The Union Health Information Security Team proposes maintaining a list of restricted countries from which access to Union Health networks and resources is prohibited, enforced both by technical controls and by directives to travelling Union Health employees. This list comprises the ITAR-recognized locations (Country Policies - DDTC Public Portal (state.gov)), which are identified as sources of malicious traffic and/or as lacking security oversight, with risk arising from and within these regions. These regions are either known sources of persistent malicious traffic, do not recognize a "personal use exemption" for device encryption (for travel), or are locations to which the export of encryption is forbidden by the U.S. Dept. of Commerce.
Union Health devices must NOT be taken to these locations, and Union Health resources cannot be accessed from these regions. There should be no expectation of performing Union Health-related work from these locations.
Prohibited Countries List:
- Afghanistan
- Belarus
- Burkina Faso
- Central African Republic
- China
- Cuba
- Cyprus
- Democratic Republic of the Congo (formerly Zaire)
- Eritrea
- Ethiopia
- Haiti
- Hong Kong
- Iran
- Iraq
- Kyrgyzstan
- Libya
- Nicaragua
- N. Korea
- Russia
- Somalia
- Sudan
- S. Sudan
- Syria
- Ukraine
- Venezuela
- Zimbabwe
To provide conditional access to Union Health networks and resources from reputable regions of the globe that present minimal malicious traffic, the following should take place:
1. Reputable Country List:
A list of known, travelled countries will be maintained. These countries include regions where Union Health staff commonly travel, such as (but not limited to):
Additionally, travel will be considered for approval to the following regions, where the Wassenaar Arrangement (National Contacts - The Wassenaar Arrangement) allows for the import of encryption on Union Health and personally owned devices:
- Argentina
- Austria
- Australia
- Belgium
- Bulgaria
- Canada
- Croatia
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- India
- Iceland
- Ireland
- Italy
- Japan
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- New Zealand
- Norway
- Poland
- Portugal
- Republic of (South) Korea
- Romania
- Slovakia
- Slovenia
- South Africa
- Spain
- Sweden
- Switzerland
- Turkey
- Ukraine
- United Kingdom
2. User Based Travel Access
Users will be provisioned to the Active Directory (AD) Travel Group when travelling to a non-restricted country, remain in it while they are away, and be removed from the AD group when they return to the United States.
3. Integration of Challenge-Based Okta MFA (Multi-Factor Authentication)
Union Health resources that require the Okta authenticator app will benefit from this additional layer of protection, which mitigates accidental or negligent acknowledgement of MFA requests. Challenge-based MFA requires the user to match the on-screen code/PIN in their authenticator app before the request is approved.
4. Certificate based device authentication of NSAO
Union Health devices that connect to NSAO require certificate-based authentication. This additional layer of security ensures that only trusted devices are verified via this protocol. (Additionally, users are validated by authentication after this initial encrypted connection.)
5. Monitoring and Detection of reputable region source traffic.
Threats from within the United States and from other relatively safe regions of the globe will be persistent. As Union Health monitoring and detection technologies identify risk from specific networks, ISPs, or countries, blocking of those sources will be considered.
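The five measures above combine into a single conditional-access decision per sign-in: prohibited country, device certificate, challenge-based MFA, and then home-country or Travel Group status. The following is an added example, not Union Health's own tooling or configuration, that evaluates constructed sign-in records against that logic and produces the findings a monitoring team (item 5) would triage. The country sets are excerpts of the two lists above, the log line format and field names (`travel_group`, `mfa_match`, `device_cert`) are assumptions, and the "stale Travel Group membership" finding (a home-country sign-in by a user who was never removed from the group, the failure mode of item 2) goes beyond what the text states.

```python
"""Conditional-access evaluator for the geographic sign-in policy.

Added example; not Union Health code. Country sets are excerpts of the
document's lists, and the log format/field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Excerpts of the Prohibited and Reputable lists above (subset for the example).
PROHIBITED = {"Afghanistan", "Belarus", "China", "Cuba", "Iran", "Russia", "N. Korea", "Syria"}
REPUTABLE = {"Canada", "Germany", "Japan", "United Kingdom", "France"}
HOME = "United States"


@dataclass
class SignIn:
    user: str
    country: str              # geolocated source country of the sign-in
    in_travel_group: bool     # AD Travel Group membership at sign-in time (item 2)
    mfa_matched: bool         # challenge-based Okta MFA satisfied (item 3)
    device_cert_valid: bool   # certificate-based device auth succeeded (item 4)


def evaluate(s: SignIn) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'review'.

    Checks run in policy order: the geographic ban is absolute, then the
    device and MFA gates, then the home/travel conditional-access rule.
    """
    if s.country in PROHIBITED:
        return "deny", "prohibited-country"
    if not s.device_cert_valid:
        return "deny", "device-certificate"
    if not s.mfa_matched:
        return "deny", "mfa-challenge"
    if s.country == HOME:
        return "allow", "home"
    if s.country in REPUTABLE:
        if s.in_travel_group:
            return "allow", "travel-group"
        return "deny", "not-in-travel-group"
    # Neither prohibited nor on the reputable list: needs a human decision.
    return "review", "unlisted-country"


def parse_line(line: str) -> SignIn:
    """Parse the constructed 'timestamp key=value ...' format (assumption)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])

    def yes(key: str) -> bool:
        return fields.get(key, "no").lower() == "yes"

    return SignIn(
        user=fields["user"],
        country=fields["country"].replace("_", " "),  # multi-word names use '_'
        in_travel_group=yes("travel_group"),
        mfa_matched=yes("mfa_match"),
        device_cert_valid=yes("device_cert"),
    )


def triage(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (user, country, decision, reason) for every non-clean sign-in.

    A clean allow from the home country by a user still in the Travel Group
    is also surfaced: item 2 requires removal on return, so this indicates a
    missed deprovisioning step (hypothetical check, not from the document).
    """
    findings = []
    for line in lines:
        s = parse_line(line)
        decision, reason = evaluate(s)
        if decision != "allow":
            findings.append((s.user, s.country, decision, reason))
        elif s.country == HOME and s.in_travel_group:
            findings.append((s.user, s.country, "review", "stale-travel-group"))
    return findings


# Constructed sample sign-in records (not real log data).
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z user=alice country=Germany travel_group=yes mfa_match=yes device_cert=yes",
    "2024-05-01T08:05:00Z user=bob country=Russia travel_group=yes mfa_match=yes device_cert=yes",
    "2024-05-01T08:10:00Z user=carol country=France travel_group=no mfa_match=yes device_cert=yes",
    "2024-05-01T08:15:00Z user=dave country=United_States travel_group=yes mfa_match=yes device_cert=yes",
    "2024-05-01T08:20:00Z user=erin country=Japan travel_group=yes mfa_match=no device_cert=yes",
    "2024-05-01T08:25:00Z user=frank country=Brazil travel_group=yes mfa_match=yes device_cert=yes",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-6s %-14s %-7s %s" % finding)
```

Only `alice` passes cleanly; `bob` is denied on the geographic ban before any other factor is consulted, `carol` is denied because she was never provisioned into the Travel Group, `erin` is denied for failing the number-match challenge, `frank` is routed to review because Brazil appears on neither list, and `dave` is allowed but flagged because his Travel Group membership outlived his return.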