International Travel Standard for Technology and Endpoint Devices
Summary
If you’re traveling internationally with a University laptop, phone, or any device that holds Northwestern data, this Standard is for you. Certain destinations and certain types of data require extra steps before you go. This document tells you what those steps are and why they matter.
U.S. federal regulations and our commercial technology contracts including export controls and sanctions laws place real restrictions on what technology and data you can take to certain countries. These aren’t abstract compliance concerns: violations can affect your research, your travel, and Northwestern’s ability to operate internationally. What you need to do depends on where you’re going and what’s on your device.
For some destinations, the safest approach is to leave your regular device at home and travel with a clean loaner laptop instead. One with no Northwestern data and only the tools you need. Northwestern IT or your local IT support team can help you arrange this.
A list of countries of concern and other export restrictions are available below, as well as on the Northwestern University Export Controls and International Compliance (“ECIC”) website.
Your department, unit, or grant may have additional requirements on top of those described here. When in doubt, check with your local IT support or the Information Security Office before you travel.
Authority
The authority for implementation and enforcement of this Standard is based on the Information Security Policy, effective January 1, 2022 and the Export Controls and International Compliance Policy, effective May 1, 2014.
Purpose Statement
This Standard exists to help you travel safely and to help Northwestern stay compliant with the laws that govern how U.S. technology and data can be used abroad.
Many of Northwestern’s software licenses and research agreements include explicit requirements around international access. The University’s Standards for Business Conduct also requires compliance with U.S. export control and sanctions laws. In some cases, using certain tools or accessing certain systems from within a sanctioned country, even briefly, even from a personal device, can put those agreements at risk.
The three things this Standard is most focused on protecting against are:
- Malware and security threats picked up while traveling abroad and brought back into Northwestern systems
- Unauthorized exposure of controlled, sensitive, or restricted software and data
- Access to Northwestern systems from environments where foreign laws or compromised infrastructure increase the risk of exposure
U.S. export control and sanctions regulations (EAR, ITAR, and OFAC) cover more than physical equipment. They also apply to software, technical data, cloud services, and remote access. Meaning that simply logging into a Northwestern system from a restricted country can trigger compliance obligations.
These rules are particularly important when traveling to the following sanctioned or high-risk countries. Requirements vary by destination. Please review the Control Requirements section for specifics:
| Belarus | Iran | Syria |
| Burma (Myanmar | Iraq | Ukraine (Crimea, Donetsk, Luhansk) |
| Cambodia | Nicaragua | Venezuela |
| China (including Hong Kong) | North Korea | |
| Cuba | Russia |
This list may change. For the most current information, visit the ECIC website.
Scope and Audience
This Standard applies to everyone in the Northwestern community (e.g., faculty, staff, students, contractors, and affiliates) who travel outside the United States with a device that contains or can access University data. That includes laptops, smartphones, tablets, USB drives, external hard drives, and cloud applications accessed from any of those devices. If your device holds non-public data (such as research data, financial records, or student information), this Standard applies to you.
Control Requirements
What you need to do before you travel depends on your destination. Countries are grouped into three categories based on the level of U.S. sanctions and export control restrictions.
If you’re traveling to a Country Group 1 or Group 2 destination, contact the ECIC office in advance (Export Controls and International Travel guidance) they can confirm whether your specific technology, data, or software requires an export license or other approvals.
| Country Group | Countries Included | Requirements |
|---|---|---|
| Country Group 1 | Belarus, Cuba, Iran, North Korea, Russia, Syria, and Ukraine (Crimea, Donetsk, Luhansk) |
Travelers to Country Group 1 are restricted from taking their University-owned device(s) if they contain non-public data, systems, or software. A “clean loaner laptop” or a personal device devoid of all Northwestern applications and data is required. Additionally, Northwestern systems (including, but not limited to the VPN, CAESAR, myHR, Canvas, and Zoom) are generally not accessible from Country Group 1. Travelers may contact their local IT support or Northwestern IT for information on what “clean loaner laptops” are available to them, as well as any potential costs of using the service. |
| Country Group 2 | Burma (Myanmar), Cambodia, China (including Hong Kong), Nicaragua, Iraq, Venezuela |
Members of the University community who are traveling to Country Group 2 are highly recommended to take a “clean loaner laptop” in lieu of their University-owned or personal devices to avoid compliance issues. Travelers may contact their local IT support or Northwestern IT for information on what “clean loaner laptops” are available to them, as well as any potential costs of using the service. |
| Country Group 3 | All other countries | Travelers are advised to travel with and/or access as little data as possible to avoid the risk of loss or non-compliance with grant or government regulations. Members of the University community are responsible for knowing and meeting all requirements from the US or foreign data protection rules for any data being loaded on or accessed from any device |
Mobile Phones/Devices: Smartphones also contain Institutional Data or software (such as GlobalProtect, VPN, OneDrive, SharePoint, Email, etc.). Therefore, best practice for traveling to Country Group 1 and Country Group 2 is a simple travel phone (i.e. a non-smartphone with basic capabilities – calling, texting) The University does not provide or reimburse for travel phones (i.e. non-smartphones) for emergency calls and texting. Travelers who decide to bring their smartphones are still required to remove all Northwestern applications and data before traveling to Country Group 1.
