Return to:Index of "Economic and Business Issues" || Electronic Research Collections Index || ERC Homepage

U.S. Department of State 
96/06/10 Quick Security Guidelines: Guidelines for Protecting 
U.S. Business Information Overseas 
Released by the Bureau of Public Affairs 
Published by The Overseas Security Advisory Council (OSAC) 
November 1995 
Each day America becomes driven more and more by information.  
Proprietary information is our chief competitive asset, vital to 
both our  industry and our society. Our livelihood and, indeed, 
our national strength depend on our ability to protect industrial 
and economic data. 

This pamphlet outlines some steps that may be taken to protect 
information and to raise the general level of awareness to the 
threat by Americans living, working, or traveling abroad. 
Any information that provides a U.S. company with a competitive 
edge over its competitors, creative or innovative, whose loss 
would negatively impact an investment in time, product, finances, 
plants, or personnel should be protected. 
It could be a trade secret, patent information, or intellectual 
property; a simple improvement in the way a certain American 
industry produces a product or does business; a technical 
modification, new technique, personnel policy, or management 
concept; or employee human resources information. 
Current government and industrial security studies and surveys 
reveal that the majority of competitive information theft cases 
that occur in the United States and overseas involve a company's 
employees, contractors, vendors, and suppliers. 
An employee's rank in the company is not necessarily commensurate 
with the interest of a foreign intelligence agency, who besides 
targeting researchers, key managers, and corporate executives, 
will target: 
--  Secretaries  
--  Computer operators  
--  Technicians  
--  Maintenance personnel 
The latter frequently have good, if not the best, access to 
competitive information. 
Application of need-to-know procedures will help. Carefully 
compartmentalizing competitive information on that basis provides 
two advantages: it slows or stops an information thief, and it may 
provide an indicator of an employee seeking to obtain competitive 
information beyond his or her need to know. 
When local laws allow, it is prudent to conduct background 
investigations on prospective employees. A comprehensive 
background investigation can provide, prior to offering an 
applicant employment with a company, the best information 
concerning the person's social, education, military, credit, civil 
and criminal litigation, and employment histories. 
Recent U.S. Government and security industry surveys regarding 
safeguarding of proprietary information revealed that vendors, 
contractors, and suppliers accounted for almost 15 percent of all 
disclosures, misappropriation, and thefts of U.S. business 
competitive information. Generally these groups should be:  
--  Controlled, documented, and required to wear a photo 
--  Escorted throughout the general premises by the person they 
are visiting  
--  Restricted from unnecessary admittance to high-security areas, 
or escorted at all times 
--  Required to sign nondisclosure and confidentiality agreements 
Public tours of buildings containing competitive information 
should be discouraged. Similarly visitor tours of high-security 
areas should be prohibited.  
All requests for tours by academic, industrial, fraternal, social, 
or media groups should be passed to security departments for 
background checks. 
U.S. businesses or research locations overseas are principal 
targets of those seeking to compromise competitive information. If 
possible, locate corporate offices in facilities totally 
controlled by the corporation.  
Location, Location, Location 
Site location and construction should be the best that will allow 
for normal and prudent security measures.  
Normal security steps dictate that building perimeters and 
internal sensitive areas be secure, and that the general public, 
unescorted visitors, and unauthorized personnel be restricted from 
research, production, and business areas where competitive 
information is used.  
Prudent security steps dictate that existing security controls 
should always be reviewed for improvement or modification and that 
an awareness program, as well as policy and guidelines be 
established to protect competitive information.*  
All windows, external and internal doors, and high-security areas 
should be provided with intrusion alarm monitoring. Alarm systems 
should be supplemented by lighting, as discussed below. The alarm 
signal must be communicated to a location where a speedy and 
appropriate response can be provided. 
The entire perimeter of any office building that serves as a 
perimeter barrier should be adequately illuminated during hours of 
darkness. Other    perimeters, such as walls, fences, and natural 
barriers, should be illuminated to both detect and deter persons 
attempting to gain unauthorized access to the building. Adequate 
interior night lights should be left on whenever the building is 
not occupied. 

Security personnel should control: 
--  Perimeter and internal sensitive area access 
--  Keys and locks supervision 
--  Access card supervision 
--  Employee, visitor, contractor, and vendor identification 
High-Security Areas 
High-security areas include, but are not limited to: design 
studios, strategic planning areas, engineering and research 
facilities, mailrooms, telephone switching rooms, computer 
facilities, and other similar areas. In general, office safeguards 
and possible restriction to a high-security level should be 
provided for: 
--  Designated photo copiers 
--  Encrypted telecommunication equipment 
--  Facsimile machines and other reproduction equipment. If this 
cannot be done, the equipment should be provided with access 
control devices to prevent unauthorized usage. 
