IMP 05: Working Abroad Information Security Policy
Information Classification - Public
Policy Introduction and Purpose
This policy lays out the principles and practices to be followed in relation to information security when working outside of the United Kingdom.
When travelling abroad for work, particularly to countries which may have very different privacy laws, it is important to ensure that the information accessed (either digital or in physical form) and devices used are secure. The policy lays out how the University aims to achieve this.
It is essential that a risk assessment of travel plans is conducted well in advance of travelling. This includes an assessment of the information security risks.
Scope
This policy covers working abroad, for or on behalf of the University, with information classified as Confidential or Highly Confidential in accordance with the IMST 01 Information Classification Standard.
The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.
Responsibilities (Policy and Operational)
The Chief Information & Transformation Officer (CITO) retains overall accountability for this Policy. The Chief Information Security Officer (CISO) has delegated authority for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.
Operational Responsibilities
Adherence to this policy and its supporting Standards and Standard Operating Procedures (SOPs) is achieved by following the policy principles and the data restrictions and security provisions. It is everyone’s responsibility to ensure that they follow this policy.
Role | Function |
---|---|
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible – for overseeing compliance with the Policy within areas of responsibility |
Head of Department | Accountable – for compliance with this policy within Departments |
Information Risk and Compliance Team (with escalation to CISO and CITO required) | Consult – to discuss organisational level compliance with the Policy |
IDG Digital Business Partners | Inform – must be informed of the content of the Policy to communicate it to their departments |
Principles of the Policy
General
Before travelling, a risk assessment must be completed via the Travel Hub.
Where the risk assessment categorises a destination as Amber, any risks need to be mitigated by travelling with the minimum amount of data necessary.
Data within the scope of UK export controls must never be accessed, transported, or otherwise processed without appropriate licensing. Failure to obtain or abide by appropriate export control licences may result in a criminal offence being committed.
The type of devices being taken must be understood by those travelling abroad, e.g. laptops, mobiles, tablets etc.:
- Encrypted devices. Most University managed devices are encrypted. The ServiceDesk (or WMG IT Support/WBS eSolutions where appropriate) can be contacted if it is unclear if a device is encrypted or not.
- Unencrypted devices. These can be requested via the Travel Device Service (service currently in development) and may be taken abroad if both of the following apply:
  - There is no Confidential or Highly Confidential information held locally on the device.
  - Confidential or Highly Confidential information is only accessed via Warwick’s Virtual Desktop Infrastructure.
It is prohibited to use public devices, such as those found in hotel lobbies or cyber cafes, to connect to the University’s services.
Information Security also relies on physical security. All reasonable measures must be taken to ensure devices are not lost, stolen or otherwise compromised. See IMST 04 Secure Remote Working Standard.
Encryption
Most standard University devices are encrypted using publicly available mass market encryption products. If any specialist encryption tools are being used, obtaining an export licence may be required before taking the device outside of the UK. Refer to the Working Abroad Information Security Standard (currently being drafted) for details.
To protect University data, encrypted devices must be used where possible. Many countries allow encryption for personal use; however, many (including the UK) also give immigration and other authorities legal powers to demand decryption of devices on request. Some countries do not allow encrypted devices at all. Use the Travel Device Service (service currently in development) where necessary.
Members must be aware that any personal devices taken abroad could also be encrypted or have encrypted data, for example, personal iPads if password-protected auto-lock is used, and personal mobile phones. See Use of personal devices abroad - guidance for further information.
VPN and Cloud Services
Whether encryption is used or not, make use of the University’s VPN service for secure remote access where this does not contravene local regulations. If the use of VPNs does contravene local regulations, contact Information Risk & Compliance for advice. If only officially sanctioned VPNs are allowed in the host country, these must be considered to be insecure.
Regardless of which devices are being used, the best way to minimise the risks associated with having data on a device is to work online where possible, using SharePoint, Teams and OneDrive for storage via a browser. See IMST 04 Secure Remote Working Standard. Any data classified as Confidential or Highly Confidential that is unintentionally downloaded must be deleted.
Highly Confidential Information
If it is essential to take abroad Highly Confidential information (physical or electronic) this must be kept to the minimum necessary for the duration of the trip and:
- Seek permission from the relevant HoD.
- Apply for an exception using the Exceptions Process.
- Ensure a copy is stored securely at the University prior to departure. This should be a digital copy but may be physical if necessary.
Using WiFi Abroad
- When using an encrypted WiFi service, this must still be used in conjunction with the University VPN (where this does not contravene local regulations) to enhance security.
- If using an unencrypted WiFi service the University VPN must be used or, if this is not an option, resort to using mobile data.
- Before using any WiFi network, look for independent affirmation that the service connected to is the official service for the location. See IMST 04 Secure Remote Working Standard.
- Only use the official WiFi services at host universities, hotels, conference centres, airports etc.
Higher Risk Destinations
There are potential risks when entering other countries which depend on many factors, including the role and identity of the traveller and the purpose for which they are entering the country (e.g. field of research, job title). Therefore, some travellers may need to take additional precautions.
Be aware that in high-risk countries where there is an enhanced risk of internet connections being monitored, travellers must avoid accessing or transmitting content that would pose a risk to themselves, others, or the University. See the Trusted Research: Countries and Conferences guide produced by the NPSA.
Before returning from abroad, travellers must delete any locally stored files containing data that may put the traveller, others or the University at risk should the device be checked by local authorities.
Exceptions
‘Exception requests’ under this policy must be submitted to the CITO or their designate. Exception requests are found here: Request for an exception to a standard service or policy - Service Portal.
Exceptions to this policy may only be granted by the CITO or their designate.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case-by-case basis.
Compliance Monitoring
It is everyone’s responsibility to report instances of non-compliance with this policy to the Information Risk and Compliance Team. The Information Risk and Compliance Team will use report data, and any other tools made available to it, to monitor compliance with this policy, standards and SOPs. Issues that are deemed to merit escalation or further discussion will be brought to the attention of the Information Security and Data Protection Committee via the CISO. Where non-compliance presents a significant risk, it will be subject to the staff or student disciplinary process.
Version/document control
Version | Date created | Date published | Next review | Notes/outcomes |
---|---|---|---|---|
1.0 | August 2025 | 8th Sept 2025 | September 2026 | A new policy within the Information Management Policy Framework (IMPF) |