Standard Implementation
Here’s what you need to do, broken down by country group. If you work with regulated data or have specific contractual obligations, additional requirements may apply. Contact the Information Security Office or Northwestern University Export Controls and International Compliance (“ECIC”) website. if you’re unsure.
Country Group 1
You must travel with a clean loaner laptop, or a personal device with all Northwestern applications and data removed. If you use a loaner laptop, stick to the software and tools specifically approved for it. To request a loaner laptop, contact your local IT support or Northwestern IT for information on what loaner laptops are available to them, as well as any potential costs of using the service.
Country Group 2
We strongly recommend traveling with a clean loaner laptop or a personal device with no Northwestern data. If you choose to bring your own University device instead, you must ensure it meets the requirements below and you may not take or access any data or software that is restricted by license or contract. Research grant, contract, and compliance obligations remain in effect while you’re abroad.
- Software: The device must have all standard Northwestern software and data protection configurations enabled, including the GlobalProtect VPN, Endpoint Detection and Response software (Crowdstrike), disk encryption, MFA, password protection, software firewall, and updated for vulnerabilities. While standard University software is not restricted to Country Group 2, there may be additional research or analysis software (such as MATLAB or STATA) that are restricted. Additionally, some Northwestern systems (such as Google Workspace or VPN) may not be accessible from Country Group 2.
- Data: Travelers must remove all data from their device that is restricted from use in Country Group 2 by regulation or contract.
- Systems Access: Travelers may access Northwestern resources from their device, limited to non-sensitive data (Public, Level 1, or limited Level 2). Use the Northwestern-provided VPN software (GlobalProtect) before accessing any University systems or data.
Country Group 3
You may travel with your University-device or personal device. That said, take only the data you actually need. The less you carry, the lower the risk. You’re responsible for knowing whether your research grants, contracts, or other obligations impose any additional requirements for your destination. If you have questions, contact your local IT support or Northwestern IT for information on what loaner laptops are available to them, as well as any potential costs of using the service.
Remedies and Compliance
If your situation doesn’t fit neatly within these guidelines, or if you need an exception, contact the Information Security Office before you travel. Exception requests are reviewed in consultation with Export Controls and International Compliance, and we’d rather work through it with you in advance than deal with a problem after the fact.
Not following this Standard can have real consequences for you and for Northwestern. Depending on the situation, this may include restrictions on your use of University technology resources, as outlined in the Appropriate Use of Electronic Resources Policy, Faculty Handbook, Staff Handbook, or Student Handbook. In cases where a violation results in the loss or unauthorized disclosure of regulated information, civil or criminal penalties under federal law may also apply.
Definitions
Institutional Data: All data that the University is responsible and accountable for protecting. This data includes, but is not limited to, data the University owns, collects, intellectual property owned by faculty or others, staff data, student data, faculty data, research data, personal information, alumni data, vendor and contractor data, and data that the university shares or provides to third parties for storage, processing, and analysis.
Northwestern- or University-owned Systems or Devices: ICT (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are the responsibility of the University to account for and provide appropriate safeguards. This includes ICT purchased (either directly or by reimbursement) from a University chart of accounts, or devices with documented ownership or responsibility transferred to the University from another institution or organization (such as ICT loaned to a laboratory or department).
Personal or Personally-owned Devices: ICT (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are wholly owned by an employee, student, or affiliate of the University. This includes devices for which a user receives a stipend or subsidy, such as a mobile communication allowance.
University Business: Any activity carried out under the auspices of Northwestern University and in furtherance of the University’s mission.
Related Policies, Standards, Guidelines or Procedures
- Information Security Policy
- Export Controls Compliance Policy
- Appropriate Use of Electronic Resources
- Data Classification Policy
- Northwestern IT Travel Guidance
- Export Controls and International Compliance Travel Guidance
- Office of Global Safety and Security Travel Policies
Contact Information
The following office can address questions regarding this Standard:
Northwestern Information Technology, Information Security Office
- phone: (847) 491-4357 (1-HELP)
- email: security@northwestern.edu
Important Dates
Effective Date
June 1, 2026