--  Executive offices, research labs and work areas 
--  Lockable file cabinets and desks and vaults to secure 
competitive information 
--  Keys, combination locks, and access cards to maintain the 
effectiveness of these devices 
Certain offices or portions thereof may require designation as 
high-security areas if: 
--  Highly sensitive competitive information is present. 
--  Access is limited and entry is restricted to only those 
persons who possess special identification and who are 
specifically permitted entry. 
--  A higher level access control device is used above that 
operating at the perimeter of the building. 
--  A procedure, such as a receipt and copy accountability system, 
is established for the authorized removal of all competitive 
information, blueprints, drawings, and other documents contained 
in these areas. 
Storage Facilities 
Provide secure facilities for the storage of competitive 
information such as desks, offices, safes, vaults, filing 
cabinets, etc. 
Clean-Desk Policy 
--  Encourage a clean-desk policy for all offices during non-
business hours. 
--  Require a clean-desk policy in high-security  
Cleaning and Maintenance 
Cleaning and maintenance should be done during times when 
responsible company supervisors are present to monitor such 
Disposal of Competitive Information 
Each work area must have adequate shredding capabilities or 
controlled disposal functions. Make each functional area 
responsible for verifying that competitive information is properly 
Easily accessed and intercepted telecommunications present a 
highly vulnerable and lucrative target for anyone interested in 
obtaining competitive information. Increased usage by businesses 
of these links for bulk computer data transmission and electronic 
mail makes telecommunications intercept efforts cost effective for 
intelligence collectors worldwide.  
U.S. companies should: 
--  Assume that all overseas telecommunications are intercepted, 
recorded, and organized into reports and reviewed for economic 
--  "Button-up" all competitive information communications to 
maintain their competitive edge. 
U.S. companies should be aware of, and sensitize their employees 
overseas to, the fact that: 
--  All foreign telephone systems are either owned or controlled 
by the host government. This allows the government to easily 
monitor transmissions of selected U.S. corporations. 
--  Intelligence agencies of third-party nations, terrorists, and 
criminals monitor electronic transmissions.  
--  Business and technical data obtained from U.S. corporations 
may be, and often are, provided to foreign competitors and  
potential customers. 
--  Personal information obtained may be used to kidnap executives 
for financial gain or  
political purposes. 
--  Electronic equipment, such as facsimile machines, telephones, 
and desktop computers, may be altered to make electronic 
monitoring easier. 
Telecommunications monitoring may be done at a phone company's 
switching facilities; phone lines may be tapped or bugged; or 
microwave transmissions may be intercepted anywhere between the 
two microwave towers.  
Telephones do not necessarily cease transmitting once they are 
hung-up. Conversations taking place near a phone may be 
transmitted to the foreign state's telephone system switching 
facility and can be monitored anywhere between the phone and that 
Many telecommunications transmissions will contain "key words" 
used to identify information of interest to a third party. A key 
word can be the name of a technology, product, project, or 
anything else that may identify the subject of the transmission. 
Encryption should be the first line of defense since it is easier 
for foreign intelligence services to monitor lines than to place 
"bugs," however, encryption will provide little, if any, security 
if a careful examination for audio "bugs" elsewhere in the room is 
not conducted. 
Most international U.S. corporate telecommunications are not 
encrypted. Some countries do not allow encryption of 
telecommunications traffic within their borders, but it should be 
considered, where feasible, for any transmission of competitive 
About half of all overseas telecommunications are facsimile 
transmissions which, because they are emanations, may be 
intercepted by foreign intelligence services since many of the 
foreign telephone companies are foreign owned.  
In addition, many American companies have    begun using what is 
called electronic data interchange, a system of transferring 
corporate     bidding, invoice, and pricing data electronically 
overseas. This type of information is invaluable to many foreign 
intelligence services that support their national businesses. 
Video Conferences 
The threat is essentially the same as that to other types of 
telecommunications. Adversaries can purchase or replicate specific 
equipment used by an American company and then either tap into the 
line or use other means to monitor both audio and video. 
Although encryption is available for some video conferencing 
installations, many countries do not allow any type of encryption 
and others allow only that type which they can break. 
Electronic Transmissions 
Most foreign common carriers are government controlled or owned. 
Trade secrets, data, marketing strategies, and personnel 
information that are discussed or sent over host country telephone 
lines are easily obtained by foreign interests. 
