OCIO Newsletter Issue 12


OCIO NEWSLETTER Issue 12 • July 2013

INDEX

SPOTLIGHT
CityU Receives ISO/IEC 27001:2005 Certification for Its Paperless Office Service

BRIEF UPDATES
Blackboard User Surveys 2013
CityU Named a 2013 Computerworld Honors Laureate for Its University Paperless Office Project
A Simple Kickstarter-Like Website for Student/Staff Projects

DISCOVER & INNOVATE
Quick Mobile Access to AIMS

IT SECURITY AWARENESS SERIES BY JUCC
Security Risks for Web Application

FEATURE
Project Management Office (PMO) Implementation for Central IT
E-Learning Championship Series (3)
The New Data Centre Design and Implementation
Engaging Students in Geographically Distributed Classrooms through Echo360 LiveCast – Part 2

STATISTICS AT A GLANCE
Central IT Fast Facts (2012-2013)

GLOSSARY CORNER
IT Concepts from Wikipedia

SPOTLIGHT

CityU Receives ISO/IEC 27001:2005 Certification for Its Paperless Office Service
Office of the Chief Information Officer (OCIO)

City University of Hong Kong (CityU) recently received the internationally recognized ISO/IEC 27001:2005 Information Security Management Systems (ISMS) certification for the University’s Paperless Office Service. The certification is one of the world’s highest accreditations for information protection and security. To the best of our knowledge, CityU is the first University in Hong Kong and mainland China to receive this prestigious accreditation. Only a small number of universities have been awarded this certification worldwide, and CityU is proud to be among the leading universities in information security.

The Paperless Office Service is part of the University’s commitment to sustainability, by reducing paper, energy and space consumption, as well as improving efficiencies. Because of this project, the University was named a 2013 Computerworld Honors Laureate for Sustainability. The Human Resources Office and the Finance Office are currently using this service to provide secure storage for the digitization and processing of our current and past personnel and financial records, as well as to improve efficiencies in document handling. Due to data sensitivity, the ability to provide high levels of information security is a critical success factor.

The ISO 27001 standard was first released in 2005. According to the International Organization for Standardization (ISO), “ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.” The ISO 27001 standard provides broad coverage and includes security policy; organization of information security; asset management; human resource security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.

The ISO/IEC 27001 international standard defines how organizations should manage information security in a holistic and comprehensive manner. Certification to ISO/IEC 27001 demonstrates the University’s strong commitment to protecting information, and managing information security at a level of international best practice. By attaining this certification, the Paperless Office Service also serves as a showcase of how the best practice could be implemented at other units across the University.

The audit for CityU’s certification was conducted by the British Standard Institute (BSI), the well-respected National Standards Body and one of the world’s largest independent certification bodies for management systems. The audit consists of numerous rigorous examinations of the overall security measures of the service, including potential security risks, information controls and data processes to ensure the quality of our information security management system.

Dr. Andy Chun, Chief Information Officer for CityU, received the ISO certificate from Ms. Beata Tang, General Manager of BSI HK. Dr. Chun commented: “The University is extremely proud to have attained the ISO 27001 certification. This would not have been possible without the concerted efforts and dedication across all teams within Central IT as well as the cooperation of our service users and University management’s commitment.” Dr. Chun also indicated: “The ISO certificate is an affirmation that the University has adopted and complied with the highest known management standards in information security in the world. The project clearly shows the value and strengths of the University’s investments in people, process and technology to enrich the University IT environment and to help achieve our ‘Discover & Innovate @ CityU’ vision.”

Dr. Andy Chun receiving the ISO/IEC 27001:2005 certificate from BSI’s Ms. Beata Tang, General Manager BSI HK. Also present were Mr. Raymond Poon, Director of CSC (second from right), Mrs. WK Yu, Director of ESU (right), Ms. Pion Cheng, Project Manager for the Paperless Office Service (second from left), and Mr. Edmond Tang, Business Development Manager, BSI HK (left).



BRIEF UPDATES

Blackboard User Surveys 2013
Crusher Wong

The annual Blackboard surveys of teachers and students were conducted online between March and April this year. The revamped version with fewer questions attracted 282 students and 52 staff members to give feedback. Details can be found within the infographics (Figures 1 to 9) illustrated here. The role of Blackboard (Bb) as the unified Learning Management System at CityU is affirmed, as 96% of the surveyed students indicated that around half or more of their courses make use of it (see Figure 1). In terms of overall usage level as defined by Gandell et al. [1], over 60% of the responding colleagues (Figure 6) believed they are in the higher levels: integral, central and exclusive use. Interestingly, more than 87% of the students’ replies indicated such higher levels of use according to their learning experience, as shown in Figure 2. Plagiarism prevention measures, i.e. Turnitin and SafeAssign, earned high growth of use from both teachers and students, while the Bb Mobile Learn App and Turnitin GradeMark (inline grading tool) gained the most in adoption by students and colleagues respectively (Figures 3 & 7). Accessing course contents anywhere, anytime remained the primary advantage of logging on to Bb for students, based on their responses presented in Figure 4.

Figure 1


Figure 2

Figure 3



Figure 4

Figure 5


The most significant discovery in this year’s questionnaire was the utilization of other web services and mobile apps for teaching and learning, portrayed in Figures 5 & 9. Facebook, Wikipedia and YouTube stayed at the top and were joined by newcomers like WhatsApp, Dropbox and Google Maps. For the first time we learned that Library e-resources were very popular among staff and students.

Figure 6

Figure 7



Figure 8

Figure 9

Reference:
[1] Gandell, T., Weston, C., Finkelstein, A. & Weiner, L. (2000) Appropriate use of the web in teaching higher education, in: B. L. Mann (Ed.) Perspectives in web course management (Toronto, Canadian Scholar’s Press), 61–68.


BRIEF UPDATES

CityU Named a 2013 Computerworld Honors Laureate for Its University Paperless Office Project
Office of the Chief Information Officer (OCIO)

IDG’s Computerworld Honors Program named the City University of Hong Kong as a 2013 Laureate. Established in 1988, this annual international award program honors visionary applications of information technology around the world that promote positive social, economic and educational change. CityU’s “University Paperless Office Project” was recognized as one of the top IT projects in the category of “Sustainability”, awarded to organizations that have implemented major IT sustainability initiatives by reducing energy consumption in IT equipment and/or using technology to conserve energy and lower carbon emissions.

In total, there were 11 categories of awards with 269 Laureates named from 29 countries, out of 700 nominations. Judging was done by a panel of 22 distinguished judges from diverse industries, who evaluated the humanitarian benefits and measurable results of applying technology to meet a specific social or business need. The University is the only organization from Hong Kong to receive a Laureate this year. This is our second consecutive award; the University was also named a 2012 Laureate last year, for our work in “Digital Access” – ensuring our websites are equally accessible to the visually impaired and the disabled.

The “University Paperless Office Project” aims at providing a green IT environment for administrative processing. The project slogan is “Born Digital; Stay Digital” to encourage end-to-end processing in digital form to eliminate paper waste. The project created an enterprise content management (ECM) system built using EMC Documentum and integrated with the University’s Banner enterprise resource planning (ERP) system. It is currently used by the Human Resource and Finance offices to digitize their archive of personnel and financial records and documents with secured storage, as well as to help improve operations efficiencies. The system was first deployed in mid-2012 with additional enhancements rolling out in phases.

Because of this system, we expect millions of pages can be saved each year. The system also makes use of private cloud virtualization on eco-friendly servers, reducing roughly 95 tons of CO2 emission annually. Document handling is roughly 6 times faster. The system was also ISO/IEC 27001:2005 certified for compliance to stringent information security standards. The University estimates that cost savings in energy, paper, space, performance, and improved security will allow the system to pay for itself in just a few years.

“Technology continues to play a pivotal role in transforming how business and society functions. For the past 25 years the Computerworld Honors Program has had the privilege of celebrating innovative IT achievements,” said John Amato, vice president & publisher, Computerworld. “Computerworld is honored to recognize the outstanding accomplishments of the 2013 class of Laureates and to share their work. These projects demonstrate how IT can advance organizations’ ability to compete, innovate, communicate and prosper.”

The Computerworld Honors Program awards were presented at the Gala Evening and Awards Ceremony on June 3, 2013 at the historical Andrew W. Mellon Auditorium in Washington, D.C. Dr. Andy Chun, the Chief Information Officer of City University of Hong Kong, commented: “Social responsibility and sustainability has always been an important priority for the University. This strategic project not only brings important business value to the University but also contributes to a greener environment. I am glad to see the University is being recognized for our leadership in this area.” Dr. Chun also pointed out: “This project would not have been possible without the dedication and hard work of the project team, the commitment by the user departments, as well as the vision and support of the University management.”

Dr. Andy Chun (right) receiving the 2013 Computerworld Honors Laureate medallion, on behalf of the University, from Mr. Scot Finnie, Editor-in-Chief at Computerworld.

BRIEF UPDATES

A Simple Kickstarter-Like Website for Student/Staff Projects
Office of the Chief Information Officer (OCIO)

CityU recently launched a new online donation website called “Invest in CityU Students and Projects” (iCUSP). The website allows colleagues to propose Discovery-enriched Curriculum® (DEC) projects that CityU students and staff are developing for the benefit of Hong Kong and beyond. The donation portal enables anyone, anywhere in the world to participate in these projects through their generous donations. The idea is similar to Kickstarter, but is scaled down for its first release. All projects contribute to society in one way or another, under the theme “CityU Wants a Better World”, while promoting the DEC development of our students.

The project was driven by the Office of the Provost. Colleagues across all disciplines contributed many amazing project ideas. The School of Creative Media assisted with video production to promote these projects. Central IT created the iCUSP website and integrated it with our payment gateway. iCUSP is located here: http://www.cityu.edu.hk/betterworld/


DISCOVER & INNOVATE

Quick Mobile Access to AIMS
Donny Lai, Gary Fung

The Administrative Information Management System (AIMS) is the main IT system that the entire CityU community uses for day-to-day administrative needs. AIMS consists of a rich suite of system functions ranging from personal information, leave application, salary information, course-related tasks and student admin to a range of paperless e-forms. AIMS is a web-based self-service portal developed at CityU on top of Ellucian Banner, the University’s enterprise resource planning (ERP) system.

As part of the University’s mobile strategy, Central IT has developed a new “Mobile AIMS” that allows convenient mobile access to key AIMS functions on Android and iOS smart phones and tablets. Since Mobile AIMS was developed as a native app, it provides all the common touch screen user interactions, navigation, input methods, and orientation-support found in modern mobile apps, giving AIMS a whole new user experience while leveraging the University’s current investment in AIMS development.

The first release of Mobile AIMS provides some of the most frequently used AIMS functions and general academic information. They include:

1. Leave Application & Leave Summary
For staff, leave administration is an important feature. Mobile AIMS provides functions for annual leave application, sick leave application and departmental leave summary. For example, with Mobile AIMS, a staff member can easily apply for sick leave while he/she visits a doctor.

2. Class Schedule
Convenient access to the class schedule is important for students and teachers alike. With the class schedule conveniently accessible from a mobile device, students and teachers can instantly check class time and location from anywhere. This is particularly useful at the beginning of each semester. The schedule also shows the instructor’s name and allows students to contact the instructor if needed.

3. Useful Directories
The ability to easily look up phone numbers or emails of colleagues, teachers, or department general offices is very useful on a smart phone. The first version of Mobile AIMS includes the departmental staff directory, CityU Communications Directory, directory of CityU subsidiary companies & centers, and other useful CityU telephone numbers, as well as emergency numbers. Access to the CityU Communications Directory is particularly useful because it provides very flexible search criteria for searching the contact information of any department.

4. Academic Calendar
The academic calendar is another very important piece of information. Mobile AIMS includes quick access to recent academic calendars, which include semester period, exam period, holidays, and other important dates, allowing students/staff to easily make plans for their activities.

The user experience (UX) design of Mobile AIMS follows the best design practice of other popular apps such as those by Facebook or Google, thus making Mobile AIMS super easy and intuitive to use. It also automatically adjusts its content based on mobile device size and orientation to optimize UX.

Next Release…
After all, the main design objective for Mobile AIMS is to enable quick and responsive access to the most popular features of AIMS. Version 1 is just the beginning. We are looking forward to your valuable ideas and feedback to help define the features for the coming release.


IT Security Awareness Series by JUCC

With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which will be adopted and published here for your reference.

Security Risks for Web Application

I. Background

Industry Story

University of Sydney Web Defacement Uncovers Data Breach from 2007

The University of Sydney is working to respond to a complicated situation discovered after a hacker defaced the university’s main website and emailed the defacement to all students in January 2011. While investigating how the front page of the university’s website was defaced, detailed records on former and current students were discovered to be publicly available. The records, part of invoices generated for students using the Higher Education Contribution, contain student names, addresses, email addresses, enrolled courses and course costs.

University of Sydney Vice-Chancellor Michael Spence confirmed, in a letter to students, that the university had been made aware of the data breach back in 2007 and the problem had been corrected. However, according to Spence, a software update at some point inadvertently removed the fix and exposed the student information once more. As a result of the breach, New South Wales acting Privacy Commissioner John McAteer has launched an investigation into the University of Sydney incident to determine if the university had violated the NSW Privacy and Personal Information Act of 1998.

Web Applications in Universities

Web applications are applications that can be accessed over a network such as the Internet or an intranet in a browser-controlled environment. They are usually developed based on the client-server architecture by using a combination of server-side script (e.g. ASP, PHP, etc.) and client-side script (e.g. HTML, JavaScript, etc.). A web application can be as simple as a message board on a website, or as complex as a word processor or a spreadsheet, such as Google Docs and Microsoft Office Web Apps.

Given their mobility, ease of access and cross-platform nature, web applications are now extensively used within the universities. Typical examples include web-based campus e-mail systems, online student information portals, online facility booking systems and interactive teaching websites.

II. Management

Key Security Risks of Web Applications

The introduction of web applications also raises new concerns on information security. Important or sensitive information can be stored within the web applications, such as student personal data, copyrighted teaching material, and university confidential information. Since web applications are usually designed to be accessed by large numbers of users, they require a high level of system availability as well as information protection controls. The following describes a few common vulnerabilities of web applications which might expose universities to hackers’ attacks.

1. Insufficient Validation Checks
Without proper validation and escaping mechanisms, web applications would accept untrusted data, which could cause injection flaws when deliberate instructions are sent to the database as part of a SQL query. The attacker’s hostile data can trick the affected systems into executing unintended commands or accessing unauthorised data. In addition, Cross Site Scripting (XSS) may also occur, which allows attackers to execute scripts in users’ web browsers that can hijack user sessions, deface web sites, redirect users to phishing or malware sites, or forward them to unauthorised pages.

2. Broken Authentication and Session Management
Web application functions related to authentication and session management may not be sufficiently implemented, which allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities. In a recent incident, the AT&T network was found to have session management vulnerabilities, which resulted in iPad user information being exploited by the hacker.

3. Failure to Restrict Web Page Access
Privileged web pages containing confidential information or powerful configuration access should be protected by web applications through checking the user identities before processing the web page requests. Lack of comprehensive authentication verification, or misconfiguration, may allow attackers to access sensitive data or privileged web application functions. For example, directly copying and pasting the URL of the configuration page of a web application into the web browser may allow a hacker to access the administrative function.

4. Exposed Network Traffic Information
Information exchanged between web application servers and end user web browsers may not be protected using strong authentication and encryption techniques. Weak encryption, weak algorithms, out-dated authentication methods or even data transmission in plain text can adversely affect the confidentiality and integrity of sensitive network traffic for web applications.
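
The access check described in item 3, as an added example that is not part of the JUCC article: a minimal Python dispatcher that verifies identity and role before any privileged view runs, next to a "before" version that relies on pages simply not being linked, plus an audit that requests every restricted path directly. The route table, role names and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed route table for a hypothetical portal:
# path -> (role required to view it, or None for a public page; view function)
ROUTES = {}


def route(path, required_role):
    """Register a view together with the role it requires."""
    def register(view):
        ROUTES[path] = (required_role, view)
        return view
    return register


@route("/", None)
def home(user):
    return "Welcome"


@route("/timetable", "student")
def timetable(user):
    return "class schedule"


@route("/admin/config", "admin")
def admin_config(user):
    return "configuration page"


def handle_request_unchecked(path, user=None):
    """'Before' version: privileged pages are hidden from the menu but
    served to anyone who types or pastes the URL."""
    if path not in ROUTES:
        return 404, "Not Found"
    _required_role, view = ROUTES[path]
    return 200, view(user)


def handle_request(path, user=None):
    """Hardened version: identity and role are checked in one central
    place before the view runs, so no page can skip the check."""
    if path not in ROUTES:
        return 404, "Not Found"
    required_role, view = ROUTES[path]
    if required_role is not None:
        if user is None:
            return 401, "Login required"
        if required_role not in user.roles:
            return 403, "Forbidden"
    return 200, view(user)


def audit_routes(dispatch, routes=ROUTES):
    """Request every restricted path directly, first with no session and
    then as a logged-in user holding no roles; return the paths that were
    served anyway."""
    no_role_user = User("audit-probe", frozenset())
    exposed = []
    for path, (required_role, _view) in sorted(routes.items()):
        if required_role is None:
            continue  # public page, nothing to protect
        for requester in (None, no_role_user):
            status, _body = dispatch(path, requester)
            if status == 200:
                exposed.append(path)
                break
    return exposed


if __name__ == "__main__":
    print("unchecked dispatcher exposes:", audit_routes(handle_request_unchecked))
    print("hardened dispatcher exposes: ", audit_routes(handle_request))
```

Running such an audit as part of release testing also covers the case in the University of Sydney story, where a later software update removed an earlier fix.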

Web Applications Development

When developing web applications, universities’ software development lifecycle procedure should be consistently followed. Management should pay close attention to a number of security considerations and determine the required security controls during the design stage of a web application development. Key security considerations include (but are not limited to):
• Authentication Requirements;
• Privacy and Integrity Requirements;
• Input Data Validation;
• Exception Handling and Reporting; and
• Audit Trail Logging.

At the later testing stage, management should ascertain that sufficient tests are performed to verify the functionalities of the designed security controls prior to the release of the web application to the users.

Security Testing of Web Application

In addition to integrating security measures during the development phase, conducting security testing is another critical process that helps to identify vulnerabilities of web applications and protect the information contained therein. To ensure that security testing can accomplish its objective, management should perform the following tasks:

1. Risk Assessment
Management should define the scope of the web application testing by identifying high risk web applications, key risk areas of certain web applications, and the relevant databases with confidential or sensitive information.

2. Owner Identification and Scheduling
Management should identify the owner of the web application, and assign adequate time and resources to perform security testing prior to the launch of the web application.

3. Contingency Planning and Impact Analysis
Since security testing can involve penetration testing, which may have an adverse impact on the web applications or other devices and data on the network, appropriate contingency planning as well as impact analysis should be performed prior to performing the security testing.

Common Security Testing Types

1. SQL Injection Testing
SQL Injection is one of the major security threats to web applications. Specific testing should be conducted to detect and prevent the possibility of SQL Injection. The tester should list all input fields whose values could be used in crafting a SQL query and then test them separately, with the objective of interfering with the query and generating an error.

2. Cross Site Scripting (XSS) Testing
XSS flaws can be difficult to identify and remove from a web application. One way to test for XSS flaws is to verify whether a web application will respond to requests containing simple scripts with an HTTP response that could be executed by a user’s web browser. Nessus, Nikto, and some other available tools can also help to scan web applications for these flaws.

3. Authentication Testing
In computer security, authentication is the process of attempting to verify the digital identity of the sender. Breaking the authentication mechanism of web applications is always one of the most popular means that a hacker will choose. There are various approaches to testing web applications depending on the authentication mechanisms. The generalised approach is to understand how the authentication process works and use that information to explore the possible means hackers may use to circumvent the authentication mechanism. The tester may also refer to existing attack techniques to construct test cases for detecting the corresponding security flaws.
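
The per-field test described under "SQL Injection Testing", applied to the flaw from "Insufficient Validation Checks", as an added example that is not part of the JUCC article: a query built by pasting input into the SQL text, the same query with placeholders, and a check that tests each input field separately and reports which ones break the query. It uses Python's sqlite3 with constructed sample records; the handler and field names are hypothetical.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, course TEXT)"
    )
    db.executemany(
        "INSERT INTO students (name, course) VALUES (?, ?)",
        [
            ("Alice Chan", "CS101"),
            ("Bob Lee", "EE204"),
            ("Sean O'Brien", "EE204"),
        ],
    )
    return db


def search_vulnerable(db, fields):
    """'Before' version: field values are pasted into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = (
        "SELECT name FROM students WHERE name = '%s' AND course = '%s'"
        % (fields["name"], fields["course"])
    )
    return [row[0] for row in db.execute(sql)]


def search_hardened(db, fields):
    """'After' version: placeholders send the values separately from the
    statement, so they are always treated as data."""
    sql = "SELECT name FROM students WHERE name = ? AND course = ?"
    return [row[0] for row in db.execute(sql, (fields["name"], fields["course"]))]


# A known-good request used as the baseline for every test case.
BASELINE = {"name": "Alice Chan", "course": "CS101"}
# A lone quote character is enough to unbalance a string-built query.
PROBE = "'"


def fields_breaking_query(handler, db, baseline=BASELINE, probe=PROBE):
    """Test each input field separately: append the probe to one field,
    keep the others at their baseline values, and record the field if the
    database reports an error."""
    flagged = []
    for field in baseline:
        candidate = dict(baseline)
        candidate[field] = baseline[field] + probe
        try:
            handler(db, candidate)
        except sqlite3.Error:
            flagged.append(field)
    return sorted(flagged)


if __name__ == "__main__":
    db = make_db()
    print("string-built query, fields that break it:",
          fields_breaking_query(search_vulnerable, db))
    print("parameterised query, fields that break it:",
          fields_breaking_query(search_hardened, db))
    # A legitimate name containing an apostrophe works with placeholders.
    print(search_hardened(db, {"name": "Sean O'Brien", "course": "EE204"}))
```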

Conclusion

While web applications offer great convenience and flexibility to universities, they also expose universities’ information systems and resources to more security vulnerabilities. Hackers may obtain sensitive information or even forge the identities of authorised users for malicious purposes. Management should consider security as a fundamental element when developing web applications and conduct adequate security testing to detect any security flaws.

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (JUCC). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

copyright@jucc.edu.hk
Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong

FEATURE

Project Management Office (PMO) Implementation for Central IT
Donny Lai


In 2012, City University of Hong Kong’s Central IT launched a project to establish a Project Management Office (PMO) to better align IT development with University strategy as well as bring in internationally-recognized project management best practice. Central IT has standardized a common set of project management practices following international standards, such as the guide and practice of the Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK) and the International Organization for Standardization’s (ISO) new ISO 21500:2012 standard for project management.

Project management as described by the PMI is the application of knowledge, skills, tools, and techniques to project activities in order to meet project requirements. It is also the discipline of planning, organizing, motivating, and controlling resources, particularly human resources, to achieve specific and distinct project goals. The primary challenge of project management is to achieve all of the project goals and objectives while tackling and balancing the preconceived triple constraint of scope, time, and budget. Certainly, every project is intrinsically expected to deliver more with less time and budget. In practice, program management also needs to simultaneously deal with the secondary triple constraint of limited resources, expected highly reliable quality, and unpredictable risk. A recently recognized challenge is stakeholder satisfaction.

Every company has its own enterprise culture, environment, and practice, and the University’s Central IT organization is no exception. The project management methodology does not follow the international standards directly, because the international guidelines and standards are objectively designed to be suitable for large projects and applicable to any industry. Comparatively, Central IT has many small and quick projects that will usually last for less than six months. Thus, our project management methodology, tools and templates are designed to accommodate our special needs by balancing the complexity, efficiency, and effectiveness of project management.

Briefly, Central IT’s project management methodology is consistent with both PMBOK and ISO21500 in that all projects will be divided into five process groups. They are the process groups of project initiation, planning, execution, control & monitoring, and finally closing.

During project initiation, a business problem, need, or opportunity is identified. Then a preliminary study will be conducted to investigate the feasibility of the project, and the output of project initiation will be a sponsor-approved project charter, which contains the relevant facts, high level project plans, and estimated budget of the project. In order to simplify the paperwork of small projects, there is a concise project charter lite form for those projects with project duration less than six months, projected manpower less than six months, and project size less than one million Hong Kong dollars.

The next task of project managers is project planning. The planning process involves the use of planning tools and techniques, such as work breakdown structure (WBS), critical path method (CPM), project evaluation and review technique (PERT), etc. A project management plan is necessary for any project. It is especially essential for a large project, such as a project that will last for more than a year. Our project management plan template was designed based on the IEEE standard for software project management plans (IEEE Std. 1058-1998).

Project Execution and Project Control & Monitoring are simultaneous processes. A monthly project progress report should be produced for management review and risk management. For any issues that will affect the project scope, time, or budget, formal change requests should be issued, processed, and approved by the sponsor.

Project closure involves the process of user acceptance of all project deliverables, submission of operation and contingency manuals of the delivered product, if any, post project review and reporting, and finally compilation and archival of all project documents and artifacts. To enhance the competency of project management, the previous experience of completed or failed projects is vital to the knowledge and service of the PMO. Thus, documentation, suggestions, and action plans arising from the lessons learned from the projects should be discussed and reported through the final meeting of the post project review.

The PMO of Central IT has prepared a collection of templates to help and guide the management of IT projects. They are also mapped to the project management processes of PMBOK 5 and ISO21500:2012 so that the standards can be easily referenced and correlated to the templates. The Central IT project management methodology, tools and techniques will be shared on our PMO website, which acts as a central reference for project managers in Central IT as well as IT staff in various University departments and units. The website is currently in the pilot stage and will be available after the final verification. The PMO provides a series of project management training sessions to promote the PM methodology and the use of the templates. If you are interested in knowing more about the PMO service, please feel free to contact me at donnylai@cityu.edu.hk.


FEATURE

E-Learning Championship Series (3)

K P Mark, Angel Lu

Welcome to another round of e-Learning Championship Series. Mobile devices have taken up a significant role in our daily lives, especially in the education field. In this third case of the Series, we are diving into the stories and successful experience relating to mobile technology teaching by Dr. Terence Cheung from the Department of Information Systems and Dr. Ray C. C. Cheung from the Department of Electronic Engineering.

“Location, Mobile and Social”: Learning and Collaborating Everywhere

“Learning anytime and anywhere” is not just a literal slogan anymore, because of the portability and mobility of mobile devices. Dr. Terence Cheung coined an acronym for his e-Learning strategy, LMS, which stands for Location, Mobile and Social Learning. Highly portable devices free learning from the constraints of physical locations and fixed schedules. Incidentally, the instant-on and always-on features of these gadgets further put acquaintances at your fingertips. By blending such attributes with social learning platforms like Facebook, Mindmeister, Trello, Google Drive and Calendar, the streamlined learning process motivated students’ engagement. Learners enjoyed the interaction brought about by exchanging feedback in the blink of an eye. Dr. Cheung was not, however, fully satisfied with what had been achieved. To excel further, he applied mobile gadget learning outside the classroom, for instance, conducting UX (User eXperience) and marketing research, or asking pedestrians for comments and “Likes” on sample cosmetics, using iPads, Facebook and cloud services like Google Form. Dr. Cheung’s main focus in adopting technology in learning and innovative teaching paradigms is to equip students with practical skills so that they can have authentic work experience and better equip themselves for their internships or career choice after graduation. The plan was carried out smoothly and successfully, as appreciation was always received from companies. Besides, the increasing number of start-up businesses from graduates showed clear evidence that peer collaboration and sharing between juniors and seniors would result in innovation, as outreach led to discoveries. With these pragmatic objectives in mind, students were required to attend business and technology seminars in their courses to expand their networks and opportunities on new projects and interns. Concurrently, Dr. Cheung will continue to emphasize the adoption of state-of-the-art technology and social platforms like Twitter to enhance the experience of real-time sharing and responses. The best thing is, you will hopefully receive Dr. Cheung’s responses and advice if you send or leave a message on his Facebook page, which has been published to students, no matter whether on schooldays or holidays.

Dr. Terence Cheung advocates that authentic work experience with social media is important for students’ career development

Game Development: Classroom Knowledge to Real Production

Focusing beyond the hardware, Dr. Ray Cheung successfully aroused students’ interest in the course by taking advantage of the latest fever of Candy Crush Saga, a multi-platform game created by King.com. “I want my students to be able to implement something that allows their friends and families to play with.”

Dr. Cheung believed that such an opportunity to engage students in turning ideas into real applications would benefit them far more than just cloning source code from textbooks or notes. Dr. Cheung has set up an Apps Lab (https://www.facebook.com/CityuAppsLab) to connect people who are interested in developing mobile apps at CityU. Adopting the hands-on approach, Dr. Cheung required his students to complete a GEM crush, a simplified version of the classic tile-matching video game Bejeweled, individually or with a partner in 10 weeks. Students not only learned to make good use of the game API (Application Program Interface) but also created and combined ideas. One of the most creative products was HKGoldenGems, a combination of a popular computer-fans forum, HK Golden, and Gem Crush.

“Now, I know how the Candy Crush works! I want to join this Apps Lab to learn more!”

“I can’t imagine our knowledge learnt from the course can make a real game like Gem Crush!”

“I will now think about the logic of the Gem Crush when I am playing similar games!”

All this promising feedback from students proved that the project was a triumph in raising students’ curiosity about programming along with their gain of practical knowledge. Next year, the tutorials will be extended to 2 hours in order to provide a better hands-on experience to students. After all, there is no better way to learn programming than getting your hands wet. Apart from the present adoption of Echo360 to record lectures for revision, the actions performed on the instructor machine may also be recorded for training purposes.

Dr. Ray Cheung believes that turning ideas into real applications is the key to engage and benefit students.

The current decade is often regarded as the era of smartphones and tablets. The accessibility and mobility of those handy gadgets set up a new platform for educators and learners to explore. We are delighted to be one of the participants in this exploration. Stay tuned for our next issue to join our voyage of discovery!


FEATURE

The New Data Centre Design and Implementation

John Chan

This is the 2nd of a series of articles focusing on building a modernized Data Centre. As mentioned in the first article, building a modernized Data Centre and making it a success involves many factors, among them the necessities, the architect, the challenges and/or potential stumbling blocks, and the mitigations of significant risks. These are all areas that must be considered in the design. Once it evolves, there are other operational factors that must be considered in order to achieve what was originally designed. In the first article, “A New Era for Data Centre” (Issue 5 of the OCIO Newsletter), it was mentioned that there was an urgency to expand the current Central Data Centre of the University. This article continues by first focusing on the elements in building a modernized Data Centre based on “green” technologies.

Why does a Data Centre need to be “green”?

Nowadays we talk a lot about how we integrate with “green”, such as deploying green technologies, switching to green devices, etc. Green has become something with which we are already very familiar. However, when we think of “green”, we are normally referring to the environmental factors that are being affected and their impacts on our daily lives. But how does green integrate with the Data Centre? Apart from modern technologies, there are actually two inter-related elements that constitute the underlying factors affecting the building of a modernized Data Centre. One is the space and the other the power consumption. In order to stay competitive, it is crucial that IT spending and the ability to improve business agility through IT are well balanced. These two elements will greatly affect this balance.

Space is a peculiar factor that affects the total cost very much, no matter what. This is especially true in Hong Kong, where space contributes a very high proportion of the total IT costs, such as the space rental costs. In that sense, it is normally not feasible to attain a Data Centre with a large space. However, when space is scarce, more compact and densely packed equipment must be used. This in turn produces more unnecessary condensed and localized hot spots. The adverse effect is that extra energy will be consumed to cool them off, resulting in more power consumed and higher operating costs. On the other hand, with a large Data Centre, much more power will be consumed to maintain a normal and suitable operating environment, if traditional methods are still being used. How do we strike the balance? This is where the green technologies for a modernized Data Centre come in. It is even more important to use green technologies to cut down power consumption costs, not just for the environmental factors which we normally think of when deploying green.

How can a Data Centre be “green”?

Green is only a concept. To really appreciate it, there needs to be a process through which we can comprehend it and eventually realize its value. This process starts with the “design and build”. This is the basic building block. After that, with the provisioning of standard measuring tools, we need to perform continuous monitoring and auditing and make appropriate adjustments based on the results captured. Only then might we be able to achieve the most desirable result. This is a life-long process. Regular reviews must be made, preferably once every 6 months. Equipment replenishment evaluation must also be conducted, preferably on an annual basis, in order to retire aged equipment or devices which are no longer efficient after prolonged use.

To better understand this process, it will be helpful to briefly describe how “green” is measured in a modernized Data Centre as well as the main components that constitute it. In order for the data to be meaningful, all measurements must be made according to well-defined standards. Fortunately, several sets of standard measurements already exist today and have been adopted by the IT industry. Using these standards makes it much easier to design and manage the facilities and equipment to achieve optimal energy efficiency.

Our new Data Centre was designed according to the Green Grid methodology. The Green Grid is a global consortium of IT companies and professionals seeking to improve energy efficiency in Data Centres. The organization seeks to unite global industry efforts to standardize a common set of metrics, processes, methods, and new technologies to achieve its common goals. These goals are to be attained through a series of short term and long term proposals. The consortium published its very first white paper in 2007, titled “Green Grid Metrics: Describing Data Center Power Efficiency”. In that paper, the Green Grid proposed the use of the Power Usage Effectiveness (PUE), which will enable Data Centre operations to quickly estimate the energy efficiency of their Data Centres historically as well as compare the results against other Data Centres, and determine if further improvements need to be made.

How does the PUE affect the Total Cost of Ownership (TCO)?

The TCO of a Data Centre can be subdivided into two major components, namely, the Initial Investment plus the Operations Cost. The latter reflects the costs for the overall power consumptions and the cost of maintaining those facilities. Among these costs, the energy consumption (power cost) is a central issue for Data Centres. Power drawn by the Data Centre comprises the power drawn by the IT equipment and for the operations of the supporting facilities. For higher power density facilities, the electricity costs are a dominant operating expense and sometimes account for over 20% (annual cost) of the TCO. To appreciate how the PUE value will affect the TCO, the following table shows the power costs with different PUE values:

As shown in the table, different PUE values will have significant impact on the yearly operation costs.

In other words, measuring green in the Data Centre is reflected by the corresponding PUE value. A lower PUE value means the Data Centre is greener, as shown in the following description. We will be using the Green Grid Level 3 Standard.

Under this level, all equipment will be measured as shown in the PUE diagram and table, including the IT facilities as well as the Building facilities, and data will be captured continuously. However, when interpreting the results, there are a set of rules and guidelines as well as a required process from Green Grid that needs to be followed when making public claims of a particular PUE value for a Data Centre. Under this bracket, both the credibility and usefulness of the PUE metric will be enhanced. As technology gets further advanced, when comparing our PUE value to the market, we will be able to know any room for improvement and further lower the PUE value.

How to achieve the expected PUE?

During the design and build for achieving the above Level 3, several crucial components were selected and deployed. Among these are the cooling facility, the power facility, as well as the power management solution. Each of these will be briefly described below.

The Cooling Facility

There are several major components making up the whole cooling facility, namely, the air-conditioning system, the Chiller Plant to the air-conditioning, and the racking arrangement for more efficient hot-and-cold air interchange.

Air-Conditioning System

The purpose of the air conditioning system for the Data Centre is to efficiently remove the waste heat of the IT equipment and eject it from the room. In this design, the air conditioning is provided by the establishment of Containment Inline CRAC units. These modular units are mounted among the IT racks.


Comparing the Inline CRAC arrangement with other architecture, the airflow paths are shorter and more clearly defined. This will have 2 impacts. First of all, this saves energy for the shorter air movement. Secondly, all the rated capacity of the CRAC will be utilized; thus higher power density can be achieved.

To improve overall energy efficiency, the units are set to operate at 15°C chilled water supply temperature.

Chiller Plant

The overall Chiller Plant sub-systems for the new Data Centre comprise the existing building-based chilled water system using a heat exchange, plus an alternate outdoor air-cooled chiller set up as the backup supply. The whole arrangement was designed to run in a 15 - 23°C chilled water temperature environment. This set-up will reduce energy usage by 30%.

Containment and Racking

To significantly reduce energy loss, a lot of improvements have been made in the design of the IT racking arrangement. Traditional set-ups did not take the impact of mixing cold and hot air into consideration. Recent studies have shown that it is crucial to separate the cold air provided by the Chiller Plant from the hot air emitted from the IT equipment. This brings in the idea of the containment solution. There are two approaches to this. One is the Hot Aisle Containment (HAC) and the other the Cold Aisle Containment (CAC). In both approaches, each two rows of IT racks are arranged to face each other. The Containment is then constructed in the space between the 2 rows. In the HAC, the rear ends of the racks within the 2 rows face each other, trapping the hot air inside the containment. The CAC works the other way round, with the containment trapping the cold air. Both approaches have their own pros and cons on energy saving versus costs and comfort.

In the new Data Centre, the HAC was chosen for two reasons. First of all, setting up HAC will allow hotter water flowing back to the Chiller Plant, thereby allowing more energy saving efficiency. Secondly, since the new Data Centre is bounded within a large building surrounded by other facilities which have sufficient air-conditioning, the cool air loss from the Data Centre to the outside will be very minimal or even none, making the HAC still a very energy saving set-up. Inline CRAC units are integrated into these rows. The units will supply cold air directly to the equipment as well as to the whole room.

The Power Facility

The power or electrical facility is the key element in the new Data Centre. It comprises the Uninterruptible Power Supply (UPS) and the Electrical System.

UPS

The UPS system was designed to support all the IT equipment in the new Data Centre, according to the N+1 concept, meaning that if one UPS fails, it will not affect the whole operation.

Models with high energy efficiency capability in variable loading situations were chosen. These have 92% to 94% power efficiency, with 0.99 input power factor and 0.9 output power factor. To further improve the energy saving, the UPS is designed with the Energy Saving System (ESS) green feature. By using this feature, the power converters are idle under normal operating conditions, meaning that the UPS will supply main power directly to the equipment, in a simple sense. When the main power is lost or exceeds a preset output threshold, normally below 2ms, it will immediately switch to supplying power through the power converter. Battery power is then drawn to the equipment. The ESS feature has a significant impact on the energy saving, as there will be no power conversion going through the power converter when supplying the power to the equipment. Furthermore, it will prolong the lifespan of the Power Supply Unit (PSU) installed inside the IT equipment.

Electrical System

The most essential component of the electrical system consists of the main switch board, which distributes the main power to the other major areas, including power to the UPS system, power to the air conditioning system, as well as the General Power Supply. Power Analyzers will be installed in different parts of the electrical system. These will be used to collect data for calculating the PUE measurement.

Power Management Solution

The power management solution is the most important component in the whole design. Without it, we will not be able to accurately calculate the achievable PUE value. Furthermore, proper integration of this solution with a well-defined set of rules for operating and managing the Data Centre will allow us to use our limited space and energy resources more efficiently.

The solution consists mainly of the Intelligent Power Bars (iPDUs) and the energy management software.

Intelligent Power Bars

At each rack, two Intelligent Power Bars (iPDUs) were installed. Besides providing power to each piece of equipment as a normal power bar does, the iPDU provides power usage information down to the bar and socket level. Not only can power readings be obtained; it can also provide temperature and humidity data within the rack. By using these data, we will be able to calculate the PUE value and fulfill the Green Grid Level 3 Standard requirements. Besides, it will increase the Data Centre’s reliability and provide better utilization of the rack spaces and better capacity planning for server replacement.

Energy Management Software

There are two distinct functions provided by the software. First of all, using the software, we will be able to monitor and manage multiple iPDUs concurrently, as well as remotely control the power to the bar, even down to each individual outlet. Secondly, the software will be able to capture all energy data, again even down to the individual outlet, as well as properly analyze those data. Based on the analysis, further tuning, adjusting, or initiating replacements will be made possible as a follow-up.

What’s next?

Having all of the above equipment and set-up does not mean “green” will come in automatically. This is only the initial stage. The crucial step that comes next is operation control, management, and measurement. As mentioned at the beginning, appreciation of green in a Data Centre is a many-year process for as long as the Data Centre exists. The PUE value is a very good indication of how it goes. But a good value this year does not guarantee it will be the same next year. Without proper control and auditing, it will be doomed to drop. As for this new Data Centre, an indicative PUE value can only be obtained when we have started to use it, when more and more IT equipment such as servers, storage, devices, etc. come into existence, and when real life data are actually captured and analyzed. In about a year’s time, when we perform the initial auditing, we will be able to really appreciate how much we have done to achieve green.

FEATURE

Engaging Students in Geographically Distributed Classrooms through Echo360 LiveCast – Part 2

K P Mark

In the previous issue, we have introduced the new Echo360 LiveCast features and explored its potential in engaging remote students in geographically distributed classrooms. In this issue, we will discuss the challenges faced by the e-learning team during the initial stage of the two remote sites: Shenzhen and Hefei.

Locations of LiveCast venues

Timeline: November to December 2012

Led by Prof. Doug Vogel (IS) and me (OCIO), the working group conducted several visits to CityU Shenzhen Research Institute (SRI), where numerous students enrolled in IS8003. During the first visit, the working group attended IS8003 remotely in Shenzhen through the traditional video conferencing with Adobe Macromedia Breeze, which was already phased out by Adobe Macromedia. User experience of the video conferencing at SRI deteriorated due to frequent breakdowns. Echo360 LiveCast was evidently a better alternative to improve the user experience and students’ engagement.

IS8003 in Shenzhen using Breeze


Although Echo360 LiveCast could be operated merely with an Internet browser and a speaker at the remote site, there were several unexpected challenges with the local settings that took some time to resolve. For example, a piece of local security software installed at SRI computers was preventing Echo360 LiveCast from running smoothly. Moreover, we also discovered that the misconfiguration of time zone settings at SRI local computers eventually led to the dysfunctional behaviour of Echo360 LiveCast. It was resolved after the cause was located and rectifications were performed.

Timeline: January 2013

There was a group of PhD students located in Hefei under the mainland collaboration scheme between the University of Science and Technology of China and CityU’s IS Department. In order to enhance their learning experience at the remote campus, I flew to Hefei to assist with the setting-up of Echo360 LiveCast.

LiveCast brought significant advantages to teaching staff at CityU and students at Hefei as the campuses were geographically apart. The solution of LiveCast saved a great deal of time travelling back and forth from Hong Kong to Hefei since there was no direct flight between the two places. The most convenient way was to take a direct flight from Hong Kong to Nanjing first, then change to a train to Hefei.

Snapshot at Hefei train station

The typical classroom setting in Hefei was equipped with a video projector and a speaker only. Therefore, normally one student was required to bring a personal notebook computer so that the whole class could watch the IS Seminar through the computer projector. As the audio and video quality transmitted through Breeze was somewhat disappointing, some students eventually stopped attending the seminars and preferred to watch the video capture after the seminars.

Typical classroom setting in Hefei

Network connectivity in Hefei was a real trial of LiveCast in the first instance. For example, the WiFi access point in the classroom was discovered to have no Internet connection and the bandwidth at Hefei was remarkably lower than that of Shenzhen. As a result, we were concerned about the quality of Echo360 LiveCast even though we had worked out a protocol for it at the remote classrooms. The first LiveCast was held in the afternoon of 22 January 2013 under close monitoring by our e-learning team colleagues. The event was a success with respect to the system performance of audio and video quality, which exceeded the participants’ expectation. Apart from the quality, Hefei students also praised in their feedback the stability of the system, as there was no interruption during the LiveCast. More importantly, its simple operation on the Internet browser made learning easier.

The first Echo360 LiveCast in Hefei

Potential Expansion of Service

Apart from the seminars and lectures, this technology is also suitable for conducting student presentations across campuses. Instead of face-to-face presentations, students can pre-record the presentation with Echo360 and share the presentation on the BlackBoard. Instructors and peer students can then comment and give instant feedback online. This allows students across different geographical locations to collaborate and share their ideas without adopting expensive technology. Echo360 has been proven to be an effective tool to help students learn and engage in the lessons. We are pleased to provide support to departments and teachers who are interested in adopting LiveCast in their courses. You are very welcome to contact us at elearn@cityu.edu.hk for suggestions and support.



STATISTICS AT A GLANCE


GLOSSARY CORNER

IT Concepts from Wikipedia

Andy Chun (ed.)

Information Security – ISO/IEC 27001 is an information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

Service Management – ISO/IEC 20000 is the first international standard for IT service management. It is based on and intended to supersede the earlier BS 15000 that was developed by BSI Group. It was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA’s COBIT framework.

Project Management – ISO 21500 provides guidance for project management and can be used by any type of organization, including public, private or community organizations, and for any type of project, irrespective of complexity, size or duration. It provides high-level description of concepts and processes that are considered to form good practice in project management (from www.iso.org). It is aligned with the Project Management Institute’s (PMI) A Guide to the Project Management Body of Knowledge (PMBOK® Guide).

This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/ShareAlike License.

Editorial Box

OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mrs. W K Yu (ESU)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Ms. Maria Chin (CSC)

Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Mrs. Louisa Tang (ESU)
Ms. Doris Au (OCIO)

For Enquiry
Phone 3442 6284
Fax 3442 0366
Email csc@cityu.edu.hk

OCIO Newsletter Online
http://issuu.com/cityuhkocio

