Preface
The Executive Board has established several Cyber Security, Safety and Privacy policies. These policies are relevant for everyone using IT services provided by the University or partners on behalf of the University. This includes but is not limited to the network on campus, email services, workstations and electronic devices provided by the University and services like Canvas and Afas. Below are the policies and codes of conduct everyone, including guests, must adhere to.
Next, you will find several guidelines. These guidelines go deeper into specific situations. They describe best practices the University has adopted. Take note of the relevant document if the situation applies to your IT services activities.
Lastly, you will also find links to national and international legislation concerning cyber security and privacy and to codes of conduct specially drawn up for researchers.
- University of Twente policies and codes of conduct
The Executive Board has officially established the policies and codes of conduct. Everyone needs to consider this set as a "Rule of Law" concerning the use of IT services.
People should at least read the Policy on Information Security and the Code of Conduct for IT and Internet Use relevant to them. For guests, the Staff Code of Conduct is the relevant document. IT staff should also read the Code of Integrity for IT Staff.
- Policy on Information Security
The approach to information security is based on the University’s information security policy. Everyone is responsible for information security.
Updated: 15 June 2023
- Privacy Policy
The privacy policy regulates the protection of processing in which personal data is recorded. Within the current legislation and regulations framework, responsibilities and roles are being defined.
Updated: 2 June 2023
- Staff Code of Conduct for IT and Internet use
The code of conduct sets out regulations on responsible IT and internet use by staff and how checks take place. It aims to balance the interests of the University of Twente and the freedom to use IT.
Updated: 15 June 2023
- Student Code of Conduct for IT and Internet use
The code of conduct sets out regulations on responsible IT and internet use by students and how checks take place. It aims to balance the interests of the University of Twente and the freedom to use IT.
Updated: 15 June 2023
- Code of Integrity for IT Staff
Due to their far-reaching rights, IT staff can collect privacy-sensitive data. This document includes the ethical values and code of conduct to which they are held.
Updated: 15 June 2023
- CCTV Monitoring Regulations
These Regulations describe the purpose for which security cameras are used by the university and regulate how the images are used and stored to limit, where possible, the invasion of privacy of those concerned.
Updated: 7 June 2024
- Reading Guide CCTV monitoring regulations
This reading guide has been drawn up to clarify the CCTV monitoring regulations.
- Responsible disclosure
The Responsible disclosure policy explains what we expect from you when you have found a weakness in our systems. It also describes how we deal with this and what you can expect from us.
Updated: 4 June 2023
- Use of personal applications
Employees and their guests can use (cloud) applications not provided by the University of Twente. This policy aims to make employees and their guests aware of these risks and to give them perspective for action.
- Bring your own device policy
Employees, students and external parties often use their own equipment for their work or study. This equipment is called Bring Your Own Device (BYOD).
- University of Twente guidelines
Guidelines are documents describing "best practices" on a number of subjects. These guidelines are based on the official policies and explain in detail how the University aims to implement those in special cases.
Guidelines can't describe every possible subject or all possible situations. They are a well-founded interpretation of the policies. Whereas policies must be strictly adhered to, guidelines can be deviated from if necessary. You do need prior approval if you need or want to deviate. To propose your case, contact one of the IT Security Managers.
- Guidelines on Identity & Access Management - Authentication (passwords)
The old password policy is replaced by guidelines on authentication systems and methods. These guidelines are part of a large set of Identity & Access Management documentation.
Updated: 4 October 2023
- Guideline for updating computer systems
The patch management guideline of the University of Twente (UT) describes the measures and procedures for effective implementation of patch management.
Updated: 6 September 2024
- Knowledge and information security while traveling abroad
Are you travelling abroad for work soon? Business trips abroad involve espionage risks. The same applies to long-term work abroad.
- Privacy statement in the context of streaming and recording lectures within the University of Twente
The platform through which lectures are streamed and/or recorded that is used by the UT is committed to protecting your privacy by maintaining the confidentiality and security of your personal data.
- Rules for use of non-security cameras
Recordings are not only made for security purposes, but may also be carried out for other reasons. These recordings may be made by the University of Twente itself, but also by anyone present on the university’s site.
- Regulations for redundant personal electronic equipment (E-waste regulations)
These regulations specify how devices that have become redundant can be disposed of in a socially responsible way.
- Classification guideline
We work with information and systems that must be protected. Protection is provided at the level appropriate to the risks posed for the information in question. The higher the risk, the better the information must be protected.
Updated: 29 April 2024
- Guidelines on email message authentication (SPF, DMARC, DKIM)
The University of Twente has measures in place to support and promote a safe email environment. Part of that environment is the authentication of email messages through SPF, DMARC and DKIM.
Updated: 27 June 2023
- Guideline testing with personal data
How do you test applications containing personal data and still adhere to the General Data Protection Regulation (GDPR)?
Updated: 30 January 2024
- Guidelines on the destruction of data carriers
When data carriers such as hard discs, tapes, mobile devices, USB sticks etc. are put out of operation or disposed of, the data on them must be adequately destroyed by or on behalf of the owner.
- Guidelines on blocking network protocols
The Information Security Policy at the university is based on Zero Trust. Allowing unlimited access to systems on our network is at odds with that policy. Therefore, measures need to be taken to secure access to our data.
Updated: 21 October 2024
- Arrangement ICT-facilities for ex-UT employees and students
This arrangement relates to persons who terminate an employment relationship with the UT (ex-employees) or are deregistered from a study (ex-students). This includes the users of a guest registration that is terminated.
Updated: 8 July 2024
- National and international legislation
Legislation, both national and international, that constitutes the framework for the establishment of cyber safety.
- General Data Protection Regulation (GDPR)
The rules for handling personal information are laid down in European privacy regulation. In this case, the EU General Data Protection Regulation (GDPR) which in Dutch translates to AVG (Algemene Verordening Gegevensbescherming).
- Cyber Crime Legislation III (in Dutch)
- Medical Research involving Human Subjects Act (in Dutch)
This act defines legislation on medical research in which humans or human parts are the subject of the research.
- Codes of conduct for researchers
In addition to legislation and the University's specific Codes of Conduct, there are national Codes of Conduct for the protection of research details.
Scientific research involving the processing of personal data is covered by the General Data Protection Regulation. When the research extends to medical personal data, adjacent legislation such as the Medical Research Act also applies. This means that the use of data must meet extra conditions. In order to help researchers to act in accordance with this legislation, national special codes of conduct have been drawn up.
- Use of Personal Data in Scientific Research (in Dutch)
Code of Conduct established by the VSNU.
- Code of Conduct for Health Research
Code of 'Good Conduct' on Health Research, established by Federa.
- Code of Conduct for Responsible Use of Body Material for Scientific Research
Code of 'Good Use' for the use of body material, established by Federa.