Travel policy development
On this page, you can find guidance to develop, or build upon, your company's travel policy.
It offers a generic framework with pointers for all types of things to consider, while zooming in on the inclusion of digital security in such a policy document. This page is likely most relevant to a manager and/or human resources.
Introduction
- What is the goal of this travel policy (digital safety? physical safety? managing expenses?) Describe what is covered and what is not in 2-3 sentences. Here is a start, based on the v1 of the introduction...

This article will focus mostly on the development of a travel policy from a digital safety perspective. It is not a physical travel safety or high-risk travel policy. Rather, it aims to provide a decent standard for "normal" circumstances. For more information on how to develop a policy fit for investigative journalism outlets and higher-risk environments/locations, see "[Template] Travel Safety & Security Policy".
- Why do you need one: remind the reader of what's at stake, why a policy is important to protect your reporters (I'm assuming this is for "managers"). Maybe link to an article describing related risks. 2-3 sentences.
A travel policy is a useful thing to have for many purposes: financial, compliance, donor relations, public relations, etc. It also streamlines, and internally disseminates, your policies and practices, reducing questions or friction. As such, digital safety is not the primary reason for introducing a travel policy.
- What makes a good policy: 2-3 features (e.g., comprehensive?, clear?); plus the goal of a policy (e.g., the policy is a means to manage digital safety risks while traveling). 1-2 sentences

But if you do introduce one (or have one you want to update), this page provides some guidance on how to incorporate digital security in a clear and comprehensive manner (while only briefly touching on various other considerations). Not only does this serve as a repeated reminder for people of the specific digital safety requirements while traveling; together with other templates and policy suggestions in this repository, it also aims to help you incorporate digital security advice in a wide variety of relevant structures, documents and procedures in your organization, with the main aim of enhancing and deepening digital security awareness amongst your team.
- What should this travel policy cover? Give a sense of the main sections of a travel policy (before, during and after travel). 2-3 sentences
The policy (template) is split into three sections: before, during and after travel. Each section has a dedicated digital safety article, as well as pointers towards security-related elements in other articles.
- Follow ups: if you want the team to write the policy for you (click here); if you want to have a look at a template (click there)
If you want the First Draft Media and DSaaS teams to advise you on your specific needs, or draft a travel policy with/for your organization, send us an email at contact@firstdraft.media.
v1
If your organization is looking to develop or update a uniform travel policy, congratulations. International travel is a big thing in many sectors, always surrounded by a lot of rules, regulations and difficulties if the rules are not clear to everyone. It can as such be tremendously useful to have those centralized. A travel policy has digital and physical safety elements. But it also has many others: approval processes and financial guidelines, for instance, as well as reporting and documentation obligations. In this policy doc, we'll provide some guidance for a wider travel policy framework, but we will zoom in on those elements that tie in with digital security.
An easy way to create some structure to the policy document is to categorize the items in 3 containers: before travel, during travel and after travel. We'll do the same here. Note that First Draft Media can also help your organization with travel policy development. Shoot them a line at contact@firstdraft.media if you are interested in wider support.
If you have a solid travel policy and are looking for a separate yet detailed travel safety policy only, fit for investigative journalism outlets and higher-risk environments/locations, instead visit "[Template] Travel Safety & Security Policy" in the DSaaS repository.
--------------------------------------------------------------
Part 1. Before travel
1.1 Approval
This section should cover the process of approving travel. You could just write from whom permission should be obtained, and when, but we prefer a form employees can fill in. Such a form would include destination, reasons for travel, a quick travel budget, etc. Employees can then fill in the form and email it to get the travel approved. A form could, for instance, always prompt people to pinpoint an emergency contact. This keeps such information readily available in your organization. Another nice security tip is to include the government travel advice for the destination in your request form. People then have to look up the country status to fill in the form. Your local example should replace this link for the Netherlands: https://www.nederlandwereldwijd.nl/reisadvies or the US: https://travel.state.gov/en/international-travel/travel-advisories.html
Many foreign ministries also have general travel instructions and tips for their nationals available. You can also refer to those (in the resources section). In the Netherlands, that would for instance be this link: https://www.netherlandsworldwide.nl/travel-abroad.
1.2 Contact
This section should cover who else in your organization should be in the loop about the travel. So beyond who signs off on the request, who do you send the signed request to for information? People like line managers and HR for instance.
In terms of security, here you can (well, should) instruct that the person traveling should have a conversation with your security manager about the trip. If you use the digital safety checklist [link to template], it can be part of that conversation.
Regardless of the purpose of travel, the destination or the duration, all international travel on behalf of [company] requires a security conversation. Please schedule a chat with the Security Manager soonest after approval is obtained. In any case, do so before booking any tickets or accommodations as security considerations may inform such choices as well.
