Guidelines for an International Remote Workers Review Process
ASU continues to drive forward into the globalization of IT and respective support. The following documents are tools that are available to units that wish to establish international remote workers, while carefully assessing the associated risks.
In general, the following items should be considered in the process for reviewing and approving international remote workers:
What restrictions will apply to International Remote Workers will depend on the sensitivity of projects, data, and systems that the worker will need access to for the conduct of their duties at ASU
Federally regulated data (FERPA, HIPAA, ITAR, EAR)
ASU-sensitive data not covered by the above
US Department of the Treasury Office of Foreign Assets Control (OFAC)
OFAC does not maintain a specific list of countries that U.S. persons cannot do business with.
U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (i.e. Cuba, Iran). Others are “targeted” (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions. Due to the diversity among sanctions, we advise visiting the “Sanctions Programs and Country Information” page for information on a specific program.
OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) has approximately 6,300 names connected with sanctions targets. OFAC also maintains other sanctions lists which have different associated prohibitions.
Many individuals and entities often move internationally, and end up in locations where they would be least expected. Accordingly, U.S. persons are prohibited from dealing with SDNs regardless of location, and all SDN assets are blocked. Entities that an SDN owns (defined as a direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.
Because OFAC's programs are dynamic, it is crucial to check OFAC's website regularly. Ensuring that your sanctions lists are current and that you have complete information regarding the latest relevant program restrictions is both a best practice, and a vital responsibility in fulfilling your due diligence.
For additional information about sanctions and OFAC, please visit our Frequently Asked Questions.
Currently sanctioned countries include, but are not limited to:
Balkans, Belarus, Burma, Cote D'Ivoire (Ivory Coast), Cuba, Democratic Republic of Congo, Iran, Iraq, Liberia, North Korea, Sudan, Syria, and Zimbabwe.
Cautious consideration should be taken for citizens of these countries or for individuals working abroad in these countries.
Employing Foreign Citizen Scientists and Engineers
Considerations for Federal research and projects or access to systems processing and/or storing data for such:
U.S. citizenship is required to be eligible for a U.S. security clearance.
A challenge with hiring foreign national researchers has been prolonged security reviews (background investigations) which are required even if the individual will not have access to classified information.
Access to classified information, however, can be granted through a Limited Access Authorization (LAA) “in those rare circumstances where a non-U.S. citizen possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available.” LAAs are limited to “individuals who have a special skill or technical expertise essential to the fulfillment of a DOD requirement that cannot reasonably be filled by a U.S. citizen.”
LAAs are limited to information at the Secret and Confidential levels only.
Interim access is not permitted pending approval of an LAA.
The information must be approved for release to the person’s country of citizenship.
Access to classified information is limited to information related to a specific program or project.
LAA personnel are not permitted uncontrolled access to areas with classified information, or where classified information is discussed.
LAA personnel cannot serve as couriers or escorts for classified information outside the location in which access is permitted.
All requests for initial LAAs must include the following:
The location of the classified material in relation to the location of the noncitizen;
The compelling reason for not employing a cleared or clearable U.S. citizen;
A description of an annual continuing assessment program to evaluate continued trustworthiness and eligibility for access;
A plan to control access to secure areas, classified information, and controlled unclassified information.
In order to issue an LAA, the LAA granting authority must make a written determination that access is essential for a critical mission and no U.S. citizen is available to perform the duties.
All LAAs must be reviewed annually by the issuing organization to determine if access to classified material continues to be required to accomplish the mission and to verify the LAA remains in compliance with current DOD and local policies.
List of Excluded Countries
It is the policy of the United States to deny licenses and other approvals for exports and imports of defense articles and defense services destined for or originating in certain countries. This policy applies to the following countries:
Afghanistan, Belarus, Burma, People’s Republic of China, Côte d’Ivoire, Cuba, Cyprus, Democratic Republic of the Congo, Eritrea, Fiji, Republic of Guinea, Haiti, Iran, Iraq, Kyrgyzstan, Lebanon, Liberia, Libya, North Korea, Pakistan, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Zimbabwe.
Banned Companies for Government Contracts
Candidates for Remote Work shall not be employees of (or have ties to) the following parent companies:
Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company.
For a complete list of of subsidiary companies, see this document.
Candidates for Remote Work shall not employ the use of technology manufactured by these companies and subsidiaries for conducting ASU work (or qualifying work of a sensitive nature).
Conflicts of Interest
A potential hire should not have a member of their immediate family employed by one of the companies outlined as restricted by the US government as high risk.
Export Controls and Security
Federal restrictions based on research data sensitivity, such as but not limited to CUI and ITAR.
Documentation is an important factor for leadership awareness, review, and any further follow-up from security teams if needed. Documentation should include all of the following:
Business cases for the international remote worker.
Risks associated with:
IT/Technical issues such as internet access, VPN restrictions, firewall restrictions, software licensing
Logistical issues such as obtaining optimal technological equipment, or not having a secure location in which to perform remote work.
The review process needs to bring awareness to ideal stakeholders of the business unit who can make appropriate decisions based on the documentation.
Ensure leadership is aware of the risks associated with international workforce and has provided approvals.
Ensure IT staff supporting the remote workforce is aware of the situation and can effectively support them.
Notify the UTO Security Architect Management. This will ensure that ASU’s security teams are aware of the risk, and tracking appropriately through the Security Operations Center.
Set the expectations with the remote worker to follow the ASU policies and standards. They must continue to follow the University Security Policies, even when working outside the country.
ASU equipment, software, and/or credentials may not be shared with other individuals.
Staff should have a dedicated and private environment for conducting business.
Identify the equipment that the remote worker may need. This will be important for understanding the technical and logistical requirements and associated risks to assets.
Loaner equipment such as mobile devices, laptops, data backup disks, monitors, etc., commonly used by graduate students and faculty.
Software such as language translation, chat utilities, VPN applications, etc.
Key fobs or Yubikeys, as needed, for multi-factor authentication.
General Best Practices
International Remote Workers should be able to meet Telecommuting, Mobile and Travel Safety Guidance.
There are many different scenarios that involve numerous risks involving data handling (FERPA, HIPAA, ITAR, EAR, GDPR, research data) and data leaks. To better understand the many risks for different data types, there are several recommended guidelines below:
Risks of hiring international consultants include IP theft, data handling, not revealing all of their known associations, legal contracts being incorrectly signed between consultants and a non-local ASU representative, lack of ASU legal representation in the worker's country of residence, and others.
Locality-specific privacy regulations, sanitizing of ASU data after the end of consulting, locality-specific occurrences of cyber crime and data theft.