Preface
The Executive Board has established several Cyber Security, Safety and Privacy policies. These policies are relevant for everyone using IT services provided by the University or partners on behalf of the University. This includes but is not limited to the network on campus, email services, workstations and electronic devices provided by the University and services like Canvas and Afas. Below are the policies and codes of conduct that everyone, including guests, must adhere to.
Next, you will find several guidelines. These guidelines go deeper into specific situations. They describe the best practices the University has adopted. Note that the document is relevant to your IT services activities.
Lastly, you will also find links to national and international legislation concerning cybersecurity and privacy and to codes of conduct specially drawn up for researchers.
University of Twente policies and codes of conduct
The Executive Board has officially established the policies and codes of conduct. Everyone needs to consider this set as a "Rule of Law" concerning the use of IT services.
People should at least read the Policy on Information Security and the Code of Conduct for IT and Internet Use relevant to them. For guests, the Staff Code of Conduct is the relevant document. IT staff should also read the Code of Integrity for IT Staff.
University of Twente guidelines
Guidelines are documents describing "best practices" on a number of subjects. These guidelines are based on the official policies and explain in detail how the University aims to implement those in special cases.
Guidelines can't describe every possible subject or all possible situations. They are a well-founded interpretation of the policies. Whereas policies must be strictly adhered to, guidelines can be deviated from if necessary. You do need prior approval if you need or want to deviate. To propose your case, contact one of the IT Security Managers
Guidelines on Identity & Access Management - Authentication (passwords)
The old password policy is replaced by guidelines on authentication systems and methods. These guidelines are part of a large set of Identity & Access Management documentation.
Updated: 20 May 2025
Guideline for updating computer systems
The patch management guideline of the University of Twente (UT) describes the measures and procedures for effective implementation of patch management.
Updated: 6 September 2024
Knowledge and information security while traveling abroad
Are you travelling abroad for work soon? Business trips abroad involve espionage risks. The same applies to long-term work abroad.
Privacy statement in the context of streaming and recording lectures within the University of Twente
The platform through which lectures are streamed and/or recorded that is used by the UT is committed to protecting your privacy by keeping the confidentiality and security of your personal data.
Guidelines on using Personal Certificates
These guidelines help implement personal certificates for, for instance, email. For TLS certificates, see the guidelines on using TLS certificates.
Guidelines on using TLS certificates
These guidelines help implement certificates on computer systems and for other purposes. This document also lists the allowed CAs and how the University limits the use of other CAs.
Updated: 13 November 2025
Rules for use of non-security cameras
Recordings are not only made for security purposes, but may also be carried out for other reasons. These recordings may be made by the University of Twente itself, but also by anyone present on the university’s site.
Regulations for redundant personal electronic equipment (E-waste regulations)
These regulations specify how devices that have become redundant can be disposed of in a socially responsible way.
Classification guideline
We work with information and systems that must be protected. Protection is provided at the level appropriate to the risks posed for the information in question. The higher the risk, the better the information must be protected.
Updated: 29 April 2024
Guidelines on email message authentication (SPF, DMARC, DKIM)
The University of Twente has measures in place to support and promote a safe email environment. Part of that environment is the authentication of email messages through SPF, DMARC and DKIM.
Updated: 27 June 2023
Guideline testing with personal data
How do you test applications containing personal data and still adhere to the General Data Protection Regulation (GDPR).
Updated: 30 January 2024
Guidelines on the destruction of data carriers
When data carriers such as hard discs, tapes, mobile devices, USB sticks, etc. are put out of operation or disposed of, the data on them must be adequately destroyed by or on behalf of the owner.
Review: 25 november 2025
Guidelines on blocking network protocols
The Information Security Policy is based on Zero Trust. Allowing unlimited access to systems on our network is at odds with that policy. Therefore, measures need to be taken to secure access to our data.
Updated: 3 November 2025 (v1.9)
Arrangement ICT-facilities for ex-UT employees and students
This arrangement relates to persons who terminate an employment relationship with the UT (exemployees) or are written out in a study (ex- students). This includes the users of a guest registration that is terminated.
Updated: 8 July 2024
National and international legislation
Legislation, both national and international, that constitute the framework for the establishment of cyber safety.
Codes of conduct for researchers
In addition to legislation and specific University's Codes of Conduct, there are national Codes of Conduct for the protection of research details.
Scientific research involving the processing of personal data is covered by the General Data Protection Regulation. When the research extends to medical personal data, adjacent legislation such as the Medical Research Act also applies. This means that the use of data must meet extra conditions. In order to help researchers to act in accordance with this legislation, national special codes of conduct have been drawn up.
