Professional Documents
Culture Documents
Acceptable Use Policy
Acceptable Use Policy
Policy
Document Type
Corporate Policy
Confidential
Purpose
The purpose of this policy is to provide employees with a set of rules in using ASML assets.
Information security is an important aspect of ASML’s corporate culture and is supported by the ASML
Code of Conduct, especially the business principle: “We protect our assets”. The Acceptable Use
Policy further details the Information Security policy.
Scope
This policy is binding for all Employees.
In the context of this Policy, an Employee is defined as: any person on ASML’s or an Affiliate’s payroll
or temporary workers assigned by a staffing agency who are under ASML’s or an Affiliate’s direct
supervision or control.
Requirements
Employees have direct access to all kinds of ASML information. This information exists in several
formats, like physically on paper or digitally on ASML provided or supported devices. You either have
access to this information or have it under your direct control. You are responsible to protect any
ASML information that you have access to.
Confidential
f) Not leaving your device unattended in ASML public spaces (such as in the Plaza or in
hallways).
Additionally, ASML has controls in place for monitoring all information and activities on its
information systems and its communications infrastructure. Access to applications and data is
being logged and can be traced back to users.
Confidential
AUP4.2: It is not allowed to modify the ASML network infrastructure.
All cabling, wiring and wired and wireless network equipment within ASML offices and that which
connects ASML offices to external parties is under full control of ASML IT and Corporate Real
Estate (CRE). Only IT and CRE are permitted to make any changes, additions, or deletions to this
infrastructure.
AUP4.3: ASML provides information systems and services required for the performance and
fulfillment of job responsibilities. These services, such as e-mail, voice mail, telephone, and Internet
access, but also the use of IT systems such as a laptop/desktop and a home/shared directory, are for
the purpose of increasing productivity and not for non-business activities. However, occasional and
reasonable personal use of ASML electronic communication services is permitted, provided this does
not interfere with work performance or violate the ASML Code of Conduct.
AUP4.4: It is prohibited at any time on ASML information systems to generate, access, display, or
disseminate any material that violate or advocate the violation of the ASML Code of Conduct, ASML
Corporate Social Media Guidelines, or any laws & regulations.
ASML will report violations to the relevant authorities in any case it is required by applicable rules
and regulations or when deemed necessary by ASML (e.g. internal policies, procedures and
guidelines).
AUP4.5: ASML controls electronic personal data processed through ASML information systems to
protect health, safety and security and to ensure integrity.
The information systems and networks within ASML are property of ASML and are meant for
business purposes only (AUP4.3). ASML has the right to process employee related data if
needed to protect health, safety and security and to ensure integrity, in compliance with
applicable privacy laws and regulations.
ASML processes personal data of its users as described within the ASML Privacy Notice for
Workers. In particular, and with specific regards to the protection of health, safety and security
and to ensure integrity, ASML processes personal data based on legitimate interests, for example
to be able to detect fraud and prevent crime and to monitor, detect and protect the organization,
its employees, systems, network, infrastructure, computers, information, intellectual property and
other rights from unwanted security intrusion, unauthorized access, disclosure and acquisition of
information, data and system breaches, hacking, industrial espionage and cyberattacks.
ASML also monitors employee accounts to observe compliance with ASML's policies and
regulations, such as the Code of Conduct and ASML Policies. These policies can be found on the
Corporate Policy Portal.
Therefore, employees should be aware that ASML might access their data stored on ASML
information systems or otherwise processed in or through ASML IT infrastructure.
AUP4.6: Content inspection of encrypted communication may occur, provided that such inspection
does not conflict with (privacy) laws and regulations.
Confidential
AUP5.3: In order to protect the ASML environment, ASML has taken a number of security measures
such as virus / malware and access management controls. It is not allowed to disable or remove
these measures.
AUP5.4: ASML reserves the right to conduct software audits on ASML owned devices at any time.
