Skip to main content

Minimum Security for Foreign Travel

Purpose

This document specifies the details of minimum security standards for Boise State Foreign Travel.

  • 8060 Information Privacy and Data Security
  • Presidential Memorandum on United States Government-Supported Research and Development National Security Policy (NSPM 33)

Scope

These standards apply to all Boise State users and devices, physical or virtual, that may be connected to Boise State’s network or managed cloud services through a physical, wireless, or VPN. The standards vary based on the type of data stored on the device and are classified using the Information Privacy and Data Security Policy.

Standards

All users must notify the Office of Information Technology (OIT), via the Help Desk, previous to all foreign travel, personal and professional, if they intend to bring a university device or access university resources, such as email. OIT scans regularly for foreign authentications and access and will take action if the authentication does not appear to be authentic and as a result users that fail to notify OIT may be locked out of their accounts and not be able to access Boise State resources until their return.

University Devices

University owned devices may be used for foreign travel, but extra precaution must be maintained.

  • The device must be configured for the Boise State Minimum Security Standards with all patches, AV patterns and tools updated and verification of pin enabled encryption.
  • Data must be limited to Public and Internal information that is needed for the foreign travel, as defined by the Information Privacy and Data Security Policy.
  • Restricted and Confidential data must not be on equipment being used for foreign travel.
  • When accessing a network ensure that the Boise State VPN is activated and used at all times.
  • Upon consultation with Export Control, OIT may be required to set your email account to prevent attachments from being downloaded while traveling.

Upon return:

  • We recommend that your password be changed upon return.
  • The device must be inspected for tampering by the department network administrator. They are to run a complete AV scan, look for software and patches that were installed during dates of travel and to look at the last updated date of UEFI/BIOS
  • If the endpoint was out of control of the end user or if scans detect an error or the computer shows signs of compromise, software was installed during the dates of travel or evidence of BIOS tampering the device must be reimaged, UEFI/BIOS reloaded and passwords reset.
  • We need to documented if the computer was out of your control, who had it and for how long

Personal Devices

Personal devices may be used to access Boise State resources while on foreign travel, but extra precaution must be maintained.

  • When accessing a network ensure that the Boise State VPN is activated and used at all times.
  • We recommend that you do not access Boise State resources from public or hotel courtesy computers.
  • We recommend that your password be changed upon return.

Travel to sanctioned or VPN restricted regions

Only specific university owned devices may be used to access Boise State resources when traveling to regions of the world that have been sanctioned by the Office of Foreign Assets Control (OFAC) or locations where the university VPN is blocked by the host country.

  • A device may be checked out from the Help Desk at the Zone.
  • All data to be loaded onto the laptop must be inspected and classified prior to leaving.
  • The device will be forensically wiped upon return and BIOS reloaded.
  • Your password must be changed upon return.
  • We need to documented if the computer was out of your control, who had it and for how long

Non-Compliance and Exceptions

A Request for Exception, along with a plan for risk assessment and management, can be submitted at Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Office of Institutional Compliance and Ethics.

Updates

Created: November 2022

Last Update: October 2024

Next Review: February 2025