CON.7

CON.7 Information Security during International Travel


Description

Introduction

Work-related travel has become part of everyday life in many institutions. In order to be able to work outside the regular working environment, it is necessary to carry not only paper documents but also information technology such as notebooks, smartphones, tablets, portable hard disks or USB sticks. On business trips, especially abroad, however, there are a multitude of threats and risks to information security that do not exist in normal business operations.

Each trip must be assessed individually, since the combination of the purpose of travel (business meeting, conference, congress, etc.), duration of travel and destination always creates a new threat situation, including with respect to the protection of business-critical information.

The threat situation is particularly elevated when travelling. This arises, for example, from communication via public networks that are not under the control of the institution. As a result, threats that the institution may already have addressed become relevant again. In addition, the risk on international trips is often considerably higher than for domestic travel, depending on the destination country.

The protection of operational and business information is not always easy to realise given constantly changing travel destinations and regulatory and legal requirements. For example, legal requirements can tighten border controls and thereby affect the protection of data confidentiality. This gives rise to individual information security requirements depending on the nature and duration of travel and the destination. Political, social, religious, geographical, climatic, legal and regulatory particularities of individual destinations play a decisive role here.

Objective

This building block describes the protection of all information carried on international trips, whether in electronic or physical form, with regard to confidentiality, integrity and availability. Confidential information that travelling employees carry in their heads is also the subject of this building block. Appropriate rules and measures for handling sensitive information and data on international trips are presented. Fundamental framework conditions from the areas of IT, data protection and law must be taken into account.

This building block highlights threats and requirements of specific scenarios directly connected with the secure use of information technology, information and devices used on international trips.

This building block serves as an orientation guide for those responsible in an institution to establish appropriate security measures in the context of information security on international trips. The key principles to be considered in this context are presented. Many of the threats mentioned also apply to domestic travel or generally to the processing of information in environments not under the institution’s own control.

Scope and Modeling

The building block CON.7 Information Security during International Travel is to be applied to the information network when employees travel abroad or are temporarily working abroad and carry or process particularly sensitive information.

The building block fundamentally covers the requirements that contribute to adequate protection of information on international trips. The protection of the confidentiality and integrity of sensitive information during travel has the same priority as at the institution’s premises.

Threats and requirements affecting the local information network are not considered here.

Since the building block CON.7 Information Security during International Travel considers the procedural, technical and organisational requirements that are specific to business work during travel, requirements of the layers NET Networks and Communications, SYS IT Systems and APP Applications are not considered. All necessary building blocks, especially SYS.2.1 General Client, NET.3.3 VPN and SYS.3.2.2 Mobile Device Management (MDM), must be considered separately.

The requirements from the thematically related building blocks INF.9 Mobile Workplace and OPS.1.2.4 Teleworking must also be observed and implemented.

This building block also overlaps with further building blocks and subject areas that are not considered here:

  • Fulfilment of data protection requirements,
  • Preventive measures to protect information (including technical requirements for portable IT systems, e.g. emissions or eavesdropping protection), and
  • Personnel security.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.7 Information Security during International Travel.

Eavesdropping and Espionage of Information / Economic Espionage

Espionage refers to attacks that aim to gather, evaluate and prepare information about institutions, persons, products or other targets. Particularly when travelling abroad, there are unknown sources of danger over which the institution’s own information security management has no influence. In unfamiliar premises and IT environments, there are generally many dangers from the targeted interception of conversations, lines, telephone calls or data transmissions. This can be particularly problematic abroad due to relevant legal powers and may be difficult for travellers to assess.

The threats can affect public places and spaces, situations in other institutions, but also the institution’s own representations abroad. Devices such as mobile phones can also be used to record or listen in on conversations without being noticed. Additionally, many IT systems are equipped as standard with microphones and cameras that can be attacked and then exploited.

Furthermore, certain countries may have restrictions on entry and exit that override or contradict the regulatory requirements of the country of origin and the institution’s security requirements. For example, access to data stored on notebooks and other portable IT systems may be demanded. In some cases, confidential and personal data may not only be viewed but also copied and stored. Since this information could include, for example, strategic papers or strictly confidential drafts of an institution, potential misuse (economic espionage) must always be expected in the event of such access.

When travelling abroad, the risk is not only that information can be intercepted via technically complex means. Often, sensitive data can be more easily spied out visually, acoustically or electronically, since abroad the accustomed standards for information security requirements often cannot be maintained. This concerns, for example, the general security level of a country and the local conditions on which travellers inevitably have to rely.

Disclosure and Misuse of Sensitive Information (Electronic and Physical)

When exchanging information, it can happen that in addition to the desired information, sensitive information is also unintentionally transmitted. This can occur both in the electronic transmission of information and during a telephone call or in the personal handover of storage media. On international trips, the secure exchange of information is sometimes made even more difficult by technically insecure conditions. It can also happen that business travellers carelessly leave confidential documents — both physical and electronic — in plain view in public spaces or in the hotel room.

Communication with unknown IT systems and networks always carries a potential threat to one’s own device. For example, confidential information can also be copied.

On the other hand, external storage media can also contain malware. Here there is a risk that important data may be stolen, manipulated, encrypted or destroyed. The integrity and availability of IT systems can also be affected. This aspect is compounded by the fact that data exchange abroad often takes place via insecure media. However, employees are not always aware of this important point.

Impersonation of a False Identity

In the context of communication during travel, there is an elevated risk that attackers, whether in person or electronically, attempt to assume a false identity or to take over an authorised identity, for example through masquerade, spoofing, hijacking or man-in-the-middle attacks. Users can thereby be deceived about the identity of their communication partner to such an extent that they disclose sensitive information. An attacker obtains a false digital identity, for example, by spying out a user ID and password, by manipulating the sender field of a message, or by manipulating an address in the network.

Employees do not always know their contact persons personally in foreign business relationships. It can therefore happen that strangers introduce themselves using the names of contact persons, and employees trust them and pass on valuable information.

Security requirements for confidentiality and integrity can never be fully met in premises and rooms belonging to other institutions, especially in foreign countries. There is therefore always a residual risk that devices which would normally be classified as secure have been manipulated. This includes, for example, the caller ID display on a telephone or the fax identification of a fax sender, through which a false identity can be assumed and information obtained.

Lack of Security Awareness and Carelessness in Handling Information

It is frequently observed that although institutions have organisational rules and technical security procedures for portable IT systems and mobile storage media, employees do not observe and implement them sufficiently. For example, employees often leave mobile storage media unattended in meeting rooms or in train compartments.

Furthermore, gifts in the form of storage media, such as USB sticks, are accepted by employees and thoughtlessly connected to their own notebook. There is then a risk that the notebook becomes infected with malware, through which sensitive data is stolen, manipulated or encrypted.

In public transport or during business dinners, it can also be repeatedly observed that people have open conversations about business-critical information. These can easily be overheard by outsiders and potentially used to the serious detriment of the employees or their institution.

Violation of Local Laws or Regulations

When travelling abroad, the different laws and regulations of the destination country must be taken into account in particular, as these can differ massively from national law. Relevant laws and regulations of the destination country — for example on data protection, disclosure obligations, liability or third-party information access — are often unknown to travellers or are incorrectly assessed. As a result, violations of a multitude of laws can occur not only abroad but also domestically — for example when personal data of domestic customers is transmitted without protection via public networks during a foreign business trip.

Coercion, Extortion, Abduction and Corruption

Different security risks often apply abroad due to political and social circumstances. The security of information, but also the safety of travellers themselves, could be endangered on international trips by coercion, extortion or abduction. For example, employees could be threatened with violence to compel them to hand over sensitive data. They are then forced to circumvent or disregard security policies and measures. The focus here is often on senior executives or employees who enjoy a position of special trust.

The attacks primarily aim to steal or manipulate sensitive information in order to affect the execution of business processes or to enrich the attackers or others. The political, ideological and economic objectives of the attackers play a major role here.

In addition to threats of violence, there is also the possibility of bribery or corruption. Travellers may be deliberately offered money or other advantages to induce them to hand over confidential information to unauthorised persons or to commit security violations.

In general, coercion, extortion, abduction and corruption disrupt or undermine information security rules.

Information from Unreliable Sources

In the course of activities abroad, travellers may be deliberately fed false or misleading information in order to deceive them. As a result of this deception, false statements could find their way into business-critical reports. This can lead, among other things, to business-relevant information being based on a false data foundation, calculations producing incorrect results, and decisions based thereon being made incorrectly.

Theft or Loss of Devices, Storage Media and Documents

When travelling abroad in particular, mobile devices are at risk of being easily lost or stolen. The smaller and more desirable these devices are, the higher this risk. In addition to the purely material damage from the immediate loss of the mobile device, further financial damage can arise from the exposure of sensitive data such as emails, meeting notes or addresses. The institution’s reputation can also be damaged.

Requirements

The following are the specific requirements of the building block CON.7 Information Security during International Travel. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled to the extent that it is sensible and appropriate.

Responsibilities and roles:

  • Primary responsibility: Information Security Officer (ISO)
  • Additional responsibilities: Users, IT Operations, HR Department

Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

CON.7.A1 Security Policy for Information Security during International Travel (B)

All aspects relevant to information security in connection with activities abroad MUST be considered and regulated. The security measures taken in this context MUST be documented in a security policy for information security during international travel. This security policy, or a corresponding fact sheet listing security measures to be observed, MUST be handed to employees who operate transnationally.

In addition, a security concept for handling portable IT systems on international trips MUST be created that describes all security requirements and measures in adequate detail. The implementation of the security concept MUST be regularly reviewed.

CON.7.A2 Raising Employee Awareness of Information Security during International Travel (B)

Users MUST be made aware of and trained in the responsible use of information technology and portable IT systems on international trips. Users MUST be aware of the dangers that can arise from the inappropriate handling of information, the improper destruction of data and storage media, or through malware and insecure data exchange. Furthermore, the limits of the security measures used MUST be shown. Users MUST be enabled and encouraged to prevent loss or theft and to seek expert advice in cases of irregularities. Employees SHOULD also be made aware of legal requirements of individual travel destinations with regard to travel security. For this purpose, the Information Security Officer MUST obtain information on the legal requirements in the context of information security (e.g. data protection, IT Security Act) and make employees aware of them.

CON.7.A3 Identification of Country-Specific Rules, Travel and Environmental Conditions (B) [HR Department]

Before departure, the regulations applicable in each country MUST be examined by information security management or the HR department and communicated to the relevant employees.

The institution MUST create, implement and communicate appropriate rules and measures that enable adequate protection of internal data. Individual travel and environmental conditions MUST be taken into account.

Furthermore, employees MUST, before departure, familiarise themselves with the climatic conditions of the travel destination and clarify what protective measures they need for themselves (e.g. vaccinations) and what protective measures are necessary for the information technology being carried.

CON.7.A4 Use of Privacy Screen Filters (B) [Users]

Users MUST, especially abroad, ensure that no sensitive information can be spied out while working with mobile IT devices. An appropriate privacy screen filter MUST be used that covers the entire screen of the respective device and makes it more difficult to spy out information.

CON.7.A5 Use of Screen Lock / PIN Lock (B) [Users]

A screen or PIN lock that prevents third parties from accessing the data on mobile devices MUST be used. Users MUST use an appropriate PIN or a secure device password. The screen lock MUST automatically activate after a brief period of inactivity.

CON.7.A6 Timely Reporting of Loss (B) [Users]

Employees MUST immediately report to their institution if information, IT systems or storage media have been lost or stolen. There MUST be clear reporting channels and contact persons within the institution for this purpose. The institution MUST assess the potential consequences of the loss and take appropriate countermeasures.

CON.7.A7 Secure Remote Access to the Institution’s Network (B) [IT Operations, Users]

To enable employees to securely access the institution’s network remotely when on international trips, IT Operations MUST have set up a secure remote access in advance — for example a Virtual Private Network (VPN). The VPN connection MUST be cryptographically secured. In addition, Users MUST have appropriately secure credentials with which to successfully authenticate themselves to the device and the institution’s network. Employees MUST use the secure remote access for all communication possible through it. It MUST be ensured that only authorised persons may access IT systems that have remote access. Mobile IT systems MUST, to the extent possible, be protected against direct connection to the internet by a restrictively configured personal firewall.

CON.7.A8 Secure Use of Public WLANs (B) [Users]

There MUST generally be a rule governing whether mobile IT systems may directly access the internet.

For access to the institution’s network via publicly accessible WLANs, Users MUST use a VPN or comparable security mechanisms (see CON.7.A7 Secure Remote Access and NET.2.2 WLAN Usage). Security measures MUST also be taken when using WLAN hotspots; see also INF.9 Mobile Workplace.

CON.7.A9 Secure Handling of Mobile Storage Media (B) [Users]

If mobile storage media are used, Users MUST ensure in advance that they are not infected with malware. Before passing on mobile storage media, Users MUST also ensure that no sensitive information is contained on them. When a storage medium is no longer used, it MUST be securely deleted, especially when it is passed on to other persons. For this purpose, the storage medium MUST be overwritten using a method established within the institution that is considered sufficiently secure.

CON.7.A10 Encryption of Portable IT Systems and Storage Media (B) [Users, IT Operations]

To prevent sensitive information from being viewed by unauthorised third parties, employees MUST ensure before departure that all sensitive information is protected in accordance with internal guidelines. Mobile storage media and IT systems SHOULD be encrypted by Users or IT Operations before departure. The cryptographic keys MUST be stored separately from the encrypted device. When encrypting data, the legal provisions of the destination country SHOULD be observed. In particular, country-specific laws on the disclosure of passwords and the decryption of data SHOULD be taken into account.

CON.7.A12 Secure Destruction of Sensitive Materials and Documents (B) [Users]

The institution MUST show employees ways to destroy sensitive documents appropriately and securely. Users MUST comply with these rules. They MUST NOT dispose of internal documents belonging to the institution before they have been securely destroyed. If this is not possible on site, or if the documents or storage media contain particularly sensitive information, these MUST be retained until return and then destroyed appropriately.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

CON.7.A11 Use of Anti-Theft Devices (S) [Users]

To protect mobile IT systems outside the institution, Users SHOULD use anti-theft devices, especially where there is elevated public traffic or very high turnover of users. The procurement and usage criteria for anti-theft devices SHOULD be adapted to the institution’s processes and documented.

CON.7.A13 Taking Only Necessary Data and Storage Media (S) [Users]

Before departure, Users SHOULD check which data is not absolutely necessary on IT systems during the trip. If it is not necessary to leave this data on the devices, it SHOULD be securely deleted. If it is necessary to take sensitive data on the trip, this SHOULD only be done in encrypted form. In addition, there SHOULD be a written rule specifying which mobile storage media may be taken on international trips and which security measures must be observed (e.g. protection against malware, encryption of business-critical data, storage of mobile storage media). Employees SHOULD be aware of and observe these rules before departure.

These security requirements SHOULD be guided by the protection need of the data to be processed abroad and the data to be accessed.

CON.7.A14 Cryptographically Secured Email Communication (S) [Users, IT Operations]

Users SHOULD cryptographically secure email communication in accordance with the institution’s internal requirements. Emails SHOULD also be appropriately encrypted or digitally signed. Public IT systems, such as those in hotels or internet cafés, SHOULD NOT be used for accessing emails.

When communicating via email services, e.g. webmail, IT Operations SHOULD clarify in advance which security mechanisms are implemented by the provider and whether the institution’s internal security requirements are met. This SHOULD include, for example, the secure operation of the servers, the establishment of an encrypted connection and the duration of data storage.

Requirements for High Protection Needs

The following are examples of proposed requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

CON.7.A15 Emissions Security of Portable IT Systems (H)

Before the trip commences, the protection need of the individual pieces of information processed on mobile storage media or the employee’s client abroad SHOULD be determined. The institution SHOULD examine whether the information being carried has a special protection need and, where applicable, use storage media and clients with low or secure emissions characteristics.

CON.7.A16 Integrity Protection through Checksums or Digital Signatures (H) [Users]

Users SHOULD use checksums as part of data transmission and data backup to be able to verify the integrity of the data. Even better, digital signatures SHOULD be used to maintain the integrity of sensitive information.
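One way to apply CON.7.A16 to a folder of travel data, as an added example that is not part of the building block: a SHA-256 manifest is created before departure and checked on return. Because Python's standard library has no signature primitive, an HMAC tag stands in for the digital signature here; it is a keyed checksum, not a signature, and the key is assumed to be kept off the travel device. All function names and the sample files are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> str:
    """One '<sha256>  <relative path>' line per file, sorted for stable output."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return "".join(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}\n" for p in files)


def seal(manifest: str, key: bytes) -> str:
    """Keyed tag over the manifest; the key is assumed to stay off the device."""
    return hmac.new(key, manifest.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_manifest(manifest: str) -> dict:
    entries = {}
    for line in manifest.splitlines():
        if line:
            digest, name = line.split("  ", 1)
            entries[name] = digest
    return entries


def verify(root: Path, manifest: str, tag: str, key: bytes) -> list:
    """Return findings; an empty list means the data matches the sealed manifest."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: authentication tag mismatch"]
    expected = parse_manifest(manifest)
    actual = parse_manifest(build_manifest(root))
    findings = []
    for name in sorted(expected.keys() | actual.keys()):
        if name not in actual:
            findings.append(f"missing: {name}")
        elif name not in expected:
            findings.append(f"unexpected: {name}")
        elif actual[name] != expected[name]:
            findings.append(f"modified: {name}")
    return findings


def demo() -> dict:
    """Constructed sample data: two small files in a temporary directory."""
    key = b"constructed-demo-key-kept-at-home"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "offer.txt").write_text("price: 100\n")
        (root / "notes" / "meeting.txt").write_text("agenda\n")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        results = {"intact": verify(root, manifest, tag, key)}
        # A file is altered while the device is out of the traveller's sight.
        (root / "offer.txt").write_text("price: 900\n")
        results["file_changed"] = verify(root, manifest, tag, key)
        # The manifest travelled with the data and was regenerated to match:
        # the checksums agree again, only the keyed tag exposes the change.
        replaced = build_manifest(root)
        results["checksum_only_check_passes"] = (
            parse_manifest(replaced) == parse_manifest(build_manifest(root)))
        results["manifest_replaced"] = verify(root, replaced, tag, key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The third case shows why the requirement prefers signatures: a bare checksum list stored next to the data can be regenerated along with the data, whereas the tag cannot be recomputed without the key.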

CON.7.A17 Use of Pre-Configured Travel Hardware (H) [IT Operations]

To prevent the institution’s sensitive information from being intercepted by third parties on international trips, IT Operations SHOULD provide employees with pre-configured travel hardware. This travel hardware SHOULD, based on the principle of minimal functionality, only provide the functions and information that are absolutely necessary for carrying out business activities.

CON.7.A18 Restricted Permissions on International Trips (H) [IT Operations]

Before departure, it SHOULD be examined which permissions employees actually need to carry out their day-to-day work abroad. It SHOULD be checked whether access rights can be withdrawn from Users by IT Operations for the duration of the trip, in order to prevent unauthorised access to the institution’s information.

Additional Information

Good to Know

The “Initiative Wirtschaftsschutz” provides further information on security for business trips on its website at https://www.wirtschaftsschutz.info.