Security Policy & Acceptable Use

The success of an organization such as UM increasingly depends on information, new technologies and computer systems. Such information must be properly secured, especially if personal data is stored. In addition, of course, users have to treat this information accordingly.

Information Security Policy

The basis of information security, or cyber security, is a set of guiding principles, laid down in a formally established Information Security Policy (IS policy). Watch this video which explains the IS policy and it's principles. UM's actual Information Security Policy can be found here.

The policy describes how UM provides adequate information security to comply with the relevant legislation and regulations. With the IS policy, UM also aims to contribute to a better quality of information provision and ensure a good balance between functionality, security and privacy.

Obviously, an IS policy itself does not make UM secure. Information security is accomplished, on the one hand, by a set of general security measures and, on the other hand, by human behavior. For that reason an Acceptable Use Policy (AUP) is part of UM's general Information Security Policy. It informs you on specific regulations with respect to the use of ICT facilities and internet at Maastricht University.

Read more about how we can secure UM's IT-landscape together on our Do's & Don'ts page. In addition, this is a good place to remind employees on UM's Codes of Conduct & Regulations specifically the UM Integrity Code of Conduct and for IT-staff the additional Integrity and behaviour code for ICT staff at UM. 

More on Acceptable Use Policies

In the Acceptable Use Policy (AUP), you can read which regulations for ICT and internet use the UM Executive Board has adopted for its employees and students. An AUP is necessary to make it clear to employees and students how they can use UM's ICT facilities to perform their duties or study, without violating (legal) rules and guidelines and without compromising the security of UM’s digital systems. Above all without endangering the safety of other users. Finally, the agreements in the AUP also ensure that your rights as a user of UM's ICT facilities will be respected. Therefore, this AUP is available to every user. All users are expected to familiarize themselves with the UM regulations and the law and, above all, to use their “common sense”.

Users of UM ICT facilities reflect society. This means that users can make mistakes or errors and it is even conceivable that unwanted actions are intentionally committed. No regulations can withstand this. It is of course also conceivable that, despite your precautions, you as a user become the victim of a phishing attack or a virus or malware infection. The AUP explicitly intends to clarify expectations amongst users and between users and system administrators and to provide a framework for communication about these expectations. Users are asked to continue doing this in an open atmosphere. The chance of errors, mistakes and misunderstandings is thus reduced.

The AUP provides measures for cases of undesirable behavior. As a rule, this will be a warning explaining why the present behavior is undesirable and what the consequences of (recurrence) of that behavior are. It cannot be ruled out that cases will arise in which, in the opinion of the Executive Board, the seriousness of the situation requires more severe intervention and a warning is not sufficient and a more severe sanction is appropriate. In all cases, the user is given the opportunity to put forward their views: both sides of the story are important. Legal language is unavoidable in an AUP. A regulation should only be open to a single interpretation. If you are in doubt about the agreements in the AUP, you can always ask your local IT support or Information Manager, your manager or your student councilor, or the ICTS Service Desk how to act in a certain situation.