Information security

SURF helps institutions of higher education to secure information. We develop common policies and tools. We support education institutions in striking a balance between security, privacy assurance, accessibility and usability.

Geen toegang - toegangspoortjes

Information security guidelines

Universities of applied sciences and research universities have a lot of information security knowledge and experience. SURF has brought this knowledge and experience together for a number of frequently occurring issues and questions in guidelines and starter kits that will quickly help you to develop information security at your institution.

Model Information Security Policy

The Model Information Security Policy (PDF, in Dutch) makes it easy for you to set up a policy for information security or to revise the existing policy. This model makes it easy to exchange experiences in information security with other institutions. Using this model makes it easier to exchange information security experiences with other settings. This model, revised in 2020, has been developed within SCIPR (SURF Community for Information Security and Privacy) and has been favourably received by the SURF Committee for Information Security.

There is also a Baseline Information Security Higher Education (PDF, in Dutch) on information security. This baseline describes the basic measures that an educational and research institution must implement and the additional measures that are required for highly sensitive data. The detailed list of measures is available in the SCIPR collaboration environment.

Information security in vocational education and training ('mbo')

SaMBO-IT worked with SURF and Kennisnet to launch the Information Security Policy Taskforce to encourage information security in vocational education and training ('MBO') in 2014. This Taskforce uses higher education materials and has brought these together for MBO.

Information Security Starter Kit

The Information Security Starter Kit (in Dutch) describes the 5 phases an organisation has to go through to set up and enforce information security. The starter kit can also be used as a reference tool to see how your institution is doing. It starts with some simple steps to achieve quick results and it ends with a description of process-based information security assurance in the organisation. SCIPR created the starter kit.

Information Security Starter Kit

The baseline informatiebeveiliging ho-2015 describes a pragmatic approach to set up and maintain continuity plans. The described methodology will make the way you provide information more robust in just a few months. The starter kit consists of a main document and a large number of sample documents. These can be accessed by the SCIPR participants. SCIPR created and updates the starter kit.

Acceptable Use Policy Guidelines

The Acceptable Use Policy Guidelines describe how your institution can best draw up an application regulation for information services to employees and students. The guidelines include 2 usable models Acceptable Use Policies: 1 for employees and 1 for students. Both are available in Dutch and English. SCIPR keeps these guidelines up-to-date. The 2013 review takes into account social media and cloud computing.

Integrity Code Guideline

A number of institution employees have access to a great deal of confidential information – such as personnel data and study progress data – for their work. Administrators especially are expected to handle this with integrity. The entegrity Code Guideline (in Dutch) offers some guidance in this respect. The guideline contains a practical and usable model integrity code. SCIPR continuously updates the guideline.

Classification Guideline

A classification of information and information systems makes it possible to devise tailored information security. By taking the right amount of security measures, institutions hedge the risks associated with the provision of information and the possible impact on the organisation. The classification system deals with the security aspects of availability, integrity and confidentiality and takes into account different levels of security. SCIPR updates this guideline and publishes an updated version regularly. The questionnaire associated with the guideline is available on the private SCIPR Intranet site. Opposite you will find an overview of the Starterkit_Business_Continuity_Management (in Dutch), with CIA triad classification. You can also use the Privacy Impact Assesment (PIA), in Dutch, guide for the classification of systems that process personal data.

Guideline for the Information Security Officer Job Profile

The SURFibo-model-aup-employees-V4.0CC-UK (in Dutch) gives job descriptions for the most common security jobs. SCIPR created the guideline together with the 'Platform voor Informatiebeveiliging'. This platform also offers a more extensive and generally applicable version with job profiles (in Dutch).


If you are an information security officer in higher education, you can also obtain the available documents in Word format on the SCIPR Intranet site or contact Remco Poortinga.