International Travel and Technology
Policy 14.3 | |
---|---|
Approved by: | President |
Responsible Officer: | CHIEF INFORMATION OFFICER |
Responsible Office: | INFORMATION TECHNOLOGY SERVICES |
Originally Issued: | 02/29/2024 |
Last Revision: | NEW |
Category: | TECHNOLOGY |
Related Policy | |
Export Controls 11.1 |
I. REASON FOR THIS POLICY
Dakota State University (DSU) is dedicated to safeguarding the confidentiality of digital information and data held by the University, encompassing proprietary details, sensitive research data, and intellectual property belonging to the University, its faculty, staff, and students. Traveling with electronic devices beyond the borders of the United States heightens the risk of theft of data from any device, DSU owned or otherwise and cybersecurity threats, increasing the potential for unauthorized access to potentially sensitive data. This situation may also expose devices and the University's network to malware or spyware, necessitating special precautions. The purpose of this policy is to help mitigate Cybersecurity risks associated with international travel.
II. DEFINITIONS
- CIO (Chief Information Officer). Campus Chief Information Officer/Vice President of Technology is the department head for the DSU (Dakota State University) technology department.
- DSU Digital Data. Digital data accessible to users through DSU on-premise and/or cloud hosted systems managed through access control.
- Definition of Devices.
- DSU Owned. Includes but is not limited to, laptops, smartphones, virtual desktops and all other technology issued by DSU for work-related purposes.
- Bring Your Own Device (BYOD). Personal devices used for University related work. BYOD devices include laptops, personal computers, smartphones, tablets, and any other electronic device not directly provided by the University but used for accessing university networks, data, and systems. BYOD devices require adherence to specific security standards to ensure the protection of digital data and resources.
- Loaner Device. A loaner device provided by ITS that undergoes comprehensive data wiping and encryption processes to securely remove all sensitive or personal information. These laptops are equipped with a minimal operating system, drivers, and browsers, allowing for essential functionality while traveling. This precaution ensures that the device is devoid of locally stored sensitive data, mitigating the risk of exposing such data.
- Department Head. Individuals responsible for overseeing the administration and management of a specific University or academic department. They may also be referred to as deans, vice presidents, directors, or managers.
- ITS. Information Technology Services. The official technology department for Dakota State University and subsumed departments.
- Malware. Software intentionally designed to damage or disrupt computers and computer systems.
- MAM (Mobile Application Management). A technology solution to monitor, manage, and secure mobile applications on devices such as smartphones, tablets, and laptops.
- Spyware. A type of malware that covertly collects and transmits personal or sensitive information from your computer without your knowledge or consent.
III. STATEMENT OF POLICY
- Dakota State University Authority.
- The CIO, successor, or designee in accordance with this policy shall assess and make the final decision on technology allowances in compliance with this policy.
- Authorization.
- Employees must obtain authorization from ITS for international access to DSU digital data before international travel occurs.
- Authorization will require the faculty and staff employees to provide the travel, location, duration, and confirmation that the employee complies with this policy.
- Data Security.
- When traveling internationally, there are additional considerations and cybersecurity requirements. The University reserves the right in its sole discretion to designate locations as “high-risk.”
- Any BYOD device used by employees to access DSU digital data while traveling internationally must be enrolled with the DSU ITS MAM solution.
- Employees that require a laptop device while traveling internationally will be provided with a loaner device by ITS.
- Employees are responsible for ensuring that no sensitive or confidential data is stored locally on loaner devices before or during international travel.
- Use of encryption tools and secure storage mechanisms is mandatory to prevent unauthorized access to sensitive information, when applicable.
- Device Handling.
- Devices must be carried in carry-on luggage and never checked-in to prevent loss or theft.
- Devices should be kept in the immediate possession of the employee and never left unattended when possible.
- Network Connectivity.
- Employees must exercise caution when connecting devices to public networks while traveling.
- Reporting.
- Employees are required to report any loss, theft, damage, or unauthorized access to DSU owned, scrubbed or BYOD devices immediately to their supervisor and the ITS department.
