Export Controlled Information and Travel
- Issue Date: November 2018
- Revision Date: N/A
- Expiration Date: N/A
As CSULB faculty and staff, you may be dealing with a research project or business activity involving or has the potential to involve the receipt and/or use of items or information governed by US Export Control laws, referred to as Controlled Information in this document.
The guidelines below are intended to help you understand the impact of the federal export laws and regulations on your work or research activity from the perspective of information security and prevent an accidental violation of US Export Control laws. For more information about federal export control regulations, please contact CSULB Office of Research and Sponsored Programs (ORSP).
The federal export control regulations apply:
- When you give Controlled Information to a non-US person, even if it happens in the US on our campus;
- When you collaborate with people in other countries via email regarding your research project/activity even though you are physically in the US;
- When you travel overseas for an international conference and you take with you a laptop computer, tablet, or flash drive or any other computing or data storage device that contains items or information governed by the US export control laws and regulations;
- When you access the Controlled Information from overseas; and
- When you are shipping a Controlled Information item outside the US.
If you are travelling internationally, please ask the following questions:
Where are you going?
Please contact ORSP to ensure you are not traveling to a sanctioned country and for help in determining your export license requirements. Please allow yourself at a minimum one month to discuss with ORSP the various requirements for your international travel. ORSP will be able to assist with travel to both Non-Sanctioned Countries and Sanctioned Countries.
Sanctioned Countries include:
- Comprehensive Sanctions: Cuba, Iran, North Korea, Sudan, and Syria
- Other Sanctions programs: The Balkans, Belarus, Burma (Myanmar), Cote d'Ivoire (Ivory Coast), Democratic Republic of Congo (DRC), Iraq, Lebanon, Liberia, Libya, Somalia, Yemen or Zimbabwe.
What are you taking with you?
Controlled Information taken out of the U.S. is an export, including data on laptop computers, cell phones or any other computing or data storage devices, and is subject to US export control. You must ensure that there is no Controlled Information stored on the device or accessible through the device.
What will you do overseas, and will you access your email and information?
Accessing Controlled Information located in the US from overseas via email or through university-networked server while travelling abroad is subject to US export control. Please allow yourself at a minimum one month to discuss the various requirements for your travel with ORSP.
Who will you be interacting with?
Providing information regarding Controlled Information at international conferences is subject to US export control.
How do you control access to Controlled Information?
Data Access
CSULB is an open network and frequently targeted by attackers. It is essential that information systems storing Controlled Information be well-maintained (patched/updated regularly) and properly secured against unauthorized access.
- Appropriate measures must be taken to secure the access to Controlled Information. Warning: Controlled Information cannot be stored on mobile devices or removable media!
- Controlled Information must not be accessed from shared or public computers such as kiosk computers in libraries, hotels, and business centers. Controlled information should only be accessed from university provided computers that have the appropriate security configurations.
- Security software, such as Windows Defender, must be enabled on the computing devices while accessing Controlled Information. If your computer does not have security protection software, please contact your campus technical coordinator to install and enable CSULB endorsed security software on your computing devices.
- Contact the Information Security if a managed hosting environment to hold Controlled Information in a secure and monitored environment is needed.
- Information systems containing Controlled Information should be appropriately maintained (patched/updated regularly) and use security software to detect malware.
- University-owned computers accessing Controlled Information must be encrypted. Please contact your campus technical coordinator to enable this service.
- Access to Controlled Information from off-campus locations must be via VPN service which provides end-to-end encryption. Public networks and Wi-Fi networks must not be used when accessing Controlled Information without VPN service. Please contact your campus technical coordinator to enable this service or visit the Remote Networking Services/VPN guidelines to obtain VPN service.
- Access to Controlled Information should be provided to individuals with appropriate authorization in accordance with the federal, State, and CSU regulations governing information access rights and privileges (e.g., nationality, etc.).
Data Storage
- Controlled Information must be stored on secured file services requiring username and password.
- Controlled Information may not be stored on mobile devices (e.g., smart phones and tablets), or removable media (e.g., USB drives, CD/DVD disks).
- Cloud-based storage platform, such as OneDrive and SharePoint, may be acceptable for some forms of Controlled Information with ORSP approval. Some federal government agencies do not allow any cloud-based storage of their data.
- If you are travelling, devices accessing Controlled Information should be stored in a hotel room safe or secured in other ways.
- Servers containing Controlled Information must require two-factor authentication for remote administration. Please contact Information Security to obtain this service.
Data Transmission
- Transmission of Controlled Information should be encrypted.
- Transmission of Controlled Information via voice is permissible only when there is reasonable assurance that access is limited to authorized persons.
Data Destruction
- Electronic media holding Controlled Information must be destroyed in accordance with the campus Electronic Media Sanitization Procuedure.
- If destruction of special media is needed, Division of Information Technology (DoIT) Information Security can offer assistance. Please contact Information Security for more information.
CSULB Division of Information Technology security team provides services that help Faculty responsible for Controlled Information to secure its storage, access, and destruction in U.S. and while travelling outside U.S. Please contact Information Security at security@csulb.edu for more information.