activities.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

This request cannot be directly requested.

Requests that include all minimum-required information at the time of submission are processed during standard business hours (i.e. 08:00 to 17:00 Mountain Time), Monday through Friday, excluding weekends and holidays.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request cannot be directly requested.

This request is fulfilled within the five (5) business day period as specified in its Service-Level Agreement (SLA).

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

This request cannot be directly requested.

Cybersecurity Application Support

Cybersecurity Application Support is a formal process that provides eligible University IT and cybersecurity staff with assistance for ISPO-managed applications. Eligibility is determined by the requestor’s job classification and assigned department.

Who can submit a request?

Eligibility to request access to ISPO-managed cybersecurity applications is determined by the requestor’s assigned role and assigned department (or area).

CIO Roles

Chief Information Officer (Chief Information Officer)
Deputy Chief Information Officer (Deputy CIO)

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

Department

Center for Academic Program Support (CAPS IT)
Center for Advanced Research Computing (CARC IT)
Center for High Technology Materials (CHTM IT)
College of University Libraries & Learning Sciences (CULLS IT)
Earth Data Analysis Center (EDAC IT)
Information Security & Privacy Office (ISPO)
- Cybersecurity Engineering & Operations
- Information Security Program Management
IT Academic Technologies (IT AT)
- Learning Environments
- Learning Management Systems, Scoring, Surveys, and Evaluations
- Media & Collaborative Applications
IT Applications (IT APPS)
- Data and Reporting
- Development
- Operations
- Support
IT Campus Outreach & Engagement (IT COE)
- Anderson School of Management (ASM IT)
- Athletics (Athletics IT)
- Branch Campuses
  - Gallup
  - Los Alamos
  - Taos
  - Valencia
- Business Center (BC IT)
- Division of Enrollment Management (EM IT)
  - Global Education Office (GEO)
  - Student Affairs (SA)
  - Student Health and Counseling (SHAC)
- College of Arts & Sciences (A&S IT)
- College of Education and Human Sciences (CoEHS IT)
- College of Fine Arts (CFA IT)
- Institutional Support Services (ISS - IT)
  - Auxiliaries (ISS - Auxiliaries)
  - Facilities (ISS - Facilities)
- School of Engineering (SoE IT)
- School of Law (SoL IT)
IT Computing Platforms (IT Platforms)
- Database Administration (DBA)
- Distributed Systems (DSYS)
- Enterprise Managed Systems & Services (EMSS)
  - Desktop and Printer Support
    - Managed Workstations
    - Student Field Agent Program
  - Systems
- Virtual Infrastructure & Storage (VIS)
IT Customer Support Services (IT CSS)
- Customer Service Desk (CSD)
- Service Management (SM)
IT Networks (IT Networks)
- Data Networks
  - LAN
  - WAN
  - Wireless
- Fire & Security Services
- Voice
  - Advanced Voice Applications
KNME-TV, New Mexico PBS (KNME IT)
KUNM (KUNM IT)
NM Established Program to Stimulate Competitive Research (EPSCoR IT)
Office of the Chief Information Officer (Office of the CIO)
Office of the Vice President for Research (OVPR IT)
Police Department (PD IT)
School of Architecture & Planning (SAAP IT)
Utility Services (US IT)

Requests submitted by UNM staff who are not directly assigned to a department or area listed above cannot be processed.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements in the description of their request.

Requests that are overly broad or that lack specificity cannot be processed.

What approvals are required?

Eligibility to request support for ISPO-managed cybersecurity applications is determined by the requestor’s assigned role and assigned department (or area).

Requests that do not receive the appropriate approvals cannot be processed.

What is the cost of this request?

Basic application support is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Requests are prioritized and fulfilled based on resource availability including hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Cybersecurity Consulting

Offers eligible University IT and cybersecurity staff the ability to request expert guidance on secure system design, configuration, and service deployment. Eligibility is determined by the requestor’s official job classification and assigned department. Requests must include a clear description of the system or service in scope, and engagement is subject to ISPO review and prioritization based on institutional risk.

Who can submit a request?

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

All requests submitted to the University's Information Security & Privacy Office (ISPO) shall be submitted by University-defined Information Technology staff in ServiceNow Customer Portal to ensure that each request is opened, tracked, and processed in a timely manner.

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Fulfillment timelines depend on the scope and complexity of each request; therefore, a definite Service-Level Agreement (SLA) window is not guaranteed.

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Cybersecurity Feedback

Allows University faculty, staff, and students to provide feedback regarding ISPO-managed cybersecurity services, applications, and tools. Eligibility is determined by an active NetID and affiliation with the University. Submissions may include suggestions, concerns, or requests for clarification. Each submission is reviewed by the Information Security & Privacy Office (ISPO). Requestors will receive acknowledgement of their submission, but fulfillment is limited to review; not all feedback will result in direct action or a change.

Who can submit a request?

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide clear and concise feedback in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Feedback requests and the data contained therein are tracked, reviewed, and cataloged.

