IT & Data Security

01. Common Risks02. Planning Your IT Needs03. Groups & High Cyber Risk Travelers

Protecting Your Data

Data security risks take many different forms abroad, from surveillance and theft to malware and hacks. The degrees of privacy and security can vary greatly from one country to the next. To protect your information and devices—especially if you’ll be conducting research—you should develop a data security plan that serves your project’s needs and that adheres to the import and export controls and local laws of the host country.

Common Risks

Cyberattacks and cyber monitoring are becoming more prolific and sophisticated. Be aware of and comply with visa, customs, and security rules to minimize the chances that you or your devices will be easy targets or selected for scrutiny.

High Cyber Risk Locations

There’s an increased risk of data and identity theft in high cyber risk locations such as China, Hong Kong, Iran, Macau, North Korea, and Russia. You’ll need to plan for additional measures if you’re working in a high cyber risk location, and assume all data is compromised.

Prepare for Travel to High Cyber Risk Locations

Laws

Foreign regulations on data protection can be more rigid or have a different focus than US regulations. For example, the European Union adopted the General Data Protection Regulation (GDPR) that restricts how personal information for individuals located in the European Economic Area (EEA) is collected, managed, and used. Additionally, some countries do not permit encrypted devices because it would hamper the activities of their intelligence and law enforcement agencies.

Some US laws also affect your technology usage abroad. Duo—the third-party tool that Harvard uses for 2-step verification of HarvardKey—blocks authentications from countries and regions that are subject to the US Office of Foreign Assets Control's (OFAC) economic and trade sanctions. These locations include Cuba, Iran, North Korea, Sudan, Syria, and regions of Ukraine (Crimea, Donetsk, Luhansk, and Sevastopol). This means Harvard affiliates based in or travelling to those areas cannot access or communicate via most University-provided technology resources.

Harvard's GDPR Readiness

Worldwide Encryption Laws & Policies

Duo Blocks Authentications in OFAC-Sanctioned Countries and Regions

Research Data

Some foreign governments and groups specifically target research data, especially at border crossings and in transit. This is particularly true when traveling in or through countries with intense scientific competition.

Advice for Electronic Device Searches

Reliability

Internet connectivity, network security, and IT resources may be much less reliable or different than you’re accustomed to in the US, especially in countries with political unrest or civil discord.

Freedom on the Net Country Reports

Planning Your IT Needs

You may find it helpful to review HUIT’s guidance on how to keep your data and devices safe while traveling. Many of the tips and recommendations for individual travelers are applicable to programs.

International Data Security Guide for Travelers

Device Loaners for High Cyber Risk and Comprehensively Sanctioned Locations

Bringing personal laptops or mobile devices when traveling increases the possibility of data and identity theft, especially in locations deemed to have a high cyber risk or that are comprehensively OFAC-sanctioned. Faculty, staff, and researchers on University-related trips to China, Cuba, Hong Kong, Iran, Macau, North Korea, Russia, Sudan, Syria, and regions of Ukraine (Crimea, Donetsk, Luhansk, and Sevastopol) may borrow a device from HUIT.

HUIT International Travel Loaner Devices

In-country IT Support

If you’ll need IT support in your host country, we can help you identify and source a local vendor. It’s important to determine this early in the project so that you can budget accordingly.

Collecting Data

Human Subject Data

If your project involves working with human subject data, contact your School’s Institutional Review Board (IRB) for approval. They may be able to connect you with a foreign IRB that can help you navigate the host country’s privacy and data protection regulations. The foreign IRB may also need to approve your research.

Cambridge & Allston campuses IRB

Longwood IRB

Confidential or Sensitive Data

If you’re working with sensitive or confidential information, refer to resources from the Office of the Vice Provost for Research and from HUIT.

Research Data Security & Management Guidance

Information Security Policy Quick Reference Guide

Groups & High Cyber Risk Travelers

If you’re taking a group of students, faculty, or staff overseas and you’re concerned about IT security, or if believe you’re an especially high cyber risk traveler due to the nature of your work or your destination, you can request a consultation with HUIT’s Information Security and Data Privacy team.

Request a PrivSec Consultation