Laptop on desk


Purpose of the Policy

Information Technology (IT) has installed a wireless network on campus, known as All Access, allowing users to access APU computing services from mobile, portable or handheld computers. A portion of radio airspace on the campus now serves as the transport medium for a part of the campus network. The purpose of this policy is to communicate to members of the campus community the potential problems that could result from devices using the same radio frequency managing these wireless spectrums as an institutional resource. APU currently uses the 2.4 GHz and 5 GHz unlicensed and licensed bands for wireless network connectivity. Transmissions within the 2.4 GHz band conform to the IEEE 802.11b DSSS (Direct Sequence Spread Spectrum) wireless LAN specification. Other wireless devices exist in the market place that also employ the same 2.4 GHz frequency band and can cause interference to users of the All Access service. These devices include, but are not limited to other IEEE 802.11x wireless LAN devices (including Apple Airport Base Stations). Other devices that can cause interference include but are not limited to cordless telephones, microwave ovens, cameras, security alarms and audio components IT will approach the shared use of the 2.4/5 GHz radio frequencies in the same way that it manages the shared use of the wired network. In order to assure the highest level of service to the users of APU’s All Access network, all members of the campus community are asked to minimize the potential for interference from those devices. IT’s policy is that any use of these frequencies must be coordinated with our department. In cases where the device is being used for a specific teaching or research application, faculty need to work with the Office of the CIO to identify the special need. While IT will not actively monitor use of the airspace for potential interfering devices, when appropriate, we will attempt to isolate any specific device that is causing interference and disrupting the campus network. In these cases, IT reserves the right to restrict the use of all 2.4 / 5 GHz radio devices in university-owned buildings and all outdoor spaces on the Azusa Pacific University Campuses.


Azusa Pacific University maintains an extensive network infrastructure to support a wide variety of computing needs. The purpose of this policy is to define the server backup process. The backup system is primarily for the restoration of files in a disaster recovery situation but may also be used for restoration of lost or damaged user and system files.


  • backup is the process by which server files are copied from disk to tape and/or disk to disk.
  • backup verify is the comparison of data collected by the backup to the source data.
  • full backup will include all files selected on the backup selection list for each server.
  • An incremental backup will include files changed since the last full or incremental.
  • differential backup will include files changed since the last full, incremental, or differential.
  • duplicate backup is a complete copy of a full backup.

Schedule and Retention

To Disk (MS Exchange Backend Servers Only)

Full backups are run every night (7 days per week), and stored on disk for 7 days.

To Tape (All Other Servers)

Full backups are run the first Friday of each month, and stored in tape libraries 1 year. Incremental backups are run all other Fridays, and stored in tape libraries 3 months. Differential backups are run Monday through Thursday, and stored in tape libraries 3 months. Duplicate backups are run after full backups, and stored in a West Campus vault 7 years.

Verification and Documentation

All back up jobs are automatically verified by the backup software and reviewed on a daily basis.

Restore capability is verified via a manual process performed by the systems engineering backup support team. Every Monday, a sample of the prior full or incremental backup that ran on the prior Friday will be restored to scratch disk to test the availability and viability of backed up data.

The backup system has an internal electronic log of backup job activity. A paper-based backup log of backup job activity is kept and maintained daily by the systems engineering backup support team in the systems engineering office; daily backup job results are emailed to the systems engineering backup support team by the backup system, and are verified and filed. A list of the vault contents (long-term retention location) is contained in the paper-based backup log and also in electronic format.


File restore requests are made via the IT Support Center. Data restores will normally be performed within 24 hours of request in alignment with the retention periods. Files will be restored to the state they were in at the time of the most recent backup or as close to the requested date as possible. The exception to the above: Individual MS Exchange mailboxes, calendars, or public folders will not be restored; restoration of MS Exchange data is limited to systemwide loss or damage.

Computer migration is the process of moving files and programs from one system to another during a routine refresh/upgrade. IT will move the following files, programs, user settings, and preferences during the migration procedure:

  1. Outlook settings
    • Outlook profiles
    • Outlook personal folders (.pst file)
    • Outlook personal address books (.pab files)
    • Other mailboxes set up to open
    • Outlook signatures
  2. Printers
    We will only reinstall APU printers.
  3. Dial-up modem settings
    We will only reinstall APU dial-up.
  4. IE favorites and Netscape bookmarks
  5. File types listed below
    If you have files other than these, IT is not responsible for them. You will need to move them before the migration/refresh. We will search the computer for these files regardless of where they may be stored. The files that we moved will be put back on the machine, after the migration/refresh procedure, in the "My Documents" folder.
    • Microsoft Word (*.doc, *.dot)
    • Microsoft Excel (*.xls, *.xlt)
    • Microsoft PowerPoint (*.ppt)
    • Microsoft Access (*.mdb)
    • Microsoft Publisher (*.pub)
    • Microsoft Outlook (*.pst, *.pab)
    • Microsoft Project (*.mp*)
    • Microsoft Visio (*.vs*)
    • FileMaker Pro (*.fp3, *.fp5)
    • SPSS (*.sav)
    • Micrograde (*.cls)
  6. IT-supported applications
    Further information regarding supported software is available. We will reinstall only supported applications, assuming that there is a valid license for them.
  7. Wireless
    (If the computer has wireless capability)
  8. Background wallpaper

In effect as of October 1, 2002.