Constructive feedback is taken into consideration when making periodic updates to the university's cybersecurity program and its corresponding components, cybersecurity standards and guidelines, and the University's enterprise cybersecurity services.

A basic acknowledgment is provided to all requestors, however the ISPO may not be able to directly respond to each individual request.

Requests are prioritized based on resource availability including, but not limited to, hardware, software, and staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Firewall Change

The Firewall Change is a joint offering from the UNM Information Security & Privacy Office (ISPO) and UNM Information Technologies (IT). It is supported by ISPO’s Cybersecurity Engineering and Cybersecurity Operations teams, as well as IT’s Networks (Data Network Group) and Platforms (Enterprise Managed Systems & Services, Platform Engineering, and Virtual Infrastructure & Storage) teams. This request is intended to enable authorized IT staff within designated departments to request changes to the university’s firewall configurations and related security policies.

Who can submit a request?

Access to the Firewall Change catalog item is limited to staff who are directly responsible for the ongoing maintenance and support of the overarching firewall management service or who provide extensive input regarding the configuration of specific firewalls; eligibility is determined by a combination of job description in addition to department name.

Please thoroughly review the information below before submitting a firewall change.

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir, Core IT Svcs)
Director of Information Technology Service (Dir, IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir, Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir, IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr, Core IT Svcs)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)

Departments

Information Security & Privacy Office (ISPO)
- Cybersecurity Engineering
- Cybersecurity Operations
IT Computing Platforms (IT Platforms)
- Enterprise Managed Systems & Services (EMSS)
  - Device Management
  - Systems
- Platform Engineering
- Virtual Infrastructure & Storage (VIS)
IT Networks (IT Networks)
- Data Networks
  - LAN
  - WAN
  - Wireless

Requests submitted by UNM staff who are not directly responsible for the ongoing maintenance and support of the overarching firewall management service cannot be processed.

NOTE: IT staff not affiliated with the listed departments are encouraged to review the Firewall Configuration Assessment FAQ for further guidance.

What information is required to submit a firewall change request?

Required information varies by firewall category. The following pre-requisite steps must be completed before a firewall change is submitted:

A fixed IP address (DHCP reservation or static IP) has been requested and assigned to each in-scope host
A corresponding DNS record that adheres to the University’s naming convention has been assigned to each in-scope host
Each in-scope host must be running a supported operating system that is fully patched

Once all pre-requisite steps are completed, a firewall change can be submitted.

Firewall change requests must be submitted for each pair of reciprocal rules. Each request should define a specific set of source and destination addresses, along with the corresponding service port or ports.

Requests are limited to one (1) ingress policy and one (1) egress policy per submission. To maintain clarity and process efficiency, submitting multiple rules or rule changes within a single request is strongly discouraged.

Requestors must provide the following information (at minimum):

Traffic Direction: Inbound -or- Outbound
Source IP(s)
Destination IP(s)
Protocol(s)
Port number(s)
Function
Justification

Requests that do not include the above referenced information cannot be processed.

What approvals are required?

All firewall changes must be approved by an appropriate IT management contact (i.e. IT Director or IT Manager).

Separately, changes to firewall policies protecting the IT Data Center environments require the direct involvement and approval of the corresponding IT Manager or stakeholder.

Approvals are facilitated via ServiceNow. Please have the designated approver check for email from ServiceNow (servicenow[at]unm.edu).

Requests that do not receive all required approvals cannot be processed.

What is the scope of a firewall change?

A Firewall Change is intended to support well-defined, minimal, and documented firewall policy changes for systems in appropriate hosting environments. This request enforces specific guardrails to maintain operational clarity and reduce cybersecurity risk.

What is in scope?

Requests must specify one ingress and one egress policy only.
Requests must reference hosts with valid fixed or reserved IP addresses, and registered DNS records that conform to UNM naming conventions.
Requests are supported only for systems in multi-tiered hosting environments (e.g., data center environments).

What is out of scope?

Individual desktop systems (e.g., user-desktop.unm.edu) are not eligible for firewall policies.
Non-production systems cannot be made accessible from the public internet.
Multiple firewall rules or unrelated changes in a single request are not supported; this introduces complexity and delays. Submit each rule or rule pair as a separate request.

NOTE: Non-specific or overly-permissive requests cannot be processed.

Examples of non-specific or overly permissive requests include, but are not limited to:

Source or destination set to any or to an address with a nonstandard DNS name.
Port number(s) without a corresponding networking protocol (TCP or UDP)
Broad IP ranges (e.g., 10.0.0.0/8) without documented justification
Access from untrusted networks to sensitive systems
Access to entire subnets or network segments
Changes with no listed function or justification
Network traffic with no clear direction (Inbound vs Outbound)

NOTE: All firewall policies are subject to annual re-evaluation and may be modified or retired based on evolving threat landscapes, technology changes, and guidance from cybersecurity professional organizations (e.g., NIST, REN-ISAC). Requestors are responsible for ensuring continued alignment with updated policy and architectural standards.

