Despite the many possibilities offered by current video conferencing solutions, business trips to conferences or other external appointments are an integral part of the working world. Since the route to the event or the venue itself are not under the control of the University of Ulm, special security measures are advised:

• On the road, traveling

  • When traveling, ensure that a mobile device is regularly connected to the Internet or corporate network for anti-malware and software updates.
  • Avoid confidential conversations with third parties.
  • Luggage and IT equipment should never be left unattended.
  • IT equipment should always be stored out of sight of third parties, for example in the trunk.
  • Unauthorized third parties should not be able to view monitor content and keyboard entries, for example on public transportation, in cafés and restaurants.
  • Care should be taken to ensure that unauthorized third parties are out of earshot during confidential telephone calls.
  • If Internet access is not available, data held locally should be backed up regularly and synchronized with the University's network in a timely manner.
  • If possible, only the information and equipment needed for work outside the university should be taken along.
  • Before the start of the trip, it should be ensured that hard disks and mobile data carriers are encrypted.

• Dealing with mobile Internet and hot spots

  • After a successful connection to the Internet (e.g. via hotel WLAN, free WLAN, local network cable, etc.), a secure VPN connection to the network of the University of Ulm should always be established. Only then is it ensured that transmitted data is protected and that all services of the kiz can be accessed.
  • Wireless technologies in public areas, such as trains or restaurants (without VPN) should always be avoided.
  • All connection attempts and file transfers that are not self-initiated and not expected at the moment should be rejected.

• Mobile devices incl. smartphones/tablets

  • Mobile devices must not be left unattended or lent out. They must always be protected from access by unauthorized persons.
  • Mobile devices should be protected from unauthorized viewing, for example by using a privacy film.
  • Login data (password, PIN) etc. must not be affixed to the IT device.
  • All devices must require the entry of a password / PIN when activated and when accessed. The minimum length of the password must be at least 6 characters.
  • The use of biometric authentication methods (fingerprint, facial recognition, palm vein scanner) may replace password entry.
  • The time to re-authenticate after user inactivity shall be a maximum of 3 minutes.
  • The rights of all applications shall be controlled and restricted as far as possible (e.g.: Word processing requires the right to use GPS, but does not need it).
  • The operating system and all applications shall be kept up to date.
  • All devices shall require PIN/password entry when turned on.
  • The option of "remote wipe" (resetting the device to factory settings) should be enabled.

• Data storage and mobile data media

  • As a rule, only data required for official business should be taken on a business trip.
  • Only encrypted data carriers should be used for transporting official data. It should be checked whether sharing via the "CloudStore" of the kiz can replace physical transport.
  • It must be ensured that confidential data cannot be viewed on the monitor by unauthorized persons (e.g. attaching a screen foil).
  • The desktop of the PC is to be kept tidy when working off-site or together with external persons at the monitor.
  • It must be ensured that notes and moderation media (flipcharts, whiteboards, etc.) with confidential content are taken down and taken away or disposed of/cleaned securely.

• Reporting security incidents or the loss of devices and data

  • In the event of data protection/ and information security incidents (e.g., loss of data), the Data Protection Office and/or the CISO of the University of Ulm must be informed immediately.
  • Lost or stolen devices should be reset to factory settings via "remote wipe". Please note that local data on self-administered devices is not automatically backed up by the kiz. The backup of this data must be performed by the respective administrator himself.

---

Further information can also be found on the pages of the BSI (Federal Office for Information Security).