Information Security Requirements for International Travel (Best Practices)

Traveling outside the United States presents unique information security challenges. The reasons for your travel often require the use of your devices (laptop, tablet, mobile phone) in unfamiliar places that may expose your information to malicious people and software. Beyond the physical aspects, staying digitally connected often means connecting to Wi-Fi in hotels, airports, and conference centers. These networks will expose your device and data while harboring criminals targeting international travelers. In some cases, education networks are broadly targeted by government agencies strictly for the purposes of data theft.

To protect your devices and data, whether personal or Drake-related, please review and abide by the requirements in this document. In addition to information security safeguards, when traveling internationally you also need to consider U.S. export control laws and import restrictions imposed by the destination countries. You also need to be added to an external list of traveling people so that you can connect to our network. 

If you have any questions about these requirements, contact the security & compliance team at informationsecurity@drake.edu

Consider the need to take each device and the data contained on it. If you don’t need to access data stored on your computer, leave it behind. If you must take the device, move all locally-saved data to Teams and/or OneDrive. This will minimize the impact to information if your device is stolen.

1. Submit an Account/Security Request to be added to the traveling list.
2. Confirm whether the devices you’re taking are encrypted, and if your destination country allows the use of encryption. If you’re not able to use encryption at your destination, leave the device at home. Taking an unencrypted device to a foreign country will result in stolen data.
3. Install and configure VPN software. NordVPN and IPVanish are two of the most trusted commercial options, and both have short and long-term subscription options. Never use a free VPN service.
4. Ensure your accounts and devices are fully secured by confirming:
   • The latest software and patches are installed.
   • All accounts have strong passphrases and multi-factor authentication.
5. Look to see if you’re traveling to a participating eduroam-institution. If you are, you’ll be able to connect directly to the eduroam secure wireless network using your Drake credentials. For a list of eligible locations see https://www.eduroam.org/where/.
6. Review the MFA articles on staying connected while you are out of the country:

   • Using MFA Without Cellular Service or While Traveling (How-to)

   • Setting up Additional MFA Options or Changing your Default Option (How-to)

   • Getting Started Using Text Messages or Phone Calls for Multi-Factor Authentication (How-to)

   • Clearing a User's MFA Settings (How-to)

Be careful:

1. Connect only to known Wi-Fi networks. It’s easy for attackers to set up access points with legitimate-sounding names, hoping to lure travelers to connect while capturing information. This is especially prevalent at cafes, hotel lobbies, and airports. Before you connect, find out the name of the correct network. If you’re connecting to eduroam, the network will only ever be named eduroam.
2. Use VPN software to establish a secure connection. As soon as you’re connected to Wi-Fi, enable a VPN connection to ensure all data transmitted to and from your device is encrypted.
3. Disable Wi-Fi and Bluetooth when not in use. Because attackers imitate legitimate networks, your device may automatically connect to a dangerous network without your knowledge.
4. Never leave your device unattended. Physical access is the easiest way for others to temporarily or permanently access data. Plan to keep the device in your carry-on bag and always keep that bag with you. If you must leave the device, turn it off completely instead of putting it to sleep.
5. Take note or list any passwords used during the trip. Regardless of whether you used them on your device or a public computer, they may be compromised. To be safe, take note of what you used so they can be reset once you return.

Protect your device:

1. Reset any passwords used during the trip. As noted above, consider any credentials used while away to be compromised. Use a trusted computer, whether one at Drake or at home, to reset any passwords used. For example, if you used your Drake ID to access email, reset the password by going to https://password.drake.edu.
2. Scan the device using an anti-malware tool, or have it scanned by ITS by bringing your device(s) to the ITS Support Center.

Important Information for Drake Employee Travel to China

To protect Drake University’s IT systems and your personal data, special protocols apply when accessing Drake resources from countries designated by the U.S. Department of Justice as “Countries of Concern.” These currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Computer Use in China

• Do not take or use your Drake-issued work computer in any “country of concern” including China. Employees working with Qingdao University will be issued a university-owned laptop that is specially configured for this purpose.
• Coordinate with the ITS Support Center well in advance of your trip to schedule setup and ensure timely delivery of your device.
• The computer must be returned to the ITS Support Desk within one week of your return to the U.S. As a security precaution, computers will be quarantined and unable to connect to the Drake network.

Accessing Drake Systems in China

• Multi-Factor Authentication (MFA) is required for all Drake web services (e.g., Microsoft 365, myDrake, email, OneDrive, Teams, Blackboard, Banner). Your issued computer will include a Yubikey MFA device and a backup.
• Avoid accessing Banner Self-Service unless absolutely necessary. It contains sensitive personal and student data and should not be accessed from countries of concern. If needed, use a VPN from outside these countries with extreme caution.
• VPN Setup: ITS will install VPN software on your device before departure. You must create a personal VPN account and pay the associated fee. Use VPN whenever possible to access web resources securely.

Mobile Phone Use in China

• The U.S. Department of Homeland Security and Drake Information Technology Services (ITS) strongly discourage use of your personal U.S. mobile phone when traveling to China. We recommend using a temporary or "burner" phone instead.
• Personal devices such as mobile phones, laptops, and tablets used in China must be wiped and reconfigured according to Drake ITS standards before connecting to any Drake applications or systems including the Drake eduroam network, upon return to campus. Failure to comply will be considered a violation of the university’s Acceptable Use of Information Technology Resources Policy.
• Drake will provide a Wi-Fi-enabled iPhone for your trip. It will not include cellular service or a data plan but can be used for apps like WeChat and Discord.
• The iPhone must be returned to the ITS Support Desk with your issued computer, within one week of your return to the U.S. As an additional precaution, the device will be quarantined and unable to connect to the Drake network.
• If you need cellular service, purchase an eSIM data plan before departure. Note: U.S.-purchased iPhones support eSIM only; Chinese-purchased iPhones require physical SIM cards.
• Avoid using Android phones due to security concerns with Chinese hardware and app stores. Apple devices offer stronger protections and are required by many U.S. government and business organizations.
• Do not link your personal iCloud account to the Drake-issued phone. Instead, manually add necessary contacts and data before travel.
• Do not install or access Drake-connected apps (e.g., email, MFA) on mobile devices while in China.