Introduction

University faculty, staff, and students who travel internationally with CNU Systems—which include university-issued or owned devices such as laptops, mobile phones, and tablets—are subject to many risks, namely that of loss, seizure, or tampering.

Please use these guidelines to reduce the risks associated with traveling with these devices. If you have any questions regarding these recommendations or the requirements for traveling to high-risk locations, please contact the Helpdesk or email the Information Security Team at iso@cnu.edu.

Scope

Foreign travel is all travel that does not include travel within the fifty (50) United States and territories (e.g., Puerto Rico, Guam, American Samoa, the U.S. Virgin Islands).

Definitions

• CNU Systems: Includes all university-issued devices or university-owned/leased equipment, such as mobile phones, desktop computers, laptop computers, virtual machines, tablets, or other devices capable of connecting to the internet.

• High-Risk Destination: Geographic locations that pose significant health, safety, and security concerns. The university determines these based on U.S. Department of State Travel Advisory Levels 3 ("Reconsider Travel") and 4 ("Do Not Travel"), as well as OSAC Country Security Reports.

• High Cybersecurity Risk Country: Locations identified by U.S. government sources (FBI, ODNI, OFAC) as posing extreme risks for espionage or data theft. This list currently includes China, Russia, Iran, Cuba, North Korea, Syria, and Hong Kong.

• Sanctioned Destination: Countries or entities subject to U.S. trade or economic restrictions administered by the Treasury Department (OFAC), the Department of Commerce (BIS), or the State Department (ITAR).

• Class 1 Sensitive Data: The most sensitive university data (e.g., Social Security numbers, protected health information, or financial accounts) as defined in the CNU Data Classification Standard. This data is strictly prohibited on any device traveling to high-risk or sanctioned destinations.

• Class 2 Restricted Data: Non-public university information, such as student grades, proprietary research, and internal administrative records, whose unauthorized disclosure could result in moderate risk to the university. This data requires controlled access and must not be stored on unencrypted portable media, like memory sticks, during international travel. While less sensitive than Class 1, it must still be handled with due diligence to prevent negative impacts on university reputation or individual privacy.

Privacy, Censorship and Encryption

Traveling internationally with CNU Systems involves significant risks to data privacy and security. Depending on your destination, electronic devices may be subject to official governmental review and duplication of storage.

Data Prohibitions

• Class 1 Data: No university system containing Class 1 Sensitive data (e.g., Social Security numbers, protected health information, credit card numbers) may be taken to a high-risk or sanctioned destination for any reason, including personal travel.

Encryption Compliance

• Mandatory Encryption: Christopher Newport University requires encryption on all university-owned mobile devices (including laptops).

• Foreign Legal Restrictions: Use of encryption is restricted or forbidden in several countries. You must check with Information Security before traveling to ensure compliance with foreign laws.

• Detection Risk: If your encryption product "hides" information, these areas can be detected, potentially leading to criminal charges.

• Export Controls: U.S. regulations prohibit the export of encrypted devices to embargoed countries.

Censorship and Monitoring

• Network Blocking: Due to the difficulty of monitoring encrypted traffic, secure ("https") websites and VPNs may be blocked by some countries.

• Sanctioned Content: Attempts to circumvent national censorship are strongly discouraged. Misuse of products to bypass these blocks can result in device confiscation or criminal charges.

• VPN Usage: Use a VPN only when necessary to access essential files for university business or studies.

• Surveillance: Personal privacy is not guaranteed. Hotel rooms, rental cars, and taxis may be monitored via video or audio.

• Communication Risks: Phone and in-person conversations may be tracked. Local colleagues may also be required to report interactions with foreigners to their government.

Import Restrictions  

Many countries restrict the import of encrypted devices, and U.S. regulations strictly prohibit the export of encrypted devices to embargoed nations. If you are traveling to a location that restricts these devices, you must leave your university-issued equipment in the U.S..  CNU recommends requesting a loaner laptop for international travel; contact the Helpdesk to request a loaner laptop.

Additional Countries with Import Restrictions

The following countries have historically restricted the import of encrypted devices and may not recognize personal use exemptions:

• Belarus

• Burma (Myanmar)

• Israel

• Kazakhstan

• Moldova

• Morocco

• Saudi Arabia

• Tunisia

•  Ukraine (Specifically restricted regions)

Note: This list is subject to change based on international conditions. Before traveling, you should review the U.S. Embassies website and the U.S. State Department Travel Advisories for the most current information.

General Recommendations

The following guidelines are provided to help you protect both university data and your personal information while traveling abroad. Travelers are expected to adhere to these security measures to minimize risk.

Mandatory Prohibitions & Requirements

• Data Restriction: No Class 1 Sensitive data (e.g., Social Security numbers, protected health information, credit card numbers) may be stored on or taken with any device to a high-risk or sanctioned destination for any reason, whether the travel is university-directed or personal.

• China: DO NOT travel with encrypted devices to China without advance approval from Chinese authorities. China severely regulates the import of unapproved encryption; attempts to enter with an unapproved encrypted device may result in demands for the decryption key or device confiscation.

• State Sponsors of Terrorism: The U.S. government regulates traveling with high-level encryption technology and dual-use items to countries considered to support terrorism, currently including Cuba, Iran, North Korea, and Syria. DO NOT bring encrypted devices to these locations.