Responsibility for readiness and ongoing compliance

It is the requestor’s responsibility to ensure all prerequisite tasks, including DNS setup and IP address assignment, are completed before submitting a Firewall Change. Incomplete or misrouted requests may be closed without further action.

NOTE: All firewall policies are subject to annual re-evaluation and may be modified or retired based on evolving threat landscapes, technology changes, and guidance from recognized information security professional organizations (e.g., EDUCAUSE, REN-ISAC, NIST). Requestors are responsible for ensuring continued alignment with updated policy and architectural standards.

Need help planning or scoping a change?

Use the Firewall Configuration Assessment catalog item for exploratory firewall discussions or firewall design consultation. Firewall Change catalog items are not intended for planning, troubleshooting, or gap analysis.

Firewall Change catalog items are not intended for planning, troubleshooting, or gap analysis.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

All requests submitted to the University’s Information Security & Privacy Office (ISPO) shall be submitted by University-defined Information Technology staff in the ServiceNow Customer Portal to ensure that each request is opened, tracked, and processed in a timely manner.

Requests submitted outside of the ServiceNow Customer Portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time with the exception of time periods outlined in the ServiceNow Knowledge Base Article (What is Change (computing) Moratorium and what does it mean?).

Requests submitted during the University-specified Change Moratorium periods cannot be processed. Requestors are responsible for re-submitting requests after the moratorium period has ended.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that include all required information at the time of submission are processed during standard business hours (i.e. 08:00 to 17:00 Mountain Time), Monday through Friday, excluding weekends and holidays.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Firewall Configuration Assessment

Who can submit a request?

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise question in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Requests are prioritized based on resource availability including, but not limited to, hardware, software, and staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Penetration Testing

Who can submit a request?

Blah...

What information is required to submit a request?

Blah...

What is the cost of this request?

Blah...

Where can I submit this request?

Blah...

When can I submit this request?

Blah...

When will my request be processed?

Blah...

When will my request be fulfilled?

Blah...

How can I submit this request?

Blah...

Other Information...

Request for Cybersecurity Information

Request for Cybersecurity Information provides University IT and cybersecurity staff with authoritative information, clarification, and guidance regarding ISPO-managed services, applications, policies, standards, and best practices. This process supports inquiries that require interpretation of cybersecurity requirements or additional detail on service offerings but does not cover fulfillment of service requests or configuration changes.

Who can submit a request?

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

Requests submitted by UNM staff who do not have an appropriate job description cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise question in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

Requests are prioritized based on resource availability including, but not limited to, hardware, software, and staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Vulnerability Assessment

Who can submit a request?

Cybersecurity Roles

Information Security Officers

University Information Security & Privacy Officer (Info Security Ofcr)
Information Security Officer (Info Security Ofcr)

Cybersecurity Engineers

Cybersecurity Engineer I-III (Cybersecurity Engineer 1-3)

IT Roles

IT Directors and Associate IT Directors

Director of Core Information Technology Services (Dir,Core IT Svcs)
Director of Information Technology Service (Dir,IT Svcs)
Associate Director of Core Information Technology Services (Assoc Dir,Core IT Svcs)
Associate Director of Information Technology Services (Assoc Dir,IT Svcs)

IT Managers

Manager of Core Information Technology Services (Mgr,Core IT Svcs)
Manager of Information Technology Services (Mgr,IT Svcs)

IT Officers

IT Officer (IT Officer)

IT Project Managers

IT Project Manager I-III (IT Project Mgr 1-3)

IT Specialists, IT Analysts, and IT Technicians

Senior Core Information Technology Services Specialist (Sr Core IT Svcs Splst)
Core Information Technology Services Specialist (Core IT Svcs Splst)
Programmer Analyst I-III (Programmer Analyst 1-3)
Systems/Network Analyst I-III (Systems/Network Analyst 1-3)
Technical Analyst I-III (Technical Analyst 1-3)
Information Technology Support Technician I-III (IT Support Tech 1-3)

*Eligibility applicable only to UNM IT's Applications department.

Requests submitted by UNM staff who are not directly assigned to a department or area listed above cannot be processed.

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements including all in-scope networks and/or subnetworks in the description of their request.

Requests that are overly broad or that lack specificity cannot be processed. Any vulnerability assessment requests for an area that the requestor is not responsible for or a part of cannot be processed and will be cancelled.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is fulfilled within the three (3) business day period as specified its Service-Level Agreement (SLA).

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Privacy, Compliance, and Risk Request Items

Request for Privacy, Compliance, and Risk Information

Request for Privacy Information enables University staff the ability to request expert guidance on privacy-focused data handling, compliance, and information governance practices. Eligibility is determined by the requestor’s staff affiliation. Requests must include a clear description of the system or service in scope, and engagement is subject to ISPO review and prioritization based on institutional risk.

Who can submit a request?

This request is available to all University account users (i.e. NetID users).

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise question in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is fulfilled within the three (3) business day period as specified in its Service-Level Agreement (SLA).