Electronic Media Path 
Electronic data is recovered easiest when a signal is not 
multiplexed or mixed with other data signals, i.e., data 
transmitted from a telephone  
instrument to a telephone switch. Only a minimal investment is 
required to retrieve data not masked with other voice or data. For 
this reason, it is better to use standard dial-up versus dedicated 
Data and voice that is routed on major transmission paths--such as 
microwave or satellite transmission--have less likelihood of being 
monitored by hackers or low-cost monitoring operations, because 
the cost of sifting through such a volume of information to access 
target is often cost prohibitive. However, a well-financed 
intelligence gathering operation may find satellite or microwave 
transmissions the best intercept opportunity, since they can be 
monitored at great distances with little or no threat of 
Suggested Telecommunication Countermeasures  
Below is a list of suggested actions that may be taken in order to 
improve the security of your telecommunications transmissions. 
--  Whenever possible, use your corporate transmission facilities 
instead of those of the host government. 
--  Encrypt electronic transmissions whenever possible. Computer 
links, facsimile transmissions, E-mail, and voice transmissions 
can all be encrypted.  
--  The National Institute of Standards and Technology (NIST) 
conducts validations of products for conformance to cryptographic 
standards for encryption and publishes the results quarterly in 
the "Validated Products List."  
      Subscriptions are available from: 
      National Technical Information Service 
      U.S. Department of Commerce 
      5285 Port Royal Road 
      Springfield, VA  22161 
--  Neutralize the vulnerability of telephones. A small, company-
controlled switch installed within the facility can help ensure 
that conversations are not transmitted through handsets that are 
"hung-up," and also can serve to decrease the threat of covert 
line access. 
--  Avoid "key words" or phrases that may be used by intelligence 
agencies and others to search recorded conversations for subjects 
of interest. Examples would be project names, product names, the 
names of persons of interest (e.g. heads of state, CEOs, etc.) and 
classification labels such as sensitive and "company 
--  Positively identify all parties participating in phone 
conversations or receiving the facsimile transmissions. 
--  Always keep at least one phone and facsimile machine secured 
in a container equipped with a combination lock, and restrict 
access to the combination. This will help maintain the integrity 
of that equipment. 
--  Check connecting lines to telecommunication devices 
(telephones, computers, fax machines, etc.) monthly to ensure that 
the line has not been replaced or modified by unauthorized 
--  Placing stickers on phones warning of hostile monitoring will 
be helpful to maintain awareness. 
Computers can pose enormous security problems. While they contain 
great volumes of information, they also concentrate it, and if not 
protected, they can make the task of the information thief much 
When the facility is located overseas, the following additional 
security issues should be considered. 
Because one cannot assume that employment practices are the same 
from country to country, it is not always possible to dictate what 
employees can do or where they can go. 
For example, in some countries you are not permitted to log the 
fact that a specific person accessed a specific data set at a 
certain time on a certain date, because such a log could be 
misused to inappropriately monitor work habits, speed, and 
Similarly, in some countries, there are resident fire marshals in 
the facility who do not work for the enterprise, but are 
authorized access to each and every part of the physical facility.  
Magnetic Media Control 
Managers must be sensitive to mailing or physically carrying 
magnetic media between countries.  
The information on magnetic media may be vulnerable during 
interaction with the local customs authorities, which could be far 
more damaging to a business.  
In either mailing or carrying, accountability is lost once the 
material is turned over to local customs personnel to be 
"cleared." Often, the time involved, as well as the other details 
of what "cleared" means, are not always spelled out to   private 
Distributed Printer Control 
Physical access to printers used within a computing center is 
usually well controlled. However, small, powerful, printing 
facilities, which can be readily hooked-up with printed output 
routed   directly to such devices by any employee, are coming 
increasingly into use. It is strongly recommended that attention 
be given to ensuring that: 
--  Printed output may be picked up only by the information owner 
or his or her representatives.  
--  Printers are placed in a room having a controlled-access 
Cellular PCs 
The cellular portable computer is relatively new technology, 
having unique security considerations that one might easily 
overlook. The system is essentially a personal computer with an 
integrated modem, which is a device used to change signals 
understood by telephone technology into signals understood by 
computers, and vice versa. There is also a built-in cellular 
telephone that allows a person with a single action to place a 
call to a computer system, connect the personal computer to it, 
and interact with a host computer. Sometimes overlooked with this 
technology is the fact that cellular telephones: 
--  Use radio frequencies to communicate 
--  Are vulnerable to unauthorized interception, recording, and 
subsequent analysis. Monitoring equipment is readily available to 
foreign intelligence services and to the more sophisticated 
business espionage agent. 
Virus Contamination and Detection 
Although it is a standard precaution to take  
special care when receiving a PC program from someone because of 
the possibility of virus contamination, it is exponentially 
greater during  
foreign travel. 
