Cybersecurity Policy for International Official University Travel

Travelers from the higher-education community often have unique considerations that the average person abroad does not have to address. The Enterprise Cybersecurity team is available to assist and guide you to ensure that you have a safe and productive trip. Regardless of the travel destination, if project personnel are traveling for collaboration/research or field work/site visits, are taking University equipment with them, or need to take or remotely access any information covered by University Administrative Regulation 10.1, they should notify the UK Enterprise Cybersecurity team prior to the trip in order to receive additional guidance.

Basic security requirements must be observed when traveling:  
  1. Register with the UK International Center’s International Travel Registry. Individuals participating in Education Abroad programs must register by emailing educationabroad@uky.edu. Registration with the UK International Center before high-risk travel is required, and UK students (including graduate students) are not permitted to travel to certain high-risk destinations without explicit approval from the UK International Center.
  1. Only take devices necessary while traveling. If you can do without the device, it is best left at home.  
  1. Do not log into university accounts/resources when using publicly available computers. Be aware that your account login information can be stolen in common ways, such as hidden software that records what you type, someone watching over your shoulder, or cameras capturing your keystrokes. 
  1. Change your account password upon returning to the University.  
  1. Don't leave computers/devices in hotel rooms or public spaces unattended. It’s important to lock them in a hotel safe or keep them with you at all times.  

UK Mobile Device Requirements (phone, tablet, laptop, etc.)

  1. Do not connect flash drives or other removable media received while traveling (e.g., conference exhibitor gifts) to UK devices.
  1. Do not install new software while traveling internationally. 
  1. Clear internet browsers before travel and before returning to the University. 
  1. Only connect your devices to computers and accessories that you trust and recognize. 
  1. A data blocker device is required when using public charging stations.
  1. Keep software and apps up to date. 
  1. Use lock screen PINs and Passwords with a minimum 6-character length. 
  1. Set devices to lock after 5 minutes or less. 
  1. Encrypt data, if possible, following these directions for MacOS and/or Windows. NOTE:  Some countries, such as China, Cuba, Iran, North Korea, Russia, Sudan, and Syria have restrictions on the import and use of encryption tools and do not allow cryptography tools to be imported or used within their borders without a license, or in some cases, at all.  
  1. Do not connect to open Wi-Fi networks. Use a reputable U.S.-based Virtual Private Network (VPN) or UK’s VPN whenever possible, and in accordance with local, state, and country laws. NOTE: Some countries, such as China, Russia, Belarus, Egypt, and Turkey, have restrictions or bans that do not allow VPN.
  2. Disable nonessential mobile device capabilities: 

    1. Wi-Fi when not connected to a trusted network. 
    1. Bluetooth. 
    1. Near-Field Communication (NFC). 

Take a "clean" Laptop

Work with your departmental IT to configure your device to be a “clean” laptop to use when traveling abroad.  Travel laptops must meet the following minimum configuration and data requirements:

  1. University device management software installed. 
  1. VPN software installed whenever possible, and in accordance with local, state, and country laws. NOTE: Some countries, such as China, Russia, Belarus, Egypt, and Turkey, have restrictions or bans that do not allow VPN. See Special Notes for HealthCare Employees/Students, later in this document, for additional restrictions.
  1. Fully updated operating system. 
  1. An encrypted hard drive. NOTE:  Some countries, such as China, Cuba, Iran, North Korea, Russia, Sudan, and Syria have restrictions on the import and use of encryption tools and do not allow cryptography tools to be imported or used within their borders without a license, or in some cases, at all.   
  1. Only software that is considered “tools of the trade” as they relate to your profession/official travel purpose must be loaded. 
  1. If available, use the eduroam network for wireless service. This service is made up of a consortium of education institutions and the research community that shares each other's secured wireless networks, allowing members to log in with their home institution ID. UK is a member of the eduroam consortium. Travelers must test their eduroam access before departing.
  2. Minimize protected data (as defined by AR 10:7) contained on the device(s). Do not take with you ANY: 

    1. Data that is under an obligation of confidentiality or a non-disclosure agreement. 
    1. Data or analyses that result from a project for which there are export control restrictions or a contractual agreement that constrains the sharing of the research results.  
    1. Any computer software that is restricted for export from the United States.  
    1. Confidential information about human research subjects.  
    1. Data or software that has national defense, military, or aerospace applications.
  3. When travelling abroad, travelers may engage in activities subject to export control and sanctions regulations based on the travel destination, parties a traveler may interact with, items and data travelers may take with them, and data travelers may remotely access from the foreign location. Contact the below offices/individuals for specific guidance:  