Requests are prioritized based on resource availability including, but not limited to, hardware, software, and staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Privacy, Compliance, and Risk Consulting

Privacy Consulting enables University staff the ability to request authoritative information, clarification, and guidance regarding policies, standards, and best practices. This process supports inquiries that require interpretation of data privacy requirements or additional detail on service offerings but does not cover fulfillment of service requests or configuration changes.

Who can submit a request?

This request is available to all University account users (i.e. NetID users).

NOTE: Faculty and administrative staff in need of assistance with this request are encouraged to contact their area's designated IT Officer or Liaison.

What information is required to submit a request?

Requestors shall provide a clear and concise overview of their requirements in the description of the request.

Requests that are overly broad or that lack specificity cannot be processed.

What is the cost of this request?

This request is provided to all IT support units at no-cost.

Where can I submit this request?

Requests submitted outside of the ServiceNow Customer Portal portal cannot be processed.

When can I submit this request?

Requests may be submitted at any time.

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be processed?

Requests that are submitted after hours, including nights, weekends, and holidays will be processed the next business day during standard business hours.

When will my request be fulfilled?

This request is typically fulfilled within a ten (10) business day period, with most being fulfilled within the fifteen (15) business day period specified in the Service-Level Agreement for this request.

Requests are prioritized and fulfilled based on resource availability including, but not limited to, hardware, software, staff, and cannot be expedited.

How can I submit this request?

All requests must be submitted through the ServiceNow Customer Portal to ensure timely processing, proper tracking, and accountability.

To submit a request, please navigate to this link.

Cybersecurity Security Program

Awareness Management

What is cybersecurity awareness management?

Cybersecurity awareness management is the standardized and structured process the University uses to ensure that all community members understand their responsibilities for safeguarding University data and systems. This program component aligns with National Institute of Standards and Technology (NIST) frameworks and directly supports the confidentiality, integrity, and availability of University information assets.

By providing consistent training, outreach, and awareness activities, the University ensures that students, faculty, staff, and affiliates can recognize threats, comply with University policies, and take appropriate action to reduce risk. Awareness management builds a culture of shared responsibility, strengthens compliance with laws and contracts, and supports the University’s mission.

Why is cybersecurity awareness management critical to the University?

Human behavior is one of the most common factors in cybersecurity incidents. Effective awareness management helps reduce risk by teaching community members to identify phishing attempts, protect passwords, use secure practices, and report suspicious activity.

Without a robust awareness program, the University faces greater exposure to data breaches, service disruptions, and regulatory violations. Awareness management also ensures compliance with obligations under HIPAA, FERPA, and other regulations, while reinforcing trust among students, faculty, staff, affiliates, and the public.

Who is required to participate in cybersecurity awareness management?

All members of the UNM community, including students, faculty, staff, and affiliates who access University systems or data, must participate in awareness management activities.

Faculty and staff are required to complete annual awareness training and follow institutional security policies.
Students receive training and outreach through orientations, campaigns, and targeted events.
Affiliates must follow the University’s acceptable computer use and security policies and may receive tailored awareness materials based on their access.

What topics are included in cybersecurity awareness training?

Training content is tailored to the audience and may include:

University information security policies and standards
Strong password practices and account security
Identifying and reporting phishing or other social engineering threats
Safe use of email, web browsing, and remote access
Mobile device and cloud security
Malware prevention and secure configuration practices
Safeguarding sensitive and protected information (HIPAA, FERPA, financial data)
Physical security and secure use of shared spaces

Specialized training can be provided for system administrators, data owners, and IT staff who require deeper technical awareness.

How often must awareness training be completed?

Baseline awareness trainings are performed annually and are system-assigned based on a user's role(s) and institutional engagement. Faculty and staff are obligated to complete system-assigned trainings on a yearly basis. Additional audience-focused trainings can be provided to reinforce key practices and address emerging threats.

Students and affiliates are expected to participate in awareness opportunities during onboarding or orientation and comply with ongoing awareness expectations for the duration of their access.

Who is responsible for managing cybersecurity awareness at UNM?

Cybersecurity awareness is a shared responsibility across the University.

Information Security & Privacy Office (ISPO): Develops and delivers awareness materials, coordinates outreach, evaluates effectiveness, and ensures training remains aligned with best practices and University policy.
Chief Information Officer (CIO) and University Leadership: Ensure resources are available and that awareness training is prioritized across the institution.
Faculty, staff, students, and affiliates: Must complete training, comply with security policies, and apply secure practices in their daily activities.

This shared responsibility model ensures that awareness is consistent, effective, and tied to institutional accountability.

How is cybersecurity awareness delivered at UNM?

Awareness is delivered through multiple methods to ensure accessibility and effectiveness, including:

Obligatory online training modules
Instructor-led or briefing sessions
Security Days, Tech Days, and other campus events
Targeted briefings for IT staff and administrators
Outreach through orientations (students, staff, faculty)
Social engineering exercises (e.g., simulated phishing campaigns)
Printed materials, newsletters, and online resources

By using multiple communication channels, the University reinforces key messages and ensures broad community engagement.

