Skip to main content

International Travel Security Standard

Policy Number: IT.1.1.4S
Category: Acceptable Use
Effective: October 1, 2019
Revision History:
None
Review Date:
September 30, 2022

  1. Purpose, Scope, and Responsibilities

    1. Pursuant to BOG Rule 5.8, Travel, the Office of Global Affairs (“OGA”) and the Office of Export Control (“OEC”) must approve all international travel in advance of trip. Because international travel exposes University Data and Information Technology Resources to new environments and potentially greater risks, additional precautions are required to ensure their protection when traveling abroad.
    2. The purpose of this Standard is to define the minimum requirements for the acceptable use of University-owned devices used and/or University Information Systems accessed while traveling abroad.
    3. This Standard applies to all University employees, students, volunteers, or other individuals authorized to access University Information Systems while traveling outside of the United States.
    4. The Chief Information Officer, in conjunction with the Chief Information Security Officer, is responsible for implementation and enforcement of this Standard.
    5. OGA and OEC are responsible for coordinating with the appropriate IT unit(s) to ensure any University-owned device being taken internationally meets the requirements identified within this document.
  2. University Data and Information Systems Access

    1. Only University-Owned Devices must be utilized to access University Information Systems and data when traveling abroad. The use of personal desktops/laptops/tablets to access University Information Systems and data while traveling abroad is expressly prohibited.
    2. Utilize a Virtual Private Network (“VPN”) when possible to access University Information Systems while traveling abroad. University-issued VPNs may be available for use. Contact your IT support staff for additional information.
      1. If connecting via public Wi-Fi and VPN is not available, Workspace (workspace.wvu.edu) must be utilized to access University Information Systems.
    3. Public workstations in cybercafes, libraries, hotels, or foreign institutions must not be used to access University Information Systems.
    4. University Information Systems that require providing WVU Login credentials must only be accessed if absolutely necessary during travel. If WVU Login credentials are used while traveling abroad, the password must be changed immediately upon return to the United States at login.wvu.edu.
    5. Sensitive Data must not be accessed at any time when traveling abroad.
  3. University-Owned Devices Security

    1. University-Owned Devices used to access University Information Systems or University Data, when traveling abroad must adhere to the University-Owned Device Standard, including, but not limited to, the following requirements:
      1. Enrollment in SCCM, Jamf, or Intune;
      2. Running the latest operating system;
      3. Anti-virus (Sophos) installed and latest version running;
      4. Configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes; and,
      5. Encrypted with whole disk encryption using BitLocker or SecureDoc for Windows or FileVault for MacOS.
    2. All University Data and/or programs and applications not required for the purpose of the travel must be removed from the laptop/tablet prior to travel. Applications that remain on the device must be up to date with the latest security patches. Contact your IT support staff to inquire about obtaining a travel laptop for use abroad.
    3. Bluetooth and Wi-Fi must be disabled unless actively using these functions.
    4. Laptops/tables must remain with the traveler at all times. Do not assume that a hotel safe is a secure place to store a device.
    5. University-owned laptops/tablets must never be taken to embargoed countries (Iran, Syria, Cuba, North Korea, or Sudan) unless specifically approved by the ECO.
    6. All USB sticks and/or CDs must be encrypted.
    7. Only plug accessories into the device that you have brought with you. Use of unknown USB keys is prohibited and can result in the installation of malicious software. Public USB charging stations at airports and hotels should also be avoided.
    8. Upon return to the United States, all device(s) used internationally must be erased and reimaged, either from an existing backup or through a new installation of the respective operating system, prior to connecting to the campus network.
    9. Pursuant to the Computer Security Incident Response Policy, if a device is lost or stolen while abroad, ITS must be contacted immediately and informed of the Security Incident.
    10. Travelers must spend no more than twelve (12) months outside the United States with either University-owned device(s) or University Data.
  4. Personal Smartphone/Tablet Security

    1. The University highly recommends leaving personal smartphones/tablets at home while traveling abroad; however, if a personal smartphone/tablet is taken out of the country with the intent to access University Information Systems (e.g., email) it must meet the following requirements:
      1. Employ a passcode;
      2. Configured to lock and require re-authentication if left unattended for more than 15 minutes;
      3. Enable native encryption if setting a passcode did not automatically encrypt your phone or tablet;
      4. Ensure operating systems are up to date;
      5. Only download Apps from trusted sources;
      6. Install anti-virus (Sophos) and ensure it is running at most recent version;
      7. Enable “Find My Device” to be able to wipe contents remotely, if needed; and,
      8. Back up device prior to travel.
  5. Exceptions

    1. Individuals taking personal devices, such as students participating in Travel Abroad, should refer to the University’s International Travel Tips for information about securing them prior to, during, and upon return home from traveling abroad.
  6. Definitions

    1. “University-Owned Devices” means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
    2. “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
    3. “University Information System” means technology systems used for academic, administrative, outreach, and research operations at the University whether operated and managed by the University or a third-party vendor.