The purpose of this policy is to provide a consistent guide for managing disk space and protecting electronically stored data on Azusa Pacific University’s (APU) network servers. By implementing and maintaining a data retention policy, we will be able to better manage disk space, keep backup times acceptable and ensure the protection of APU’s data.

This policy affects all APU employees and students. Employees or students who violate this policy shall be subject to disciplinary action. This policy applies to all computer systems utilized by APU. This policy is effective upon release.

Definition of Terms

  • data – electronic information that is stored on any disks or tapes, including hard drives, magnetic tapes, floppy disks/removable media, CD/DVD, optical disks.
  • server data – any data that is stored on an APU owned server
  • client data – any data that is not stored on an APU owned server
  • confidential business related data – any data that pertains to student records, employee information or financial data


All business related server data is protected in multiple ways, including redundant hardware and/or magnetic tape backups. All server data is the property of APU. All client data is considered unprotected and should be limited to non-critical, public information with little to no replacement value. Information about APU’s backup system can be found in the IT Backup Policy.

Confidential business related data may only be stored on APU servers and not on client computers, for example, student records may not be stored on desktop or laptop computers. All APU information should be stored on servers (L: or M: drives).

Employees: Network file storage is to be used for institutional documents only. Institutional documents and network file servers are the property of APU and employees should have no expectation of personal privacy associated with the information they store on these systems. Employees are currently given 100mb for their personal network file storage (L: drive) and 500mb for their departmental network file storage (M: drive)1. APU will refrain from accessing system user’s data unless there is a reasonable cause for doing so, APU may review data for any system user at any time for business, policy, security, legal or personnel actions. In the event that non-institutional related data or applications are found on a user’s network file share, the user will be notified and will be expected to delete it within 5 business days of notification. If the user is on vacation or “out of the office”, the users’ supervisor will be contacted.

Employees who leave APU will have their home directories written to CD within 10 days of IT notification of their termination date. This CD will be delivered to the employee’s supervisor. The supervisor is then responsible for the use or disposal of said data.

Students: Students will be given network file storage space on an APU owned server. This data is the property of APU and every attempt to protect privacy will be maintained, but observation of traffic flow and content may be necessary at the University's discretion for security and legal reasons. APU will refrain from accessing student’s data unless there is a reasonable cause for doing so. Students who leave APU will have their home directories removed within 30 days of IT notification.

E-Mail Retention: The e-mail system’s capacity and performance is designed to provide an effective messaging system. Many of the messages that traverse through the e-mail system are temporary or time-sensitive messages that should be discarded routinely. However, depending on the content of the e-mail, it may be necessary to retain e-mail messages for a longer period of time. APU’s e-mail systems will automatically purge messages from some folders within a mailbox after specified periods of time. Messages determined by employees and students to be necessary to keep for historical or other purposes should be archived and backed up by the employee or student in order to retain this data.

APU’s e-mail systems will automatically purge messages within the user’s mailbox after the following time periods:

Inbox and other folders created within the mailbox – 180 days
Sent Items – 90 days
Deleted Items and Drafts – 7 days
Calendar, Tasks and To Do will not be automatically deleted

APU’s e-mail servers are backed up on a regular basis with the backup tapes for these e-mail systems will only be kept for 30 days. These backups are only used for restoring from catastrophic server failures. Employees and students should not expect to be able to recover individual e-mail messages and/or mailboxes from these backups.

General Responsibilities

IT: It is IT’s responsibility to routinely review server capacity to ensure adequacy in meeting the storage needs for APU. It is not feasible to store electronic data on-line indefinitely due to storage costs. It is the responsibility of IT to educate users on how to perform storage management and provide the appropriate tools to do so.

Systems Administrators will take an active role in monitoring the disk space on all servers. Users who are taking up a greater than average amount of disk space will be notified and educated in storage management.

Deans and Directors: Deans and Directors will be assigned the responsibility of managing department-shared folders and the amount of data stored in them. They will also ensure that confidential data is stored appropriately.