What happens if awareness requirements are not met?

Failure to complete required awareness training or comply with University security policies increases institutional risk and may result in administrative consequences, including:

Suspension of access to University systems or data
Obligatory retraining
Disciplinary action consistent with University policy and employment or student codes of conduct

Compliance with awareness requirements is a condition of access to University systems and is essential to protecting institutional data and operations.

How can I provide feedback on cybersecurity awareness training?

Community members may provide feedback or request additional awareness support through ServiceNow. Feedback helps ISPO improve training materials, update content for emerging risks, and ensure awareness activities remain effective and relevant.

Feedback can be submitted via this link.

A social engineering exercise is a controlled test designed to simulate real-world tactics used by threat actors to mislead individuals into revealing information or performing unsafe actions. Exercises may include simulated phishing emails, or phone-based phishing.

These exercises are approved by University Leadership and conducted under strict institutional guidelines. Their purpose is to improve readiness, reduce the risk of real attacks, and strengthen the University’s security posture.

Incident Management

What is cybersecurity incident management?

Cybersecurity incident management is the standardized and structured process the University uses to respond to confirmed or suspected cybersecurity incidents. This program component aligns with National Institute of Standards and Technology (NIST) frameworks and directly supports the confidentiality, integrity, and availability of University data and systems.

By providing a consistent, repeatable process, the University ensures that incidents are detected, reported, contained, removed, and reviewed in a timely manner. This approach reduces institutional risk, protects sensitive and protected information, and strengthens compliance with University policy, state and federal regulations, and contractual requirements.

Why is cybersecurity incident management critical to the University?

Effective incident management is essential to protecting the University’s information assets and sustaining its mission. Timely detection and response help reduce risk to sensitive data, prevent data breaches, and preserve the availability of critical services that support teaching, research, and administration.

Beyond operational impacts, incident management also ensures compliance with regulatory and contractual requirements, including obligations under HIPAA, FERPA, and other data protection frameworks. Prompt, consistent response demonstrates institutional accountability, safeguards the University’s reputation, and reinforces stakeholder trust.

What qualifies as a cybersecurity incident?

A cybersecurity incident is a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard cybersecurity practices. Examples include but are not limited to:

Unauthorized access to a UNM account, system, or database
Phishing, spear phishing, or other social engineering attempts
Malware infections on University-owned or managed devices
Loss or theft of devices containing Protected Data
Defacement of University websites
Systems participating in attacks against internal or external services

What is the difference between a major and minor cybersecurity incident?

Major incidents involve highly sensitive data, enterprise systems of record, or have the potential to significantly impact the University’s reputation, operations, or compliance obligations. Examples include but are not limited to breaches of enterprise systems, exploitation of high-severity vulnerabilities, targeted social engineering attacks, or incidents requiring law enforcement involvement.

Minor incidents are typically isolated, limited in scope, and resolvable through standard operating procedures. Examples include but are not limited to non-targeted phishing attempts, malware infections where no sensitive data was at risk, or website defacements that do not compromise broader systems.

This classification ensures that resources are scaled appropriately and that responses are aligned with incident severity.

How do I report a cybersecurity incident?

University policy requires all community members, including students, faculty, and staff, to report incidents.

ServiceNow: For reporting major and minor incidents (do not include sensitive data in ticket descriptions).
Anonymous hotline (888-899-6092): For confidential or anonymous reporting.

What happens after I report a cybersecurity incident?

After an incident is reported, ISPO and the Incident Response Team (IRT) follow a structured process designed to minimize damage and restore operations.

Identify: Validate that an incident has occurred, determine the scope, and notify appropriate stakeholders.
Contain: Limit spread of the incident by quarantining systems, revoking accounts, or blocking malicious activity, while preserving forensic evidence.
Remove: Eliminate the root cause by applying patches, removing malware, disabling compromised accounts, or correcting unauthorized changes.
Restore: Return systems to normal operations using validated backups and secure configurations, with ongoing monitoring for recurrence.
Review: Conduct a post-incident review to identify root causes, assess response effectiveness, and recommend additional safeguards.

This lifecycle ensures consistency, accountability, and continuous improvement in incident handling.

Who is responsible for managing cybersecurity incidents?

Managing cybersecurity incidents is a shared responsibility across the University.

The Information Security & Privacy Office (ISPO) directs the overall response and provides subject matter expertise. The Incident Response Team (IRT), made up of ISPO staff and IT staff (and when necessary, departmental IT staff), carries out technical investigation, containment, and remediation.

Data Owners and Business Process Owners are responsible for the systems and data under their control, providing resources and ensuring safeguards are in place. University leadership and compliance officials support communication, risk management, and legal guidance throughout the process. Together, these roles ensure coordinated, effective incident management.

Why is timely reporting and response important?

