
Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology
Procedure for the Use of
Non-State Owned/Approved Software and Devices for State Business
I. Statement
State agencies will comply with the procedures associated
with the use of non-state owned/approved software or devices for state
business.
II. Purpose
A. The
purpose of this procedure is to govern the approval and use of non-state
owned/approved software and devices.
B. The State
of Maine Office of Information Technology (OIT) establishes the conditions by
which the assets may be configured, upgraded, maintained and supported, as
billable services, in order to minimize security risks to the State’s network
or data sources.
III. Guidelines
A. The OIT
Director of Client Technologies will, at her/his discretion, evaluate non-State
owned software and IT devices for functionality of interfacing with State of
Maine desktop configurations, compliance with OIT network security, and other
relevant standards.
1. OIT support of non-State
software or IT devices will be limited to basic troubleshooting from the Customer Support Center and Network Services to assure interoperability with the desktop
computer. Should higher-level troubleshooting or on-site service be required,
OIT will refer the service request to the agency director, who will be
responsible for approval of further troubleshooting.
2. Should the device under
review be used in conjunction with the State’s radio network, the Customer Support Center will notify the Director of Radio Services, who may, at her/his
discretion, oversee the remediation.
3. State OIT policies that have
governance over and impact any request include, but are not limited to, the State
of Maine Information Technology Security Policy, the DAFS and other Departmental
Security Policies, the Computer Virus Policy, Wide Area Network Security
Policy, Policy to Safeguard Information on Portable Computing and Storage
Devices, and the Policy to Govern PKI Security Requirements.
B. Agency
director(s) or designee
1. Will receive the electronic
request for the use of non-State owned software and IT devices and will
process this request on behalf of their employee(s) and vendor(s) if the agency
feels it is in the best interest of the State to approve the request.
2. Will become financially
responsible for:
a. Initial fees associated with preparing the IT
device for use in a manner which safeguards the State’s networks and data,
comparable to State owned devices,
b. Ongoing service connect fees/rates for IT
devices as though the device were State owned, and
c. Subsequent OIT upgrade/maintenance fees to
ensure the IT device continues to comply with State standards.
3. Will alert their Agency Information
Technology Director (AITD) and OIT’s Director of Radio Services should the
installation of ancillary equipment reduce the ‘receive’ and ‘transmit’ quality
of radios, which can happen if installed without proper engineering.
C. Users of non-State owned/approved software or devices who receive
permission from their State agency to use non-State owned/approved software and
devices:
1. Understand that all
State technology policies, standards and procedures are applicable to the use
of non-State owned/approved software and devices.
2. Relinquish their
privilege to Workers Compensation claims of injury, which could result from the
use of non-State owned/approved software or devices used for conducting State
business.
3. Acknowledge that OIT may
suspend service to these IT devices at its discretion, and cease ongoing
connect rate/fee billing to their agency.
4. May withdraw from using
the State’s network at any time. These individuals are required to notify the Customer Support Center whenever they no longer wish to use their personally owned software
or devices for State purposes.
5. Acknowledge that they agree to
be bound by and adhere to ALL State and OIT policies.
IV. Applicability
A. This procedure
is intended to manage the approval and use of non-state owned/approved software
and devices connected to the State of Maine wide area network by
1. Vendors and employees of
agencies within the Executive Branch and semi-autonomous State agencies
2. Vendors, all
governmental branches and constitutional offices that host applications on
devices operated by the OIT or traverse the State’s networks.
V. Responsibilities
A. The Chief
Information Officer (CIO) is responsible for the development, implementation
and monitoring of statewide standards. The CIO is responsible for approving all
fee schedules associated with this procedure.
B. The OIT
Director of Client Technologies will provide an electronic system for agencies
to submit their requests for the use of non-state owned/approved software and
devices.
C. Agency
director(s) or their designees will be responsible for approving the request
for the use of non-state owned/approved software and devices.
D. The Agency
Information Technology Director (AITD) and the OIT Director of Client
Technologies Services will be included in the information exchange regarding
this request for the use of non-state owned/approved software and devices. Should
the AITD or the Director of Client Technologies find concern with the agency
director’s decision, it is the AITD’s responsibility to intervene in the
process.
E. The OIT Enterprise Information Security Director is
responsible for assuring that the process defined to implement the policy and
procedures is in accordance with ALL State and OIT policies.
VI. Definitions
A. Non-State
owned – For the purpose of this policy, the phrase “non-State owned” includes,
but is not limited to, any equipment to be used for approved State business
owned by
1. Maine State employees,
2. Vendors under contract
with the State of Maine,
3. Political subdivisions
of the State of Maine (e.g. counties, municipalities, and by extension their
instrumentalities such as municipal fire departments, and regional agencies
such as Public Safety Answering Points) and
4. Federal government.
B. IT Device:
For the purpose of this policy IT Devices are defined broadly, to include
desktop computers as well as other technology devices used to transact business
electronically.
C. Permitted
Software - OIT permitted software is listed on OIT’s intranet site: http://inet.state.me.us/oit/services/index.
See State of Maine Procedure Governing the Use of Non-State Owned/Approved
Software or Devices for State Business for the process on adding software to the
State’s permitted list.
D. Agency
director(s) – For the purposes of this policy, the term “agency director(s)”
refers to the agency policy-influencing leaders identified in Maine Revised
Statutes Annotated, Title 5 section 932 etc.
E. Semi-autonomous
state agency: An agency created
by an act of the Legislative Branch that is not a part of the Executive Branch.
This term does not include the Legislative and Judicial Branches, Offices of
the Attorney General, Secretary of State, State Treasurer and Audit Department.
VII. References
VIII. Document Information
A. Document
Reference Number: 18
B. Category:
Security and Privacy
C. Adoption
Date: 03/03/2008
D. Effective
Date: 03/03/2008
E. Review
Date: 03/03/2009
F. Point of
Contact: Office of Information Technology: Mark Kemmerle, Enterprise
Information Security Officer, telephone: 207-624-8892, and Karen Curtis,
Director of Client Technologies Services, telephone 207-624-9508
G. Approved
By: Richard B. Thompson, Chief Information Officer
H. Position
Title(s) or Agency Responsible for Enforcement: Greg McNeal, Chief Technology
Officer, telephone 207-624-9471
I. Legal
Citation: 5 M.R.S.A. Chapter 163 §
1973. Responsibilities of the Chief Information Officer, paragraph 1B “Set policies and standards for the implementation
and use of information and telecommunications technologies, including privacy
and security standards…”
J. Waiver Process:
Waiver requests must be submitted
electronically to the Chief Information Officer.