Data Security on Foreign Travel

• Identify options for computer repair and service. Contact your LSP in advance of your travel and work with them to identify options for computer repair and service during travel. Information Technology support is provided at Penn through Local Support Providers (LSPs). LSPs provide various technical support services to Penn constituencies, e.g. faculty, staff, and students. If you are not sure who your LSP is, visit www.upenn.edu/computing/view/support/ for details.
•  Backup your computer. Work with your LSP to conduct a full backup of your computer. Ensure all software is up to date and appropriate security tools (such as disk/device encryption, password locking, location services, and remote wiping) are functional.  Install and run anti-virus software. Sophos Home is available at no cost to members of the Penn community. 
• Enroll in Penn’s Two-Step Verification for PennKey (work with your IT support staff if needed). Information on how to enroll is available at https://upenn.edu/twostep. Information on using Two-Step while traveling is available at https://www.isc.upenn.edu/how-to/two-step-verification-before-you-travel.
• Avoid carrying any University sensitive or confidential data unless absolutely necessary. An example of University sensitive data includes but is not limited to Personally Identifiable Information (PII), proprietary information, or data whose disclosure would cause significant harm to Penn or its constituents.  
  • The Office of Information Security recommends you work with your LSP to locate sensitive data on your computer to secure it or delete unneeded data. 
• Encrypt data. If it is essential to travel carrying University sensitive data, you need to consider the following:  
  • Users intending to travel to certain countries listed under the U.S. Department of State travel advisory as "DO NOT Travel" or "Exercise Increased Caution" should contact the Office of Research Services for assistance before carrying Penn-owned equipment or data. Please check the U.S. Department of State Travel Advisories webpage at https://travel.state.gov/content/travel/en/traveladvisories/traveladvisories.html/ for travel advisory levels. 
  • Be prepared that you may be compelled to share any data brought with you. Certain countries may inspect laptops and data upon entry.  Therefore, you should be careful about proprietary, patentable, or sensitive information that may be stored on your device. If you have encrypted files, customs officials in some countries (including the U.S.) may require you to decrypt the files for inspection.  
• Ask your LSP if a sanitized "loaner" computer is available to help avoid exposing all your data to known and/or clandestine inspection. 

• Know your wireless network and use encrypted services. WiFi connections that encrypt traffic are restricted with a password and are preferable to free and/or unencrypted services. Encrypted WiFi is provided by a trusted source similar to a University, a colleague, or a hotel, etc. When web-browsing use HTTPS over HTTP. The S at the end of HTTPS indicates the communication to the website is secure.  
  • If you must use a free WiFi connection, avoid connecting to any website or service that requires password authentication including Penn systems with sensitive data, banking or financial sites, etc.   
• Avoid accessing sensitive websites from public computers, such as at Internet cafes, as their security is highly unreliable. 
• Be cautious inserting a USB ("thumb") drive or other portable media given to you when traveling. There’s a possibility such portable media may be infected with malware; therefore, make sure your virus definitions are up-to-date, and scan any inserted media.
• You can securely access Penn's network from abroad by running a Virtual Private Network (VPN) client. Talk to your LSP for instructions. 
• If you have a secure and reliable Internet service overseas, it may be cost-effective to leverage services hosted at Penn (e.g. Webmail, Penn+Box, etc.)
• Keep your mobile devices on you or in a locked safe whenever possible. If your device is stolen, notify your LSP immediately. Lock your mobile device with a passcode or PIN and use remote wiping among other key security features as recommended in Penn's Top 10 Security Tips for Smartphone & Tablets. 

• Work with LSP to securely transfer any new data. Restore any removed data and scan your system for malware. It may make sense to wipe and reinstall the operating system as a precautionary countermeasure against unseen tampering or infection. 
• Consider changing your Pennkey password if you used it while on your trip. Visit https://weblogin.pennkey.upenn.edu/changeexpiredpassword for instruction. 

To comply with U.S. regulations, Duo, Penn's multi-factor authentication tool blocks authentications from users whose IP address originates in certain countries and regions. Penn faculty, staff, and students based in or traveling to the following areas will be unable to authenticate PennKey and other Duo-protected applications:

• Cuba
• Iran
• North Korea
• Sudan
• Syria
• Crimea, Sevastopol, Donetsk, and Luhansk regions of Ukraine

Due to regulatory restrictions, no recommended alternatives exist to access PennKey-protected sites from these regions. Travelers should be aware that IT resources will be limited or unavailable/inaccessible and discuss this with their School/Department/Center to determine what accommodations can be made ahead of time.

Privacy

Be sensitive to local privacy laws. Contact the Office of Audit, Compliance, and Privacy at privacy@upenn.edu for advice regarding the applicability of international privacy regulations if you will be working with other people's personal information. This is true if you are traveling to the European Union member countries,  Argentina, Australia, Hong Kong, Sweden and Canada where privacy laws are extensive. 

Export Control Compliance

Some software and data may be subject to Export Control Regulations. Simply accessing export-controlled data while outside the U.S. may be considered as an export of that information and subject to the regulations. Export controlled data may include opening files on a Penn server accessed via a VPN connection.

For questions related to Export Administration Regulations (EAR) compliance, please contact the Office of Research Services at https://researchservices.upenn.edu/areas-of-service/export-compliance/. 

Resources

• Penn Almanac One Step Ahead Security Tip - Traveling Safely with Devices
• Penn Almanac One Step Ahead Security Tip - Data Security During Travel

External Links & Resources

• Check the U.S. Department of State International Travel Advisories at https://travel.state.gov/content/passports/en/alertswarning.html 
• Review the Federal Bureau of Investigation tips on Safety  & Security Abroad for Professionals & U.S. Students at https://www.fbi.gov/file-repository/business-travel-brochure.pdf
• Read New York Times article on Traveling Light in a Time of Digital Thievery at www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=2 

For more information and resources visit the Office of Information Security website at www.isc.upenn.edu/security or contact us at (215) 898-2172.