Information Security Guidelines for Travel

October 2017

Introduction

Continued vigilance against cybersecurity attacks remains a top priority in keeping you and your data safe, especially during travel. Whether it's driving to a conference just an hour away or flying overseas, adhering to cybersecurity practices is the smartest way to protect yourself, your devices, and your information.

Traveler's Checklist

If traveling within the United States:

• Install and configure the Microsoft authenticator app on your device(s) to work with your account: it will work for MFA even if the device is in “airplane” or “offline” mode by providing a random rotating code to enter. This will work domestic or abroad, even if you have to change SIM cards.
• Back up all files prior to travel.
• Always lock or shut down your devices after use.
• Never share your device with another user.
• Use a VPN connection when connecting to publicly-available WiFi.
• Never use a kiosk or shared computer to access any NIU data; never login to any NIU resource from a kiosk or shared computer.
• Never save or store any NIU Restricted Data on your laptop or mobile device.
• Contact your local IT if you feel you've been compromised during travel or have additional questions.

If traveling outside the United States, especially to sensitive destinations such as China or Russia:

• Install and configure the Microsoft authenticator app on your device(s) to work with your account: it will work for MFA even if the device is in “airplane” or “offline” mode by providing a random rotating code to enter. This will work domestic or abroad, even if you have to change SIM cards.
• Back up all files prior to travel.
• Never share your device with another user.
• Use a VPN connection when connecting to publicly-available WiFi.
• Never use a kiosk or shared computer to access any NIU data; never login to any NIU resource from a kiosk or shared computer.
• Never save or store any NIU Restricted Data on your laptop or mobile device.
• Use a screen protector to prevent loss of data through “shoulder surfing.”
• Cover any cameras on devices and deactivate any laptop microphones.
• If using email while traveling abroad, create a temporary account with an email service that can be deleted upon return.
• When not in use, power off your cell phone and remove the battery, if possible, to prevent any possible monitoring during travel.
• Do not purchase any new hardware, software, or seek out electronic repair or assistance while traveling.
• Use temporary, separate passwords on devices during travel that can be discarded upon return.
• Contact your local IT department for assistance in preparing and sanitizing your devices for travel, as well as wiping your devices upon return.
• VPs, AVPs, Directors, Deans and Chairs: There may be additional recommendations for traveling abroad including the use of a lock bag, sanitized device, and simple phone during travel. Please work with local IT support for these security provisions.

Additional Information and Considerations

The U.S. Department of State keeps an active list of Alerts and Warnings for travel destinations around the world.

Although there is no such thing as risk-free travel, the recommendations below from Bryan Lewis and Eric Rzeszut (Educause) describe the various levels of precautions that can be taken in accordance with your travel destination.

In general, Green recommendations are destinations within the United States, Red recommendations are destinations outside of the United States with known alerts or warnings according to the State Department, and the Yellow recommendations are all remaining locations.

Before your trip:

• Ensure data is backed up on a server, drive, or another device NOT making the trip.
• Ensure your PC is patched and the antivirus software updated.
• Disable Bluetooth and Wi-Fi on your devices, and only turn them on when in use.
• Notify IT staff of travel plans and locations. IT staff should strongly consider readying spare equipment for delivery in an emergency.

During your trip:

• Assume your data on any wireless network can be monitored, and act accordingly. Use a VPN whenever possible, especially while on public networks and/or when accessing sensitive data.
• NEVER let anyone else borrow or use your devices.
• Do not borrow any devices (e.g. a USB drive) for use on your computer.
• Do not install any software on your laptop.
• Be aware of “shoulder surfers”: anyone physically monitoring the use of your device.
• Keep your devices under your physical control or secured in a proper location when they are not. Never check devices or storage devices in luggage.

After your trip:

Perform a full virus and malware scan.

Before your trip:

• Ensure your device is encrypted (if permitted by the nation to which you are traveling).
  • Password-lock auto-encrypts iPhones; Android users should manually enable encryption.
  • Laptops: Use BitLocker, PGP, or a similar tool for Windows; use FileVault on OS X systems.
  • Sanitize your laptop to remove any sensitive data.
    • A product such as Identity Finder can assist this process.
    • Only take data necessary for the specific trip.
    • Consider taking a temporary device such as a loaner laptop or prepaid phone.

During your trip:

• When using shared Wi-Fi, stay connected to your university's VPN.
• Do not use shared computers at a business center or kiosk.

After your trip:

Consider changing passwords for all services/systems you used from overseas.

Before your trip:

• Contact NIU's Office of Research Compliance, Integrity and Safety for specific information on export control regulations.
• If traveling to a country which disallows encryption products, remove encryption from your laptop or prepare a loaner device.

During your trip:

• If you need to share data with fellow faculty/staff from your university, use encrypted flash drives.
• Take a loaner “dumbphone” (no data storage) instead of your smartphone.
• Shut down devices when not in use; do not use sleep or hibernate features.
• Keep your device(s) on your person at all times. Those hotel safes may be compromised.

After your trip:

• Erase and reformat the hard drive, especially on a loaner device.
• Wipe data from a temporary “dumbphone.”