Skip Maine state header navigation
Dept. of Administrative & Financial Services
Office of Information Technology
Any computer infrastructure must undergo a battery of tests to determine if it is suitable to be deployed into production. Based on the test results, the Chief Information Officer (CIO) makes the final determination whether or not this infrastructure should be placed into production.
While applications constitute the more visible components of I.T. from the customer perspective, applications cannot exist without a robust infrastructure foundation. A decisive part of the stability, reliability, scalability, security, and performance of an application is dictated by the underlying infrastructure. Therefore, it is extremely important to thoroughly vet any infrastructure before it is deployed into production. This policy establishes a uniform and objective battery of tests that enables the CIO to evaluate the suitability of an infrastructure to be deployed into production. A direct benefit of this policy is that it leads to pre-certified infrastructure that does not need to be vetted any further on a per-application basis.
This policy applies both to new infrastructure as well as modifications to existing infrastructure. Its scope is limited to infrastructure operated by the Office of Information Technology.
1. Operating Test: Ensures proper functioning of the infrastructure.
2. Security Test: Ensures the confidentiality, integrity, and availability of the infrastructure.
3. Backup and Recovery Tests: Ensures disaster recovery and planned rollback of the infrastructure.
1. Operating Test: The infrastructure must operate as stated by its vendor, be it the original equipment manufacturer or the value-added reseller. All features listed by the vendor that are relevant to the State should be thoroughly tested in order to ensure that they indeed deliver as expected. For any feature that is relevant to the State, any compliance statement from the vendor is not relevant for this purpose.
2. Security Test: The infrastructure must ensure the highest levels of Confidentiality (No unauthorized access), Integrity (No tampering), and Availability (No denial-of-service). It must not compromise any data or workflow that either resides on it, or transits through it. It must support encryption, should the data or the workflow that is either in residence or transit merit encryption. A full vulnerability assessment and penetration test must be performed on the infrastructure. At a minimum, such an assessment should include hardened configuration, strong credentials, vetted access control lists, log mining, forensic auditing, integrity checks, and simulated denial-of-service attacks. All devices must have the latest, preferably hardened, operating system, anti-viral, anti-hacker, anti-spam, anti-spyware, and anti-malware utilities. Where relevant, the device should also have the most aggressive intrusion-detection and firewall protection. The Enterprise Security Office will provide further guidance on this item, as needed.
3. Backup and Recovery Tests: Two distinct tests must be performed as part of backup and recovery. The first is to restore the current state, or as close to it as possible, from the backup media in order to simulate recovery from a disaster. The second is to rollback the infrastructure to a previous state from archived media in order to simulate recovery from a disastrous upgrade, a series of flawed transactions, etc.
1. Document Reference Number: 39
2. Category: Infrastructure: Computer Environment and Platform
3. Adoption Date: March 14, 2011
4. Effective Date: March 14, 2011
5. Revision Date: March 14, 2013
Point of Contact: B. Victor Chakravarty,
Approved By: Greg McNeal, Acting Chief Information
Officer, State House Station #145,
Position Title(s) or Agency Responsible for
Enforcement: David W. Maxwell, Director, Project Management Office, Office of
Information Technology, State House Station #145,
9. Legal Citation: 5 M.R.S.A. Chapter 163 Section 1973 paragraphs B and D, which read in part, “The Chief Information Officer shall: “Set policies and standards for the implementation and use of information and telecommunications technologies…” and “Identify and implement information technology best business practices and project management.”