Maine State Government
Dept. of Administrative & Financial
Office of Information Technology
Adoption of a Policy, Standard or
This document establishes standardized methods for adopting,
formatting, reviewing and updating Information Technology (IT) policies,
standards and procedures (abbreviated as P/S/P).
The Purpose is to define a procedure for the drafting,
vetting, and adoption of regulations pertaining to IT and to demonstrate the
preferred format to be used.
The Approval and
Revision Process for IT Policies, Standards, or Procedures is outlined below.
Conception: The Associate CIO will accept and review
suggestions for a new or amended policy. The Chief Technology Officer
will accept and review suggestions for a new or amended standard/procedure. At
their discretion, the Associate CIO and the Chief Technology Officer may decide
to abbreviate the following process in order to expedite the adoption of a
P/S/P as circumstances require. If the Associate CIO or the Core Technology
declines to initiate an adoption/revision process, the originator may appeal to
the Chief Information Officer (CIO).
Foundation: The Associate CIO and the Chief Technology
Officer will assign Office of the CIO management staff to lead, facilitate or
monitor these efforts. Office of the CIO management staff will initially work
with the originator to document the need and scope of the P/S/P. If applicable,
a broadly advertised formal notice of intent to adopt or amend a P/S/P in X
content area may be extended to invite appropriate decision makers,
stakeholders, experts, users or others to participate. This notice will invite
comments regarding the content area of the P/S/P and seek volunteers to join a
working team. The CIO may waive this comment period.
Team Formed: Based upon feedback, the Office of the CIO
management staff will form a working team. The Associate CIO and Chief
Technology Officer may assign members to a working team. The working team will
determine the required comment period and procedure abbreviations (if any) and
ensure a sponsor has been designated.
Drafting: The Team will research and prepare a draft
P/S/P which will include an impact assessment and a sunset or re-evaluation
date. Policies will include language designating which organizations/positions
are responsible for developing implementation procedures and enforcing the
policy. Procedures and standards will incorporate similar language regarding
Communication: The Associate CIO and the Chief
Technology Officer will communicate regularly to OIT leadership on P/S/P
development. It will be the responsibility of the leadership to communicate
this information and provide feedback on behalf of the groups and functions
they represent within the timelines required by the working team. The final draft
Policy will be presented to the Associate Chief Information Officer for review
and comment. The Associate Chief Information Officer will present the final
document to the Chief Information Officer. The final draft
of the S/P will be presented to the Chief Technology Officer for review and
comment. The Chief Technology Officer will present the S/P to the Chief Information
Officer at her/his discretion.
CIO Council – IT Leadership: The Associate CIO (or
designated working team representative) will present the final draft and the
impact of the proposed Policy. The Chief Technology Officer (or designated
working team representative) will present the final draft S/P to the CIO
Council – IT Leadership at her/his discretion. The CIO Council – IT Leadership
will discuss and make recommendations.
IT Executive Committee (ITEC) Recommendations: The
Associate CIO (or designated working team representative) will present the
final draft and the impact of the proposed Policy. The Chief Technology Officer
will present the final draft S/P to the ITEC at her/his discretion. The ITEC
will discuss and make recommendations.
CIO Decision: The Associate CIO will provide the policy
draft and the ancillary documents, if required, to the CIO for an adoption
decision. At the CIO’s discretion, a
policy and/or an S/P may be returned to any of the above groups for further
comment and/or revision.
This process applies to Information Technology policies,
standards, and procedures.
Compliance - All staff engaged in operations, analysis
or actions subject to a P/S/P are responsible for becoming familiar, and
complying, with the contents of the P/S/P(s).
Supervisors are responsible for incorporating standard operating
procedures to ensure their staffs are familiar with, and adhere to, the P/S/P affecting
their program functions.
Review - At his/her discretion, the CIO may initiate an
effectiveness review of any existing P/S/P.
The format to be used
for IT Policies, Standards and Procedures is outlined below.
Categories: Policies and their standards/procedures
will be assigned to one of the following categories:
Application – includes system/application development and
Computer Environment and Platform – includes enterprise
software and hardware platforms
General / Governance
Information and Data
Middleware and Integration
Internet, Network and Transport – includes network,
telecommunications and electronic mail
Security and Privacy
Content (a “Sample Copy” of the “Template” to be used
is included as Attachment 1)
Heading 1 = Title of P/S/P
Indented on left margin from Heading 1, Heading 2 is Roman
Numerals (I – VII)
Indented on left margin from Heading 2, Heading 3 is Capital
Indented on left margin from Heading 3, Heading 4 is Numbers
followed by a period
Indented on left margin from Heading 4, Heading 5 is a small letter followed by a period
Indented on left margin from Heading 5, Heading 6 is a small letter
enclosed in parentheses
Document Information (as appropriate) will be included
for each policy, standard, and procedure as noted below:
Document Reference Number:
(assigned by OCIO)
Point of Contact:
Position Title(s) or Agency Responsible for Enforcement:
Associate CIO - The term Associate CIO refers to the Associate to the CIO within the
Department of Administrative and Financial Services. See Guidelines and Procedures (A-B) for
details of the responsibilities of the Associate CIO as they relate to the
development or review of IT P/S/P(s).
Chief Information Officer (CIO) - The term Chief Information Officer refers to the
CIO, the chief administrative officer of the Office of Information Technology
within the Department of Administrative and Financial Services.
Chief Technology Officer – The term Chief Technology Officer refers to the role
within the Department of Administrative and Financial Services responsible for
all core technology services for the State of Maine.
Commissioner - The term Commissioner refers to the Commissioner of the Department of
Administrative and Financial Services, a State administrative agency.
Policy - A policy is a statement of direction with respect to the planning and
management of information technology approved by the Chief Information Officer
of the State of Maine.
Standard - A standard is a specific approach, solution, methodology, product, or
protocol that must be adhered to for establishing uniformity.
Standard Operating Procedure - The term Standard Operating Procedure (SOP) is the
description of a prescribed method that must be used by Office of Information
Technology staff to develop or review policies, standards, or procedures. SOPs are not appropriate to describe
procedures or requirements that apply to members of the public, other than
persons acting as agents of, or under contract with, the Maine OIT.
Document Reference Number: 1
2. Category: General / Governance
Date: May 9, 2006
Date: May 9, 2006
Date: May 9, 2008
Point of Contact: Kathy Record, Associate
CIO, Office of Information Technology (Voice: 624-9502)
By: Richard B. Thompson, Chief
Position Title(s) or Agency Responsible for Enforcement:
Kathy Record, Associate CIO, Office of Information Technology; Greg
McNeal, Chief Technology Officer, Office of Information Technology.