- Compliance with Local Laws:
- Employees must comply with the laws and regulations of the destination country related to the use and import of electronic devices.
- Noncompliance Penalty. ITS will respond to any suspicious activity alerts unless informed in advance about international travel through proper requests. In the absence of a travel request submission, accounts will be disabled until the employee returns to the U.S.
Exclusions
None
Exceptions
None
IV. PROCEDURES (MAJOR)
- Requirements.
- For Individuals Based in the United States who are on University travel there are countries and entities subject to United States trade or economic restrictions. These lists are administered by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), the U.S. Department of Commerce through its Bureau of Industry and Security Lists of Parties of Concern, and The International Traffic in Arms Regulations (ITAR) found on the U.S. Department of State Directorate of Defense Trade Controls website.
- All University-affiliated travelers shall fill out the International Travel Technology Request form no fewer than ten business days prior to travel (Export Controls IV.1.a).
- Employees traveling internationally for personal reasons and wishing to utilize University resources such as email are encouraged to fill out the International Travel Technology Request form. While completion of the form is not required for personal travel, employees should note that attempting to access any resource without doing so may lead to the temporary disablement of their DSU account until they return to campus.
- Should an individual need a device for University sponsored travel, the need must be identified when completing the International Travel Technology Request form. A loaner device will be provided for international travel.
- DSU ITS will provide employees who are traveling internationally for DSU business access to applications and DSU digital data they need while minimizing the amount of sensitive data that is taken abroad.
- No intellectual property or confidential information should be downloaded to any loaner device. Users are not permitted to modify system settings or install additional software and should not load any files or data onto these devices.
- To access DSU resources while traveling, DSU BYOD such as phones, tablets, etc., must be enrolled in DSU ITS MAM solution. Users are required to agree to the Acceptable Use Agreement for Mobile Application Management, granting permission for DSU monitoring and the potential wipe of any DSU data from the device in instances of compromise or theft.
- After returning to the University, the traveler must return the loaner device(s) promptly to the ITS Support Desk where it will be wiped and re-imaged.
- Complete appropriate required request and forms.
- Initiate the process for international travel by filling out the International Travel Technology Request form.
- Personal travel shall be chosen if the employee is not traveling on behalf of DSU or associated with DSU in any manner. Select Business if the intent for travel is on behalf of or associated with DSU.
- Under Destination Countries, list each location you will be visiting, including layovers, along with the expected date of arrival and departure.
- Dakota State University Owned Devices
- ITS will provide a loaner laptop that can be used for international travel and returned once the trip is complete.
- Phone usage authorization must be granted by ITS to access DSU digital resources such as Email.
- BYOD Devices
- List each personal device that you will be traveling with. This is required to comply with export control laws.
- Any device that uses Wi-Fi, Bluetooth, encryption features, or any additional 2-way communication is required to be listed.
- The ECCN stands for Export Control Classification Number. To find the ECCN do a web search for the model and make of your product, followed by ECCN.
- If there is not enough space on the form for all the trip details, fill out an additional document and attach it at the bottom of the form.
- Unauthorized International Travel Access
- Failure to complete the Technology Authorization for International Travel form prior to traveling internationally will result in the user account being disabled.
- In the event an account gets disabled, ITS will send notification to the user's alternate email and to the user’s department head or Dean indicating the reason the account has been disabled.
- The notification will be sent to the user’s secondary email address provided to DSU.
- The user account will remain disabled until the user returns to United Sates territory is confirmed.
- Upon returning to the US, the user may either:
- Contact DSU ITS to inform them of the user location in the US.
- Be aware that providing false information about the user location will result in the account being disabled and may lead to further disciplinary actions.
- Notify the user department head of the user return who may reach out to ITS on the user behalf.
- Visit the DSU ITS office on campus and request the user account to be re-enabled.
- Contact DSU ITS to inform them of the user location in the US.
V. RELATED DOCUMENTS, FORMS AND TOOLS
International Travel Technology Request
International Travel Technology Request Information
Additional International Travel Information
Acceptable Use Agreement for Mobile Application Management
VI. POLICY HISTORY
ADOPTED: 04/29/2024