Preface
The Executive Board has established a number of policies with respect to Cyber Security, Safety and Privacy. These policies are relevant for everyone using IT services provided by the University or by partners on behalf of the University. This includes, but is not limited to, the network on campus, email services, workstations and electronic devices provided by the University and services like Canvas and Afas. Below you will find the policies and codes of conduct everyone, including guests, has to adhere to.
Next you will find a number of guidelines. These guidelines go deeper into specific situations. They describe best practices the University has adopted. If the situation is relevant to your activities with respect to IT services, take note of that document.
Lastly you will also find links to national and international legislation concerning cyber security and privacy and to codes of conduct especially drawn up for researchers.
- University of Twente policies and codes of conduct
The policies and codes of conduct have been officially established by the Executive Board. Everyone needs to consider this set as "Rule of Law" with respect to the use of IT services.
People should at least read the Policy on Information Security and the Code of Conduct for IT and Internet Use relevant to them. For guests the Staff Code of Conduct is the relevant document. IT staff should also read the Code of Integrity for IT Staff.
Policy on Information Security
The approach to information security is based on the University’s information security policy. Everyone is responsible for information security.
Privacy Policy
The privacy policy regulates the protection of processing in which personal data is recorded. Within the framework of current legislation and regulations, responsibilities and roles are being defined.
Staff Code of Conduct for IT and Internet use
The code of conduct sets out regulations on responsible IT and internet use by staff and the way in which checks take place. It aims to achieve a balance between the interests of the University of Twente and the freedom to use IT.
Student Code of Conduct for IT and Internet use
The code of conduct sets out regulations on responsible IT and internet use by students and the way in which checks take place. It aims to achieve a balance between the interests of the University of Twente and the freedom to use IT.
Code of Integrity for IT Staff
Due to their far-reaching rights, IT staff can collect privacy-sensitive data. This document includes the ethical values and code of conduct to which they are held. "Functioneel beheer" is considered IT Staff in the context of this document.
CCTV Monitoring Regulations
These Regulations describe the purpose for which security cameras are used by the university and regulate how the images are used and stored to limit where possible the invasion of privacy of those concerned.
Responsible disclosure
The Responsible disclosure policy explains what we expect from you when you have found a weakness in our systems. It also describes how we deal with this and what you can expect from us.
Policy on private devices and applications
While providing standard workplaces, the University of Twente also facilitates the use of own equipment and applications. This memo explains the implications for the support provided and the costs and remunerations.
- University of Twente guidelines
Guidelines are documents describing "best practices" on a number of subjects. These guidelines are based on the official policies and explain in detail the standard way the University aims to implement those in special cases.
Guidelines can't describe every possible subject or all possible situations. They are a well-founded interpretation of the policies. Whereas policies need to be strictly adhered to, guidelines can be deviated from if necessary. You do need prior approval if you need or want to deviate. To propose your case, contact one of the IT Security Managers.
Privacy statement in the context of streaming and recording lectures within the University of Twente
The platform used by the UT to stream and/or record lectures is committed to protecting your privacy by safeguarding the confidentiality and security of your personal data.
Rules for use of non-security cameras
Recordings are not only made for security purposes, but may also be carried out for other reasons. These recordings may be made by the University of Twente itself, but also by anyone present on the university’s site.
Regulations for redundant personal electronic equipment (E-waste regulations)
These regulations specify how devices that have become redundant can be disposed of in a socially responsible way.
Guidelines on Identity & Access Management - Authentication (passwords)
The old password policy is replaced by guidelines on authentication systems and methods. These guidelines are part of a large set of Identity & Access Management documentation. (Updated: 27-2-2023)
Classification guideline (Dutch)
We work with information and systems that must be protected. Protection is provided at the level appropriate to the risks posed for the information in question. The higher the risk, the better the information must be protected.
Use of own devices and applications
While providing standard workplaces, the University of Twente also facilitates the use of own equipment and applications. This memo explains the implications for the support provided and the costs and remunerations.
Software licences
This policy memo sets the framework for purchasing and managing software and the underlying processes. It not only relates to the purchase of new software, but also to requests for software through the University of Twente’s webshop.
Technical Guidelines on SPF
The University of Twente has measures in place to support and promote a safe email environment. Part of that environment is Sender Policy Framework (SPF). These guidelines describe how the University of Twente will implement SPF.
Guideline testing with personal data
How do you test applications containing personal data and still adhere to the General Data Protection Regulation (GDPR)?
Guidelines on the destruction of data carriers
When data carriers such as hard discs, tapes, mobile devices, USB sticks etc. are put out of operation or disposed of, the data on them must be adequately destroyed by or on behalf of the owner.
Guidelines on blocking network protocols
The Information Security Policy at the university is based on Zero Trust. Allowing unlimited access to systems on our network is at odds with that policy. Therefore, some measures need to be taken to secure access to our data. (Updated: 17-4-2023)
Arrangement ICT-facilities for ex-UT employees and students
This arrangement relates to persons who terminate an employment relationship with the UT (ex-employees) or are deregistered from a study (ex-students). This includes the users of a guest registration that is terminated.
- National and international legislation
Legislation, both national and international, that constitutes the framework for the establishment of cyber safety.
General Data Protection Regulation (GDPR)
The rules for handling personal information are laid down in European privacy regulation. In this case, the EU General Data Protection Regulation (GDPR) which in Dutch translates to AVG (Algemene Verordening Gegevensbescherming).
Cyber Crime Legislation III (in Dutch)
Medical Research involving Human Subjects Act (in Dutch)
This act defines legislation on medical research in which humans or human parts are the subject of the research.
- Codes of conduct for researchers
In addition to legislation and the University's specific Codes of Conduct, there are national Codes of Conduct for the protection of research details.
Scientific research involving the processing of personal data is covered by the General Data Protection Regulation. When the research extends to medical personal data, adjacent legislation such as the Medical Research Act also applies. This means that the use of data must meet extra conditions. In order to help researchers to act in accordance with this legislation, national special codes of conduct have been drawn up.
Use of Personal Data in Scientific Research (in Dutch)
Code of Conduct established by the VSNU.
Code of Conduct for Health Research
Code of 'Good Conduct' on Health Research, established by Federa.
Code of Conduct for Responsible Use of Body Material for Scientific Research
Code of 'Good Use' for the use of body material, established by Federa.