UCOP International Travel Information Security

We recognize that there may be circumstances where UCOP staff require access to UC systems and/or data while outside the United States. Because most countries have unfettered rights to your device, and both border control and local police have the right to demand passwords and access, which cannot be refused, UCOP Information Security recommends the following for all travelers:

Additional Requirements for Staff Requiring Access to Sensitive Data or Systems (P3+)

The following list of requirements must be met to access P3+ UCOP data or systems from outside the United States.

  • Approved request in place. Requests must be:
    • Submitted by a Division Head or Unit Head.
    • Supported by a business justification. Access to UCOP data while traveling internationally requires a business justification. This should include assertions that:
      • The work cannot be performed by another employee who is not traveling.
      • The work is time-bound and cannot wait for the employee to return from traveling.
      • Limits on work duration and scope must be specified, including how the duration and scope are necessary to serve the business justification.
      • Alternative arrangements to perform the work are unavailable.
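    • Accompanied by the travel dates and destination country.
      • Requests for access to P3+ data from countries under comprehensive sanctions or those deemed a national security risk by the U.S. may not be approved.
      • Travelers to countries that are higher risk for data privacy, export control, or sanctions must review Foreign Travel Notifications; these are also provided through WorldCue when registering a trip to a high-risk country.
  • A UCOP-issued ‘managed’ device must be used (no BYOD). These devices are pre-configured with important security tools, including endpoint detection and response, anti-malware, and data loss prevention.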
  • A UCOP-issued ‘managed’ device must be used - no BYOD. These devices are pre-configured with important security tools, including endpoint detection and response, anti-malware and data loss prevention.
  • If a loaner cannot be used, any Protection Level 3 and 4 data must be removed from the device prior to leaving the United States. Removal of sensitive data is verified via a Data Loss Prevention scan of the device by UCOP Information Security prior to departure.
  • Access must be configured through a remote access method that does not store data on the local device, such as a Remote Desktop server. Access may also be performed through a Zoom session with a resource within the United States.
  • Access to data must use the UCOP VPN with multi-factor authentication (DUO).  

Process

  1. Download and complete the Request to Access UCOP Sensitive Systems or Data from Outside the United States form.
  2. The Unit Head or Division Head sends the completed form via email to servicedesk@ucop.edu.
  3. If the employee who will be traveling will not be utilizing a loaner device, this form will be routed to the UCOP Information Security team for review and processing.
  4. The requesting Unit Head or Division Head and the requesting employee will receive notification of the request status and decision.

 Additional Resources