
Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology
I. Statement
State of Maine employees shall use State owned/approved software and devices in the absence of a compelling reason to the contrary.
II. Purpose
This policy provides the leadership and guidance to executive branch agencies and others with regard to the use of software and IT devices, not owned or leased by the State, to be used for State’s business. The State of Maine conducts the majority of its business through software and IT devices. The use of non-approved software and IT devices can seriously jeopardize the security and confidentiality of important information of the State of Maine. This policy expands upon the State of Maine Information Technology Security Policy adopted by the Information Services Policy Board (ISPB) 12/19/2002, and replaces the Software Usage Policy adopted by the ISPB 12/2002.
1. State Executive Branch agencies are responsible for managing the use of non-state owned/approved software or devices for state business.
IV. Applicability
This policy is intended to govern the use of non-state owned/approved software or devices connected to the State of Maine wide area network by:
A. Executive Branch and semi-autonomous State agencies
B. Agencies from other Maine State government branches
C. Vendors conducting business with the State of Maine and
D. All other entities that host applications on devices operated by the OIT or other applications which traverse the State’s wide area and radio networks.
V. Responsibilities
A. Chief Information Officer (CIO) - Title 5, Maine Revised Statutes, Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies and standards for the implementation and use of information and telecommunications technologies,” et seq.
1. The CIO directs the Chief Technology Officer to implement the provisions of this policy.
B. In support of the above, the Chief Technology Officer will:
1. Establish the procedures to govern the use of software and IT devices, not owned or leased by the State, that are used for State’s business.
2. Create and manage an electronic procedures process for vendors, agency directors or designees to request permission for the use of software and IT devices, not owned or leased by the State.
3. Assure the process defined to implement the policy and procedures is in accordance with ALL State and OIT policies.
C. Agencies will:
1. Submit a request to use software and IT devices, not owned or leased by the State. See procedure associated with this policy.
2. Adhere to the procedures associated with this policy.
VI. Definitions
A. Non-State owned – For the purpose of this policy, the phrase “non-State owned” includes, but is not limited to, any equipment to be used for approved State business owned by
1. Maine State employees,
2. Vendors under contract with the State of Maine,
3. Political subdivisions of the State of Maine (e.g. counties, municipalities, and by extension their instrumentalities such as municipal fire departments, and regional agencies such as Public Safety Answering Points),
4. Federal government and
5. Others that access or store State of Maine information.
B. IT Device: For the purpose of this policy IT Devices are defined broadly, to include desktop computers as well as other technology devices used to transact business electronically.
C. Permitted Software - OIT permitted software is listed on OIT’s intranet site: http://inet.state.me.us/oit/services/index.html. See Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business for the process on adding software to the State’s permitted list.
D. agency director(s): For the purposes of this policy, the term “agency director(s)” refers to the agency policy influencing leaders identified in Maine Revised Statutes Annotated, Title 5 section 932 etc.
E. Semi-autonomous state agency: An agency created by an act of the Legislative Branch that is not a part of the Executive Branch. This term does not include the Legislative and Judicial Branches, Offices of the Attorney General, Secretary of State, State Treasurer and Audit Department.
VII. Reference
VIII. Document Information
A. Document Reference Number: 17
B. Category: Security and Privacy
D. Effective Date: 03/03/2008
E. Review Date: 03/03/2009
F. Point of Contact: Office of Information Technology: Mark Kemmerle, Enterprise Information Security Officer, telephone: 207-624-8892, and Karen Curtis, Director of Client Technologies Services, telephone 207-624-9508
G. Approved By: Richard B. Thompson, Chief Information Officer
H. Position Title(s) or Agency Responsible for Enforcement: Greg McNeal, Chief Technology Officer, telephone 207-624-9471
I. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973. Responsibilities of the Chief Information Officer, paragraph 1B “Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…”
J. Waiver Process: The CIO or his/her designee may authorize an exception on a case-by-case basis.
Apply for a waiver as follows:
Address an email to Richard B. Thompson and include as a CC: the Associate Chief Information Officer or the agency Agency Information Technology Officer. If you require assistance with determining the correct person, contact the CIO’s office at 624-8800.
Include the following in the email:
Document a compelling technical or business case that identifies the specific action and how it warrants exemption.
Include any supporting documentation you may have.
When a decision has been reached in granting or denying the waiver, the CIO will respond to the submitter, the AITD, and the following three designated people whose names are located on the policy/standard for which the waiver is being sought: Point of Contact, Approved By and Position Title(s) or Agency Responsible for Enforcement.