Protecting Your Data

Data security risks take many different forms abroad, from surveillance and theft to malware and hacks. The degrees of privacy and security can vary greatly from one country to the next. To protect your information and devices—especially if you’ll be conducting research—you should develop a data security plan that serves your project’s needs and that adheres to the import and export controls and local laws of the host country.

Common Risks

Cyberattacks and cyber monitoring are becoming more frequent and sophisticated. Be aware of and comply with visa, customs, and security rules to minimize the chances that you or your devices will be easy targets or selected for scrutiny.

High-Risk Locations

The U.S. government has identified a “pervasive threat” to information security from certain countries deemed “high risk,” including China and Russia. If you’re working in a high-risk location, assume all data is compromised.

U.S. State Department Country Information

Freedom on the Net Country Reports


Foreign regulations on data protection can be more rigid or have a different focus than U.S. regulations. For example, the European Union adopted the General Data Protection Regulation (GDPR), which restricts how personal information for individuals located in the European Economic Area (EEA) is collected, managed, and used. Additionally, some countries do not permit encrypted devices because encryption would hamper the activities of their intelligence and law enforcement agencies.

Some U.S. laws, such as OFAC regulations, may also affect your technology usage abroad. Duo—the third-party tool that Harvard uses for 2-step verification—blocks authentications from OFAC-sanctioned countries and regions. This means Harvard affiliates based in or traveling to those areas cannot access or communicate via most University-provided technology resources.

Harvard's GDPR Readiness

Worldwide Encryption Laws & Policies

Duo Blocks Authentications in OFAC-Sanctioned Countries and Regions

Research Data

Some foreign governments and groups specifically target research data, especially at border crossings and in transit. This is particularly true when traveling in or through countries with intense scientific competition.

Advice for Electronic Device Searches


Internet connectivity, network security, and IT resources may be much less reliable than, or different from, what you’re accustomed to in the U.S., especially in countries with political unrest or civil discord.

Freedom on the Net Country Reports

Planning Your IT Needs

You may find it helpful to review our International Data Security Guide for Travelers. Many of the tips and recommendations for individual travelers are applicable to programs.

International Data Security Guide for Travelers

Device Loaners

Bringing personal laptops or mobile devices when traveling increases the possibility of data and identity theft, especially in countries deemed to be high risk (as outlined above). If you're traveling for approved University business, you may be eligible to borrow a device from HUIT for the duration of your trip. Note: This is currently a pilot program limited to junior and senior faculty members in the FAS Division of Sciences. HUIT hopes to offer this service to a broader population in the future.

HUIT Loaner Device Program

In-country IT Support

If you’ll need IT support in your host country, we can help you identify and source a local vendor. It’s important to determine this early in the project so that you can budget accordingly.

Internet Connectivity

If you plan to connect to the Internet, determine the risk level of your location and whether or not you have access to secure networks. If secure network access is available, always connect to Harvard’s network via a Virtual Private Network (VPN). And if a secure network is not available, consider using an “empty” machine to collect the data.

How to Connect to Harvard VPN

Storing Documents

Consider using an encrypted USB storage device like IronKey or an encrypted external hard drive to store documents. Harvard University Information Technology (HUIT) may be able to provide you with an IronKey. Access to a SharePoint site or cloud service may also be an option for storing documents securely.

Collecting Data

Human Subject Data

If your project involves working with human subject data, contact your School’s Institutional Review Board (IRB) for approval. They may be able to connect you with a foreign IRB that can help you navigate the host country’s privacy and data protection regulations. The foreign IRB may also need to approve your research.

Cambridge & Allston campuses IRB

Longwood IRB

Confidential or Sensitive Data

If you’re working with sensitive or confidential information, refer to resources from the Office of the Vice Provost for Research and from HUIT.

Research Data Security & Management Guidance

Information Security Policy Quick Reference Guide

Groups & High-Risk Travelers

If you’re taking a group of students, faculty, or staff overseas and you’re concerned about IT security, we can coordinate an IT security overview for your group, conducted by your local IT group or HUIT. Contact us as soon as possible and at least a month before your travel.

If you believe you’re an especially high-risk traveler due to the nature of your work or your destination, contact us for a personalized IT security plan in consultation with your local IT group or HUIT.

Schedule a Consultation