Purpose
When traveling, individuals incur additional risks related to the use of devices in unfamiliar places and potential exposure of data and devices to malicious actors. Connecting from unfamiliar locations and networks also imposes a new threat landscape, as public networks can harbor malware from bad actors looking to steal data or nation-state bad actors targeting travelers from academia to gain intellectual property. Considerations around where you are traveling, what devices you are taking, and what data you have access to through those devices during your trip are all critical to protecting both your personal data and institutional data.
Scope
This standard applies to all OHIO employees who are working while also traveling. Working shall include activities that involve accessing, processing, or transmitting university data while traveling both domestically and internationally.
Standard
Before Travel
- If traveling internationally, identify risk advisories for your destinations by viewing the Travel Advisories posted by the U.S. Department of State
.
- Travel to areas identified as “Level 4 – Do Not Travel” is high risk.
- Should you travel to these areas for purposes other than to perform required work due to your employment with Ohio University, you are not permitted to take university-owned devices or access university data from these locations.
- Use of applications on personally owned devices to access university resources while traveling to these areas for non-work purposes is prohibited. To secure university data, remove applications including Outlook, Teams, and Canvas from your personal devices before travel.
- If you are traveling for university required purposes, consult your dean or department head to determine if a loaner laptop should be obtained before travel.
- Travel to areas identified as “Level 4 – Do Not Travel” is high risk.
- Adherence to all university policies and information security standards is applicable while traveling.
- Familiarize yourself with Secure Workspace Practices prior to departure and limit the number of devices and amount of data you travel with to reduce the risk of exposure.
- Remove sensitive data from the devices you are bringing with you, as sensitive data should not be stored on a local device. Instead, opt for storing in a secure OneDrive/SharePoint site instead.
- Set up VDI and use it to access sensitive university data and resources. We strongly encourage individuals working while traveling to use VDI in lieu of VPN.
- Configure encryption
on your devices. The IT Service Desk can assist with University owned devices. For personal devices, consider BitLocker for Windows or FileVault for Mac.
- Be aware that some foreign countries restrict the use of imported encryption software, so it is your responsibility to research the software import laws of your destination country.
- It is also important to note that in accordance with the Information Security Standard: Safeguarding Sensitive Data, downloading sensitive data to personal devices such as a laptop, USB, or external hard drive is prohibited.
- Notify the Information Security Office that you will be traveling, at minimum one week prior to your departure, if you intend to work while traveling. This allows the Information Security Office to better evaluate the legitimacy of any out of country logins.
- The Information Security Office can be contacted by emailing security@ohio.edu
- Set up Multi-factor Authentication for non-OHIO and personal services like banking, social networks, and email.
- Should you need to travel to a Level 4 “High Risk” travel location as part of your assigned work as an employee of OHIO, request a temporary account (travel service account) to use while traveling. This reduces risk as your regular email account can be configured to forward to this service account for the duration of your stay. This allows you to access resources without utilizing your typical account, protecting the contents within and the associated university credentials.
- Make sure your devices’ operating system and software are up to date.
- Ensure anti-virus is installed and enabled .
- Store documents and work products in your university affiliated Microsoft OneDrive accounts and groups to ensure that you have a current back up of your data.
- Use strong passwords . Avoid dictionary words and add special characters. For cell phones, use alpha numeric or a passphrase instead of PIN entry.
- Turn on services such as Google’s "Find My Device" or Apple’s “Find My” app, if available for your device, to aid in finding lost or stolen devices.
- In accordance with the Information Security Standard: Microsoft O365 – Remote Data Wipe ; Microsoft offers the capability to remotely remove all data from a device that is synced to your OHIO email account in the event the device is lost or stolen. To utilize this functionality, you can contact the Information Security Office at 740-566-SAFE or via email security@ohio.edu
- As applicable, adhere to requirements under OHIO’s Export Control Program .
During Travel
- Keep your devices in sight at all times.
- Be cautious when connecting to public Wi-Fi. Use cellular data when possible but be mindful of roaming charges.
- Disable services like Bluetooth and Wi-Fi on your device when not in use.
- Use multi-factor authentication and a VDI when accessing university information and resources.
- Avoid public computers, such as those found in internet cafes.
- Bring your own charging cables and avoid utilizing charging kiosks as they may be infected with malware.
- Clear your internet browser after each use. (Delete history files, caches, cookies, etc.)
- If any of your devices are stolen, report it immediately to the local authorities if traveling domestically or the local US Embassy or Consulate when traveling internationally.
- If the stolen device was an Ohio University owned device or stored Ohio University data, contact the Ohio University Information Security Office (via email at security@ohio.edu or by calling 740-566-7233) in addition to notifying the local authorities, US Embassy, or Consulate.
-
Upon Return from Traveling
- Change your passwords for any credentials you used when traveling, including your OHIO account password .
- Return any loaner devices.
- If you used a temporary travel account, ensure that the forwarding has been removed.
- Run an anti-virus scan on your devices.
Definitions
Sensitive data: term used to describe the classification of data at a medium or high level that must be protected against unauthorized disclosure. Additional information can be found via University Policy 93.001 Data Classification and by visiting the Information Security Website.
References
Exceptions
All exceptions to this standard must be formally documented with the Ohio University Information Security Office (ISO) prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete Exception Request Form .Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology - Ed Carter (Chair)
- Human Resources - Michael Courtney
- Faculty - Hans Kruse
- Senior Associate Dean – Brian McCarthy
- Finance and Administration – Julie Allison
- Faculty - Shawn Ostermann
- Regional Higher Education - Larry Tumblin
- Enterprise Risk Management and Insurance - Larry Wines
- Office of Audit, Risk, and Compliance - Joshua Gonzalez
- Faculty - Bruce Tong
Additional Reviewers:
Vice President of Human Resources – Mary Elizabeth Miles
History
Draft versions of this policy were circulated for review and approved on November 15, 2024.