Cybersecurity threats often spread rapidly, sometimes within minutes, making swift containment essential. Delays in reporting and response can increase the severity of an incident, lead to extended downtime, and result in greater financial and reputational impact.

In addition, federal and state regulations, such as HIPAA and FERPA, impose strict timelines for breach notification. Failing to meet these obligations can result in penalties and loss of compliance standing. Prompt reporting and response reduces operational impact, lowers the cost of remediation, and demonstrates the University’s commitment to protecting its community and information assets.

What happens if cybersecurity incidents are not reported or responded to?

Failure to report or address incidents in a timely manner increases institutional risk and may result in extended compromise of systems or data. This can lead to regulatory or contractual violations, higher remediation costs, and reputational harm.

Vulnerability Management

What is vulnerability management?

Vulnerability management is the continuous and cyclical process of identifying, prioritizing, remediating, and validating weaknesses in information systems. This program component aligns with National Institute of Standards and Technology (NIST) frameworks and directly supports the confidentiality, integrity, and availability of University data and systems.

Vulnerabilities can exist in operating systems, applications, firmware, and configurations, and may be introduced at any point in the system lifecycle. Left unaddressed, these weaknesses can be exploited to disrupt services, compromise sensitive data, or degrade institutional operations.

The vulnerability management process ensures that:

Risks are reduced proactively by identifying exposures before they are exploited.
Remediation efforts are prioritized based on severity, likelihood of exploitation, and system criticality.
Patching and configuration management are carried out consistently and within mandated timeframes.
Validation through scanning and testing confirms that vulnerabilities have been effectively mitigated.

By standardizing this process across enterprise, departmental, and third-party systems, UNM maintains a consistent and measurable approach to minimizing institutional risk while supporting compliance, operational reliability, and stakeholder trust.

Why is Vulnerability Management critical to the University?

Effective vulnerability management is essential to protecting the University’s information assets and sustaining its mission. By systematically addressing weaknesses in systems and applications, the University can:

Reduce risk to sensitive and protected information by limiting opportunities for unauthorized access, disclosure, or modification.
Prevent data breaches and service disruptions that could harm students, faculty, staff, research partners, and the University’s reputation.
Support compliance obligations under University policy, state and federal regulations, and contractual requirements with third parties.
Preserve the availability and reliability of services that are critical to academic, research, and administrative operations.
Promote institutional trust by demonstrating a consistent, standards-based approach to safeguarding information.

Without a formal vulnerability management program, the University would face increased exposure to evolving threats, higher remediation costs, and a greater likelihood of regulatory or contractual non-compliance.

Who is responsible for Vulnerability Management?

Responsibility for vulnerability management is shared across the University, with specific roles assigned to enterprise organizations, departments, and external service providers:

Information Security & Privacy Office (ISPO): Provides overall program governance, defines institutional standards, and ensures alignment with NIST frameworks and University policy. ISPO performs enterprise vulnerability scanning and validation, manages cybersecurity vendor relationships, and facilitates the risk acceptance process when remediation is not immediately possible.
UNM Information Technologies (IT): Implements patch management, and configuration changes for enterprise-managed systems and infrastructure. UNM IT staff are responsible for applying vendor updates, and ensuring remediation occurs within established timeframes.
Departmental IT: Must remediate vulnerabilities on systems they own or manage. Departmental IT staff are responsible for ensuring compliance with remediation requirements.
Cloud and Third-Party Providers: Are required to maintain effective vulnerability management practices as part of their contractual obligations. ISPO reviews vendor vulnerability management controls during initial procurement, and during periodic risk assessments to ensure that sensitive or protected University information is safeguarded.

This shared responsibility model ensures that vulnerability management is consistently applied across all environments while maintaining accountability at the appropriate operational level.

What scanning activities occur under this program?

Vulnerability scanning is a core activity within the University’s Vulnerability Management lifecycle. Regular scanning ensures that weaknesses are identified in a timely manner and that remediation efforts can be prioritized appropriately. Scanning activities occur at multiple levels of the University environment:

Enterprise Systems: Enterprise-managed servers, applications, and infrastructure are subject to continuous monitoring through daily agent-based scans, weekly internal scans, and monthly external scans. These combined approaches provide visibility into both system-level vulnerabilities and potential exposures visible from outside the campus network.
Non-Enterprise Systems: Departmental systems that are not part of the central enterprise environment must undergo internal vulnerability scanning at least weekly, with scope and frequency determined by available resources. ISPO may also initiate ad-hoc scanning if departmental systems pose a risk to enterprise services or institutional data.
University Networks: Network devices and infrastructure across the University are scanned on a recurring basis, including weekly internal scans and monthly external scans, to identify configuration issues and exposures that could be leveraged by threat actors.
Penetration Testing: Penetration tests of enterprise-managed servers and mission-critical systems are conducted at least annually. These tests may be performed by internal resources or third-party providers and are designed to simulate real-world attack scenarios that go beyond automated scanning.

Together, these activities create layered visibility into vulnerabilities, from endpoints to enterprise infrastructure, enabling the University to reduce institutional risk in a measurable and repeatable way.

