Harvard University
Information Security Office
Advisory for Travelers
Updated March 6th 2013
This advisory is intended to assist members of the Harvard community who are going to be traveling with portable computing devices including laptop computers, PDAs, tablets and smart phones.
You should assume that your computing device will be lost or stolen. A 2008 study reported that 12,000 laptop computers go missing or are stolen each week at United States airports, 40% of them at security checkpoints. This means that you need to protect any confidential information that might be on the device.
The probability that your portable device will be lost also means that you should ensure that you do not have the only copy of important information on the portable device. Any information generated or collected during your trip should be regularly copied back to a secure location at Harvard or elsewhere. The transfer should be encrypted if the information is confidential. A simple way to do this is to encrypt the information and email the encrypted file to a University email account.
Should your device be lost or stolen, it's good practice to minimize the amount of information that can potentially be disclosed or that needs to be reported. Before you travel, determine if you can reduce the information contained on the devices you will bring. Perhaps you can move anything not associated with this trip to a secure archive in your office.
In general, always maintain the most recent version of all operating system and application patches on your devices. Keep your endpoint security tools such as antivirus and firewalls enabled and up to date.
If your device is lost or stolen, please report the issue using the Report Issues or Incidents [1] link.
Harvard Security Policies
See http://www.security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_8 [2]
See http://www.security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_1 [3]
In addition to the requirement for University-owned laptops and personal devices to be encrypted, Harvard has specific data gathering policies intended to protect the confidentiality of research subjects. Under no circumstances can high risk confidential information about people, such as SSNs, be stored on a laptop. See the Harvard Research Data Security Policy and other Research policies at http://www.security.harvard.edu/focus-research [4] for specific advice for researchers gathering confidential data in the field.
There are some additional factors to consider if you are traveling internationally. We highly encourage you to read the following, especially if you are traveling to a location known to have an active cyber-criminal community or where you would be subject to surveillance.
US government export regulations include an exemption for the personal use of encryption technology on portable devices, except if the travel is to one of the countries that the US has designated as supporting terrorism (as of July 30, 2010 this included Cuba, Iran, North Korea, Sudan, and Syria). You must remove any encryption technology if you will be traveling to these countries. (See www.gpo.gov/bis/ear/pdf/740.pdf [5] for more details.)
Some countries have their own regulations restricting the use of encryption. The most prominent are France, South Africa, China and Russia. See http://www.cryptolaw.org [6] for an unofficial list of national encryption-related laws.
A number of countries have laws that require you to produce a password if requested by law enforcement officials. In some of these countries, refusal to provide the password can result in arrest and time in jail. US Customs occasionally searches laptops when a traveler returns to the country. They have been known to retain laptops for further analysis if a traveler refuses to unlock the system.
If at any point on your trip you are prompted to surrender your password or device to a law enforcement official, please do so. Harvard's criteria for protecting and securing information on devices should never put your own health and safety at risk.
If you need to remotely access Harvard resources (such as University email) when traveling, change your password prior to the trip and change it again on your return. If your password is compromised, changing it proactively can potentially reduce the window of opportunity for an attacker to exploit the information accessible using your password.
For additional security when you travel, you may want to consider using a temporary mail account on a public mail server such as Gmail or Hotmail. If the mail service allows for multi-factor authentication, please choose to use the additional authentication criteria.
Harvard students, faculty, and staff who are traveling abroad are strongly encouraged to register their travel itineraries in the Harvard Travel Registry, so that Harvard may contact travelers quickly in an emergency. To register, visit www.traveltools.harvard.edu [7].
Links:
[1] http://www.security.harvard.edu/reporting-issues
[2] http://www.security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_8
[3] http://www.security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_1
[4] http://www.security.harvard.edu/focus-research
[5] http://www.gpo.gov/bis/ear/pdf/740.pdf
[6] http://www.cryptolaw.org/
[7] http://www.traveltools.harvard.edu/