Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

Policy Governing the Use of Non-State Owned/Approved Software and Devices for State Business

I. Statement

State of Maine employees shall use State owned/approved software and devices in the absence of a compelling reason to the contrary.

II. Purpose

This policy provides leadership and guidance to executive branch agencies and others on the use, for State business, of software and IT devices not owned or leased by the State. The State of Maine conducts the majority of its business through software and IT devices. The use of non-approved software and IT devices can seriously jeopardize the security and confidentiality of important State of Maine information. This policy expands upon the State of Maine Information Technology Security Policy adopted by the Information Services Policy Board (ISPB) on 12/19/2002, and replaces the Software Usage Policy adopted by the ISPB in 12/2002.

III. Guidelines & Procedures

1. State Executive Branch agencies are responsible for managing the use of non-state owned/approved software or devices for state business.

2. The procedure and guidelines for meeting the requirements of this policy are located in the Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business document created to accompany this policy.

IV. Applicability

This policy is intended to govern the use of non-state owned/approved software or devices connected to the State of Maine wide area network by

A. Executive Branch and semi-autonomous State agencies

B. Agencies from other Maine State government branches

C. Vendors conducting business with the State of Maine and

D. All other entities that host applications on devices operated by the OIT or other applications which traverse the State’s wide area and radio networks.

V. Responsibilities

A. Chief Information Officer (CIO) - Title 5, Maine Revised Statutes, Chapter 163 §1973, Section 1, Paragraph B authorizes the CIO to “set policies and standards for the implementation and use of information and telecommunications technologies,” et seq.

1. The CIO directs the Chief Technology Officer to implement the provisions of this policy.

B. In support of the above, the Chief Technology Officer will:

1. Establish the procedures to govern the use of software and IT devices, not owned or leased by the State, that are used for State business.

2. Create and manage an electronic procedures process for vendors, agency directors or designees to request permission for the use of software and IT devices, not owned or leased by the State.

3. Assure the process defined to implement the policy and procedures is in accordance with ALL State and OIT policies.

 

C. Agencies will:

1. Submit a request to use software and IT devices, not owned or leased by the State.  See procedure associated with this policy.

2. Adhere to the procedures associated with this policy.

VI. Definitions

A. Non-State owned – For the purpose of this policy, the phrase “non-State owned” includes, but is not limited to, any equipment to be used for approved State business owned by

1. Maine State employees,

2. Vendors under contract with the State of Maine,

3. Political subdivisions of the State of Maine (e.g. counties, municipalities, and by extension their instrumentalities such as municipal fire departments, and regional agencies such as Public Safety Answering Points),

4. Federal government and

5. Others that access or store State of Maine information.

B. IT Device: For the purpose of this policy IT Devices are defined broadly, to include desktop computers as well as other technology devices used to transact business electronically. 

C. Permitted Software - OIT permitted software is listed on OIT’s intranet site: http://inet.state.me.us/oit/services/index.html . See Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business for the process on adding software to the State’s permitted list.

D. Agency director(s): For the purposes of this policy, the term “agency director(s)” refers to the agency policy-influencing leaders identified in Maine Revised Statutes Annotated, Title 5 section 932 etc.

E. Semi-autonomous state agency: An agency created by an act of the Legislative Branch that is not a part of the Executive Branch. This term does not include the Legislative and Judicial Branches, Offices of the Attorney General, Secretary of State, State Treasurer and Audit Department.

VII. Reference

A. Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business

 

VIII. Document Information

A. Document Reference Number: 17

B. Category:  Security and Privacy

C. Adoption Date:  03/03/2008

D. Effective Date: 03/03/2008

E. Review Date: 03/03/2009

F. Point of Contact: Office of Information Technology: Mark Kemmerle, Enterprise Information Security Officer, telephone: 207-624-8892, and Karen Curtis, Director of Client Technologies Services, telephone 207-624-9508

G. Approved By: Richard B. Thompson, Chief Information Officer

H. Position Title(s) or Agency Responsible for Enforcement:  Greg McNeal, Chief Technology Officer, telephone 207-624-9471

I. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973. Responsibilities of the Chief Information Officer, paragraph 1B: “Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…”

J. Waiver Process:  The CIO or his/her designee may authorize an exception on a case-by-case basis.

Apply for a waiver as follows:

Address an email to Richard B. Thompson and include as a CC: the Associate Chief Information Officer or the Agency Information Technology Officer. If you require assistance with determining the correct person, contact the CIO’s office at 624-8800.

Include the following in the email:

Document a compelling technical or business case that identifies the specific action and how it warrants exemption.

Include any supporting documentation you may have.

 

When a decision has been reached in granting or denying the waiver, the CIO will respond to the submitter, the AITD, and the following three designated people whose names are located on the policy/standard for which the waiver is being sought: Point of Contact, Approved By and Position Title(s) or Agency Responsible for Enforcement.