Maine State Government
Dept. of Administrative &
Office of Information Technology
Policy to Govern Information Security Risk Assessments of State
Computer Systems and to Ensure the Prompt Remediation of Deficiencies
State computer systems will
be assessed for security risks, and priority risks will be promptly addressed.
The purpose of this policy
is to document and clarify responsibilities and processes regarding security
assessment of computer devices, their operating systems, and their applications,
and subsequent remediation of deficiencies for all applicable information
systems. This policy expands upon the State of Maine Information Technology
Security Policy approved by the CIO January 6, 2009.
This policy applies to
agencies within the Executive Branch of Maine State government, and to all its
information systems irrespective of where they are hosted. This policy also
extends to those applications owned by all governmental branches and constitutional
offices that are hosted on computer devices
operated by the Office of Information Technology or traverse the State’s wide
A. Chief Information Officer (CIO) - The CIO is required
by Maine statutes to protect information owned by State agencies.
Specifically 5 M.R.S.A. Section 1982 paragraph 9 reads: “Protection of information files. The Chief Information Officer shall develop rules
regarding the safeguarding, maintenance and use of information files relating
to data processing, subject to the approval of the commissioner. The office is
responsible for the enforcement of those rules. All data files are the property
of the agency or agencies responsible for their collection and use.”
B. Enterprise Information Security Director - Under the
direction of the CIO, the Enterprise Information Security Director will
scheduled and random use of information security and risk assessment tools to
evaluate State computer devices, operating systems, and applications, including
websites, for risk vulnerability as it pertains to confidentiality, integrity
2. Coordinate the
application of risk assessment tools with the AITD of the agency which owns the
system, agency policy influencing leaders, web coordinator and/or webmaster and
the hosting organization in order to minimize disruptions to operations.
Whenever the Information Security Director feels the situation is of the
highest risk, these assessments may be conducted without notice.
a. OIT employees and contractors will protect
data supplied to evaluate risk, and will comply with all confidentiality
requirements of the agency, including signing any necessary agreements.
b. If OIT employees and contractors are able
to breach security while testing, they will not disclose any confidential or
personal data, or the source of the vulnerability without written authorization
of the Enterprise Information Security Officer.
3. Alert the Agency Information Technology
Director or the Chief Technology Officer
(CTO), and the policy influencing
leadership of the agency which owns the system, whenever a critical information
security deficiency is discovered.
4. Promptly provide
a report to the Agency Information Technology Director or CTO and policy influencing agency leadership and others. The Director
will work collaboratively with them to effect a remediation in a timely manner.
At his/her discretion, the Enterprise Information Security Director may remove
the computer device or application from service until a satisfactory remediation
5. Choose and use
all practical methods, tools and techniques to evaluate the security of the
State’s computer devices and the applications that run on them. These may
include, but are not limited to, tools that scan for common operating system
and application configuration and program vulnerabilities.
6. In concert with the
Chief Technology Officer and Agency Information Technology Directors, with
input from lead technical managers from the Legislative and Judicial branches,
establish and promulgate security vulnerability standards, procedures and best
practices governing computer applications, enterprise network systems and
7. Conduct security
assessments on all new major applications in accordance with the Application Deployment
8. Evaluate requests for exemption from this policy. These requests
must be received in writing and signed by the Agency Information Technology
Director or CTO. The request will
include business reasons justifying why the risk assessment methods, tools and
techniques should not be employed. The Enterprise Information Security Director
will decide each case on its merits, and appeals of his/her decision may be
made to the CIO
C. Agency Information Technology
(AITD). AITDs are accountable for their
agencies’ information technology security, both physical and logical. AITDs will
1. Implement risk
remediation findings required by the Enterprise Information Security Director.
2. Assist the
Enterprise Information Security Director in maintaining the State’s enterprise
3. Ensure all
germane requests for proposals (RFPs) and resulting contracts with vendors
contain language intended to enforce this policy and its standards.
4. Assess potential
risks in existing systems and determine which should be evaluated for
vulnerabilities and remediation.
D. OIT Employees Responsible for Systems Maintenance.
These employees are required to
1. Implement the
security vulnerability standards governing OIT’s applications, enterprise network
systems and operating systems.
2. Assist the
Enterprise Information Security Director in the conduct of his/her duties
regarding the implementation of this policy, its standards and procedures.
3. Regularly assess
security, and remediate vulnerabilities within their responsibilities.
4. Alert the
Enterprise Information Security Director and their direct supervisor of their
remediation actions, and highlight issues that they are not able to remediate.
5. Alert the
Enterprise Information Security Director and their direct supervisor whenever
they discover, or suspect, a security vulnerability beyond the scope of their
E. Contractors. All information technology contractors
must agree to recognize the State’s right to conduct vulnerability testing in
accordance with this policy.
1. Contractors must
agree to support this testing and collaborate with the State to implement
security remediation findings in applications for which they are responsible.