Answering the questions in the checklist below can identify 
opportunities to improve the security of your computer software 
and hardware. 
Computer Security Checklist 
International Travel 
--  Does the local power supply match your system's requirements?  
--  Are electrical power transformers, filters, surge protectors 
or uninterruptible power supply (UPS) units available to protect 
your equipment? 
--  Does the government impose restrictions on the import of 
computer hardware and software into the country? 
--  Will the computer be used in a low humidity area where damage 
from static electricity may be sustained?  
--  Are carpets treated?  
--  Are humidifiers available? 
--  Will the computer be used in a hot, dusty  climate?  
--  Are office temperature controls sufficient?  
--  Are dust covers available? 
Physical Security 
--  Is the work area kept clear of soft drinks,  coffee and other 
liquids, that, when accidentally spilled, may damage equipment? 
--  Are diskettes physically labeled and handled as directed by 
the manufacturer? Are sensitive diskettes sufficiently write-
protected to avoid accidental or malicious damage or destruction? 
--  Are backup copies stored off-site? 
--  Is the computer sufficiently protected from acts of sabotage, 
tampering, and theft? 
--  Are modems (particularly those with an automatic answer 
feature) disconnected or powered off when not in use? 
--  Are printer ribbons, sensitive printouts, and diskettes 
burned, shredded, or degaussed as appropriate to prevent 
inadvertent information disclosure? 
System Security 
--  Are spare, user-serviceable parts available in the event of 
--  Are backup copies of software and data produced periodically? 
--  Has a backup system (contingency) been identified to continue 
critical operations in the event of a failure or disaster? Has it 
been tested? 
--  Are sufficient controls in place to prevent violation of 
manufacturers' copyrights and license agreements? 
--  Are software controls present to authenticate individual 
system users? 
--  Are passwords changed frequently and are they easily guessed? 
--  Is a security erase or file scrub program present on the 
system that will overwrite sensitive data on the hard disk when a 
file is deleted? Is it used? 
--  Are system hardware and software controls present to 
authenticate individual system users? 
Virus Protection 
--  Are software and data diskettes received from reliable, 
trustworthy sources? 
--  Is software received from outside sources scanned for computer 
viruses with current virus detection software? 
Computer Security Guidance 
Under the Computer Security Act of 1987, the National Institute of 
Standards and Technology (NIST) develops standards and guidelines 
for the protection of sensitive information. 
For a listing of available documents, including  
ordering information, request a free copy of  
Publications List 91 from the following: 
CSL Publications Technology Building 
Room B64  
National Institute of Standards  
    and Technology  
U.S. Department of Commerce  
Gaithersburg, MD  20899 
Telecommunications technology provides for  
electronic "highways" that now enable a person to  directly access 
a computer system on another continent. Many U.S. corporations are 
dependent for their very survival on data being stored and 
processed on these computer systems. It is therefore mandatory 
that access control security software and procedures are 
implemented for any computer interfacing with a network or 
telephone system. Hacking into computers is now a standard tool 
for those involved in espionage and computer crime. Once an 
intruder has gained entry, he or she may be able to view, change, 
or destroy valuable company data and information. Electronic 
terrorism, placing a corporation's information assets at risk, 
also is possible. 
Consider the following tips to reduce the possibility of 
unauthorized access through networks: 
--  Apply access control software and procedures to the 
corporation's networks; keep the intruder off the "highway."  
--  Ensure that the corporation's computer systems are protected. 
--  Mandate that all users change passwords at least once every 60 
days, allow no more than three consecutive invalid passwords 
before suspending a user ID, and ensure that all passwords are at 
least six characters in length. Also, encourage employees to use 
passwords that do not relate to their lives (names of family, 
pets, sports teams, etc.). Hackers often gain entry by simply 
guessing passwords.  
--  Control the phone numbers to the corporation's networks and 
computer systems as competitive information. Minimize their 
distribution and notify corporate employees that the numbers 
should be guarded. 
--  Test corporate networks for the existence of unauthorized 
modems that could provide   access to eavesdroppers. 
--  Encrypt computer-to-computer sensitive transmissions, 
including electronic mail. 
--  Require all personnel to agree in writing before they are 
granted access to corporate  networks and computer systems, that 
they will keep competitive information confidential, and that they 
will abide by the corporation's information protection standards. 
Many of the same principles that apply to maintaining a safe and 
secure office apply equally to a residence. These elements will 
vary depending on the foreign environment and the associated risk 
factors. As a general rule, competitive information should not be 
taken home. However, should it become necessary, the level of 
protection afforded competitive information in the home must be 
equal to or greater than the standard of protection it is afforded 
in the office. 
