1. University Travelers traveling with University Devices or accessing University Data remotely shall not create data security or other confidentiality risks that cannot be effectively mitigated.
  2. Travelers traveling with University Device(s) and/or University Data on University Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination must comply with cybersecurity, connectivity, telecommunication requirements as set forth by the Traveler’s respective Campus as well as any pertinent state, federal or international requirement, regulation or law.
    1. Each Campus shall establish these requirements for their respective Campus and respective Travelers.
    2. University Travelers traveling to a High-Risk Destination or Elevated Cybersecurity Risk Destination are responsible for securing permission from their respective Campus IT department or designated IT point of contact to bring or access University Devices or Data prior to traveling to these Destinations.
      1. The Campus IT department or designated IT point of contact is authorized to determine the measures required to be taken to effectively mitigate the cybersecurity risk. These measures must be implemented by the Traveler or IT Department to be allowed to bring and/or access University Devices or University Data while traveling to these Destinations.
        1. If the Campus IT department or designated IT point of contact determines the cybersecurity risks cannot be effectively mitigated, University Travelers shall not be allowed to bring University Devices or Data on Travel or access University Data during Travel.
      2. If a Traveler stores or accesses University Data on or from a personal device (which is strongly discouraged), said personal device is subject to the Campus IT department’s requirements and mitigation measures while the Traveler is on University Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination.  If mitigation measures are not feasible, or the Traveler chooses not to apply mitigation measures to the personal device, said Data or access to Data must be removed from the personal device. 
    3. Personal Travel:
      1. Individuals who intend to bring or access University Devices or Data on Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination must comply with cybersecurity, connectivity, telecommunication requirements as set forth by the Traveler’s respective Campus for University Devices and Data.
        1. Such individuals are responsible for securing permission from their respective Campus IT department or designated IT point of contact to bring or access University Devices or Data prior to commencing Personal Travel.
          1. The Campus IT department or IT point of contact is authorized to determine the requirements and measures that must be taken to mitigate the cybersecurity risk to University Devices or University Data. These measures must be implemented by the individual or Campus IT Department to be allowed to bring or access University Devices or University Data while on said Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination.
      2. If the Campus IT department or designated IT point of contact determines that that the cybersecurity risks to University Devices or Data cannot be mitigated, University Travelers are not allowed to bring and/or access University Devices or University Data while on said Personal Travel to these Destinations.
        1. If individuals who intend to access University Data on or from a personal device (which is strongly discouraged) while conducting Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination, said personal device is subject to the individual’s respective Campus IT department’s requirements and mitigation measures. If mitigation measures are not feasible, or the individual chooses not to apply mitigation measures to the personal device, said Data or access to Data must be removed from the personal device.