International Travel Security Standard

Policy Number: 1.11.1.1.4
Category: Acceptable Use
Effective: March 24, 2023
Revision History: Originally effective October 1, 2019
Review Date: March 23, 2026

1. Purpose, Scope, and Responsibilities

   1. Pursuant to BOG Rule 5.8, Travel, all international Travel must be approved in advance through the process designated by the Office of Global Affairs (“OGA”) and the Export Control Office (“ECO”). OGA and ECO have determined that all official University international travel or personal international travel that includes taking a University-owned device (“University Device”) be registered. Because international travel exposes University Data and University Information Systems to new environments and potentially greater risks, additional precautions are required to ensure their protection when traveling abroad.
   2. The purpose of this Standard is to define the minimum requirements for the acceptable use of University Devices used and/or University Information Systems accessed while traveling abroad.
   3. This Standard applies to all University employees, students, volunteers, or other individuals authorized to access University Information Systems while traveling outside of the United States.
   4. The Chief Information Officer, in conjunction with the Chief Information Security Officer, is responsible for implementation and enforcement of this Standard.
   5. OGA and ECO are responsible for coordinating with the appropriate IT support unit(s) to ensure any University Device being taken internationally meets the requirements identified within this document. Visit the College, Department, & Regional Support article in the WVU IT Help Center for more information.
   6. Individuals traveling outside of the United States are responsible for submitting the appropriate travel registration with the University prior to traveling as well as contacting their IT support staff to ensure the University Device(s) they are taking abroad meet the requirements identified within this standard.

2. Use of University Devices

   1. Pursuant to the Acceptable Use of Data and Technology Resources Policy, University Devices must be used as the primary means to create, store, send, or receive University Data; therefore, University Devices must be the primary devices utilized to access University Information Systems and University Data when traveling abroad.
   2. Employees traveling outside of the United States may use the University Device issued to them to perform their job duties provided the device meets the requirements of the University-Owned Device Standard.
   3. Employees who do not want to take their primary University Device, or employees who do not have a primary University Device, should contact their college or department IT support staff to inquire about obtaining a University-owned laptop for use abroad.
   4. All University Devices used to access University Information Systems or University Data, when traveling abroad must adhere to the University-Owned Device Standard, including, but not limited to, the following requirements:
      1. Authentication using WVU Login credentials;
      2. Enrollment in SCCM, Jamf, or Intune;
      3. Running the latest operating system;
      4. Anti-virus (Sophos) installed and latest version running Real-Time Scanning;
      5. Configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes; and,
      6. Encrypted with whole disk encryption using BitLocker or SecureDoc for Windows or FileVault for MacOS.
   5. Bluetooth and Wi-Fi must be disabled unless actively using these functions.
   6. Laptops/tablets must remain under the traveler’s Effective Control at all times.
   7. University Devices must never be taken to embargoed countries (Iran, Syria, Cuba, or North Korea) unless specifically approved by the ECO.
   8. The University highly discourages use of external drives when traveling abroad; however, any external drive taken abroad must be encrypted. Contact your IT support staff to ensure any external drive you want to use is encrypted prior to traveling.
   9. Only plug accessories into the University Device that you have brought with you. Use of unknown external drives is prohibited and can result in the installation of malicious software. Public USB charging stations at airports and hotels should also be avoided.
   10. Pursuant to the Computer Security Incident Response Policy, if a device is lost or stolen while abroad, contact ITS immediately of the Security Incident. Submit an Incident Report immediately.

3. Accessing University Data and Systems

   1. The General and HSC VPNs are not available to individuals when outside of the United States; instead, utilize the clientless (SSL) VPN. Visit the Clientless (SSL) VPN article in the WVU IT Help Center for more information.
   2. Never connect to a University Information System via public Wi-Fi unless using the appropriate University VPN. If a University VPN is not available, an approved remote desktop solution must be utilized to access University Information Systems. For more information see Remote Access Standard.
   3. Public workstations in cybercafes, libraries, hotels, or foreign institutions must never be used to access University Information Systems.
   4. University Information Systems that require providing WVU Login credentials must only be accessed when necessary, during travel. If WVU Login credentials are used while traveling abroad, the password must be changed immediately upon return to the United States at login.wvu.edu.
   5. Sensitive Data must never be accessed when traveling abroad.

4. Exceptions

   1. Individuals taking personal devices for personal use, such as students participating in Travel Abroad, should refer to the University’s International Travel Tips for information about securing them prior to, during, and upon return home from traveling abroad.
   2. De minimis use of personal devices to create, store, send, or receive University Data while traveling abroad, such as checking your WVU email on your personal cell phone, is permitted provided the device meets the security requirements within the Bring Your Own Device Standard.

5. Definitions

   1. "Effective Control” means when a traveler either retains physical possession of the device or secures the device in an environment such as a hotel safe, a bonded warehouse, or a locked and guarded exhibition facility.
   2. “Real-Time Scanning” means anti-malware software that analyzes files and programs as they are accessed to prevent the user from unknowingly becoming infected.
   3. “University Devices” means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
   4. “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
   5. “University Information System” means technology systems used for academic, administrative, outreach, and research operations at the University whether operated and managed by the University or a third-party vendor.

6. Related Documents

   1. BOG Rule 5.8 - Travel
   2. Acceptable Use of Data and Technology Resources
   3. Sensitive Data Policy
   4. Bring Your Own Device Standard
   5. University-Owned Device Standard
   6. Remote Access Standard
   7. International Travel Tips