A favorite technique of information thieves is the examination of 
trash containers. Consequently, the disposal of competitive 
information should not be done at home. Such materials should be 
transported to the workplace where they may be properly destroyed. 
Access to residential buildings where competitive information is 
located must be limited to only authorized persons. This will 
require appropriate locking devices and an alarm system that will 
detect an attempted intrusion and alert authorities and other 
responsible parties. A specific area or areas within the residence 
should be designated for working on competitive information.  
Access should be limited to authorized family and service 
personnel. Such information, when left unattended, should be 
secured in an appropriate container. Control of the keys for these 
containers should be limited. 
Cleaning activities should be done only when competitive 
information items are cleared from the area, secured, or when the 
area is monitored by the owner, custodian, or user of the 
Residences and residential buildings should have appropriate: 
--  Access controls to restrict unauthorized   persons and 
--  Locking devices on exterior windows and doors 
--  Intrusion-control alarm systems where     possible 
--  Procedures for the positive identification of visitors and 
utility personnel prior to entry 
Within the residence, the work area should include the following 
life and safety equipment:  
--  Flashlight 
--  First-aid kit 
--  Emergency radio and/or cellular phone 
--  Fire and smoke alarms  
--  Safehaven  
Specific areas for competitive information work should include: 
--  Limited access to only authorized persons 
--  Lockable desk and computer equipment and files 
--  Procedures imposed for access safeguards on computer equipment 
--  Storage of authorized company software on designated computer  
--  An appropriate shredder 
--  Limited cleaning conducted only in the    presence of the 
employee or other responsible person 
Travel With a Laptop Computer 
Business personnel who travel should adopt normal and prudent 
computer safeguards while traveling.  
--  Leave a laptop unattended while in an airport terminal, 
checking in and out of hotels, or at a business location 
--  Operate a computer while in public areas such as airport 
waiting rooms, cafeterias, or snack bars 
--  Check a laptop with luggage. Laptops should always be stowed 
in carry-on baggage that will stay with the traveler at all times 
--  Check a laptop in a temporary airport or train station storage 
locker even for a short time 
Working in Hotels With a PC 
Hotel rooms are not secure. Leaving important company information 
in your room, even in a locked briefcase or PC, is an invitation 
for material to be copied or photographed while you are out. Hotel 
vaults are not much better. Foreign intelligence officers can gain 
access without you becoming aware of the compromise. 
Reduce hard copy material as much as possible and carry what you 
must take on your person, possibly on disk, or secure it in a 
company vault. 
U.S. business travelers should not assume that the U.S. standards 
in telecommunication security will be the case when traveling 
overseas. The quality of service, as well as the technical 
standards and conventions used, vary dramatically from country to 
Scientific Conferences 
Historically, scientific conferences and trade association 
meetings have been targeted by some foreign intelligence agencies. 
Today these meetings are still targeted, but the goal is to learn 
economic information that will improve the position of our foreign 
competitors. Individuals collecting this type of information may 
be managers, corporate officers, sales people, and other business 
people, scientists, engineers, and other technical personnel. 
There is a growing trend for foreign corporations to employ former 
intelligence officers for industrial work. Protect yourself by 
practicing discretion and remembering that not only time, but 
information, is money. 
Discussions on airplanes are overheard by those around you. 
Eavesdropping can result in gathering meaningful information in a 
radius of 6-8 seats. Recent revelations in the media specifically 
mention valuable information gathered by eavesdropping on 
conversations held on aircraft and in bars and restaurants. 
Destruction of Information Waste 
--  Keep unwanted material until you can dispose of it securely.  
--  Paper should be burned or shredded. If shredded, the type of 
shredder should cut horizontally and vertically.  
--  Floppy disks should be cut in small pieces and discarded. 
Necessary Communications 
--  Avoid sending facsimiles or conducting sensitive conversations 
on local or international telephone lines. 
--  Fax, telex, and data systems are all vulnerable to 
interception, particularly in overseas hotels.  
--  On important issues, go to the extra trouble of identifying 
company travelers for the purpose of carrying information rather 
than entrusting it to less secure electronic means. 
Be Alert!!! 
Be aware of new acquaintances who probe for information or attempt 
to place you in a compromising situation. In an unusual situation, 
have an American colleague present. The watchword in travel while 
in foreign countries is discretion. 
We hope this pamphlet provided you with some basic information you 
should consider in dealing with important issues.  For a more 
detailed discussion, please review our expanded version, 
Guidelines for Protecting U.S. Business Information Overseas, 
available through the Overseas   Security Advisory Council. 
To the top of this page