S 2.430 Security policies and rules for protecting information while travelling
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer, User
Information does not only need to be adequately protected when it is located in an organisation's building, but also when it is located outside of the building. Employees also need to handle sensitive information carefully on business trips and when travelling privately.
A security policy should be drawn up that describes what employees need to consider on business trips and when travelling privately. This policy can also be integrated into the policy for the secure use of mobile IT systems (see S 2.309 Security policies and rules for the use of mobile IT). In addition, a brief and clearly laid out leaflet on proper behaviour when travelling should be drawn up for the employees.
Raising user awareness
The employees should be informed that they are not allowed to exchange confidential information with strangers while travelling. In particular, a communication partner must be asked to identify themselves before any detailed information is provided (see also T 3.45 Inadequate checking of the identity of communication partners). Furthermore, confidential information should not be discussed or passed on within hearing or viewing distance of third parties.
In addition, the employees must be informed which information they are allowed to process while travelling. The information should be classified accordingly so that the users are able to clearly recognise any restrictions (see also S 2.217 Careful classification and handling of information, applications, and systems).
Employees should be informed of the following aspects, among others:
- Employees must inform themselves of the security situation, customs, and laws of the destination country before the trip. The German Federal Foreign Office, for example, provides valuable country and travel information.
- Sensitive information that is not absolutely required for the trip should not be taken along. If it must be taken, it should be carried in hand luggage, and the luggage should never be left unattended.
- Sensitive information should not be left unattended in the hotel room, in conference rooms, or in offices. Locking documents and devices in a cabinet will deter casual thieves. However, highly sensitive information should not be stored even in the hotel's own safe.
- Only secure connections should be used to communicate with the employee's own organisation and with business partners. Since emails, office telephones, and mobile telephones can be monitored, communication should be secured using end-to-end encryption (where possible) when highly sensitive information is exchanged. Care must also be taken when using fax machines outside the organisation, because the documents faxed are stored on the machine and can be printed out or copied later.
- Employees should become suspicious when they are asked an unusually large number of questions while travelling. They should never talk with strangers about their employer or the purpose of their trip.
- Gifts containing digital storage media, e.g. USB sticks, should be handled with special care, since they may contain malware. Accepting gifts from business partners can be a problem in any case, since the giver may expect something in return.
Disposal of data media and documents
Even when travelling, an employee will often need to dispose of material, if only to keep luggage light and manageable. While the employee's organisation has established procedures for disposing of old or unusable data media and documents (see also S 2.13 Correct disposal of resources requiring protection), it is not always possible to follow these procedures while travelling. For this reason, data media and documents must be examined closely before disposal to determine whether they contain any sensitive information. If they do, the data media and documents should be transported back to the organisation and disposed of there.
Furthermore, it must be noted that experts can also obtain valuable information from defective data media under certain circumstances. Such data media should never simply be thrown away if there is a possibility that data requiring protection is stored on them.
Even the use of document and data-media shredders at outside organisations should be considered carefully, because it is usually unclear who disposes of the shredded material and how reliable that disposal is.
The security policy therefore needs to contain rules and regulations specifying how employees must handle old data media and documents while travelling.
Review questions:
- Is there a security policy for protecting information while travelling?
- Has every employee been informed of the most important security safeguards to take when on business trips and when travelling privately?
- Are there rules specifying how employees must handle data media and documents to be disposed of while travelling?