U.S. export control laws control exports of sensitive equipment, software and technology, and also prohibit transactions with certain foreign individuals and states. Under U.S. export control laws, controlled data may require government approval or a license before it may be shared with non-U.S. persons, regardless of location.
Cloud Computing Considerations
University faculty and staff should exercise caution when using cloud services and handling export controlled information. In general, cloud services do not offer a sufficient level of security to ensure that export controlled data and information are adequately protected. If you are not sure whether your technology/information is subject to export control regulations, contact the export control office, firstname.lastname@example.org, for assistance.
Export controlled materials should be safeguarded in a manner that securely protects the information. Examples of best practices that should be considered when handling export controlled information include the following:
- Store export controlled materials on an isolated network that is physically secured.
- Avoid storing export controlled materials on laptop computers or removable storage devices (e.g., USB drives, DVDs). If storage on a laptop or removable storage device is unavoidable, encryption should be used; encryption is required for CU Denver | Anschutz Medical Campus issued laptops.
- Avoid remotely accessing export controlled materials. If export controlled materials must be accessed remotely, VPN or some other form of secure communication should be used.
- Export controlled materials that are no longer needed should be disposed of in a manner consistent with any contractual obligations that may exist, and appropriate data sanitization and disposal methods should be followed.
- If a security breach is suspected, contact the Office of Information Technology and the export control office as soon as possible.
Traveling with laptop computers, web-enabled cell phones and other personal equipment
Laptop computers, web-enabled cell phones, and other electronics containing encryption hardware or software and/or proprietary software may require an export license if traveling to certain destinations. An export license may be required to take any items to or through any U.S. sanctioned country (e.g., Iran, Syria, Cuba, Sudan, and North Korea). See the international travel page for additional information.
APS 6005 University Policy (IT Resource User Responsibilities)
Mobile Phone Encryption
OIT Encryption Requirements
ORC Policy for Mobile Devices
Careful Computing: http://www.cu.edu/careful-computing
Office of Information Technology: http://www.ucdenver.edu/about/departments/ITS/Pages/OIT%20Home.aspx
Office of Information Technology, Security and Compliance Team: UCD-OIT-RAC@ucdenver.edu.
BIS January 11, 2011 Cloud Computing and Deemed Exports Advisory Opinion, and BIS January 13, 2009 Application of EAR to Grid and Cloud Computing Services:
Addressing Export Control in the Age of Cloud Computing