Recommendations:

• Loaner Devices: International Travelers are strongly encouraged to request a loaner device from the Help Desk. These devices may have specific security software installed, hardware features (like Bluetooth or cameras) disabled, and limited network connectivity to CNU services. All loaner devices will be completely erased by IT Services upon your return (ask the helpdesk to help you securely copy data you want to keep off the loaner laptop when you return) .

Before You Travel

• Personal Devices: Configure a strong password/passcode for any personal devices you take to prevent unauthorized access if the device is lost or stolen.

• System Updates: Ensure your device’s operating system and all software are fully patched and equipped with updated security software, such as antivirus.

• Encryption Check: While university-owned laptops are encrypted, you must check with Information Security before traveling to ensure your encryption complies with the laws of your destination country.

• Cloud Storage: Store necessary files in a secure Google share or on the university’s network storage server instead of locally on your device.

• Destination Research: Research your destination via the U.S. Department of State and OSAC websites to understand the current risk levels.

During Your Trip

• Power Down: Turn off or lock your devices whenever they are not in active use.

• Secure Access: Use the University VPN to access campus resources and network files.

• Data Minimization: Do NOT copy Class 1 (Sensitive) or Class 2 (Restricted) data to memory sticks or other easily lost media.

• USB Security: Use extreme caution when connecting any USB device to an unknown computer or charger, as it may be infected with malware.

• Physical Control: Always keep your mobile devices and laptops in your physical possession; never leave them unattended in hotel rooms or safes.

Upon Your Return

• Password Changes: Immediately change your CNU password and the passwords for any other accounts accessed while abroad.

• Security Scan: IT Services may scan your device to ensure it was not infected with malware during your travels.

Upon your return from a high cyber-risk country, you must follow these steps immediately:

• Discontinue Use: Stop using the devices immediately.

• Sanitize Hardware: The hard drive must be reformatted and the operating system and all related software must be reinstalled, or the device must be properly disposed of.

• IT Support: Contact IT Services to assist with this mandatory re-imaging process.

Security Checks

Sometimes airport or other security officers will ask you to start your device to prove that it works. Comply by starting your system and entering the password yourself (if asked).

• Password Protection: If a security officer requests your password, state that it is Christopher Newport University Information Security policy to NOT share passwords.

• Compliance: If they still require you to provide the password to them, give them the password and change it immediately following the check.

• Export Controls: All employees must comply with U.S. Export Control regulations while on university travel; be aware that some countries may require you to reveal encryption keys to authorities.

Additional Recommendations

To further reduce your risk profile while traveling, Information Technology Services recommends the following best practices for all international travelers:

Device & Network Security

• Public Workstations: Avoid using public or shared workstations, as their security cannot be trusted—especially in high-risk countries.

• Credential Theft: Anything you enter into a public system, such as User IDs or passwords, may be captured and used by malicious actors.

• Wi-Fi Settings: Set all wireless-capable devices to "do not automatically connect to Wi-Fi".

• Software Updates: DO NOT update your computer or mobile device while connected to a public or hotel wireless network.

• Bluetooth: Disable Bluetooth on your laptop, mobile phone, and all other devices to prevent unauthorized connections.

• Firewalls: Ensure host-based firewalls are configured and enabled on both Windows and Mac laptops.

Physical & Visual Privacy

• Shoulder Surfing: Be aware of your surroundings when logging in; credentials can be compromised simply by someone watching you input information.

• Camera Privacy: Tape over or disable integrated laptop cameras to prevent unauthorized remote viewing.

• Mobile Security: Set your mobile device to wipe itself after 10 failed login attempts.

• Backups: Ensure you back up your device before traveling in case it is lost, stolen, or wiped.

Personal Belongings

• Access Control: Leave unneeded car keys, house keys, smart cards, credit cards, and workplace fobs at home.

• Financial Data: Clean out your purse or wallet to remove any bank account numbers, logins, or written passwords.

Government Resources for International Travelers

For the most current information regarding safety, security, and legal requirements for your destination, please consult the following official resources:

Safety and Security Advisories

• U.S. Department of State Travel Advisories: Provides color-coded risk levels (1-4) and detailed safety assessments for every country.

  • Website: travel.state.gov

• Overseas Security Advisory Council (OSAC): Offers comprehensive Country Security Reports and real-time threat alerts for private-sector and academic travelers.

  • Website: osac.gov

• Smart Traveler Enrollment Program (STEP): A free service that allows U.S. citizens to receive security updates from the nearest U.S. Embassy or Consulate during their trip.

  • Enrollment: step.state.gov

Trade Sanctions and Export Controls

• Office of Foreign Assets Control (OFAC): Administers and enforces economic and trade sanctions based on U.S. foreign policy.

  • Sanctions Lists: ofac.treasury.gov

• Bureau of Industry and Security (BIS): Maintains lists of parties (individuals and entities) subject to export restrictions.

  • Parties of Concern: bis.doc.gov

• U.S. Customs and Border Protection (CBP): Provides essential information on what you can and cannot bring back to the U.S., as well as electronic device search policies.

  • Website: cbp.gov

Health Information

• CDC Travelers' Health: Offers destination-specific vaccine recommendations and health notices.

  • Website: cdc.gov/travel