Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

Policy to Safeguard Information on Portable Computing and Storage Devices

I. Statement

State custodians of electronic information will safeguard classified information stored on portable devices (common examples currently in use include laptops, pocket personal computers, hand-held devices (PDAs), USB thumb drives, cell phones etc.) by properly classifying data, using encryption to prevent unauthorized access, and requiring written authority to copy data to portable devices.

II. Purpose

To reduce the risk that State classified information is compromised if it is lost or stolen while on a portable device. This policy documents and clarifies responsibilities for protecting classified information whenever it is authorized for transfer to approved portable devices for use by State employees or their business partners. It expands upon the State of Maine Information Technology Security Policy adopted by the Information Services Policy Board on 12/19/2002.

III. Applicability

This policy applies to data custodian agencies within the Executive Branch and semi-autonomous agencies of Maine State government, and to all their applications and data irrespective of where they are hosted. This policy also extends to those applications owned by all governmental branches that are hosted on devices operated by the Office of Information Technology or that traverse the State’s wide area network.

IV. Responsibilities

A. Agency directors.  State agency directors are responsible for safeguarding classified information collected by their respective agencies.  They may consult with their Agency Information Technology Director, and when appropriate, the lead technical managers from the Legislative and Judicial Branches, and/or Office of Information Technology (OIT) Enterprise Information Security Officer in the performance of these responsibilities.

1. Agency directors are responsible for notifying individuals if their personal information has been compromised, as required by Public Law Chapter 583- An Act to Amend the Notice of Risk to Personal Data Act[1].  In the event a portable device containing personal information becomes lost or stolen, the information shall be considered compromised under this act.

2. Agency directors shall identify, document and classify which information under their custody qualifies as classified. They shall develop standards governing their agency’s release of this information and the copying of it to portable devices. Information on a portable device that has not yet been classified shall be safeguarded as though it were classified.

3. Agency directors shall ensure that all information required to be safeguarded will be encrypted while on portable devices.

4. Agency directors shall ensure that all personnel in their agencies who use portable devices in the performance of their duties are aware of, and comply with, this policy and its standard(s). To this end, they shall develop appropriate performance standards, including consequences for non-compliance, and provide training that gives reasonable assurance that employees observe this policy.

B. Agency Information Technology Directors (AITDs).  Executive Branch AITDs shall work collaboratively with the agency director(s) of their respective agencies, and when appropriate, their counterparts in the Legislative and Judicial Branches and Constitutional Officers, and with the Enterprise Information Security Officer, to

1. Evaluate and approve non-state owned portable devices as being secure to receive classified information, in compliance with OIT standards and/or best practices established by the Enterprise Information Security Officer.

C. Enterprise Information Security Officer.  The Enterprise Information Security Officer will:

1. Set standards for safeguarding information on portable devices including standards for encryption.

2. Establish training programs to increase awareness of requirements and methods to safeguard information on portable devices.

V. Guidelines & Procedures

A. All State employees who use portable devices shall do the following. 

1. Physically and logically safeguard any device, whether personally or State-owned, that hosts classified information used outside the office.

2. Annually review and carry out the terms of their agency’s confidentiality and nondisclosure agreement, as described in the Standard to Safeguard Information on Portable Computing and Storage Devices.

3. Immediately inform their direct supervisor if they suspect the integrity or confidentiality of any information entrusted to them, or to a colleague, or a business partner, has been compromised.

VI. Definitions

1. Agency Director(s) – For the purposes of this policy, the term “Agency Director(s)” refers to the policy-influencing agency leaders identified in Maine Revised Statutes Annotated, Title 5, section 932[2] and similar provisions. These individuals hold appointed, non-classified service state government positions.

2. Portable Device – A portable device is an electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, including any data storage facility or communications facility directly related to or operating in conjunction with such a device[3], that may be carried. For the purposes of this policy the definition also includes ancillary media used with mobile computing, such as DVDs and diskettes. Common examples currently in use include laptops, pocket personal computers, hand-held devices (e.g., personal digital assistants (PDAs)), USB thumb drives and cell phones.

3. Classified Information – The term “Classified Information” includes confidential[4] and personally identifiable[5] information as identified by the Maine Legislature, and information otherwise designated as privileged. Classified data is such information once it has been converted to digital form for placement on a portable device.

4. Data Custodian – “Data custodian” refers to any branch, agency or instrumentality of State Government and their employees, or any agency or instrumentality of a political subdivision of the State, or a vendor under contract with the State that gathers, stores or generates information. 

5. Encryption – Computer encryption is the process of transforming information so that it is unreadable without special knowledge (the key). Encryption can ensure secrecy, but other techniques (such as message authentication codes or digital signatures) are still needed to make communications secure, particularly to verify the integrity and authenticity of a message; encryption alone does not stop an attacker from altering stored or transmitted data undetected.

6. Semi-autonomous State Agency – An agency created by an act of the Legislative Branch that is not a part of the Executive Branch.  This term does not include the Legislative Branch, Judicial Branch, Office of the Attorney General, Office of the Secretary of State, Office of the State Treasurer and Audit Department.
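
The point made in the Encryption definition, that encryption hides data but does not by itself stop it being altered undetected, is easy to see concretely. The following Python example is added here and is not part of this policy or of any State standard; it uses a toy stream cipher (HMAC-SHA256 in counter mode) and HMAC-SHA256 for the integrity tag so that it runs with only the standard library. The record layout, field offset and keys are constructed for illustration; a real standard would specify an authenticated cipher such as AES-GCM rather than this construction.

```python
"""Encryption alone versus encrypt-then-MAC on a record stored on a portable device.

Toy construction for illustration only (not a State standard and not a
recommended cipher): the keystream is HMAC-SHA256 used as a PRF in counter
mode, and the integrity tag is HMAC-SHA256 over nonce + ciphertext.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of random nonce prepended to each ciphertext
TAG_LEN = 32     # bytes of HMAC-SHA256 tag appended by seal()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes: HMAC(key, nonce || counter) per block."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_only(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || ciphertext, no integrity protection."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_stream(key, nonce, plaintext)


def decrypt_only(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    body = encrypt_only(enc_key, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; None if tampered."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, body)


def flip(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit with no key: XOR known plaintext bytes with the wanted
    bytes at a known offset inside the ciphertext (stream-cipher malleability)."""
    ct = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(ct)


# Constructed sample record; the attacker is assumed to know its layout.
RECORD = b"case=1234;approved=no "
FIELD_OFFSET = RECORD.index(b"no ")


def demo(enc_key: bytes = b"e" * 32, mac_key: bytes = b"m" * 32):
    """Return (forged record from encryption-only, result of the same attack
    against the sealed form, record recovered from the untampered sealed form)."""
    unauth = encrypt_only(enc_key, RECORD)
    forged = decrypt_only(enc_key, flip(unauth, FIELD_OFFSET, b"no ", b"yes"))

    sealed = seal(enc_key, mac_key, RECORD)
    rejected = open_sealed(enc_key, mac_key,
                           flip(sealed, FIELD_OFFSET, b"no ", b"yes"))
    intact = open_sealed(enc_key, mac_key, sealed)
    return forged, rejected, intact


if __name__ == "__main__":
    forged, rejected, intact = demo()
    print("encryption only, after attacker flip:", forged)
    print("encrypt-then-MAC, after attacker flip:", rejected)
    print("encrypt-then-MAC, untampered:", intact)
```

`demo()` shows the decision field changing from `no` to `yes` when only encryption is used, because flipping ciphertext bits flips the same plaintext bits and the decryption still "succeeds"; with the tag in place the same edit is rejected before any plaintext is returned. The tag is checked with `hmac.compare_digest` so that verification time does not leak how many tag bytes matched, and separate keys are used for encryption and authentication.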

 

VII. References

A. 5 M.R.S.A. Chapter 163 § 1973, Responsibilities of the Chief Information Officer, paragraph 1B: “Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…”

B. In Maine, there are over 300 statutory exceptions to the Freedom of Access Act’s definition of a public record. Many of these exceptions specifically designate a certain type of record, or a class of information within a record, as confidential or otherwise not subject to the Freedom of Access laws. A search tool (http://www.mainelegislature.org/legis/foa/) is maintained by the Maine Legislative Council on behalf of the Maine Right to Know Advisory Committee.  

VIII. Document Information

1. Document Reference Number: 10

2. Category: Information and Data, and Security and Privacy

3. Adoption Date: 4/3/07

4. Effective Date: 7/1/07

5. Review Date: 4/3/2010

6. Point of Contact: Mark Kemmerle, Enterprise Information Security Officer, Office of Information Technology, telephone: 207-624-8892.

7. Approved By: Richard B. Thompson, Chief Information Officer

8. Position Title(s) or Agency Responsible for Enforcement: Mark Kemmerle, Enterprise Information Security Officer, Office of Information Technology, telephone: 207-624-8892.

9. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973, Responsibilities of the Chief Information Officer, paragraph 1B

10. Waiver Process: