Research Cybersecurity - Remote Work Guidance

International Travel Remote Work Security Requirements

This guidance is intended to address security concerns when CU information and devices are used while traveling internationally. Planning ahead to incorporate the following guidance into your travel plans will reduce the risk of CU owned information and devices being compromised or stolen during and after your trip. 

Minimum Security Standards

Laptops or Other Portable Mobile Devices

• When possible, leverage a department loaner laptop or a clean computer (one that has had the storage system securely erased and the operating system re-installed).  If a clean laptop is not available and you must use your work device to access CU Confidential or Highly Confidential data, a CU owned and managed device is required.  A CU managed device is one that is administered by OIT or a departmental IT professional. 
  • If your device is managed by OIT DDS (Dedicated Desktop Support) your device meets many of the security requirements listed on this page.
  • If you do not have a DDS managed device, you will be responsible for ensuring that your CU owned and IT managed device has the necessary security requirements below prior to leaving on INTL travel.
  • Please Note: If you need to report a lost or stolen device while traveling, follow the process outlined on this page as soon as possible.

Additional Device Security

Once you have acquired a departmental loaner or a clean computer, please ensure the following security best practices are in place on the system:

• Access Control: 
  • The laptop should be a single user laptop that requires login with a unique passphrase known only by the authorized primary user. 
  • For CU applications (Microsoft 365, MyCUInfo, etc.) do not save account information and passwords to autofill.
• Least Privilege: Accounts used to login to the computer should be configured with the least privileges necessary for you to perform your job. Your primary login account should not have administrative privileges.
• Limit System Complexity: Disable unnecessary services or applications. Disable File and Print sharing.
• Screen Saver: Enable a screen saver that automatically locks the device after a period of 15 minutes of inactivity.
• Enable full disk encryption: 
  • If your laptop is managed by OIT DDS it should be encrypted with PGP encryption.
  • If your laptop is not managed by DDS you can use other encryption products such as Bitlocker for Windows and FileVault for Macs.
• Backups: Back up your device files and folders prior to leaving on your trip. This minimizes data loss in case of a damaged, lost, or stolen device.
• Malware Protection: Keep security software (antivirus) up to date and run a scan when you return from your trip abroad prior to connecting to the CU network.
• Patching: Prior to leaving on your trip, install the latest OS and third-party software patches as soon as the update is made available.
• Firewall: Enable your operating system firewall if applicable.
• Physical Security: Always maintain physical possession of your device and don’t place it in your checked bags.
• Wireless Networks: 
  • Do not connect to public Wi-Fi networks. 
  • Disable your Wi-Fi network when working remotely.
• Public Charging Stations: Do not use public charging stations.
• External hard drives and thumb drives: Portable hard drives and thumb drives used while on travel should be encrypted.
• Data Security: Prior to departing, remove all non-essential files and folders that contain CU data or your own personal data and store on an appropriate CU resource.
• Device Disposal or Reuse: Sanitize your device by destroying all CU data before disposal or transfer.
• Remote Access: All CU information accessed or transmitted while traveling must be done while utilizing the CU Boulder VPN.

Sponsored Research and University Highly Confidential Projects

In some situations, the above guidance will not be sufficient. If you will be performing remote work for a sponsored research project or any project which utilizes University Highly Confidential data, and/or working from a high risk country, contact the Research Cybersecurity team at itso-sec-review@colorado.edu for further guidance.

If your project will include export-controlled material, you will need to work with the Office of Export Controls (OEC) to determine additional steps that must be taken to safeguard the material. You can contact the OEC team by emailing exportcontrolshelp@colorado.edu.

Data classification resources: 

• Office of Information Security's Data Classification website 
• Student Data Use Guidelines
• Employee Data Use Guidelines

Report a lost or stolen device

Reporting lost or stolen devices is important so that CU Boulder is aware of a potential loss of information that the university is legally or contractually bound to protect. This includes the loss or theft of university-issued or personally-owned devices or physical media (e.g. USB drives, hard drives, or paper files) storing CU information as well as devices that support critical university functions.

Take the following steps if a device is lost or stolen:

1. File a report with the local police department where the loss occurs. If lost or stolen while on the CU Boulder campus, file a report with the CU Boulder Police Department (303-492-6666).
2. Change passwords to all sensitive accounts you access with the device using a trusted computer.
3. Report the incident to your campus IT or information security office. 
   CU Boulder incident report contact: security@colorado.edu or 303-735-4357
   CUI incident report contact: CUI-Incident@colorado.edu 
   Please provide the following information when reporting an incident:
   • Your current contact information.
   • College or Department involved.
   • Brief description of the incident and device.
   • General description of the type of information involved.
   • Was it sensitive (confidential, highly confidential, regulated or sponsored research) university information? Was it shared with or accessed by unauthorized people?
   • General description of the impact of the incident, if known
   • Is the device encrypted?
   • Are any other known resources affected?
   • Include the police report number and department information if outside of CU Boulder.