Home Information for UM Faculty and Staff Mobile Device Security Mobile Computing Guidelines for Travel

ALERT Travelers should avoid installing software updates when using a hotel or other guest network. See this FBI advisory: Malware Installed on Travelers' Laptops Through Software Updates on Hotel Internet Connections. Anyone who believes they have been a target of this type of attack should immediately contact IIA.

Mobile Computing Guidelines for Traveling Abroad

Secure Your Computer, Phone, and Tablet for Travel

It is important that you keep your personal and university-owned data secure as you travel. Electronic data stored on mobile devices such as smart phones, tablets, and laptops are assets that individuals, organized crime, and some foreign governments are increasingly looking to steal. By taking a few specific actions before, during, and after your trip, you can protect the data on your devices.

On this page:

• Laptops: Best Practices When You Travel
• Smart Phones and Tablets: Best Practices When You Travel
• Travel to High Risk Locations and/or For Accessing Sensitive Data: Best Practices
• Data Security Information For Travel To China

General Tips

• Be aware that governments in some countries may copy data from your computer and/or log your Internet activity without your knowledge or consent.
• Assume that any computer network you use is insecure, including those of friends you are staying with, in business centers, at cyber-cafes, or in libraries.
• Never enter or access sensitive data when using a shared or public computer.

BEFORE YOU TRAVEL

1. If it's not necessary, don't travel with it

• Leave behind any devices or media that are not absolutely necessary.
• Take only the data and application sets you need. Remove unnecessary sensitive data, and make sure you securely delete it as appropriate.
• Do not save sensitive personal information like credit card numbers, passport information, or social security numbers on your device.
• TIP: Ask your IT Department for a loaner laptop.

2. Inventory your data

• Know what data you are taking. It is important that you have an inventory of the data you are traveling with if your device is lost or stolen.

3. Back it up

• Securely back up data stored on the workstation or medium onto media that will not be taken on the trip.

4. Secure your device

• Be sure all software is patched and updated, including the operating system, applications, and antivirus software.
• Run a full scan for malware, using antivirus and anti-spyware tools. This serves as a baseline, ensuring that the system is clean of detectable malware prior to travel.
• Install a host-based firewall, and configure it to deny all inbound connections.
• Test the VPN. Verify that the university VPN software is installed, and that you are familiar with how to use it.
• Disable file and printer sharing.
• Disable Bluetooth.

WHILE YOU ARE TRAVELING

1. Use the U-M VPN to access the Internet.

• Download and use the university's VPN client. The VPN provides an encrypted network for all network-computing needs. For more details see http://www.itcom.itd.umich.edu/vpn/

2. Avoid public wireless

• Where possible avoid using free wireless services, and always use the university's VPN service.
• Never accept software updates on hotel internet connections or other public wifi

3. Use screen lockout

• Always lock your screen when not using your device.
• On a Windows system, press Control-Alt-Delete and select Lock Computer from the list of options. When you return, you can unlock the computer with your login name and password.
• On a Macintosh OS X system, in the Security section of the System Preferences panel, select the check box beside "Require password to wake this computer from sleep or screen saver." Then go to the Desktop and Screen Saver section of the System and Preferences panel and turn on a screen saver.

4. Keep your device with you

• To the extent possible, keep your device close rather than leaving it behind in hotel rooms.
• Be discreet. Where possible, do not use an obvious laptop storage bag, as these may make you a more obvious target.

5. Report lost or stolen device

• Contact local authorities to report the loss or theft.
• Contact the ITS Service Center for assistance in changing your passwords.
• Contact security@umich.edu if you believe that university-owned sensitive data was on the device.

WHEN YOU GET BACK

1. Change your UMICH password

• Immediately change your UMICH password to a new password upon your return.

2. Scan and clean

• Run a full in-depth scan for malware, using anti-virus and anti-spyware tools. If any malware infections are detected then follow the remediation steps recommended by the antivirus tool.

Smart Phones and Tablets: Best Practices When You Travel

Smart phones and tablets pose a great risk when traveling. Because of their value, these items are often a greater target for thieves than laptops. Because they are devices we carry with us on a daily basis, they are at even greater risk for being lost or misplaced. Finally, because these devices are typically personally-owned, there is less ability to enforce enterprise-level security features.

