If you are traveling with portable computing devices, including laptop computers, PDAs, tablets and smartphones, you need to take proper precautions with your mobile device. A recent study reported that 12,000 laptop computers go missing or are stolen each week at United States airports, 40% of them at security checkpoints. This means that you need to protect any confidential information that might be on the device.
Travel with Electronic Devices
The probability that your portable device will be lost also means that you should ensure that you do not have the only copy of important information on the portable device. Any information generated or collected during your trip should be regularly copied back to a secure location at CSUN or elsewhere. The transfer should be encrypted if the information is confidential. A simple way to do this is to encrypt the information and email the encrypted file to the University email account.
Should your device be lost or stolen, it is good practice to minimize the amount of information that can potentially be disclosed or that needs to be reported.
Before you travel:
- Determine if you can reduce the information contained on the devices you will bring.
- Move anything not associated with the trip to a secure archive.
- Always maintain the most recent version of all operating system and application patches on your devices.
- Keep your endpoint security tools such as anti-virus and firewalls enabled and up to date.
What To Do If Your Device Is Lost or Stolen
If your device is lost or stolen, submit a Security Incident Report.
CSUN policy requires that all University-owned laptops be password protected and encrypted. CSUN policy also requires that no Level 1 information be stored on portable devices such as laptops, even if the device is encrypted.
In addition to the requirement for University-owned laptops and personal devices to be encrypted, CSUN has specific data gathering policies intended to protect the confidentiality of PII. Under no circumstances can high-risk confidential information about people, such as SSNs, be stored on a laptop.
Security Considerations for International Travelers
There are some additional factors to consider if you are traveling internationally. We highly encourage you to read the following, especially if you are traveling to a location known to have an active cyber-criminal community or where you would be subject to surveillance.
May I take my encrypted laptop when traveling internationally?
It depends. Because encryption products can be used for illegal purposes, including terrorist activity, the United States and many of the countries that you may visit may ban or severely regulate the import, export and use of encryption products. So, taking your laptop with encryption software to certain countries without proper authorization could violate U.S. export law or the import regulations of the country to which you are traveling, and could result in your laptop being confiscated, in fines or in other penalties.
Over the past fifteen years, a group of nations negotiated a set of rules attempting to facilitate traveling with encryption software known as the "Wassenaar Arrangement." One of its provisions allows a traveler to freely enter a participating country with an encrypted device under a "personal use exemption" as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting.
Please see the Wassenaar website for more information.
What U.S. export regulations do I need to satisfy when leaving the country with my encrypted laptop?
CSUN-owned computers are often loaded with encryption software and are subject to export control regulations under the Commerce Department’s Bureau of Industry and Security (BIS) and its Export Administration Regulations (EAR). The products listed have been granted either an “Encryption Commodities, Software and Technology” (ENC) or “Mass Market” license exception.
This exception allows us to transport or ship a University-owned or personally-owned computer that has one of our approved encryption products installed to any country as long as the computer remains under our effective control, EXCEPT for the following countries defined in the Department of Commerce’s Export Administration Regulations.
If you must travel to one of the embargoed countries, you may be able to obtain the appropriate export license, but the process can take, on average, ninety days for review. The Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within Dept. of Treasury accept applications for licenses to export encryption products and technologies.
If you cannot obtain an export license, see the section below entitled "What can I do if I cannot satisfy encryption export or import control requirements?"
What countries have encryption import and use restrictions and how can I obtain an import license?
Since export laws can change at any time, please check with the US State Department before traveling internationally to ensure that you have the most up-to-date information. Additional information about international encryption controls can be found at the following websites:
A number of countries have laws that require you to produce a password if requested by law enforcement officials. In some of these countries, refusal to provide the password can result in arrest and time in jail. US Customs occasionally searches laptops when a traveler returns to the country. They have been known to retain laptops for further analysis if a traveler refuses to unlock the system. If at any point on your trip you are prompted to surrender your password or device to a law enforcement official, please do so. CSUN's criteria for protecting and securing information on devices should never put your own health and safety at risk.
If you need to remotely access CSUN resources (such as University email) when traveling, change your password prior to the trip and change it again on your return. If your password is compromised, changing it proactively can potentially reduce the attacker's window of opportunity to exploit the information accessible using your password.
For additional security when you travel, you may want to consider using a temporary mail account on a public mail server such as Gmail or Hotmail. If the mail service allows for multi-factor authentication, please choose to use the additional authentication criteria.
Consider whether you can use a temporary device for the duration of the trip. Minimize the information contained on the device. On your return, print any files changed or created on the trip and wipe the device completely or restore it to the factory default.
Kiosks and Public Wi-Fi
Never trust public Wi-Fi. Use the Virtual Private Network (VPN) client on your device if available. A VPN connection will encrypt your transmission and ensure it remains confidential when traversing the public network. If your device is a smartphone or tablet that automatically checks your email, consider disabling that feature for the duration of your trip. If you need to use a public or shared resource such as Wi-Fi or a kiosk, we encourage you to refrain from accessing a University resource or e-Commerce site. If you use your username and password on an untrusted workstation or network, they may be intercepted or stolen, and the confidentiality and security of any information you access may be compromised.