    1. John Craddock, CAER - Export Control Compliance Officer, john.craddock@uky.edu 
    1. UK Enterprise Cybersecurity, cybersecurity@uky.edu  
  4. If you are part of a project that involves export-controlled technologies or Controlled Unclassified Information (CUI), you are required not to travel outside the U.S. with any data that is involved with the project or to access any associated project data when travelling abroad. Contact the below offices/individuals for specific guidance:

    1. John Craddock, CAER - Export Control Compliance Officer, john.craddock@uky.edu 
    1. UK Enterprise Cybersecurity, cybersecurity@uky.edu  
    1. Department IT Administrator who wrote/reviewed the IT Security Compliance Plan 
  5. Upon returning to the US, return your UK device(s) and any portable media (e.g., hard drives, flash drives) to your departmental desktop support team as soon as possible for a cybersecurity “check-up”.

Training Requirements

All UK employees and students traveling to locations outside of the United States of America must participate in the following trainings:

  1. First thing you should do
  2. CyberSafeCats Website (students and employees): 

  3. myUK Learning Portal (employees only): 

    1. CYB 101 Cybersecurity Awareness Foundations 
    1. CYB 200 Remote Work Cybersecurity Basics 
    1. CYB 201 Remote Work Cybersecurity Advanced 
    1. CYB 202 International Travel Cybersecurity Basics  
    1. CYB 401 Protecting Protected Health Information (PHI), Personal Identifiable Information (PII), Data, & Other Information
  4. Researchers (students and employees): 

    1. Research Security Advanced Refresher course (ID 339466) in CITI includes a module titled “International Travel” (ID 21273) that must be completed.  Researchers will use the UK CITI access login located at the link provided.   

Travel to Sanctioned/High-Risk Destinations

Traveling to Cuba, North Korea, Iran, Sudan, Syria, certain parts of Ukraine (Crimea region, Donetsk region, Luhansk region, and Sevastopol region), Afghanistan, Belarus, Burma, Cambodia, China, Russia, or Venezuela is considered high risk from an IT security perspective. When traveling in these areas, you may see the message “Access denied. Duo Security does not provide services in your current location” when attempting to log in using multi-factor authentication.

You may also be unable to access Microsoft resources. For some locations, conditional access to Microsoft resources may be granted by reviewing the following article, "How do I request conditional access for Microsoft 365 in a blocked locale?", and submitting the self-service form below.

How do I request conditional access for Microsoft 365 in a blocked locale?

Self-Service Form

Individuals traveling to Ghana, Nigeria, and/or Tanzania will not be able to access University technology resources and must submit an exception request form before traveling.

Exception Request Form

For a current list of sanctioned/high-risk areas travelers can search here:

Sanctions List Search

Travel Advisories

When traveling to a comprehensively sanctioned jurisdiction, notify the University’s Export Controls point-of-contact in advance. They will review General Licenses issued by the U.S. Department of the Treasury, Office of Foreign Assets Control, along with the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) to ensure the travel plan abides by U.S. export control and sanctions regulations and that any necessary licenses are obtained.

Travelers should review national guidance here: 

High-Risk Area Travelers

Individuals traveling to these areas must contact the UK International Center and/or Enterprise Cybersecurity prior to traveling, to receive additional guidance.

Report Appropriately When Something Goes Wrong

If your UK device, or a device you use to access UK resources, is lost, stolen, and/or confiscated for any amount of time, report the incident immediately at:

Stolen, Lost, and/or Confiscated Equipment Report

Staff: If you are no longer in possession of your UK device and need a replacement, reach out to your departmental IT staff.

Students: If you are no longer in possession of your UK-issued iPad, you may be eligible for replacement. Smart Campus will not replace devices/equipment (iPad, Apple pencil, keyboard, or charger) lost by a student. The student is responsible for purchasing lost items. Technology that has been stolen is eligible for replacement. To qualify for this replacement process, you must be able to file and provide a police report saying what was stolen. When filing this report, you will need the serial number of the iPad, keyboard, or accessories. It is your responsibility to notify Smart Campus through email at smartcampus@uky.edu. Smart Campus staff will be able to disable the device remotely, making it unusable until found/returned.

