IT Security for International Travel Standard

IT Public - KB0013549

419 views

1. Introduction

Notre Dame faculty, staff and students who travel to international destinations with a laptop, mobile phone, or other mobile device to conduct University business, may risk compromising University or personal data through:

  1. Hacking attacks
  2. Lost, stolen, or confiscated devices
  3. Eavesdropping or unsecure networks

You need to be prepared and take precautions wihile abroad to keep University data and devices safe, and to ensure that your devices are not tampered with or infected with malware. If you bring a compromised device back to the University, you can put other systems and University data is at risk. These precautions will also protect your personal security.

2. Scope

This standard applies to:

  1. Faculty, staff, or students conducting University business while traveling outside the United States.
  2. Faculty, staff, or students in possession of University laptop or other mobile device while traveling outside the United States.

This standard does not apply to students studying abroad or those engaged in activities, business, or programs unrelated to the University. However, it is recommended that all international travelers follow this standard when traveling abroad.

3. Standard

  1. You must minimize the risk of exposure of University data with attention to sensitive or highly sensitive data as defined by the University Information Security Policy: http://policy.nd.edu/assets/185243/information_security_policy_2015.pdf
    1. You must not travel with or access highly sensitive University data while abroad under any circumstances.
    2. You must comply with any export control restrictions for data you are traveling with or accessing while abroad. You also must comply with University requirements for export control data: http://or.nd.edu/research-compliance/export-control/
    3. You should remove all unnecessary sensitive University data from devices before traveling. You can store sensitive data in a University approved remote storage service such as Box and Google Drive.
  2. All University owned mobile devices required while traveling, must utilize disk-level encryption and be configured with a login password.
  3. High Risk Countries

    “High Risk” countries are those identified by the U.S. Government as having foreign intelligence services known to target the information technology resources of travelers and that represent a high risk to travelers with mobile devices

    High Risk countries are:
    • China (including Hong Kong)
    • Russia

      The following restrictions apply to High Risk countries:
      1. If it is your first time traveling to a High Risk country, you must contact the Information Security division of the Office of Information Technologies at least two weeks before departure to review standards and best practices for traveling abroad with mobile devices. If you are a frequent or returning traveler, you are not required to contact the Information Security division.
      2. You must not travel with or access sensitive University data while abroad without the explicit prior approval of your supervisor and the applicable data steward(s) in coordination with the Director of Information Security in the Office of Information Technologies.
      3. You must not travel with your University issued laptop. It is also strongly recommended that you do not take your personal laptop. If you require a laptop to conduct University business, you should utilize University rental laptop services by contacting your IT Support or the OIT Help Desk.
      4. You must not travel with your University issued mobile phone or tablet, unless your device is restored with a known clean backup prior to reconnecting to the University network. It is strongly recommended that you follow this standard when traveling with your personal mobile devices. If you require a mobile phone to conduct University business, you may utilize the University loaner mobile phone service by contacting the OIT Help Desk.
      5. If you are a frequent or long-term traveler to High Risk countries, you should consider purchasing devices specifically for exclusive use in those areas.
      6. You must not connect to USB “thumb” drives, external storage drives, or other media supplied in High Risk countries, nor may you bring back those devices, CDs, DVDs, or media to Notre Dame or connect to Notre Dame networks with them.
      7. Upon their return to Notre Dame, you must change your University NetID password. You must also change any other University credential passwords used while traveling.
      8. You must not connect any mobile device brought into a High Risk country to any University wired or wireless network until it has been examined by the ND Computer Service Center or your unit’s IT Support staff. There may be a fee for this examination service
  4. Export Control Countries

    “Export Control” countries are those countries that are under embargo for U.S. export control restrictions for encryption technologies. Export Control countries are:
    • Cuba
    • Iran
    • North Korea
    • Sudan
    • Syria

      The following restrictions apply to Export Control countries:
      1. If it is your first time traveling to an Export Control country, you must contact the Information Security division of the Office of Information Technologies at least two weeks before departure to review standards and best practices for traveling abroad with mobile devices. If you are a frequent or returning traveler, you are not required to contact the Information Security division.
      2. You must not travel with or access sensitive University data while abroad without the explicit prior approval of your supervisor and the applicable data steward(s) in coordination with the Director of Information Security in the Office of Information Technologies.
      3. You must not take any University devices, University issued or rental, to an Export Control country, unless you receive specific approval from your department head and the Director of Information Security. It is strongly recommended that you do not travel with your personal mobile devices either.
      4. Upon their return to Notre Dame, you must change your University NetID password if it was used while in an Export Control country. You must also change any other University credential passwords used while traveling.
      5. You must not connect any mobile device brought into a Export Control country, either personal or University owned, to any University wired or wireless network until it has been examined by the ND Computer Service Center or your unit’s IT Support staff. There may be a fee for this examination service.

4. Resources