Maine State Government
Dept. of Administrative & Financial
Office of Information Technology
Policy to Safeguard Information on
Portable Computing and Storage Devices
State custodians of electronic information will safeguard
classified information stored on portable devices (common examples currently in
use include laptops, pocket personal computers, hand-held devices (PDAs), USB
thumb drives, cell phones etc.) by properly classifying data, using encryption
to prevent unauthorized access, and requiring written authority to copy data to
To reduce the risk of State classified information being compromised,
if it is lost or stolen while on a portable device. This policy documents and
clarifies responsibilities regarding the protection of classified information
whenever it is authorized for transfer to approved portable devices for use by
State employees or their business partners.
This policy expands upon the State of Maine
Information Technology Security Policy adopted by the
Information Services Policy Board, adopted 12/19/2002.
This policy applies to data custodian agencies within the
Executive Branch and semi-autonomous agencies of Maine
State government, and to all their
applications and data irrespective of where they are hosted. This policy also extends to those
applications owned by all governmental branches that are hosted on devices
operated by the Office of Information Technology or that traverse the State’s
wide area network.
State agency directors are responsible for safeguarding classified
information collected by their respective agencies. They may consult with their Agency Information
Technology Director, and when appropriate, the lead technical managers from the
Legislative and Judicial Branches, and/or Office of Information Technology
(OIT) Enterprise Information Security Officer in the performance of these
Agency directors are responsible for notifying individuals if
their personal information has been compromised, as required by Public Law
Chapter 583- An Act to Amend the Notice of Risk to Personal Data Act. In the event a portable device containing
personal information becomes lost or stolen, the information shall be considered
compromised under this act.
Agency directors shall identify, document and classify which
information under their custody qualifies as classified. They shall develop standards governing their
agency’s release of this information, and the copying of it to mobile devices. Information on portable devices that have not
been classified shall be safeguarded as though it is classified.
Agency directors shall ensure that all information required to
be safeguarded will be encrypted while on portable devices.
Agency directors shall ensure that all personnel in their
agencies who use portable devices in the performance of their duties are aware
of, and comply with this policy and its standard(s). To this end, they shall develop appropriate
performance standards, including consequences for non-compliance and training
to ensure reasonable assurance that employees observe this policy.
Agency Information Technology Directors (AITDs). Executive Branch AITDs shall work
collaboratively with the agency director(s) of their respective agencies, and
when appropriate, their counterparts in the Legislative and Judicial Branches
and Constitutional Officers, and with the Enterprise Information Security
Evaluate and approve non-state owned portable devices as being
secure to receive classified information, in compliance with OIT standards
and/or best practices established by the Enterprise Information Security
Enterprise Information Security Officer. The Enterprise Information Security Officer
Set standards for safeguarding information on portable devices
including standards for encryption.
Establish training programs to increase awareness of
requirements and methods to safeguard information on portable devices.
V. Guidelines &
All State employees who use portable devices shall do
Physically and logically safeguard the devices (both
personally and state owned) which host classified information used outside the
2. Annually review and carry out the terms of
their agency’s confidentiality and nondisclosure agreement as described by in
the Standard to Safeguard Information on Portable Computing and Storage Devices.
Immediately inform their direct supervisor if they suspect the
integrity or confidentiality of any information entrusted to them, or to a
colleague, or a business partner, has been compromised.
Director(s) – For the purposes of this policy, the term
“Agency Director(s)” refers to the agency policy influencing leaders identified
in Maine Revised Statutes Annotated, Title 5 section 932 etc.
These individuals hold appointed, non-classified service state government
Portable Device – Portable device means an electronic,
magnetic, optical, electrochemical, or other high-speed data processing device
performing logical, arithmetic, or storage functions, and includes any data
storage facility or communications facility directly related to or operating in
conjunction with such device that
may be carried. For the purposes of this policy this definition also includes
ancillary equipment related to mobile computing, such as DVDs and diskettes
etc. Common examples currently in use
include laptops, pocket personal computers, hand-held devices (e.g. personal data assistants (PDAs), USB thumb drives,
cell phones etc.
Classified Information – The term “Classified Information”
includes confidential and
information identified by the Maine Legislature, and information otherwise
designated as privileged. Classified
data is information which has been converted to digital form in order to be
placed on a portable device.
Data Custodian – “Data custodian” refers to any branch, agency
or instrumentality of State Government and their employees, or any agency or
instrumentality of a political subdivision of the State, or a vendor under
contract with the State that gathers, stores or generates information.
Encryption – Computer encryption is the process of obscuring information to
make it unreadable without special knowledge. Encryption can be used to ensure
secrecy, but other techniques are still needed to make communications secure,
particularly to verify the integrity and authenticity of a message.
Semi-autonomous State Agency – An agency created by an act of
the Legislative Branch that is not a part of the Executive Branch. This term does not include the Legislative
Branch, Judicial Branch, Office of the Attorney General, Office of the
Secretary of State, Office of the State Treasurer and Audit Department.
5 M.R.S.A. Chapter 163 §
1973. Responsibilities of the Chief
Information Officer, paragraph 1B “Set policies and standards for the implementation
and use of information and telecommunications technologies, including privacy
and security standards…”
B. In Maine, there are over 300 statutory exceptions to
the Freedom of Access Act’s definition of a public record. Many of these
exceptions specifically designate a certain type of record, or a class of
information within a record, as confidential or otherwise not subject to the
Freedom of Access laws. A search tool (http://www.mainelegislature.org/legis/foa/) is maintained by the Maine Legislative
Council on behalf of the Maine Right to Know Advisory Committee.
1. Document Reference
2. Category: Information and
Data, and Security
3. Adoption Date: 4/3/07
4. Effective Date: 7/1/07
5. Review Date: 4/3/2010
6. Point of
Contact: Mark Kemmerle, Enterprise
Information Security Officer, Office of Information Technology, telephone:
7. Approved By: Richard B. Thompson, Chief Information
Title(s) or Agency Responsible for Enforcement:
Mark Kemmerle, Enterprise Information Security Officer, Office of
Information Technology, telephone: 207-624-8892.
M.R.S.A. Chapter 163 § 1973.
Responsibilities of the Chief Information Officer, paragraph 1B
10. Waiver Process: