Educause Security Discussion mailing list archives

Re: Foreign Nationals


From: randy marchany <marchany () VT EDU>
Date: Wed, 30 May 2012 10:15:08 -0400

It gets a lot more complicated than that. Basically, we now have to deal
with ITAR (International Traffic in Arms Regulations). You probably have a
Research and Compliance office and they should have all of the information
you'll need to learn. For example, VA Tech's ITAR info is at
http://www.oesrc.researchcompliance.vt.edu/itar. Basically, these
regulations specify controls needed if foreign nationals are doing research
in a number of areas. Things like physical security of devices become more
obvious if you have to comply with ITAR. EAR (Export Administration
Regulations) are another set of regulations that will require additional
study and work.

Aren't you glad you asked the question? :-)

-Randy Marchany
VA Tech IT Security Office & Lab

On Wed, May 30, 2012 at 9:41 AM, Dean Halter
<dean.halter () notes udayton edu> wrote:

Nation-state cyber activity has come up and we are being asked to
examine our IT security posture with respect to our foreign national
population.  In general we employ a typical layered approach with
assigned user accounts, network admission control, firewall, employee
background checks, process/confidentiality agreements surrounding
access to administrative and finance systems, etc.  Outside of areas
w/ specific export control or contractual requirements, I’m wondering
if others have considered/implemented additional controls or practices
specific to this constituent group supplementing their general network
security or to further restrict/monitor access to sensitive
administrative services or data resources.

Thanks in advance,
Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton

"Security is a process, not a product."  Bruce Schneier