Employees: Employees will store only institutional/business-related data that needs to be backed up on a regular basis on the network. Employees will be allowed a reasonable amount of personal storage space on their home directories and are responsible for being good stewards of said space. Employees will remove any files that no longer need to be shared or stored on the servers.

Students: Students will be allowed a reasonable amount of personal storage space on their home directories and are responsible for being good stewards of said space. Students will remove any files that no longer need to be shared or stored on the servers.

Purpose of the Policy

The purpose of this policy is to ensure the security of administrative information that is processed, stored, maintained, or transmitted on computing systems and networks centrally managed by Azusa Pacific University, and to protect the confidentiality of that data. This policy is designed to protect data from unauthorized change, destruction, or disclosure, whether intentional or accidental.


This policy applies to any Information Technology (IT) employee, permanent or temporary, that has access to data (staff). It regulates the use of the systems, applications, and applies to all computer programs used to access data, as well as the computers and terminals that run the programs including workstations to which the data has been downloaded.


It is the responsibility of staff to protect data from unauthorized change, destruction or disclosure. This policy governs all IT maintained applications that provide access to data (systems), and defines the responsibilities of staff that maintain or use those systems. It should be noted that, in general, IT is not the Data Owner, but IT is the custodian of the data. It is the owner who has the authority to grant or revoke access to data or systems which use data.2 It is IT's responsibility to implement specific procedures which enforce access authority and establish guidelines and standards for systems and data security under this policy.

It is also IT's responsibility to establish and promulgate procedures for the dissemination of this policy. Each individual is responsible for carrying out his or her responsibilities under this policy.

Violations of this policy include, but are not limited to: accessing data or systems which the individual has no legitimate access to; enabling unauthorized individuals to access the data; disclosing data in a way which violates applicable policy, procedure or other relevant regulations or laws; or inappropriately modifying or destroying data. Violations may result in access revocation, corrective action up to and including dismissal, and/or civil or criminal prosecution under applicable law.

Definition of Terms

custodian of the Data – the entity or office that is delegated by the Data Owner the responsibility of performing management functions for the data.

data – administrative information that is processed, stored, maintained, or transmitted on computing systems and networks centrally managed by IT.

data owner – the entity or office that is authorized to collect and manage the data as official record3.

staff – any Information Technology (IT) employees (permanent or temporary) who have access to data.

systems – all IT maintained central administrative systems that provide access to data.


Appropriate system-specific standards should be created locally for each system (as defined above). There are at least four areas in which system standards must be defined: authorization to access, termination of computer access, safeguarding accounts and passwords, and user-identification and password standards. Standards in other areas may be added as appropriate for the individual systems.

Authorization to Access

Only those users who have valid business reasons (as determined by the Data Owner) for accessing computers, systems, or data will be granted access. Access privileges are normally determined by a person's job duties. Access is granted by means of a Network ID and password. Access is to be used only for the specific business purposes required to process the data.

Termination of Computer Access

When a user no longer works for the organization or assumes different job duties within the organization, it is the responsibility of their manager or supervisor to request that their user-id be deleted, at the latest, by the date of termination or transfer. If a transferred employee needs access in a new job, a new user-id must be obtained. User-ids will be terminated if they are not used for one fiscal year. Access to computer accounts may be suspended at any time if security violations or misuse are suspected. A user-id will be suspended when an incorrect password is entered five consecutive times.

Safeguarding Accounts and Passwords

Access to computer accounts must be protected, at minimum, by a user-identification (user-id) and password. It is the responsibility of the user to safeguard his/her user-id and password. A user-id is not to be shared; the password is not to be divulged to others.

User-Identification and Password Standards

A user-id and password must be required to access any system. A user-id must be at least six characters long. Passwords must be at least six characters long. Restrictions on password complexity are system dependent. Passwords must be changed at least once every 180 days.

Guidelines for Administrative Data Security

Application Security Administrator

Each application system shall have an Application Security Administrator designated by the Data Owner. This individual is responsible for authorizing access privileges to the application, for ensuring that employees who receive user-ids have proper authorization, and for monitoring Data access violations. All such authorizations and approvals must be in writing.

System Security Administrator

Each computer system shall have a designated System Security Administrator. This individual is responsible for creating user-ids with the associated access privileges granted by the appropriate Application Security Administrator, for maintaining an appropriate level of overall system security, and for monitoring the system for security violations. This individual shall also maintain records for all accounts including appropriate signatures and granting associated access privileges. Such records shall be maintained for two years after account termination.

Individual Responsibilities

Individual employees are responsible for maintaining the security and confidentiality of data in their possession, such as hardcopy reports or data downloaded to their workstations. Individuals must report to the appropriate security administrator any known breach of application or system security. Individuals who have constructive suggestions to improve security are encouraged to propose them.