BEFORE YOU TRAVEL

1. If it's not necessary, don't travel with it.

• Leave behind any devices or media that are not absolutely necessary.
• Take only the data and application sets you need. Remove unnecessary sensitive data, and make sure you securely delete it as appropriate.
• Do not save sensitive personal information like credit card numbers, passport information, or social security numbers on your device.
• TIP: Ask your IT Department for a loaner laptop.

2. Inventory your data

• Know what data you are taking. It is important that you have an inventory of the data you are traveling with if your device is lost or stolen.

3. Back it up

• Securely back up data stored on the workstation or medium, onto media that will not be taken on the trip.

4. Secure your device

• Best practices for securing your mobile personal device are found at the U-M SafeComputing site.

WHILE YOU ARE TRAVELING

1. Avoid public wireless access

• When connecting to the Internet, avoid using free wireless services, and always use the University's VPN service

2. Use screen lockout

• Always lock your screen when not using your device.

3. Keep your device close

• To the extent possible, keep your device with you, rather than leaving it behind in hotel rooms.

4. Report lost or stolen devices

• Contact local authorities to report the loss or theft.
• Contact the ITS Service Center if you need assistance in changing your passwords.
• Contact security@umich.edu if you believe that university-owned sensitive data was on the device.

WHEN YOU GET BACK

1. Change your UMICH password

• If you changed your password, change to a new password upon your return.

2. Scan and clean

• Run a full in-depth scan for malware, using anti-virus and anti-spyware tools.

iPHONE AND ANDROID RESOURCES

• iPhone Security and Privacy Guidance
• Secure Your iPhone
• Android Security and Privacy Guidance
• How To Secure Your Android-Based Devices
• Android Security: Six Ways To Protect Your Google Phone

Travel to High Risk Locations and/or For Accessing Sensitive Data: Best Practices

When traveling to a high risk location such as China, or accessing data defined as sensitive by the university when traveling, also take the following steps:

1. Take a loaner device

• Does your IT department have a "travel" machine that could be used for just this specific trip?

2. Change your password

• If you intend to connect with the university network, VPN, or email while traveling, change your UMICH password to one that will be used only during your trip.

3. Never type in a password

• Save your passwords on a USB thumb drive. Copy and paste passwords from there.

4. Encrypt it

• Apply full disk encryption. This will provide a substantial layer of protection should the workstation or medium become lost or stolen.
• See the U-M SafeComputing Encryption page and your unit IT support for instructions on encrypting your laptop.
• PCs
• Macs

5. Do not access sensitive data

• When in a high risk location, do not use any system that accesses Sensitive Data, even when using the university VPN.

6. Disable bluetooth, wifi, and and GPS when not in use

7. During meetings, power off devices and remove batteries to mitigate risk of the microphone being turned on remotely

8. Wipe your device when you return

• To ensure no hidden spyware returns with you and infects the U-M computing environment, have your IT department completely wipe your device and install a new image.

Data Security Information for Travel to China

In addition to following the recommendations listed above, familiarize yourself with the unique data security risks of traveling to China.

• Chinese Army Unit Is Seen as Tied to Hacking Against U.S. (New York Times, 2/18/13)
• U.S. Department of State International Travel Information: China
• U.S. Department of State China 2013 Crime and Safety Report: Shanghai
• U.S. Department of State China 2012 Crime and Safety Report: Beijing

Additional Travel Security Information and Tips:

• Traveling Light in a Time of Digital Thievery (New York Times, 2/10/12)
• Threats to Traveling Data (New York Times, 3/14/2011)
• Malware installed on Travelers' Laptops Through Software Updates On Hotel Internet Connections
• Higher Education and National Security: The Targeting of Sensitive, Proprietary, and Classified Information on Campuses of Higher Education (FBI, April 2011)
• U.S. State Department International Travel for travel advisories for specific countries.
• Federal Bureau of Investigation: Safety & Security Abroad for Professionals

University of Michigan Supporting Policies and Standards

• Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan (SPG 601.07-0)
• Institutional Data Resource Management Policy (SPG 601.12)
• Sensitive Regulated Data: Permitted and Restricted Uses Standard
• Information Security Incident Reporting Policy (SPG 601.25)
• Data Classification Resources (authentication required)

For questions related to International Trafficking in Arms Regulations (ITAR) and Export Administration Regulations (EAR) compliance, please contact the Office of Research and Sponsored Projects (OSRP).