Dept. of Administrative & Financial
Services
Office of Information Technology
Any computer infrastructure must undergo a battery of tests to determine if it is suitable to be deployed into production. Based on the test results, the Chief Information Officer (CIO) makes the final determination whether or not this infrastructure should be placed into production.
While applications constitute the more visible components of I.T. from the customer perspective, applications cannot exist without a robust infrastructure foundation. A decisive part of the stability, reliability, scalability, security, and performance of an application is dictated by the underlying infrastructure. Therefore, it is extremely important to thoroughly vet any infrastructure before it is deployed into production. This policy establishes a uniform and objective battery of tests that enables the CIO to evaluate the suitability of an infrastructure to be deployed into production. A direct benefit of this policy is that it leads to pre-certified infrastructure that does not need to be vetted any further on a per-application basis.
This policy applies both to new infrastructure as well as modifications to existing infrastructure. Its scope is limited to infrastructure operated by the Office of Information Technology.
1. Operating Test: Ensures proper functioning of the infrastructure.
2. Security Test: Ensures the confidentiality, integrity, and availability of the infrastructure.
3. Backup and Recovery Tests: Ensure disaster recovery and planned rollback of the infrastructure.
1. Operating Test: The infrastructure must operate as stated by its vendor, be it the original equipment manufacturer or the value-added reseller. All vendor-listed features that are relevant to the State must be thoroughly tested to confirm that they deliver as expected. For any such feature, a vendor's compliance statement is not a substitute for this testing.
2. Security Test: The infrastructure must ensure the highest levels of Confidentiality (no unauthorized access), Integrity (no tampering), and Availability (no denial of service). It must not compromise any data or workflow that either resides on it or transits through it. It must support encryption wherever the data or workflow in residence or in transit merits encryption. A full vulnerability assessment and penetration test must be performed on the infrastructure. At a minimum, such an assessment should cover hardened configuration, strong credentials, vetted access control lists, log mining, forensic auditing, integrity checks, and simulated denial-of-service attacks. All devices must run the latest, preferably hardened, operating system and the latest anti-virus, anti-intrusion, anti-spam, anti-spyware, and anti-malware utilities. Where relevant, the device should also have the most aggressive intrusion-detection and firewall protection available. The Enterprise Security Office will provide further guidance on this item as needed.
3. Backup and Recovery Tests: Two distinct tests must be performed as part of backup and recovery. The first is to restore the current state, or as close to it as possible, from the backup media in order to simulate recovery from a disaster. The second is to roll the infrastructure back to a previous state from archived media in order to simulate recovery from a disastrous upgrade, a series of flawed transactions, or similar events.
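The integrity checks called for under the Security Test and the two restore tests above both need an objective way to say whether what came off the backup or archive media matches what was there before. The following script is an added example, not part of this policy or of any State tooling: it records a SHA-256 manifest of every regular file under a tree before the backup, then compares a fresh manifest after the restore and reports files that are missing, added, or changed. The file names and contents in `demo()` are constructed for illustration only.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large images do not sit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped on purpose: a restore that turns a file into a link
    pointing elsewhere should show up as 'missing', not as a matching hash.
    """
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the pre-backup baseline; keep this copy off the system being backed up."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare_manifests(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the baseline and the post-restore tree."""
    missing = sorted(k for k in expected if k not in actual)
    extra = sorted(k for k in actual if k not in expected)
    modified = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {"missing": missing, "extra": extra, "modified": modified}


def restore_is_clean(report: dict[str, list[str]]) -> bool:
    """True only when nothing is missing, added, or altered."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then simulate a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")  # hypothetical content
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("listen=443\n")

        baseline_path = root / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)
        baseline = load_manifest(baseline_path)
        baseline_path.unlink()  # the manifest itself is not part of the protected tree

        # Simulated bad restore: one file altered, one lost, one stray file introduced.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "app.conf").unlink()
        (root / "stray.tmp").write_text("leftover")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("restore clean:", restore_is_clean(report))
```

In practice the baseline manifest is written before the backup job runs and stored somewhere the restore cannot overwrite, so that a restore which silently drops or alters files fails the test rather than validating against its own output. The same comparison serves the rollback test: build the manifest from the archived state, restore it, and diff.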
1. Document Reference Number: 39
2. Category: Infrastructure: Computer Environment and Platform
3. Adoption Date: March 14, 2011
4. Effective Date: March 14, 2011
5. Revision Date: March 14, 2013
6. Point of Contact: B. Victor Chakravarty,
7. Approved By: Greg McNeal, Acting Chief Information Officer, State House Station #145,
8. Position Title(s) or Agency Responsible for Enforcement: David W. Maxwell, Director, Project Management Office, Office of Information Technology, State House Station #145,
9. Legal Citation: 5 M.R.S.A. Chapter 163 Section 1973 paragraphs B and D, which read in part, "The Chief Information Officer shall: "Set policies and standards for the implementation and use of information and telecommunications technologies…" and "Identify and implement information technology best business practices and project management."
10. Waiver Process: See the Waiver Policy[4].