Training and Testing

Application system developers and installers shall provide user training on security issues when new systems are installed. Copies of production data should not be used for purposes that may compromise the confidentiality of individuals or organizations.

Separation of Responsibilities

There shall be a distinct separation of job duties and responsibilities such that no one person has the authority and the ability to circumvent the normal checks and balances of the systems. For example, except for an organization that has a sole programmer, no single individual should hold the responsibilities as an Application Programmer and Production Control personnel; or Application Programmer and Database Administrator; or Production Control personnel and Database Administrator. For applications that contain mission-critical, financial or confidential data, maintenance responsibility for the database and system software shall reside in a separate organizational unit. The approval of access privileges to an application shall be in a separate unit from that of the implementer of the access privileges.

Data Disposition

All data shall be properly disposed of when it has exceeded its required retention period, or it is no longer needed for the operation of the organization. This includes output such as paper listings, CDs, magnetic tapes, microfiche, etc.

Appendix A – Policy Routing

Status: Approved
Edit Date:
This policy was approved by the IT Cabinet on April 9, 2002.
This policy was approved by the UIMC on ________________

Approved by: John C. Reynolds, Vice President for Information Technology/CIO
Author: John C. Reynolds, Vice President for Information Technology/CIO

Purpose of the Policy

Azusa Pacific University (APU) recognizes that it is operating in a very dynamic environment and, as such, seeks to ensure that computer needs that could not have been anticipated in the normal planning and budgeting cycle for a department can be met without delays that would negate the benefits to be derived from meeting the need. This policy is to ensure that computers purchased by departmental funds, outside of the University computer budgeting process, will fulfill the purposes and provide the benefits to the University for which they were purchased.


APU has established a budget review process to ensure that computer purchases are clearly support the planned fulfillment of its mission and goals. APU also recognizes that God is sovereign and that opportunities to advance the mission of APU will appear that cannot be anticipated. These may require the acquisition of computers for which funds had not been budgeted for Information Technology (IT). Departments that are called to help meet the challenges of advancing the mission of APU through these opportunities may have funds available to purchase these computers. However, APU recognizes that the total cost of ownership of such a purchase extends beyond the initial expenditure for the hardware and software. There are unseen costs that would typically be included in IT’s budget. They include labor and materials costs for setup, regular maintenance, problem resolution, server services, and network services. For departmental computer purchases, the funds for those costs have not been budgeted, but must nevertheless be provided to ensure that IT can pay for these critical services and materials. Thus, all these factors must be addressed in any computer purchase, and especially those by departments.


This policy applies to all computers for use by part-time and student employees of Azusa Pacific University purchased from department funds outside of the APU budget process. The following issues are addressed in this policy:

  • Criteria for the justification for the acquisition of computers.
  • Financial responsibility of departments that fund the acquisition computers.
  • Criteria for inclusion in the computer refresh cycle.
  • IT service commitment.


Departments will be permitted to fund the purchase of desktop computers out of the departmental budget. The dean of the department or a delegate of the dean must agree to the conditions below to secure approval for the purchase. The CIO, or his delegate, may deny the purchase of the computer if, in his judgment, there are extenuating circumstances that would preclude the use of the computer for its stated purpose.

  1. Computers funded by departments will be used only for part-time staff and student workers. This process will not be used to acquire computers for full-time staff and temporary staff.
  2. The department will comply with the policies governing the provisioning of computers to part-time staff and student workers.
  3. The department will fund the incidental nontechnical costs of placing a computer in its area. These include, but are not limited to:
    1. Furniture
    2. Workspace
    3. Peripheral devices
  4. The department will transfer $6,000 to IT at the time of approval. This amount will be to provision, for a four-year period:
    1. The desktop computer
    2. Delivery of the desktop computer to the department
    3. Setup and maintenance of a network connection
    4. Server space
    5. Hardware setup and support, and
    6. Standard software setup, licensing, and support
  5. The department will comply with APU’s policies and guidelines for ergonomic compliance in the intended placement and use of the computer.
  6. The need for the use of this computer will be reviewed by IT no later than 18 months after delivery, and must be reconfirmed before the computer can be replaced after four years. If the need cannot be reconfirmed, the computer will be removed at the end of the four-year period.
  7. Should the need be reconfirmed prior to the end of the four-year period, the department will take one of the following steps:
    1. Request and secure approval through the standard APU budgeting process to increase the refresh budget by $2,000 in order to include the computer in the standard refresh cycle, or
    2. Commit to transferring $6,000 to IT to replace the computer after four years, and continue provisioning of all services for an additional four-year period.

Any questions relating to the contents or implementation of this policy should be addressed through the Chief Information Officer.