International Remote Workers Review Process

ASU continues to drive forward into the globalization of IT and respective support. This article offers resources and guidance available to units that wish to establish international remote workers, while carefully assessing the associated risks.

Guidelines

When reviewing and approving international remote workers, the sensitivity of projects, data, and systems that the worker will need access to in order to conduct of their duties at ASU should be considered in the process. The applicable restrictions for an International Remote Workers will depend on these factors. The following are areas of work that would restrict remote work:

Federally funded research
Federally regulated data (FERPA, HIPAA, ITAR, EAR)
Military Contract data
Corporate/Industry-sponsored research
- Security Magazine “Protecting IP at American Universities”
- Concept Foundation “ipHandbook of Best Practices”
ASU-sensitive data not covered by the above.

US Department of the Treasury Office of Foreign Assets Control (OFAC)

The US Department of the Treasury Office of Foreign Assets Control (OFAC) does not maintain a specific list of countries that U.S. persons cannot do business with.

U.S. sanction programs vary in scope. Some are broad-based and oriented geographically (i.e. Cuba, Iran). Others are “targeted” (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions. Due to the diversity among sanctions, we advise visiting the “Sanctions Programs and Country Information” page for information on a specific program.
OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) has approximately 6,300 names connected with sanctions targets. OFAC also maintains other sanctions lists which have different associated prohibitions.
Many individuals and entities often move internationally, and end up in locations where they would be least expected. Accordingly, U.S. persons are prohibited from dealing with SDNs regardless of location, and all SDN assets are blocked. Entities that an SDN owns (defined as a direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.
Because OFAC's programs are dynamic, it is crucial to check OFAC's website regularly. Ensuring that your sanctions lists are current and that you have complete information regarding the latest relevant program restrictions is both a best practice, and a vital responsibility in fulfilling your due diligence.
For additional information about sanctions and OFAC, please visit our Frequently Asked Questions.

Employing Foreign Citizen Scientists and Engineers

See Guidance for Employing Foreign Citizen Scientists and Engineers at Department of Defense Science and Technology Reinvention Laboratories (2013-02)
Considerations for Federal research and projects or access to systems processing and/or storing data for such:
- U.S. citizenship is required to be eligible for a U.S. security clearance.
  - A challenge with hiring foreign national researchers has been prolonged security reviews (background investigations) which are required even if the individual will not have access to classified information.
- Access to classified information, however, can be granted through a Limited Access Authorization (LAA) “in those rare circumstances where a non-U.S. citizen possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available.” LAAs are limited to “individuals who have a special skill or technical expertise essential to the fulfillment of a DOD requirement that cannot reasonably be filled by a U.S. citizen.”
  - LAAs are limited to information at the Secret and Confidential levels only.
  - Interim access is not permitted pending approval of an LAA.
  - The information must be approved for release to the person’s country of citizenship.
  - Access to classified information is limited to information related to a specific program or project.
  - LAA personnel are not permitted uncontrolled access to areas with classified information, or where classified information is discussed.
  - LAA personnel cannot serve as couriers or escorts for classified information outside the location in which access is permitted.
- All requests for initial LAAs must include the following:
  - The location of the classified material in relation to the location of the noncitizen;
  - The compelling reason for not employing a cleared or clearable U.S. citizen;
  - A description of an annual continuing assessment program to evaluate continued trustworthiness and eligibility for access;
  - A plan to control access to secure areas, classified information, and controlled unclassified information.
- In order to issue an LAA, the LAA granting authority must make a written determination that access is essential for a critical mission and no U.S. citizen is available to perform the duties.
- All LAAs must be reviewed annually by the issuing organization to determine if access to classified material continues to be required to accomplish the mission and to verify the LAA remains in compliance with current DOD and local policies.
List of Excluded Countries
- It is the policy of the United States to deny licenses and other approvals for exports and imports of defense articles and defense services destined for or originating in certain countries. For a list of effected countries and the relevant trade policies, please reference this table provided by the U.S. Directorate of Defense Trade Controls.

Banned Companies for Government Contracts

Candidates for Remote Work shall not be employees of (or have ties to) the following parent companies:
- Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company.
- For a complete list of of subsidiary companies, see this document.
- To view the policies specific to a company, or its subsidiary, review the Electronic Code of Federal Regulations
Candidates for Remote Work shall not employ the use of technology manufactured by these companies and subsidiaries for conducting ASU work (or qualifying work of a sensitive nature).

Conflicts of Interest

A potential hire should not have a member of their immediate family employed by one of the companies outlined as restricted by the US government as high risk.

More resources:

Export Controls and Security

Federal restrictions based on research data sensitivity, such as but not limited to CUI and ITAR.
- For further information see:
  - ASU Research Integrity and Assurance Export Controls and Security
  - ASU Research Administration International Collaboration and Engagement

Documentation

Documentation is an important factor for leadership awareness, review, and any further follow-up from security teams if needed. Documentation should include all of the following:

Business cases for the international remote worker.
Risks associated with:
- Geopolitical hazards
- IT/Technical issues such as internet access, VPN restrictions, firewall restrictions, software licensing
- Logistical issues such as obtaining optimal technological equipment, or not having a secure location in which to perform remote work.

Awareness

The review process needs to bring awareness to ideal stakeholders of the business unit who can make appropriate decisions based on the documentation.

Ensure leadership is aware of the risks associated with international workforce and has provided approvals.
Ensure IT staff supporting the remote workforce is aware of the situation and can effectively support them.
Notify the UTO Security Architect Management. This will ensure that ASU’s security teams are aware of the risk, and tracking appropriately through the Security Operations Center.

Employee Expectations

Set the expectations with the remote worker to follow the ASU policies and standards. They must continue to follow the University Security Policies, even when working outside the country.

ASU equipment, software, and/or credentials may not be shared with other individuals.
Staff should have a dedicated and private environment for conducting business.

Equipment Needs

Identify the equipment that the remote worker may need. This will be important for understanding the technical and logistical requirements and associated risks to assets.

Loaner equipment such as mobile devices, laptops, data backup disks, monitors, etc., commonly used by graduate students and faculty.
Software such as language translation, chat utilities, VPN applications, etc.
Key fobs or Yubikeys, as needed, for multi-factor authentication.

General Best Practices

International Remote Workers should be able to meet Telecommuting, Mobile and Travel Safety Guidance.

Risks

There are many different scenarios that involve numerous risks involving data handling (FERPA, HIPAA, ITAR, EAR, GDPR, research data) and data leaks. To better understand the many risks for different data types, there are several recommended guidelines below:

Risks of hiring international consultants include IP theft, data handling, not revealing all of their known associations, legal contracts being incorrectly signed between consultants and a non-local ASU representative, lack of ASU legal representation in the worker's country of residence, and others.

Locality-specific privacy regulations, sanitizing of ASU data after the end of consulting, locality-specific occurrences of cyber crime and data theft.