(Things to include in your organisational travel policy)
General staff policy
Have a pre-flight checklist to cover your personal baseline
Each staff person has an email address and phone number
Emergency contacts are recorded for each staff member
Travel plans, itinerary and contact info are submitted to office
When a staff member is travelling
Decide on a check-in policy with colleagues/family:
Set reasonable agreed upon check-in times
Specify the channel of communication for the check-in
If surveillance is likely, establish coded communication that makes it clear that the traveling staff member is not under duress
Establish a back-up channel for communication in the event that primary communication is not feasible
Create and maintain an up-to-date phone directory to contact all staff in the event of a staff emergency. Where possible, fresh contact info should be submitted prior to travel, especially if it will differ from the "phone directory"
Maintain contact information for local authorities, lawyers, or other agencies who would provide assistance in the event of an emergency
When traveling for sensitive work or with sensitive information, it's important to understand the potential risk of unwanted access to this information, and the risk mitigation measures available. It is vital to be aware of the nature of the information you will be carrying into and out of the country, and how you will carry it.
Sensitive or revealing information you may carry could include:
Data on people at risk/HRDs you are meeting
Travel plans
Passwords/access codes
Censored/banned information
Organisation sensitive information
Embarrassing/incriminating information
Legal - encryption or data not allowed for export
This information may be stored in/on notebooks, publications, laptops, phones, USBs, CDs, or SD cards. Know where this information is, how sensitive it is, and how to protect it.
Preparing your personal devices for travel
How can I protect the content of my devices?
Clear your saved passwords,
Clear your browser history,
Log out of applications with data you want hidden
Separate password manager from your device (save on USB or another device)
Make sure your software is up-to-date:
Install Secunia or similar software to check that your software is updated
Anti-Virus (e.g. Spybot or Avast!) (more info: https://securityinabox.org/en/guide/malware)
Prepare a VPN or other connection privacy tool, test!
Download potentially blocked circumvention applications like Tor prior to going in-country (another: https://censorship.no/)
Set up app-based 2FA if available, test!
Print backup codes
Install Google Authenticator or Authy or FreeOTP
Ensure devices (laptop, phone, tablet) have device encryption (FDE) enabled
Securing Content of Devices
Minimize content, access to accounts on travel systems
Don't bring sensitive info with you (email...)
Secure sensitive info before travel: VeraCrypt (https://securityinabox.org/en/guide/veracrypt/linux)
If you don't need it on your phone, you don't want it on your phone
Use a password, not a PIN, fingerprint, or face recognition.
If it is sensitive, and you don't need it, take it off for the trip and reinstall when you get back.
Social Media - Operational Security
Think carefully about what information you share
What persons, places, and things are sensitive?
Who can see your posts?
Know what your privacy settings let others see
Get consent before posting information about or photos of others during/after your trip
Wi-Fi Operational Security
Don't connect to random access points if you can avoid it
Turn on your VPN if you can't
Turn off your Wi-Fi when not in use.
Delete old networks from your connection list
Device Operational Security:
Know where your device is,
Don't give easy access to your device,
Don't log in to services on others' devices,
Log out of your device when walking away,
Shutdown when leaving your device somewhere.
Specialized strategies for securing your devices when traveling
Chromebook + burner phone (deal with re-contact; temporary accounts, no PGP?)
Can "powerwash" the Chromebook on return
VPN setup is either through Chrome "apps" (which are new, and a bit unclear in terms of what they protect and how, e.g. TunnelBear's Chrome app is only 128-bit AES, as opposed to the 256-bit of their desktop application) or the "built in" OpenVPN or L2TP options, which are very difficult to set up
Knowing when to store your data on a remote server versus protecting the data locally on your computer in an encrypted partition/VeraCrypt/PGP/etc. archive
It might be best to travel without the sensitive data you need, downloading your data from a trusted remote server once in-country via VPNs or Tor
But is knowing the account info for a remote location to download from more secure than having the data locked away locally in an encrypted partition/VeraCrypt/PGP/etc. archive? In both cases, you likely have some "stub" locally and a password in your manager or brain; remote has the benefit of not having a file someone can take and hammer at offline, but relies on a steady and high-quality connection if the files are of any decent size.
The decision also needs to take into account where you are likely to be targeted if information/hardware is to be taken. Remote storage is fine if only border crossings are the worry.
Use a locked briefcase as a basic deterrent / tamper-evident box to store your laptop (if it is tampered with, at least the user will know)
If you are using a compatible device, you can consider enabling anti-evil-maid, which authenticates whether the device has changed without your knowledge (http://theinvisiblethings.blogspot.de/2011/09/anti-evil-maid.html).
Decide on more advanced options depending on travel destination, topic/theme of work, or community you're interacting with.