How are vulnerabilities prioritized?

Vulnerabilities at UNM are prioritized using the Common Vulnerability Scoring System (CVSS) in combination with institutional risk considerations. CVSS provides a standardized, industry-recognized method of assessing severity, but scoring alone is not sufficient for prioritization. The ISPO incorporates additional University-specific factors to ensure that remediation efforts address the highest-risk items first.

Key considerations include:

Severity rating: Vulnerabilities are classified as Critical, High, Medium, or Low based on CVSS scores and institutional context.
- Critical / High vulnerabilities are likely to be exploited with significant impact to confidentiality, integrity, or availability, requiring immediate action.
- Medium vulnerabilities pose moderate risk and should be remediated as part of routine operational practice.
- Low vulnerabilities may represent limited risk but must still be evaluated in the context of compensating controls and future patch cycles.
Mission criticality of the system: Systems that support critical University functions—such as academic systems, research platforms, or enterprise administrative services—are given higher priority, as their compromise would have broad institutional impact.
Sensitivity of the data: Systems storing, processing, or transmitting sensitive or protected information (e.g., FERPA, HIPAA, or financial data) receive elevated prioritization due to regulatory, contractual, and reputational implications.
Existence of compensating controls: If strong mitigating measures (e.g., firewalls, access restrictions, or monitoring) are already in place, remediation timelines may be adjusted, though compensating controls never replace the requirement to remediate.
Likelihood of exploitation: Active exploits in the wild, low complexity of attack, and ease of discovery increase the urgency of remediation, even if CVSS scores are not at the highest levels.

This combined approach ensures that prioritization is both standards-based and context-aware, balancing technical severity with the University’s mission, compliance obligations, and operational risk tolerance.

What are the required remediation timeframes?

UNM has established mandatory remediation timeframes to ensure that vulnerabilities are addressed in a consistent and risk-aware manner. These timeframes are aligned with industry standards, institutional policies, and regulatory expectations:

Critical: Must be remediated within 7 calendar days of detection. Critical vulnerabilities are those that pose the highest likelihood of exploitation and the most severe impact to confidentiality, integrity, or availability. Immediate action is required.
High: Must be remediated within 14 calendar days of detection. High-risk vulnerabilities represent serious threats and must be resolved quickly to prevent compromise of institutional systems or sensitive data.
Medium: Must be remediated within 30 calendar days of detection. Medium-risk vulnerabilities still pose significant threats and should be addressed as part of regular operational patch cycles.
Low: Must be remediated within 90 calendar days of detection. Low-risk vulnerabilities may be less likely to be exploited but must not be ignored, as unaddressed issues can accumulate and increase overall institutional risk.

Exceptions

In some cases, it may not be technically or operationally feasible to remediate a vulnerability within the required timeframe (e.g., vendor patch unavailable, operational constraints, or documented business requirements). In such cases:

An exception request must be submitted and reviewed by the Information Security & Privacy Office (ISPO).
Approval requires concurrence from the Chief Information Officer (CIO) or Data Owner, depending on system scope and criticality.
Formal risk acceptance must be documented by a cognizant University Vice President before an exception is granted.

This process ensures that any deviation from the standard remediation timeframes is formally reviewed, justified, and accepted at the appropriate level of University governance.

What if vendor patches or hotfixes are unavailable?

In some cases, a vendor may not provide a patch or hotfix for a known vulnerability, or remediation may be delayed due to technical or operational constraints. When this occurs, administrators are still required to take appropriate steps to minimize institutional risk.

IT Administrators must:

Apply configuration changes where feasible Adjust system or application settings (e.g., disabling vulnerable services, restricting access, or changing default configurations) to reduce the attack surface until a vendor patch is released.
Implement compensating controls Where direct remediation is not possible, apply alternative controls that meet the intent and rigor of the original requirement. Examples include firewall rules, intrusion prevention signatures, additional logging or monitoring, and access restrictions. Compensating controls must be documented and approved by ISPO to ensure they adequately reduce residual risk.
Pursue a formal risk acceptance process if no controls are available If neither configuration changes nor compensating controls are feasible, administrators must request an exception. This requires:
- Review and approval by the Information Security & Privacy Office (ISPO).
- Concurrence from the Chief Information Officer (CIO) or the Data Owner.
- Formal risk acceptance by a cognizant University Vice President.

This structured approach ensures that vulnerabilities are not ignored simply because a vendor patch is unavailable. Instead, risks are actively managed, documented, and either mitigated or formally accepted in accordance with University governance requirements.

How does patch management relate to vulnerability management?

Patch Management is a critical sub-process within the University’s Vulnerability Management framework. While Vulnerability Management encompasses the full lifecycle of identifying, prioritizing, remediating, and validating security weaknesses, Patch Management focuses specifically on addressing vulnerabilities by applying vendor-provided updates.

