Technology Compliance as a Global Effort
NYU community members must follow NYU compliance policies at all global locations in all aspects of university life including, but not limited to, teaching and learning, research, community life, and administration. All faculty, students, and administrators/staff who plan to visit any of NYU’s global academic centers/study-away sites or portal campuses are strongly encouraged to use the information provided here as a reference resource prior to travel.
It is important to be aware of the various laws and regulations governing technology across all NYU locations because the responsibility for knowing and complying with those laws and regulations is your own. In addition to local laws at the global locations, awareness of and compliance with NYU's policies, guidelines, and regulations are critical wherever an NYU community member uses, stores, and/or transports data or hardware. Toward that end, you are advised to become familiar with those policies, in particular:
- Data Classification Table
- Reference for Data and System Classification
- Data and Computer Security Policy
- Data and System Security Measures
- Security Guidelines for Desktop and Laptop Computers
- Security Education: Recommendations for getting secure
Best Practices for Device Security When Traveling Abroad
Traveling abroad requires particular attention to safety and security considerations for your computer and other electronic devices and for the data on those devices. Countries to or through which you may travel have different laws and regulations regarding data privacy. These laws and regulations may place the security and privacy of NYU's Restricted data or other sensitive information at risk. This means that the electronic devices that you bring for work may be subject to search and seizure, even at the U.S. border.
In addition, electronic devices are subject to attack and compromise in a number of ways, some subtle, such as malicious mobile software updates, and some obvious, such as theft or physical tampering with devices. Your Internet usage may be monitored as well. Remember to “travel smart” and understand that if you are looking at something, in all probability someone else is looking as well. Your management of the risk to NYU computers and data in order to continue your operational business capability while respecting the privacy laws and cultural norms of specific countries is of increasing importance.
Before You Leave:
- Ensure that you will be able to use NYU Multi-Factor Authentication to access NYU services while traveling.
- Borrow an NYU loaner laptop or mobile device from your school or department that contains no personal or work-related data. In order to provide the best safeguards, the loaner laptop should have been locked down with only minimal software installed. Take only what you need and do not install additional software as it may compromise the security profile. If you are uncertain, contact NYU IT Office of Information Security (OIS) at firstname.lastname@example.org.
- If an NYU loaner laptop or mobile device is not available, remove any Restricted data that you might have stored—as well as any Protected or Confidential data which might cause harm to the University if lost or stolen—and secure the laptop according to IT guidelines.
- Copy required work files to one of NYU’s file storage services appropriate to the classification of the data, so that you can securely access them via VPN while traveling. If traveling to a U.S.-sanctioned country or are taking University-owned equipment abroad, please see NYU's Export Compliance site for guidance. Also, see #4 in the “While you are traveling” section below. (Note in particular that Restricted data should never be stored on NYU Drive; such data should be stored only on NYU Box or an appropriately configured Windows file server.)
- Secure your device with a strong password and install OS security updates and antivirus, anti-spyware, and, if possible, firewall software.
- Avoid divulging your travel information to the public via social networks or through online forums.
- Contact OIS if you have pre-travel questions relating to security of electronic devices.
While You Are Traveling:
- Remain vigilant about the physical security of your devices at your hotel or apartment. Securely delete any newly downloaded data on your device prior to leaving your electronics behind. Devices may be at risk of physical tampering or theft, particularly if they are left unattended (including devices left locked in a hotel room or even left locked in a hotel safe while dining, shopping, or touring). Be aware and immediately report signs of tampering to OIS.
- It is not a good idea to use Internet cafes or other public locations to access NYU data and servers, either by using their network or provided computers (for example, in a hotel business center).
- While abroad, be cautious of installing over-the-air, or “OTA,” updates for your mobile device as they may contain spyware, viruses, trojan horses, or other types of malware.
- Use the NYU VPN service to access NYU resources, where permitted. (VPN software is prohibited for use in Iran, Sudan, Syria, and North Korea without authorization from the U.S. Government. If you plan to travel to these locations, contact NYU's Office of General Counsel at least six months in advance of travel in order to apply for a license.)
- Beware of accessing non-NYU sites, because there is a chance of “drive-by” downloads of malicious software onto your computer or mobile device.
- If traveling in a country where there is an NYU-provided Cisco landline VoIP-based service (e.g., Abu Dhabi), it generally will be much more secure than cell phones.
- If a device is taken away from you in another country and given back, it very well may have been compromised; it is probably best to throw it away. Always, first report that information to OIS and request guidance.
Upon Your Return:
- Return any devices that have been borrowed for secure wiping and re-deployment.
- If there has been suspicious activity on any of the devices you have used or, when in another country, if the devices have been taken away and returned, report that information to OIS before returning the devices.
- If you notice any unusual activity with your accounts once you have returned, use a trusted computer to change any passwords you used while traveling and report the activity to OIS.