2. With respect to
systems implemented following the adoption of this policy, in accordance with
the terms of their contract(s), vendors must agree to provide a secure
environment for the hosting of the contracted application, to support periodic
vulnerability testing conducted by the State of Maine and/or its agents, and to
remediate significant security vulnerabilities in a timely manner for the term
of the contract.
F. State Employees. All State employees who suspect a breach
of security has occurred will contact the OIT Customer Solutions Center, who will inform the Enterprise Information Security Director. The Director will
promptly work collaboratively with appropriate AITDs and technical experts to
determine the appropriate course of action
V. Guidelines &
A. OIT will adopt and implement standards, procedures
and best practices to minimize the risk of security breaches within the goals
of this policy.
B. Lists of current critical application vulnerabilities
are maintained by standards organizations including: OWASP
(Top 10 list), SANS (Top 20
list) and the Web Application Security Consortium.
Organizations which currently track and publish the most critical operating
system security patches include Microsoft and Sun.
A. Computer Application - Application software
is a loosely defined subclass of computer software that employs the
capabilities of a computer directly to a task that the user wishes to perform.
This should be contrasted with system software that is involved in integrating
a computer's various capabilities, but typically does not directly apply them
in the performance of tasks that benefit the user. The term application
refers to both the application software and its implementation. For the
purposes of this policy websites are considered an application. Examples of
applications currently in use would include: MS Exchange, TAMS,
inet.state.me.us, www.maine.gov, IPHIS etc.
B. Computer Device – Computer device means an
electronic, magnetic, optical, electrochemical, or other high-speed data
processing device performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility directly related
to or operating in conjunction with such device. Common
examples currently in use include laptops, personal computers, servers,
networks, hand-held devices, etc.
For the purposes of this policy, personal
digital assistants (PDA), cell phones and enterprise infrastructure components
(e.g. routers, switches, smart hubs, firewalls, DNS/DHCP appliances etc.) are considered
C. Operating System – The basic software used on
Computer Devices that acts as an interface between the computer hardware and
any applications used on that hardware. Operating systems often have
vulnerabilities or flaws that can be exploited by automated or manual methods,
and must be assessed for these vulnerabilities.
Security – The definition of information
security means the preservation of confidentiality, integrity, and availability
- Ensuring that information is accessible only to authorized users
2. Integrity -
Safeguarding the accuracy and completeness of information and processing
3. Availability -
Ensuring that authorized users have access to information and associated assets
E. Information Security Deficiency – A weakness in an
agency’s overall information systems security program or management control
structure, or within one or more information systems that significantly
restricts the capability of an agency to carry out its mission or compromises
the security of its information, information systems, personnel, or other
resources, operations, or assets.
F. Information Security Incident or Breach – An event that results in unauthorized access,
loss, disclosure, modification or destruction of information resources whether
accidental or deliberate.
G. Security Assessment – Assessment of threats to, impacts on, and vulnerabilities of
information and information processing facilities. Vulnerability tools
discover and assess compliance with vulnerability standards of national
organizations that track application system and operating system
Department of Administrative and
Financial Services Information Services Security Policy 12/2002 in listing of
IT policies, standards and procedures: http://www.maine.gov/oit/policies/index.shtml
OIT Security Policy 2002 in listing of
IT policies, standards and procedures: http://www.maine.gov/oit/policies/index.shtml
Document Reference Number: 6
Category: Security, Applications and
Adoption Date: December 18, 2006
Effective Date: February 9, 2009
Review Date: December 18, 2010
Point of Contact: Mark Kemmerle,
Enterprise Information Security Director, Office of Information Technology,
Approved By: Richard B. Thompson, Chief
Position Title(s) or Agency Responsible
for Enforcement: Mark Kemmerle, Enterprise Information SecurityDirector,
Office of Information Technology, 207-624-8892
Legal Citation: Title
17-A: MAINE CRIMINAL CODE Part
2: SUBSTANTIVE OFFENSES, Chapter
18: COMPUTER CRIMES and
5: ADMINISTRATIVE PROCEDURES AND SERVICES Part
4: FINANCE Chapter
163: OFFICE OF INFORMATION TECHNOLOGY. Section 1982
Waiver Process (if applicable):
alskdfjasldkfj The CIO or his/her designee may authorize an exception on a
Apply for a waiver as follows:
an email to Richard B. Thompson and include as a CC: the Associate Chief
Information Officer or the agency Agency Information Technology Officer. If you require assistance with determining the
correct person, contact the CIO’s office at 624-8800.
the following in the email:
Document a compelling technical or business case that
identifies the specific action
and how it warrants exemption.
Include any supporting documentation you may have.
When a decision has been
reached in granting or denying the waiver, the CIO will respond to the
submitter, the AITD, and the following three designated people whose names are
located on the policy/standard for which the waiver is being sought: Point of
Contact, Approved By and Position Title(s) or Agency Responsible for