
Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology
Procedure for the Use of Non-State Owned/Approved Software and Devices for State Business
I. Statement
State agencies will comply with the procedures associated with the use of
non-state owned/approved software or devices for state business.
II. Purpose
A. The purpose of this procedure is to govern the approval
and use of non-state owned/approved software and devices.
B. The State of Maine Office of Information Technology
(OIT) establishes the conditions by which the assets may be configured,
upgraded, maintained and supported, as billable services, in order to minimize
security risks to the State’s network or data sources.
III. Guidelines
A. The OIT Director of Client Technologies will, at
her/his discretion, evaluate non-State owned software and IT devices for
functionality of interfacing with State of Maine desktop configurations,
compliance with OIT network security, and other relevant standards.
1. OIT support of non-State software or IT devices will be limited to basic
troubleshooting from the Customer Support Center and Network Services to
assure interoperability with the desktop computer. Should higher level
troubleshooting or on-site service be required, OIT will refer the service
request to the agency director, who will be responsible for approval of further
troubleshooting.
2. Should the device under review be used in conjunction with the State’s
radio network, the Customer Support Center will notify the Director of Radio
Services, who may, at her/his discretion, oversee the remediation.
3. State OIT policies that have governance over and impact any request include,
but are not limited to, the State of Maine Information Technology Security
Policy, the DAFS and other Departmental Security Policies, the Computer Virus
Policy, Wide Area Network Security Policy, Policy to Safeguard Information on
Portable Computing and Storage Devices, and the Policy to Govern PKI Security
Requirements.
B. Agency director(s) or designee
1. Will receive the electronic request for the use of non-State owned software
and IT devices and will process this request on behalf of their employee(s) and
vendor(s) if the agency feels it is in the best interest of the State to
approve the request.
2. Will become financially responsible for:
a. Initial fees associated with preparing the IT device for use in a manner
which safeguards the State’s networks and data, comparable to State owned
devices,
b. Ongoing service connect fees/rates for IT devices as though the device was
State owned, and
c. Subsequent OIT upgrade/maintenance fees to ensure the IT device continues to
comply with State standards.
3. Will alert their Agency Information Technology Director (AITD) and OIT’s
Director of Radio Services should the installation of ancillary equipment
reduce the ‘receive’ and ‘transmit’ quality of radios, which can happen if
installed without proper engineering.
C. Users of non-State owned/approved software or devices
who receive permission from their State agency to use non-State owned/approved
software and devices:
1. Understand that all State technology policies, standards and procedures
are applicable to the use of non-State owned/approved software and devices.
2. Relinquish their privilege to Workers Compensation claims of injury,
which could result from the use of non-State owned/approved software or devices
used for conducting State business.
3. Acknowledge that OIT may suspend service to these IT devices at its
discretion, and cease ongoing connect rate/fee billing to their agency.
4. May withdraw from using the State’s network at any time. These
individuals are required to notify the Customer Support Center whenever they no
longer wish to use their personally owned software or devices for State
purposes.
5. Acknowledge that they agree to be bound by and adhere to ALL State and OIT policies.
IV. Applicability
A. This procedure is intended to manage the approval and use of non-state
owned/approved software and devices connected to the State of Maine wide area
network by:
1. Vendors and employees of agencies within the Executive Branch and
semi-autonomous State agencies
2. Vendors, all governmental branches and constitutional offices that host
applications on devices operated by the OIT or traverse the State’s networks.
V. Responsibilities
A. The Chief Information Officer (CIO) is responsible
for the development, implementation and monitoring of statewide standards. The
CIO is responsible for approving all fee schedules associated with this procedure.
B. The OIT Director of Client Technologies will provide
an electronic system for agencies to submit their requests for the use of
non-state owned/approved software and devices.
C. Agency director(s) or their designees will be
responsible for approving the request for the use of non-state owned/approved
software and devices.
D. The Agency Information Technology Director (AITD) and
the OIT Director of Client Technologies Services will be included in the
information exchange regarding this request for the use of non-state
owned/approved software and devices. Should the AITD or the Director of Client
Technologies find concern with the agency director’s decision, it is the AITD’s
responsibility to intervene in the process.
E. The OIT Enterprise Information Security Director is responsible for assuring
that the process defined to implement the policy and procedures is in
accordance with ALL State and OIT policies.
VI. Definitions
A. Non-State owned – For the purpose of this policy, the
phrase “non-State owned” includes, but is not limited to, any equipment to be
used for approved State business owned by
1. Maine State employees,
2. Vendors under contract with the State of Maine,
3. Political subdivisions of the State of Maine (e.g. counties,
municipalities, and by extension their instrumentalities such as municipal fire
departments, and regional agencies such as Public Safety Answering Points) and
4. Federal government.
B. IT Device: For the purpose of this policy IT Devices
are defined broadly, to include desktop computers as well as other technology
devices used to transact business electronically.
C. Permitted Software - OIT permitted software is listed
on OIT’s intranet site: http://inet.state.me.us/oit/services/index.
See State of Maine Procedure Governing the Use of Non-State Owned/Approved
Software or Devices for State Business for the process on adding software to the
State’s permitted list.
D. Agency director(s) – For the purposes of this
policy, the term “agency director(s)” refers to the agency policy-influencing
leaders identified in Maine Revised Statutes Annotated, Title 5 section 932
etc.
E. Semi-autonomous state agency: An agency created by an
act of the Legislative Branch that is not a part of the Executive Branch. This
term does not include the Legislative and Judicial Branches, Offices of the
Attorney General, Secretary of State, State Treasurer and Audit Department.
VII. References
VIII. Document Information
A. Document Reference Number: 18
B. Category: Security and Privacy
C. Adoption Date: 03/03/2008
D. Effective Date: 03/03/2008
E. Review Date: 03/03/2009
F. Point of Contact: Office of Information Technology:
Mark Kemmerle, Enterprise Information Security Officer, telephone:
207-624-8892, and Karen Curtis, Director of Client Technologies Services,
telephone 207-624-9508
G. Approved By: Richard B.
Thompson, Chief Information Officer
H. Position Title(s) or Agency Responsible for
Enforcement: Greg McNeal, Chief Technology Officer, telephone 207-624-9471
I. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973. Responsibilities of the Chief
Information Officer, paragraph 1B: “Set policies and standards for the
implementation and use of information and telecommunications technologies,
including privacy and security standards…”
J. Waiver Process: The CIO or his/her designee may
authorize an exception on a case-by-case basis.
Apply for a waiver as follows:
1. Address an email to Richard B. Thompson and include as a CC: the Associate
Chief Information Officer or the Agency Information Technology Officer.
If you require assistance with determining the correct person, contact the
CIO’s office at 624-8800.
2. Include the following in the email:
a. Document a compelling technical or business case that identifies the
specific action and how it warrants exemption.
b. Include any supporting documentation you may have.
When a decision has been reached in granting or denying the waiver, the CIO
will respond to the submitter, the AITD, and the following three designated
people whose names are located on the policy/standard for which the waiver is
being sought: Point of Contact, Approved By and Position Title(s) or Agency
Responsible for Enforcement.