Campus Security Authorities: Campus Security Authorities should report Clery Act crimes that occur in their own or students’ hotel rooms, hotel common space (lobby, stairwell, elevators, etc.), and/or rented academic space when participating in institution sponsored travel.  If the University of Kentucky has entered into a written agreement with a third-party contractor to arrange housing and/or classroom space for the sponsored trip or study program, it is assumed that the contractor is operating on behalf of the institution as the institution’s agent, putting the institution in control of this space. Learn more about your responsibility as a CSA:

Campus Security Authorities

Have questions? Email:

Clery.compliance@uky.edu 

Other Considerations

Special Note on Border Crossings

Traveling with an electronic device may result in unexpected disclosure of personal information. Certain countries are known for requiring access to device files upon entry to their country. It is important to understand that the device, the device technology, and the data stored on it are all subject to export control regulations. As such, both foreign and domestic customs agents are authorized to seize travelers’ devices at their discretion. Therefore, you should be extremely thoughtful about any proprietary or sensitive information that may be stored on your device. Prior to leaving you are required to back up and securely erase.

Special Notes on Illness While Traveling

If you become ill while traveling, be aware you and/or your care provider may not have access to your medical records/history. Employees and students whose medical records/history is contained in UK HealthCare myChart records will not have access internationally.

Special Notes for HealthCare Employees/Students

HealthCare employees/students traveling internationally will not have access to healthcare tools/applications that have access to patient data. Examples include, but are not limited to, HealthCare VPN, Epic, myChart.

Violations

Consequences for violating technology regulations, policies, standards, guidelines, procedures, and baselines can be found here:

Consequences of Violations

Exceptions

The process for requesting an exception is standardized across all UK technology regulations, policies, standards, guidelines, procedures, and baselines and can be found here:

Request an Exception

What if I add personal travel in the same trip?

If you are traveling in an Official University capacity for part of your trip and in a personal capacity for another part, be sure to refer to the Personal Travel Guidelines in addition to the Official Capacity Travel Guidelines.

Personal Travel Guidelines

Regulation References

  1. General Data Protection Regulation (GDPR) 

    1. Regulation (EU) 2016/679 
    1. European Commission. https://gdpr.eu 
  2. Gramm-Leach-Bliley Act (GLBA) 

    1. 15 U.S.C. §§ 6801–6809 (Safeguards Rule) 
    1. Federal Trade Commission. https://www.ftc.gov 
  3. Payment Card Industry Data Security Standard (PCI DSS) 

    1. PCI Security Standards Council. https://www.pcisecuritystandards.org 
  4. Family Educational Rights and Privacy Act (FERPA) 

    1. 20 U.S.C. § 1232g; 34 CFR Part 99 
    1. U.S. Department of Education. https://studentprivacy.ed.gov 
  5. Health Insurance Portability and Accountability Act (HIPAA) 

    1. 45 CFR Parts 160, 162, and 164 
    1. U.S. Department of Health and Human Services (HHS). https://www.hhs.gov/hipaa 
  6. The Joint Commission Standards 

    1. Information Management (IM) and Emergency Management (EM) domains 
    1. The Joint Commission. https://www.jointcommission.org 
  7. Digital Millennium Copyright Act (DMCA) 

    1. 17 U.S.C. § 512 and § 1201 
    1. U.S. Copyright Office. https://www.copyright.gov/dmca 
  8. National Institute of Standards and Technology (NIST) 

    1. NIST SP 800-53 Rev. 5 – Security and Privacy Controls for Information Systems and Organizations 
    1. NIST SP 800-171 Rev. 2 – Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems 
    1. NIST Cybersecurity Framework (CSF) 2.0 https://www.nist.gov/cyberframework 
  9. U.S. Department of Defense (DoD) 

    1. DoD Instruction 8500.01 – Cybersecurity 
    1. DoD Instruction 8510.01 – Risk Management Framework (RMF) for DoD IT 
  10. Cybersecurity & Infrastructure Security Agency (CISA) 

    1. CISA Travel Cybersecurity Guidance and Alerts https://www.cisa.gov 
  11. U.S. Department of Homeland Security (DHS) 

    1. DHS Tips: Cybersecurity While Traveling  https://www.dhs.gov 
  12. U.S. State Department – Travel and Export Controls 

    1. International travel advisories and technology export guidance https://travel.state.gov 
  13. U.S. Department of Commerce – Bureau of Industry and Security (BIS) 

    1. Export Administration Regulations (EAR), including deemed export rules https://www.bis.doc.gov