Preface
The Executive Board has established a number of policies with respect to Cyber Security, Safety and Privacy. These policies are relevant for everyone using IT services provided by the University or by partners on behave of the University. This includes, but is not limited to, the network on campus, email services, workstations and electronic devices provided by the University and services like Canvas and Afas. Below you will find the policies and codes of conduct everyone, including guests, has to adhere to.
Next you will find a number of guidelines. These guidelines go deeper into specific situations. They describe best practices the University has adopted. If the situation is relevant to your activities with respect to IT services, take note of that document.
Lastly you will also find links to national and international legislation concerning cyber security and privacy and to codes of conduct especially drawn up for researchers.
University of Twente policies and codes of conduct The policies and codes of conduct have been officially established by the Executive Board. Everyone needs to consider this set as "Rule of Law" with respect to the use of IT services.
People should at least read the Policy on Information Security and the Code of Conduct for IT and Internet Use relevant to them. For guests the Staff Code of Conduct is the relevant document. IT staff should also read the Code of Integrity for IT Staff.
University of Twente guidelines Guidelines are documents describing "best practices" on a number of subjects. These guidelines are based on the official policies and explain in detail the standard way the University aims to implement those in special cases.
Guidelines can't describe every possible subject or all possible situations. They are a well-founded interpretation of the policies. Whereas policies need to be strictly adhered to, guidelines can be deviated from if necessary. You do need prior approval if you need or want to deviate. To propose your case, contact one of the IT Security Managers
Privacy statement in the context of streaming and recording lectures within the University of Twente
The platform through which lectures are streamed and/or recorded that is used by the UT is committed to protecting your privacy by keeping the confidentiality and security of your personal data.
Rules for use of non-security cameras
Recordings are not only made for security purposes, but may also be carried out for other reasons. These recordings may be made by the University of Twente itself, but also by anyone present on the university’s site.
Regulations for redundant personal electronic equipment (E-waste regulations)
These regulations specify how devices that have become redundant can be disposed of in a socially responsible way.
Guidelines on Identity & Access Management - Authentication (passwords)
The old password policy is replaced by guidelines on authentication systems and methods. These guidelines are part of a large set of Identity & Access Management documentation. (Updated: 27-2-2023)
Classification guideline (Dutch)
We work with information and systems that must be protected. Protection is provided at the level appropriate to the risks posed for the information in question. The higher the risk, the better the information must be protected.
Use of own devices and applications
While providing standard workplaces, the University of Twente also facilitates the use of own equipment and applications. This memo explains the implications for the support provided and the costs and remunerations.
Software licences
This policy memo sets the framework for purchasing and managing software and the underlying processes. It not only relates to the purchase of new software, but also to requests for software through the University of Twente’s webshop.
Technical Guidelines on SPF
The University of Twente has measures in place to support and promote a safe email environment. Part of that environment is Sender Policy Framework (SPF). These guidelines describe how the University of Twente will implement SPF.
Guideline testing with personal data
How do you test applications containing personal data and still adhere to the General Data Protection Regulation (GDPR).
Guidelines on the destruction of data carriers
When data carriers such as hard discs, tapes, mobile devices, USB sticks etc. are put out of operation or disposed of, the data on them must be adequately destroyed by or on behalf of the owner.
Guidelines on blocking network protocols
The Information Security Policy at the university is based on Zero Trust. Allowing unlimited access to systems on our network is at odds with that policy. Therefore, some measures need to be taken to secure access to our data. (Updated: 17-4-2023)
Arrangement ICT-facilities for ex-UT employees and students
This arrangement relates to persons who terminate an employment relationship with the UT (exemployees) or are written out in a study (ex- students). This includes the users of a guest registration that is terminated.
National and international legislation Legislation, both national and international, that constitute the framework for the establishment of cyber safety.
Codes of conduct for researchers In addition to legislation and specific University's Codes of Conduct, there are national Codes of Conduct for the protection of research details.
Scientific research involving the processing of personal data is covered by the General Data Protection Regulation. When the research extends to medical personal data, adjacent legislation such as the Medical Research Act also applies. This means that the use of data must meet extra conditions. In order to help researchers to act in accordance with this legislation, national special codes of conduct have been drawn up.
