Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

 

 

Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business

 

I. Statement

State agencies will comply with the procedures associated with the use of non-state owned/approved software or devices for state business.

II. Purpose

A. The purpose of this procedure is to govern the approval and use of non-state owned/approved software and devices.

B. The State of Maine Office of Information Technology (OIT) establishes the conditions by which the assets may be configured, upgraded, maintained and supported, as billable services, in order to minimize security risks to the State’s network or data sources.

III. Guidelines

A. The OIT Director of Client Technologies will, at her/his discretion, evaluate non-State owned software and IT devices for functionality of interfacing with State of Maine desktop configurations, compliance with OIT network security, and other relevant standards.

1. OIT support of non-State software or IT devices will be limited to basic troubleshooting from the Customer Support Center and Network Services to assure interoperability with the desktop computer. Should higher level troubleshooting or on-site service be required, OIT will refer the service request to the agency director, who will be responsible for approval of further troubleshooting.

2. Should the device under review be used in conjunction with the State’s radio network, the Customer Support Center will notify the Director of Radio Services, who may, at her/his discretion, oversee the remediation.

3. State OIT policies that have governance over and impact any request include, but are not limited to, the State of Maine Information Technology Security Policy, the DAFS and other Departmental Security Policies, the Computer Virus Policy, Wide Area Network Security Policy, Policy to Safeguard Information on Portable Computing and Storage Devices, and the Policy to Govern PKI Security Requirements.

 

B. Agency director(s) or designee

1. Will receive the electronic request for the use of non-State owned software and IT devices and will process this request on behalf of their employee(s) and vendor(s) if the agency feels it is in the best interest of the State to approve the request.

2. Will become financially responsible for:

a. Initial fees associated with preparing the IT device for use in a manner which safeguards the State’s networks and data, comparable to State owned devices,
b. Ongoing service connect fees/rates for IT devices as though the device was State owned and
c. Subsequent OIT upgrade/maintenance fees to ensure the IT device continues to comply with State standards.

3. Will alert their Agency Information Technology Director (AITD) and OIT’s Director of Radio Services should the installation of ancillary equipment reduce the ‘receive’ and ‘transmit’ quality of radios, which can happen if installed without proper engineering.

C. Users of non-State owned/approved software or devices who receive permission from their State agency to use non-State owned/approved software and devices:

1. Understand that all State technology policies, standards and procedures are applicable to the use of non-State owned/approved software and devices.

2. Relinquish their privilege to Workers Compensation claims of injury, which could result from the use of non-State owned/approved software or devices used for conducting State business.

3. Acknowledge that OIT may suspend service to these IT devices at its discretion, and cease ongoing connect rate/fee billing to their agency.

4. May withdraw from using the State’s network at any time.  These individuals are required to notify the Customer Support Center whenever they no longer wish to use their personally owned software or devices for State purposes.

5. Acknowledge that they agree to be bound by and adhere to ALL State and OIT policies.

 

IV. Applicability

A. This procedure is intended to manage the approval and use of non-state owned/approved software and devices connected to the State of Maine wide area network by

1. Vendors and employees of agencies within the Executive Branch and semi-autonomous State agencies

2. Vendors, all governmental branches and constitutional offices that host applications on devices operated by the OIT or traverse the State’s networks.

V. Responsibilities

A. The Chief Information Officer (CIO) is responsible for the development, implementation and monitoring of statewide standards. The CIO is responsible for approving all fee schedules associated with this procedure.

B. The OIT Director of Client Technologies will provide an electronic system for agencies to electronically submit their requests for the use of non-state owned/approved software and devices.

C. Agency director(s) or their designees will be responsible for approving the request for the use of non-state owned/approved software and devices.

D. The Agency Information Technology Director (AITD) and the OIT Director of Client Technologies Services will be included in the information exchange regarding this request for the use of non-state owned/approved software and devices. Should the AITD or the Director of Client Technologies find concern with the agency director’s decision, it is the AITD’s responsibility to intervene in the process.

E. The OIT Enterprise Information Security Director is responsible for assuring that the process defined to implement the policy and procedures is in accordance with ALL State and OIT policies.

 

VI. Definitions

A. Non-State owned – For the purpose of this policy, the phrase “non-State owned” includes, but is not limited to, any equipment to be used for approved State business owned by

1. Maine State employees,

2. Vendors under contract with the State of Maine,

3. Political subdivisions of the State of Maine (e.g. counties, municipalities, and by extension their instrumentalities such as municipal fire departments, and regional agencies such as Public Safety Answering Points) and

4. Federal government.

B. IT Device: For the purpose of this policy IT Devices are defined broadly, to include desktop computers as well as other technology devices used to transact business electronically. 

C. Permitted Software - OIT permitted software is listed on OIT’s intranet site: http://inet.state.me.us/oit/services/index. See State of Maine Procedure Governing the Use of Non-State Owned/Approved Software or Devices for State Business for the process on adding software to the State’s permitted list.

D. Agency director(s) – For the purposes of this policy, the term “agency director(s)” refers to the agency policy-influencing leaders identified in Maine Revised Statutes Annotated, Title 5 section 932 etc.

E. Semi-autonomous state agency: An agency created by an act of the Legislative Branch that is not a part of the Executive Branch. This term does not include the Legislative and Judicial Branches, Offices of the Attorney General, Secretary of State, State Treasurer and Audit Department.

 

VII. References

A. Policy Governing the Use of Non-State Owned/Approved Software and Devices for State Business

VIII. Document Information

A. Document Reference Number: 18

B. Category:  Security and Privacy

C. Adoption Date: 03/03/2008

D. Effective Date: 03/03/2008

E. Review Date: 03/03/2009

F. Point of Contact: Office of Information Technology: Mark Kemmerle, Enterprise Information Security Officer, telephone: 207-624-8892, and Karen Curtis, Director of Client Technologies Services, telephone 207-624-9508

G. Approved By: Richard B. Thompson, Chief Information Officer

H. Position Title(s) or Agency Responsible for Enforcement: Greg McNeal, Chief Technology Officer, telephone 207-624-9471

I. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973. Responsibilities of the Chief Information Officer, paragraph 1B: “Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…”

J. Waiver Process: The CIO or his/her designee may authorize an exception on a case-by-case basis.

Apply for a waiver as follows:

Address an email to Richard B. Thompson and include as a CC: the Associate Chief Information Officer or the Agency Information Technology Officer. If you require assistance with determining the correct person, contact the CIO’s office at 624-8800.

Include the following in the email:

Document a compelling technical or business case that identifies the specific action and how it warrants exemption.

Include any supporting documentation you may have.

 

When a decision has been reached in granting or denying the waiver, the CIO will respond to the submitter, the AITD, and the following three designated people whose names are located on the policy/standard for which the waiver is being sought: Point of Contact, Approved By and Position Title(s) or Agency Responsible for Enforcement.