Information Security Policy & Acceptable Use

The foundation of information security, or cybersecurity, is a set of guiding principles laid down in a formally adopted Information Security Policy. Watch this video explaining the policy and its principles and read the current UM Information Security Policy.

The policy describes how UM ensures adequate information security in order to comply with relevant laws and regulations. Through the policy, UM also aims to contribute to higher-quality information provision and to strike an appropriate balance between functionality, security and data protection.

Of course, an Information Security Policy alone does not make UM secure. Information security is achieved partly through a set of general security measures and partly through human behaviour. That is why an Acceptable Use Policy (AUP) forms part of UM’s overall Information Security Policy. The AUP informs you about specific rules and regulations relating to the use of ICT facilities and the internet at Maastricht University.

Read more about how we can work together to secure UM’s IT landscape on our Do's & Don'ts page. This is also a good place to remind staff of the UM Codes of Conduct & Regulations, in particular the UM Integrity Code of Conduct. For IT staff, the additional code for ICT staff also applies.

The Acceptable Use Policy (AUP) sets out the regulations for ICT and internet use that have been established by Maastricht University’s Executive Board for its staff and students. An AUP is necessary to make clear how employees and students may use UM’s ICT facilities in the course of their work or studies, without breaching (legal) rules and guidelines, without endangering the security of UM’s digital systems, and, most importantly, without compromising the safety of other users. In addition, the agreements laid down in the AUP ensure that your rights as a user of UM’s ICT facilities are respected. For this reason, the AUP is made available to every user.

All users of UM’s ICT facilities are expected to be familiar with UM regulations and applicable laws, and above all to use their “common sense”.

UM’s user community reflects society as a whole. This means that users may make mistakes or errors, and it is even possible that undesirable actions are carried out deliberately. No set of regulations can fully prevent this. It is also possible that, despite taking precautions, you may still become a victim of a phishing attack or a virus or malware infection. The primary aim of the AUP is to clarify expectations between users themselves and between users and system administrators, and to provide a framework for communication about these matters. We therefore ask that this be done in an open and transparent manner. This helps to reduce the likelihood of errors, mistakes and misunderstandings.

In cases of undesirable behaviour, the AUP provides for appropriate measures. In most cases, this will involve a warning explaining why the observed behaviour is undesirable and what the consequences of that behaviour, or its repetition, may be. It cannot be ruled out that, in certain cases, the seriousness of the situation may, in the judgement of the Executive Board, require more decisive action, making a warning insufficient and a heavier sanction appropriate. In all cases, the user will be given the opportunity to present their side of the story, in line with the principle of hearing both sides.

Legal language is unavoidable in an AUP, as regulations must be open to only one interpretation. If you are unsure about any of the provisions in the AUP, you can always ask your local IT support staff, your Information Manager, your manager or study adviser, or the ICTS Service Desk for guidance on how to act in a particular situation.