Patch Management includes:

Identifying available patches for operating systems, applications, and firmware.
Acquiring and testing patches to confirm compatibility and stability in the University environment.
Installing patches on enterprise-managed and departmental systems in accordance with approved workflows.
Verifying that patches have been applied successfully and that vulnerabilities are resolved.

Timely and consistent patching is essential because many vulnerabilities exploited by threat actors are already well-known and have vendor fixes available. By integrating Patch Management into the broader Vulnerability Management process, the University can:

Reduce exposure to common, high-risk threats.
Ensure alignment with institutional remediation timeframes.
Prevent system downtime and service disruptions.
Demonstrate compliance with University policy and external regulatory requirements.

In short, Patch Management provides the operational mechanism through which many identified vulnerabilities are remediated, making it one of the most crucial controls within the Vulnerability Management lifecycle.

What happens if vulnerabilities are not addressed?

Failure to remediate vulnerabilities within established timeframes exposes the University to significant risk and may trigger both operational and compliance consequences. Potential outcomes include:

Increased institutional risk: Unaddressed vulnerabilities increase the likelihood of system compromise, data breaches, or service outages. Threat actors frequently exploit known vulnerabilities that remain unpatched, often within days of public disclosure.
Regulatory and contractual non-compliance: Many University systems handle sensitive or protected information (e.g., FERPA, HIPAA, PCI-DSS). Failure to remediate vulnerabilities can result in violations of federal or state regulations, contractual agreements with third parties, and University policy.
System downtime or service disruption: Vulnerabilities can lead directly to service degradation or denial-of-service events, impacting teaching, research, and administrative operations. Recovery efforts often require unplanned outages to remediate under emergency conditions.
Incident response and remediation costs: Delayed remediation may require escalated incident response, forensic investigation, and containment activities. In such cases, costs for incident response and remediation may be transferred back to the responsible unit under IT service level agreements (SLAs).

Beyond these impacts, failing to address vulnerabilities also undermines institutional trust and creates reputational risk. A consistent and timely remediation process is therefore not only a technical requirement, but a critical element of the University’s broader risk management strategy.

How can departments access vulnerability data?

Vulnerability scanning at UNM is performed on a continuous basis using centrally managed tools. Because enterprise and departmental systems are already included in scheduled internal and external scans, separate ad-hoc scan requests are rarely necessary.

Departments can access vulnerability data by:

Requesting access to the vulnerability management platform to view dashboards, scan results, and reports related to their systems.
Using ServiceNow to request assistance in interpreting scan results, developing remediation plans, or validating corrective actions.

To initiate a request, log in to the ServiceNow Customer Portal and search under the Cybersecurity Services category for:

Cybersecurity Application Access: request access to vulnerability management tooling.
Cybersecurity Application Support: request assistance with vulnerability management tools.
Cybersecurity Consulting: request assistance with developing remediation plans or validating corrective actions.

Eligibility: Access to vulnerability management tools and data is limited to University IT and cybersecurity staff, as determined by the requestor’s job classification and departmental affiliation.

NOTE: Once access to vulnerability management tools is granted, department IT staff assume responsibility for analyzing and reviewing scan results and reports pertaining to their designated areas.

Departments are expected to act on vulnerability data within the remediation timeframes defined by the University’s Vulnerability Management Program. ISPO may also perform follow-up scans to validate that identified issues have been resolved.

How do host naming conventions support vulnerability management?

Host naming conventions are an essential enabler of the University’s Vulnerability Management Program. By requiring standardized hostnames for endpoints, servers, IoT devices, and printers, the University ensures that every device on the network can be uniquely identified, tracked, and associated with the responsible service administrator.

Consistent hostnames support vulnerability management in several key ways:

Accurate asset inventory: Standardized names allow ISPO and departmental IT staff to maintain an authoritative inventory of devices. This ensures that all systems are included in scheduled vulnerability scans and that results can be tied to specific assets.
Consistent vulnerability scanning: Hostnames aligned to naming conventions enable automated tools to reliably detect, categorize, and report vulnerabilities. This reduces false positives, duplicate entries, and gaps in coverage.
Reliable remediation tracking: When findings are tied to predictable hostnames, remediation efforts can be monitored across device classes (e.g., endpoints, IoT, servers). This makes it easier to validate that fixes are applied consistently and within the required timeframes.
Institutional accountability: Service administrator designators embedded in hostnames make it clear which unit or department is responsible for remediation. This accountability is critical for timely resolution and for reporting to University leadership.

In short, host naming conventions are not just an IT housekeeping standard — they are a foundational control that enables effective vulnerability management, supports institutional compliance, and ensures that risk can be measured and managed across the University environment.

If you have questions or would like to provide feedback regarding this document, please use ServiceNow to submit a request to ensure your question or feedback is received and tracked.

Report an Incident

If you suspect that your NetID (i.e. LoboMail account) or a computer have been compromised and you need to know what to do, please see our FAQ

Abuse Report Form

- or -

Report Message: Junk

- or -

Report Message: Phishing

- or -

UNM ServiceNow

- or -

UNM EthicsPoint

For more information, visit our Contact Information page