Sections 1.3 to 1.7 are more practical or financial in nature and do not touch on digital security as much (with the exception of accommodation for very high-risk travel). They are still included here as placeholders to fill according to your practice / standards.
1.3 Travel Documents
This section discusses documents/things people might need, if costs are covered (or not, or up to a point, or are part of per diem rules) and if help is available obtaining them (e.g. HR). This can include visa, vaccinations, waivers for medicine, etc.
1.4 International Transportation
This section details the rules for international transportation. Coach or business? Train or plane? And if you allow people to extend their trip for personal use, let people document prices of different itineraries to determine personal versus company costs, etc.
1.5 Accommodation
This determines the rules for accommodation. Price range, star ratings allowed, and if you for instance let people book their own or insist on HR or an agent doing it centrally.
1.6 Expenses
And your rules regarding local expenses. (Airport) transportation, meals, miscellaneous. And if your organization uses reimbursement, per diem (or both).
1.7 Travel and working hours
It's worth saying something about working hours during travel. Do you accept overtime while traveling? Does that group dinner apply? And what about the travel day itself? And what if that is on a Sunday, or a part-time day?
1.8 Security Checklist for Travel
This section should include pointers, entire checklists, or should refer to the separate travel security policy. One size definitely does not fit all. In our repository, we have included two 'extremes': the full digital safety version, for investigative journalists in hostile environments, and a light/checklist version for visiting a conference. At least and always include the latter and, based on your threat model, consider expanding.
Or consider including some basics (like below) AND refer to the travel policy.
Devices. What am I going to bring? Will I use it/need it? Bring what you need, but no more.
- [ ] Pick the devices you'll bring.
- [ ] Apply privacy screens to your devices to avoid shoulder surfing.
- [ ] Enable (long) passcode/passwords to unlock devices. Avoid simple PIN codes or obvious patterns. If available/provided, use a Security Key.
- [ ] Create a backup for each device you're bringing. Using Time Machine or similar apps can prove critical if your device is lost, stolen, or compromised.
Data. What documents, photos, and videos do I have on the devices I’m bringing with me? Maybe that super secret project report can be transferred off to an external drive and doesn’t need to be on your laptop for this conference.
- [ ] Review data stored directly on your device.
- [ ] Offload any sensitive or unneeded files to the cloud or offline storage.
- [ ] Ensure full-device encryption.
Software and Accounts. Does my device have what I need in order to be productive and secure while traveling?
- [ ] Install a VPN to use over open conference, hotel, and airport WiFi networks (insecure WiFi networks can allow others to easily watch your internet activity). Not sure which one to use? Look here for recommendations.
- [ ] Make very sure your device software is up to date. Do you have the habit of hitting "remind me later"? Well, don't. Unpatched software is a security breach waiting to happen. Preferably enable auto-update but at least update before travel.
- [ ] Use a secure method to chat with people, like Signal.
- [ ] Turn on two-factor authentication for work and personal email, collaboration, and file sync accounts. Here's a good tutorial.
More physical safety measures could look something like this:
Physical safety and awareness. If something happens, who knows where I am? And do I have access to emergency contacts and important documents? And then some?
- [ ] Memorise at least one emergency phone number.
- [ ] Carry a printed emergency card (basic ID info, medical notes, emergency contacts, insurance hotline).
- [ ] Provide a clear itinerary including accommodation details, arrival/departure times, and key contacts so that colleagues know how to reach you in an emergency.
- [ ] Research local laws, customs, and regulations that may affect journalists or researchers. Respect local conditions and avoid unnecessary risk.
Part 2. During Travel
2.1, 2.3 and 2.4 are again placeholders with little to no digital security-specific relevance. They are, however, important to consider for your wider travel policy. We believe it also helps adaptation/awareness to "weave" digital security into the wider policy design in this - or a similar - manner.
2.1 Representation
Here, you can specify that during work travel, your team represents the company, pretty much 24/7. That they are expected to abide by local laws and customs. Specify if/how they are expected to reference the company when introducing themselves. Consider if specific rules apply (or don't apply) to freelancers traveling on your dime.
2.2 Security
Here, you highlight the security precautions people should take during travel. Again, your threat model should determine if you go for the 'light' security advice here, or for the more detailed model for high-risk travel (or anything in between). What follows are the examples for 'simple' business travel and investigative reporting outlets.
Note that this travel advice does NOT deal with critical situations such as reporting on wars, disasters or serious political unrest. That should always be accompanied by dedicated training, special equipment and support. See for instance https://newssafety.org/providers/ or find a local provider.
Business travel:
- [ ] Use a VPN. When connecting to airport, conference, or hotel Wi-Fi, always use your trusted VPN. This ensures your communications stay encrypted and safe from prying eyes.
