L&I, Office of Information Technology Policy PLT-001
Purchase, Deployment and Transport of IT Equipment
This policy facilitates the appropriate and responsible business handling of the Department of Labor & Industry’s (L&I’s) Information Technology (IT) Equipment. This policy mandates the Office of Information Technology’s (OIT’s) involvement in the purchasing, deployment, and transportation of all IT equipment. This policy is meant to promote improved operational efficiency, increased productivity, reduced security risks, consistent technical support, and availability of services. This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls SA-1 and PM-9 per SP 800-53 R4.
This policy is published under the general authority of the Information Technology Policies (ITPs) published by the Governor’s Office of Administration (OA) / Office of Information Technology (OIT), in that it identifies key roles and responsibilities in support of ITPs. OA/OIT provides direction regarding the purchase, deployment and transportation of IT Equipment by L&I and other commonwealth agencies under the governor’s jurisdiction; reference OA ITP-SEC025 - Proper Use and Disclosure of Personally Identifiable Information.
Improper procurement, deployment, and transportation of IT Equipment represents one of the highest data security risks and expenditures that could occur within L&I because sensitive data is stored on IT Equipment. Improper ordering, deployment, and transportation of IT Equipment can cause L&I financial loss and limit the ability of OIT to provide support.
IT Equipment is defined as:
PC desktops, laptops, docking stations, keyboards, mice, monitors, monitor stands, PC speakers, servers, routers, switches, firewalls, load balancers, printers, copiers, multi-function devices, scanners, uninterruptible power supplies, cellular/smart phones, iPhones, iPads, tablets, personal digital assistants, external devices that connect to a PC, digital cameras, conference telephone systems, computer patch cables, electronic media such as USB drives (thumb/flash drives), SD cards, hard drives, CDs, DVDs, and tapes, and any items defined in the OIT Asset and Configuration Management System.
This policy applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I (hereinafter referred to collectively as “L&I Users”).
L&I OIT shall be responsible for the deployment and transportation of all IT Equipment. The procurement of all IT Equipment shall be reviewed and approved by OIT to ensure all requirements, contractual mandates, standards, and policies are met.
OIT shall establish procedures for procurement of IT Equipment. All IT Equipment procurements shall be reviewed and approved by OIT, either by email or through the Supplier Relationship Management (SRM) shopping cart.
All IT equipment deployments shall be requested through the Information Technology Service Management (ITSM) tool. OIT staff shall tag all IT Equipment, enter the equipment data in the ITSM tool, and deploy the equipment as required.
All IT Equipment procurements shall have a Change Request (CR) created in the ITSM tool. The ITSM tool is the system of record to document the deployment of the IT Equipment.
A “Chain of Custody Tracking Form” shall be used whenever IT Equipment is being deployed.
All transfers or moves of IT Equipment shall be initiated and documented by a CR in the ITSM tool.
All IT Equipment transfer CRs shall include the associated assets by unique identifier and detail the pick-up and delivery location of the CR.
All IT Equipment that can store data, such as laptops, desktops, servers, networking equipment, mobile devices, and storage media, shall be documented on a Chain of Custody Tracking Form when it is being transported or moved.
Exceptions to this policy will be approved on a case-by-case basis and shall be authorized and approved in writing by the manager responsible for the IT Equipment device (bureau director or above) and L&I’s Chief Information Officer (CIO) or designee.
Exceptions to this policy are granted for Multi-Function Devices (MFDs) leased from the parent DGS contract 4600024368 or any previous MFD lease contract. These devices are under contract and only the vendor is authorized to move the device. Hard drives shall be removed from all MFDs before being returned to the vendor. The hard drives shall be removed by either OIT staff or the MFD vendor. If the vendor removes the hard drives, they shall be turned over to OIT with a Chain of Custody Tracking Form.
L&I User responsibilities:
Notify OIT of procurements;
Coordinate the purchase and transportation of IT Equipment with OIT;
Ensure accuracy of Chain of Custody Tracking Forms;
Ensure proper security measures are taken to prevent unauthorized access to the Commonwealth’s data;
Follow all instructions from OIT; and
Comply with all OIT Policies, Commonwealth Management Directives, and laws.
L&I management responsibilities:
Ensure a CR is submitted for the transfer, transport, or relocation of all IT Equipment;
Review IT Equipment move requests and authorize where appropriate;
Ensure any transfer, transport, or relocation of IT Equipment is properly documented on a Chain of Custody Tracking Form; and
Ensure L&I Users comply with all OIT policies, Commonwealth Management Directives, and laws.
L&I Policy Definitions Document
PLT-002 - Disposition of IT Equipment and Electronic Waste Products
ITP_PRO001 - IT Procurement Review Process
ITP_SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data
ITP_SEC025 - Proper Use and Disclosure of Personally Identifiable Information
ITP_SEC029 - Physical Security Policy for IT Resources
MD 205.34 - Commonwealth of Pennsylvania IT Acceptable Use Policy
7. Version Control
Format and Content Revision
Annual review & content revision