Software not licensed to ASML on the ASML managed part of the device will be removed.
Confidential
External to ASML
AUP6.4: It is allowed to have an external company email account registered within ASML instead of
an ASML personal email account if there is a business need to do so. In this case the ASML personal
email account is deleted together with the corresponding mailbox.
Requirements are:
a) The line manager must approve this change.
b) The external email address must be clearly recognizable as belonging to the company of the
employee.
AUP6.5: The external company email account may be used for ASML business related email
communication provided that information is adequately protected in line with the information
classification and the Knowledge Protection Policy.
Confidential
AUP9.2: Employees may post ASML related content to blogs, forums or other social media only if and
when the content does not violate the Code of Conduct and complies with ASML Corporate Social
Media Guidelines. Only “Public” classified technical information should be shared 1 and when
approaching to media outlets, you should obtain upfront approval from Corporate Communications.
Responsibilities
Corporate Communications
Corporate Communications is responsible for creating, maintaining and publishing of the Social Media
Guidelines.
Corporate Legal
Corporate Legal is responsible for providing legal advice and/or actions in relation to this policy.
Employee
All Employees at all locations are responsible for adhering to the policy statements above.
Human Resources
HR is responsible for sharing this policy towards Employees.
Policy Owner
Security Strategy, Risk & Architecture is responsible for creation, maintenance and publishing of this
policy.
Deviations
If it is necessary to deviate from the minimum requirements in this Policy or other ASML policies
referred to in in this Policy, the responsible manager should request a waiver from the Policy Owner.
It is only permissible to deviate from this Policy after a waiver has been requested and approved.
In case of any doubt or clarity as to the scope, the content or the interpretation of (parts of) this Policy,
advice must be asked from the direct manager and/or the Policy Owner.
1
Technical information is classified as “public” when available on public ASML channels (like ASML.com), when
mentioned in ASML presentations that are labeled “public”, or included in ASML-authored papers published in
official scientific journals. If this is not the case, the technical information should be submitted to and approved by
ASML’s Technical Publication Board (TPB) - TPB@asml.com.
Confidential
Definitions
The centralized information security definitions apply to this document as published on the
Information Security intranet page.
References
Related Regulation, Legislation or external Related Internal Documents
standard
Speak Up Policy
Ownership
Policy Owner CISO
Contact for Policy Information or Feedback information.security.policies@asml.com
Approval
Policy Owner
Aernout Reijmer, CISO
Revision history
Author Date Version Status Description
Rowald Herijgers July ‘21 2.1 Final Front page template adjustment
Rowald Herijgers March ‘21 2.0 Final Final version approved in Security
Committee 23 March 2021
Rowald Herijgers February ‘21 1.8 Final Draft Security Committee feedback
processed, final version for approval
Security Committee
Confidential
Rowald Herijgers Jan 2021 1.7 Draft Review processed: SRMs, Privacy
Office, Legal, Comms, IT SDM
Rowald Herijgers Nov 2020 1.6 Final Draft Policy rationalization project, Sector
Security Risk Manager feedback
processed.
Rowald Herijgers Jan 2020 1.5-1.52 Draft Privacy Office adjustment of the
privacy statement in the policy. Kept
as input for rationalization of the
policy later this year.
Rowald Herijgers 15-May-19 1.4 Final Minor update: Policy Owner: CISO,
email address, Policy review cycle
and scheduled review date. Also
new information.security@asml.com
email address added.
Hotze de Jong, Sandra 8-Aug-12 1.0-1.3 Final Approval page has been added,
Konings and Wim additionally changed into policy
Sonnemans format, updated with new Code of
Conduct text an updated with
recently created related policies.
Obsolescence
This Policy Acceptable use of IT systems policy v1.4
replaces Mobile Device Management - Acceptable use of Smartphones and Tablets v4.12
IT Security Standard – Use of e-mail accounts v1.0
Confidential