- [ ] Don’t Plug It In. Free USB drives from vendors? Skip them! They can carry malware, as seen in real-world cases like the John Deere incident. Also avoid unknown cables and public charging stations—they can be used for “juice jacking” attacks that compromise your device.
- [ ] Keep Track of Your Devices. Never leave electronics unattended. Theft and tampering are real risks. Lock your screens, use strong passcodes, and enable device tracking features.
- [ ] Be Cautious with Public Computers & Conversations. When using shared computers or discussing sensitive topics, be aware of who might be watching or listening nearby.
- [ ] Stay Alert for Phishing. If an email or message feels off—don’t click! Avoid suspicious links and unexpected attachments. If you need to access an account, go directly to the official site instead of following email prompts.
But if you send investigative reporters into the field, or work with exiled journalists, you'll want to be a whole lot more detailed and specific. So consider including a selection of the elements below (or come talk to us for a tailored plan):
To reduce exposure:
- [ ] Use a neutral or non-identifying email address when making bookings
- [ ] Do not publicly share your itinerary, hotel, or transport plans
- [ ] Avoid connecting travel details to your professional affiliation unless operationally necessary
Hardware/device safety:
- [ ] Do not share chargers, cables, or USB devices with unknown parties
- [ ] Avoid plugging devices into publicly exposed USB ports
- [ ] When working in public, avoid sitting with your screen visible from windows or cameras
- [ ] Bring your primary hardware security key; keep backup keys securely at home
- [ ] Log out of accounts you don’t need on the trip
- [ ] Keep devices with you whenever possible
- [ ] Avoid coat checks, cloakrooms, or leaving bags unattended
- [ ] Do not leave devices in lobbies, airport seating areas, or cafes
- [ ] When moving around at night or in unfamiliar areas, carry only what you need
Situational awareness, transport & accommodation:
- [ ] Stay aware of your surroundings
- [ ] Avoid discussing work in public spaces
- [ ] Keep a low profile and avoid drawing attention
- [ ] Do not display valuables or expensive gear unnecessarily
- [ ] Choose reputable transport providers
- [ ] Share your accommodation details with your designated contact
- [ ] Inspect hotel rooms for obvious security risks
- [ ] Do not rely on hotel safes; they are easily accessed or bypassed
And if you suspect a device is compromised:
- [ ] Stop using it
- [ ] Contact the designated security point immediately
- [ ] Provide details of the suspected compromise
- [ ] Do not attempt self-repair or investigation
2.3 Record Retention
This section specifies what people need to retain for administrative purposes - and where/how. Every receipt of every expense? Or, in the case of a per diem, still hotel bills and boarding passes, for instance? On your drive, or emailed to HR or Finance?
2.4 Consent
This is relatively new, but it is increasingly important to have consent for, for instance, adding individuals to mailing lists. So when travel includes networking, we always find it useful to specify something in a travel policy to that end:
At [company], we always want to expand our network. But consent is very important. When meeting new people and receiving contact details, consider inquiring if we can sign up people to our newsletter or other mailing lists. And with approval, note this and follow up. You can write that consent on a business card you receive, for instance. Or put it in your notes so you don’t forget.
Part 3. After Travel
3.1 Reporting
In this section, you create a format for reporting on travel, with a deadline. A fillable template might be handy. If you use a CRM system, it's helpful to ensure new contacts are fed into the system.
3.2 Financial Closeout
Specify what financial steps are still needed. A claim form perhaps? And what bills/proof of payment they need to provide to whom.
3.3 Security (Debrief)
This section covers how employees (and others) round up the security element of the travel after return. To what extent you'd want to make a detailed debrief mandatory, and what kind, is very specific to your organization and, again, to your threat model and the type of travel common in your organization. A quick debrief with the security manager never hurts. And it never hurts to make that a standard so it does not slip.
If you expect some travel in your organization to have a psychosocial impact, that is also definitely something to deal with. Organizations like the Global Center for Journalism and Trauma provide excellent resources and support.
Below is a suggested closeout on security for higher-risk outlets:
Safety Check-in
- [ ] Confirm your safe return with the designated security or safety contact(s).
- [ ] Confirm your safe return with HR. Do you think you need any support? Let them know!
Debrief
Share any observations, concerns, or incidents that occurred during the trip, including:
- [ ] Digital security issues
- [ ] Suspicious activity
- [ ] Questions or areas needing improvement
Device Review
- [ ] If you believe a device was accessed, report it immediately for technical review and forensic assessment.
List of related documents and links
Provide a list of associated docs your company uses (and where people can find them), like, for instance:
- Travel request form
- Travel security checklist and/or Travel Policy
- Quick travel checklist
- Travel report template
- Etc.
as well as web links to useful information you come across while developing the policy.