OCIO NEWSLETTER Issue 13 • OCT 2013
INDEX
SPOTLIGHT
• Paperless Workspace Project (PLWS), an Integrated Case Management Platform
FEATURE
• e-Learning championship series 4: When a Philosopher meets an IT Entrepreneur: Critical Reasoning and e-Learning
• Introducing the Staff Profile System
• Use Cases of Security Information and Event Management (SIEM)
DISCOVER & INNOVATE
• Create Secure Email Attachments Using 7-Zip
BRIEF UPDATES
• Some Updates on CSC Forums
• CityU Recognized in the 2013 CIO 100 Awards for Its 334 IT Implementation Project
• CityU CIO Receives a 2013 Outstanding Performance of IT Excellence Award
• Central IT Has Moved!
• LMS Evaluation 2013-2014
IT SECURITY AWARENESS SERIES BY JUCC
• Security Incident Management
STATISTICS AT A GLANCE
• Staff and Student IT Courses
GLOSSARY CORNER
• Massive Open Online Course (MOOC)

SPOTLIGHT
Paperless Workspace Project (PLWS), an Integrated Case Management Platform
Pion Cheng

Case Management Automation
Business processes in the future will tackle smart jobs: encompassing more skilled workers who must accomplish a greater variety of tasks with relatively fewer resources. Instead of work being parceled out to a sequential progression of service workers on an imaginary assembly line, workers in smart jobs will manage a “case” from start to finish. This is in sharp contrast to an old and outdated mass-production approach.

People are always going to be involved in case-based processes because they have the expertise needed to make decisions. They do not need to be involved in gathering, routing, and communicating all of the information necessary to make that decision. When a computer system handles such tasks, there is less chance that they, and the workflows associated with them, are ignored or forgotten. In many situations, automation of tasks within a case-based process allows the system to become the case manager and improves adherence to policies and procedures by relieving each stakeholder from needing to understand the entire workflow.

Case management is an example of a dynamic business application that embodies the business process, is built for continuous change, and is designed for people. Earlier process applications that are built on custom code with long deployment and maintenance times are not adapted well to the variable conditions required in case management. Case management is not just limited to legal, social work and government cases. A case starts with content such as an image, email, e-form, and it alters the presentation and rules based on the case life-cycle stage. In all types, the process and associated content evolves to meet the requirements of the case.
Paperless Workspace Project (PLWS)
The Paperless Workspace Project aims to provide access to rich process management functionality and content management services via a standard browser-based application. It is ideal for users participating in transactional activities such as processing who need to define, execute, monitor and optimize business processes across departments, systems and applications. It also enables rapid development and deployment of task-specific user interfaces tailored to process activities that meet the challenge of case management automation.
Finding the Right Solution
Reducing paper is the first step to transaction efficiency and cost reduction, and process improvement is where the biggest gains are to be made. An extension of the Paperless Office Project, the Paperless Workspace Project (PLWS) adopts a case management platform that combines the strengths of business process management and enterprise content management with collaboration tools:
• Image processing solutions - provide image capture, digitization, and file conversion capabilities to bring all case-related content onto a common platform. This provides flexibility in transitioning existing processes into more modern data formats and removes the need for immediate paper-based process changeovers.
• Content management solutions - manage secure document access as well as encryption, digital shredding, and support for electronic signatures when required. The ability to maintain version control and set and enforce retention and disposition policies is critical to help improve information accuracy and address regulatory and legal concerns.
• Business Process Management suites - complete with process automation and rules engines, allow users to graphically design the path of information from beginning to end and subsequently manage it.
What’s next?
Throughout the implementation of the Paperless Office Project, the needs of case management from the HRO and the FO operation were identified. The Duty Visit Application, currently operated by paper and manual process, is one of the typical case-based processes involving review, approval and collaboration activities. Information is gathered from several stakeholders, and endorsers and approvers make decisions based on this information. The human judgment element introduces a level of unpredictability and thus the path a case takes to completion will always be uncertain. In some cases, a decision will dictate that more information be gathered before a final outcome can be determined. Other situations may be more straightforward, where a decision simply requires that an individual be notified that an outcome (approval or denial) has been reached. Once the integrated case management platform provided by the Paperless Workspace Project is in place in Q4 2013, the processes of the Duty Visit Application will be transformed and targeted to:
• Improve service with better, faster, more complete response
• Reduce the inefficiency, expense, and risk of paper documents that can be easily misplaced or lost
• Manage and associate all types of related information, from scanned documents and digital pictures to applications, email, and more, in a common case folder
• Handle unprecedented transaction volumes while maintaining flat resource pools.
BRIEF UPDATES
Some Updates on CSC Forums
Annie Yu

Seven CSC Forums for the Academic Year 2012-2013 brought together IT market leaders such as Microsoft, Apple, McAfee and Google to focus on technology updates concerning the latest operating systems for desktops and mobile devices as well as issues relating to the latest green technology and mobile security. With a total attendance of around 750 across these events, many staff and students walked away with solid information to further enhance their IT skills and ideas that they could apply. All seminars lasted 1-2 hours and can be accessed online from any location on campus or via ISP from home. If you missed any of our previous seminars, you can find them at the CSC Forum Video Archive.

In store for you this academic year is a list of exciting topics including “Google Glass”, “3-D Printing” and “Public Cloud Service”. To begin with, the Computing Services Centre has scheduled three CSC Forums in Semester A, and a rundown of each is as follows:

• Thursday, 26 September 2013, 4:00 PM
Unified Communication and Collaboration
Lync Online is an element of the Office 365 product set that provides next-generation communications capabilities including instant messaging (IM), presence, and PC audio, video, Web conferencing and screen sharing. This informative session will focus on Microsoft’s Lync and Skype and what Microsoft’s vision for the future of communications is. There will also be a live demonstration of this powerful communication tool.

• Thursday, 17 October 2013, 4:00 PM
Enterprise Mobility Management: Secure, Manage, and Empower
Mobile technologies are changing the way companies do business. The push towards mobility is especially prominent among organizations that are using mobile technologies to reshape business processes, increase worker productivity through the access of corporate resources while mobile, and deliver value to their customers. Increasing investments in mobility are forcing IT leaders in large enterprises to address several challenges, from supporting a large number of smartphones and tablets across multiple mobile platforms to developing business applications, and a more complex set of security concerns. Organizations need to utilize a comprehensive, secure, and scalable platform to centrally manage mobility across the enterprise. This seminar will provide best practices and strategies on how organizations can do so.

• Thursday, 7 November 2013, 4:00 PM
Jump Start on Windows Phone Application Development
Windows Phone means more: more immersive app experiences; more opportunity to reach a range of devices; more ways to help monetize your applications. Join this session to learn more about designing and developing apps for Windows Phone 8 and take advantage of these amazing benefits.
CSC Forum - Are Your Smart Mobile Devices Secured? Presented by: Mr. Paul Tsang, Senior Sales Engineer, McAfee (Hong Kong) Limited Date: 25 October 2012
CSC Forum Video Archive: http://www6.cityu.edu.hk/cityuvod/cat/cscforum
FEATURE
e-Learning championship series 4
When a Philosopher meets an IT Entrepreneur: Critical Reasoning and e-Learning
K P Mark

In this issue of the e-Learning Championship Series, we present the success story of a project team with two very different backgrounds: Dr. Eirik L. Harris, Assistant Professor with an academic background in philosophy and public policy, and Mr. Charles Woo, part-time Senior Research Assistant, a young IT entrepreneur who founded his own IT business while he was still an undergraduate.
The philosopher-technologist combination
Dr. Harris is the Principal Investigator (PI) of the CityU Teaching Development Grant (TDG) project “Developing Critical Reasoning Skills in Gateway Education Courses”. The main theme of this TDG project is to develop a series of online modules to help develop critical reasoning skills among students who are taking Gateway Education (GE) courses. “The idea is that these online modules will help students gain a set of skills and tools that can be reviewed and employed not only in GE courses but in students’ other courses and in their lives more broadly,” said Dr. Harris.

To many “outsiders” of philosophy, the subject content is always too difficult to understand. As a philosopher, Dr. Harris faces the challenge of delivering this GE course to a large class of students without philosophy training. He understands that e-Learning applications would benefit student learning through interactive online activities. Dr. Harris highlighted the value of online learning: “The fact that these modules are online allows for a variety of benefits. First, it is easy to use multi-media. The students watch a series of short video clips on the topics, and can review them as many times as necessary so that they are comfortable with the material. In addition, we have developed exercises and quizzes that respond to the answers that the students give, providing them with guidance depending on the areas in which they are having problems.”

Dr. Eirik Harris believes that multimedia content, personalized content and timely feedback are important to student learning

Without a strong IT expert, developing these applications and the e-learning contents would be too demanding for Dr. Harris. Mr. Woo is the right person to complement Dr. Harris in this project with his unique and special background: while he was in his undergraduate studies, Mr. Woo had already founded his IT company. His business continues to grow after graduation. Now, his business areas include IT development, IT education and training, as well as retailing.

Mr. Charles Woo demonstrating the interactive multimedia contents produced in this project

To many people, it sounds surprising for Mr. Woo to put his business aside and work as a part-time Senior Research Assistant in this project. “I am very passionate about education. During these years, I have been working on e-learning systems development. Recently, we have expanded our company to provide education and training services to students and teachers,” Mr. Woo explained. When he learnt about this opportunity to work with Dr. Harris on this exciting project, he immediately agreed to join the team as a part-time staff member without hesitation. Unlike Dr. Harris, Mr. Woo has a strong sense of IT but knows little about philosophy. “Very often, I know nothing about the content. Dr. Harris, as the subject matter expert, tells me his expectations on student learning. Then, as the technologist, I will design the e-learning solution for him,” said Mr. Woo. “It is mutually beneficial to work with Dr. Harris,” Mr. Woo further explained. “While I can contribute to the project with my experience on contemporary technical development, I have access to CityU’s state-of-the-art e-learning infrastructure. This gives me new inspirations on developing my business on education and training.”

Online content on critical thinking
Deliverables from the Project Team
The first phase of the project is to develop some interactive online contents for student viewing. “Our project aims to utilize students’ idle time for learning,” Mr. Woo further added. “We always encourage our students to think, but there are only few online resources to stimulate students to think, and often user experience is being ignored.” Mr. Woo stressed the importance of user experience. “The ‘8-second rule’ suggests that users can only tolerate 8 seconds to load a web page. Blackboard has a relatively fast loading time, which is essential to reduce the loading time of our module.”

The second phase is to develop the online assessment components for the GE course. Dr. Harris valued the timeliness of Blackboard assessment functions. “The online modules allow us to provide more personalized responses to potential student questions by allowing us to give feedback immediately based on the errors that students make on the online exercises. No longer is it necessary for the student to wait several weeks for the instructor to grade the papers and hand back the results. In addition, the feedback can be more substantive.” The built-in Blackboard utilities for online assessment are used as the backbone in this phase. Analysis of student performance on the assessment activities is very useful to the course team. “With Blackboard, we can easily retrieve the statistics. We know what questions are ‘easy’ or ‘difficult’ to students, and also have an idea on how much time they spent on the assessment.” Mr. Woo demonstrated how the analysis was useful for evaluating class performance.

Analysis of student performance in the online activities

The Future: Go Mobile
The project team is ambitious about developing innovative mobile applications in the next steps. Currently, some mobile application prototypes are being developed. Mr. Woo believes the popular use of mobile devices among students is a new opportunity: “Mobile learning plays an important role in our course. Mobile devices enable our students to have access to, and most importantly, to capture information anywhere and anytime. This enables our students to think and share freely online.”

Prototype of mobile assessment activities

Dr. Harris is eager to expand the project to further develop the modules to cover a wider array of topics in critical reasoning. “Our goal is to have a series of modules which instructors in a wide variety of GE courses, as well as other introductory courses in the department, can choose from and integrate into their courses to the extent that they may be beneficial. In addition, we are hoping to be able to develop apps for smartphones which will give students an even more interactive experience.”

This last issue of the e-Learning Championship Series ends with the story of Dr. Harris and Mr. Woo. Philosophers and IT experts are generally at the two extremes of the world. This exciting and energetic pair generates a new angle for teaching and learning in philosophy with contemporary technology. It represents the trend of IT-infusion across all disciplines.
BRIEF UPDATES
CityU Recognized in the 2013 CIO 100 Awards for Its 334 IT Implementation Project
Office of the CIO

IDG’s CIO magazine selected the City University of Hong Kong as a 2013 CIO 100 Award recipient. The 26th annual award program recognizes organizations around the world that exemplify the highest level of operational and strategic excellence in IT. Every year CIO magazine identifies and honors 100 organizations that have distinguished themselves by creating business value through the effective and innovative use of technology. A panel of distinguished IT professionals from diverse industries evaluated the nominations, looking for unique practices and substantial results. CIO editors then reviewed the judges’ recommendations and voted on the final 100.

CityU’s “334 IT Implementation” project was recognized as one of the top IT projects in 2013. The project spanned over 3 years to provide a suite of technology to enable the University to transform itself into a new 4-year Discovery-Enriched Curriculum (DEC), enabling a personalized student-centric learning experience with freedom in selecting own study paths, as well as exposure to modern teaching/learning pedagogies. The project involves revamping existing administrative systems to facilitate the management of these flexible student processes as well as creating a new technology-rich teaching/learning environment to enable a new model of anywhere, anytime, always-on teaching/learning. The project also includes various IT infrastructure upgrades to support these new capabilities.

Mr. Sunny Lee, Vice-President (Admin) (right), Dr. Andy Chun, Chief Information Officer (center), and Ms. W.K. Yu, Director of the Enterprise Solutions Office (left), sharing the 2013 CIO 100 Award with CityU colleagues.

“For 26 years now, the CIO 100 awards have honored the innovative use of technology to deliver genuine business value,” said Maryfran Johnson, Editor in Chief of CIO magazine and events. “Our 2013 winners are an outstanding example of the transformative power of IT to drive everything from revenue growth to competitive advantage.” Executives from the winning companies were recognized at a black-tie awards dinner at the CIO 100 Symposium & Awards Ceremony, held 13 Aug 2013 at The Broadmoor in Colorado Springs, Colorado.

Dr. Andy Chun, the Chief Information Officer of City University of Hong Kong, commented: “The 334 IT Implementation Project is one of the most ambitious IT projects for CityU, affecting all systems that touch student data and/or relates to teaching learning, as well as creating many new systems and capabilities. It is indeed a great honor for our work to be recognized by our international peers.” Dr. Chun also pointed out: “This project really represents the collective efforts of the entire CityU community – IT, academic, and administrative units – working together towards our common DEC vision.”
Project Details:
To accomplish the University’s new DEC vision, on the administrative side the University revised its admissions model and created a new first-year experience. Instead of being admitted into a particular degree/major, students are to be admitted to a college/school and then decide on a degree/major after the first-year experience, which has been redesigned to provide students with exposure to a broad range of cross-disciplinary subjects through our new general education program. We branded our general education program as our “Gateway Education” as it acts as a gateway to the students’ future. All gateway courses cover 21st century skills with a particular focus on discovery and innovation.

To enable this “business transformation” to work, the University relied on IT to manage and streamline these processes. For example, we created a new admissions system to cater to the new college/school admissions model. We also created a new interview scheduling system to support the University’s objective of interviewing all applicants. We created a new academic advisor and student mentor system, to assign an advisor and mentor to each freshman to guide them through the first-year experience. We also created a major/minor selection system to match student interest with major/minor departments. All the above systems were custom designed and built in-house. Furthermore, we had to revamp our existing student information system (SIS) to cater to the new flexible curriculum structure; new data codes and structures had to be created, as well as new access control mechanisms to allow cross-disciplinary studies. By leveraging existing IT investments and skill sets, the project saved the University HK$100 million in new SIS/ERP implementation cost.

The University also designed a new classroom scheduling model to ensure that classes are scheduled in such a way as to allow students to take advantage of courses offered by a broad range of disciplines. Scheduling is done through a unique combination of AI clustering and pattern-matching techniques. Students were clustered according to college and cohorts to minimize travel time and campus congestion. The class schedule was staggered to smooth out traffic volume, and class patterns were created to maximize student ability to take GE courses in different disciplines.

The University’s new personalized education model provides a lot of flexibility in study paths – a wide range of general education courses, different majors/minors, double degrees, joint degrees, exchange experience, and internship. To help academic advisors provide accurate advice on potential study plans, and to allow students to play with “what-if” scenarios, we created a new academic advising and degree audit system based on the DegreeWorks product. This system encodes all academic regulations as AI rules to ensure whatever plans students or faculty members come up with will be valid, satisfying all graduation requirements for the University, college/school, major/minor, general education and language. The same system is used for degree audit purposes to check if all requirements are met before a student can apply for graduation.

The above highlighted only some of the IT work to support the “administration” of the University’s new vision and DEC model of education. On the “pedagogy” side, the University also made numerous advances to provide an innovative and unique learning experience. Firstly, the University promotes an “always on” learning culture, where teaching, learning, and sharing can be performed anytime and anywhere. In 2011, the University launched its mobile-learning initiative through the deployment of mobile apps for our Blackboard learning management system. At the same time, the University has been promoting social learning using social media tools as well as collaboration through cloud-based platforms, such as Google Apps for Education and Microsoft Office 365 for Education. We also installed new echo360 lecture capturing facilities and video streaming servers to allow faculty members to adopt new blended learning and flipped classroom teaching methodologies.
BRIEF UPDATES
CityU CIO Receives a 2013 Outstanding Performance of IT Excellence Award
Office of the CIO

The 2013 Outstanding Performance of IT Excellence Award was organized by e-zone magazine, the Hong Kong Economic Times, and IT Times. The award recognizes individual achievements of IT leaders who have led outstanding performance within their organizations as well as contributed to the IT industry and Hong Kong society. Nominations were open to the public, and then assessed by a panel of industry peers. The assessment criteria included excellence in: strategic IT execution; contribution to business, IT industry and society; technology vision and IT leadership; and research and innovation.

The award ceremony was held on 8 Aug 2013 at the Hyatt Regency Hong Kong. In total, 5 persons received this year’s awards. Besides Dr. Andy Chun, Chief Information Officer (CIO) of CityU, the following IT leaders were also recognized: Mr. Andy Bien, CIO, Airport Authority Hong Kong; Mr. Rocky Cheng, Deputy GM of Information, Bank of China (HK) Ltd; Mr. Ted Suen, Head of IT, MTR Corp Ltd; and Mr. SC Leung, Chairman, Internet Society Hong Kong.

Dr. Andy Chun (right) receiving the 2013 Outstanding Performance of IT Excellence Award, from Hon. Charles Mok, Legislative Councilor (IT).

Dr. Andy Chun commented: “It is an honor to be recognized by my peers, and to be included into such an outstanding group of IT colleagues. Although the award recognizes individual achievements, it would not have been possible without the support from CityU’s management as well as the hard work and dedication of each and every one in the IT organization at CityU. I share this award with them.”
BRIEF UPDATES
Central IT Has Moved!
Office of the CIO

Over the summer, the main offices of Central IT – OCIO, CSC, and ESU – have all moved into the same location, the new AC3 building. CSC continues to operate its data centers in AC1, as well as its Service Counter and Teaching Studios in AC2. The new location at the center of the campus allows Central IT to conveniently work with other administrative units, academic departments and students.
FEATURE
Introducing the Staff Profile System
Donny Lai, Gary Fung & Edmund Mak

The Staff Profile System (SPS) is a system developed by the Enterprise Solutions Office (ESU) of Central IT, which was launched in early July 2013 and is available for all staff now. If you are looking for a self-manageable solution that can produce a single web page of your professional profile and can generate a dedicated link to the profile that can be attached to the departmental staff list or any social networks, SPS is the right system for you.

The system was designed to help academic staff, as well as professional staff, to organize, edit, preview, and publish their personal profiles, which can be publicly accessible through the staff list of the corresponding departmental website or via any social networks. The system is hosted in the AIMS and it includes a web-based Staff Profile Editor. All staff can easily access their profile contents through the Staff Profile Editor located under the Staff Services of the AIMS.

It takes only three simple steps to publish the personal profile. First, edit and organize your own profile by filling in the simple e-forms. Second, use the preview function to examine if the edited contents are correct. Finally, decide on a unique Publish ID to represent the dedicated link of your profile and then publish it. Any subsequent profile changes can be updated by the staff and are immediately available through the dedicated profile link without the need for any administrative support. Alternatively, each department may nominate one or two supporting staff to have the rights to update the personal profiles for their academic staff.

The web design of the profile page is in compliance with the University-Wide Web Style Guideline. The profile page is basically divided into one main column and one narrow column on the right side of the page. In the main column, users may edit and organize their academic background, professional background, brief biography, award and achievement, previous experience, research grant, patents, publications, external services, service in CityU, useful links, and four user-defined long item lists. In the narrow side column, users may upload a photo and manage their contact information, links to their social sites, research interests, and four optional user-defined short item lists. The available contents are rich enough to cover and express the characteristics of any professional profile.

Each profile will have a dedicated link named with a unique Publish ID which is decided by the user. The Publish ID can be the same as the CityU EID if it is simply alphanumeric and not being used by other users. Users may thus attach their dedicated profile links to their corresponding staff lists or any social networks, such as a personal blog, Facebook, LinkedIn, etc. The pattern of the profile link will look as follows: http://www6.cityu.edu.hk/stfprofile/YourPublishID.htm.

If you have not tried the service, please feel free to create your own profile page with the system now. After all, it is the first version. We are looking forward to your valuable feedback so as to help us to define the features of the future release.
DISCOVER & INNOVATE
Create Secure Email Attachments Using 7-Zip
Office of the CIO

Email is insecure. To keep sensitive information away from unintended eyes, send it as an encrypted attachment rather than as an ordinary attachment in regular email. This article demonstrates how to create an encrypted “.7z” archive.
Windows user
Download and Install 7-Zip
1. Go to http://www.7-zip.org/download.html and download the installer for your platform
Figure 1) 7-zip Official Website
2. When the download is completed, run the Installer and follow the instructions to install the application
Figure 2) Invoke the Installer
Figure 3) Accept the End User License Agreement
Figure 4) Select features and installation directory
Figure 5) Confirm to Install
Figure 6) Installing . . .
Figure 7) Installation completed
Creating a Secure Attachment
1. Right-click the document or directory to be encrypted, select “7-Zip” > “Add to archive…”
Figure 8) Select file to encrypt and compress
2. Enter the name of the “Archive”, and check to ensure that:
a. Archive format is “7z”
b. Encryption method is “AES-256”
c. Enter a password which is complex enough (See note #1 of “DOs and DON’Ts list for Managing Electronic Data/Information”)
Click “OK” to proceed
Figure 9) Check settings of archive
3. Proceed to create the archive
Figure 10) Encryption and compression in progress
4. Archive is created
Figure 11) Encrypted archive generated
5. Attach the encrypted archive to email, as usual

Decrypting and Decompressing
1. Copy the email attachment to a directory
2. Right-click the 7z archive, and select “7-Zip” > “Extract to <directory name>” (or other extract options)
Figure 12) Select file to decrypt and decompress
3. Enter the password when prompted, and click “OK” to decrypt and decompress
Figure 13) Prompt for password
4. The progress will be shown
Figure 14) Decryption and decompression in progress
5. When completed, a new directory containing the extracted files will be created
Figure 15) Directory and files created
Zip as alternative file format
Zip is not recommended, though it is widely adopted. However, if “Zip” is not avoidable, please refer to the figure below and select:
a. “zip” as Archive format, and
b. “AES-256” as Encryption method.
Figure 16) Settings for Zip
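To confirm that a Zip attachment was really created with the “AES-256” setting above, its central directory can be inspected without the password. The Python below is an added example, not part of the original article; it assumes the WinZip AES layout (compression method 99 plus a 0x9901 extra field) that 7-Zip writes for AES-encrypted Zip entries, and the sample archives are constructed, metadata-only byte strings.

```python
import struct

# Fixed-size ZIP records (little-endian), per the ZIP file format specification.
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central directory header, 46 bytes
EOCD = struct.Struct("<4sHHHHIIH")          # end of central directory, 22 bytes
AES_EXTRA_ID = 0x9901                       # WinZip AES extra-field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}         # strength byte -> key size in bits


def aes_key_bits(extra):
    """Return the AES key size declared in the 0x9901 extra record, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        # Body: version(2) vendor "AE"(2) strength(1) real compression method(2)
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            return AES_BITS.get(body[4])
        pos += 4 + size
    return None


def classify_entries(data):
    """Return [(name, verdict)] for each central directory entry of a ZIP."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0 or eocd_at + EOCD.size > len(data):
        raise ValueError("end-of-central-directory record not found")
    eocd = EOCD.unpack_from(data, eocd_at)
    total, pos = eocd[4], eocd[6]            # entry count, directory offset
    results = []
    for _ in range(total):
        if pos + CDH.size > len(data):
            raise ValueError("truncated central directory")
        fields = CDH.unpack_from(data, pos)
        if fields[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10:13]
        start = pos + CDH.size
        name = data[start:start + name_len].decode("utf-8", "replace")
        extra = data[start + name_len:start + name_len + extra_len]
        if name.endswith("/"):
            verdict = "directory"            # directory entries carry no data
        elif not flags & 0x0001:             # bit 0 clear: stored in the clear
            verdict = "unencrypted"
        elif method == 99:                   # 99 marks a WinZip AES entry
            bits = aes_key_bits(extra)
            verdict = f"AES-{bits}" if bits else "AES (unknown strength)"
        else:
            verdict = "legacy or non-AES encryption"
        results.append((name, verdict))
        pos = start + name_len + extra_len + comment_len
    return results


def meets_aes256_setting(data):
    """True only if the archive has files and every one is AES-256 encrypted."""
    files = [v for _, v in classify_entries(data) if v != "directory"]
    return bool(files) and all(v == "AES-256" for v in files)


# --- Constructed sample data: central directory + EOCD only, no file contents ---
def _entry(name, flags, method, extra=b""):
    raw = name.encode("utf-8")
    return CDH.pack(b"PK\x01\x02", 63, 51, flags, method, 0, 0, 0, 0, 0,
                    len(raw), len(extra), 0, 0, 0, 0, 0) + raw + extra


def _archive(*entries):
    cd = b"".join(entries)
    return cd + EOCD.pack(b"PK\x05\x06", 0, 0, len(entries), len(entries),
                          len(cd), 0, 0)


def _aes_extra(strength):
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)


SAMPLE_AES256 = _archive(_entry("docs/", 0, 0),
                         _entry("docs/report.docx", 0x0001, 99, _aes_extra(3)))
SAMPLE_LEGACY = _archive(_entry("report.docx", 0x0001, 8))
SAMPLE_MIXED = _archive(_entry("a.pdf", 0x0001, 99, _aes_extra(1)),
                        _entry("b.txt", 0, 8))

if __name__ == "__main__":
    for label, blob in [("AES-256", SAMPLE_AES256), ("legacy", SAMPLE_LEGACY),
                        ("mixed", SAMPLE_MIXED)]:
        print(label, classify_entries(blob), meets_aes256_setting(blob))
```

The entry names are returned without any password because this Zip scheme leaves the central directory readable; only the file contents are encrypted.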
Mac OSX User
Download and Install Keka
1. Keka is a free Mac OS X file archiver. Go to http://www.kekaosx.com/en/ and download the installer for your version of OS X
Figure 17) Keka Official Website
Figure 18) Download the application package
2. Open the package, optionally install the application
Figure 19) Install Keka
Creating a Secure Attachment
1. Set file type to “7z” and enter a complex password (See note #1 of “DOs and DON’Ts list for Managing Electronic Data/Information”). Do NOT use “Zip”, as Keka is not able to generate highly secure Zip files
Figure 20) Select “7z” and enter a complex password
2. Drop the file or directory to be compressed and encrypted to the Keka window
Figure 21) Drag and Drop to encrypt and compress
3. Encryption and compression will start automatically
Figure 22) Encryption and compression in progress
4. When completed, a new archive will be created
Figure 23) Encrypted archive generated
5. Attach the encrypted archive to email, as usual
Decrypting and Decompressing
1. Copy the email attachment to a directory
2. Start Keka
Figure 24) Keka startup screen
3. Drag and Drop the 7z archive to Keka
Figure 25) Drag and drop to decrypt and decompress
4. Enter password when prompted
Figure 26) Prompt for password
5. When done, the file or directory will be extracted
Figure 27) File extracted
Final remarks
Email, like any other technology, is a double-edged sword, so please be reminded to use it with care. If you want to discuss these topics further, please don’t hesitate to leave us a message at infosec@cityu.edu.hk.
IT Security Awareness Series by JUCC
With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which are adopted and published here for your reference.
Security Incident Management

I. Background

Industry Story
Poor Incident Response Process That Failed to Protect Vital Data
In February 2011, HBGary, a technology security company, found that its Gmail cloud e-mail service had been compromised by an anonymous group. An interview with HBGary CEO Greg Hoglund reveals that the anonymous group gained access to HBGary’s Google-hosted e-mail service through a stolen password. Hoglund became aware that the service was compromised, but was unable to prove his own identity to Google’s help desk quickly enough to have the service shut down before the anonymous group had downloaded HBGary’s e-mail records.
This security incident was a successful attack against HBGary, not against Google’s cloud-based e-mail. Google’s standard mechanism for authenticating a customer making service requests involves asking the customer to place a file on its own website. This works well in normal circumstances but failed when HBGary needed to immediately turn off access to its Google services after having already been forced to shut down its own website. No alternate or emergency response mechanisms had been defined in advance. HBGary’s management should have realised that attacks were likely and should have tested its incident-response processes.

Security Incident Management Overview
Universities now rely on sophisticated information systems and infrastructures with high connectivity for daily operations and academic research purposes. The complex nature of these systems can be easily exploited by malicious parties, which makes security incidents inevitable.
Effective security incident management is a balance between driving the impact of incidents down and containing and resolving them as efficiently as possible. Good security incident management will also help universities to prevent future incidents.
II. Management

Security Incident Response, Reporting and Escalation
Management should design an effective and efficient mechanism for detecting security incidents by utilising human resources (e.g. information security professionals, trained users, universities’ IT security staff) and various technical controls (e.g. intrusion detection software and data leakage prevention tools). In particular, the following areas should be focused on:
• Defined personnel or team (e.g. IT Service Desk) as the single contact point for handling any reported security incidents;
• Detailed procedures for identifying and reporting failures, weaknesses, and suspected activities that may indicate the existence of security incidents;
• Regular mechanism to recognise and detect flaws or vulnerabilities in universities’ security measures, including IT internal controls, operational procedures and security tools; and
• Defined criteria for escalating security incidents to the appropriate level of management.
Online real-time incident reporting and logging systems are highly recommended to facilitate immediate incident response and investigation. Manual incident logs should be used when the incident reporting and logging systems are out of service during total system failures. Management should also consider incorporating automated security incident detection functionality when developing or implementing new information systems.

Impact Assessment
To maximise processing efficiency and minimise the incremental resources universities invest in dealing with security incidents, an assessment should be carried out for each incident to determine its scope and effect on the university. Key factors to be considered for the impact assessment include:
• Does the security incident affect a single or multiple information systems?
• Will the university suffer from reputation damage, financial loss, service interruption or litigation?
• Is any inconvenience / distress / loss caused to relevant parties?
Management should establish clear instructions for assigning severities to security incidents based on the impact assessment results, which is crucial in determining the next step for universities in handling the incidents.

Security Incident Monitoring
Due to the various characteristics of security incidents, it may take minutes, hours, days or even weeks to resolve them. Therefore, the status and handling stage of each incident should be closely monitored by universities and tracked throughout the whole process until the incident is closed. Management should mobilise appropriate resources to eliminate any delay noticed in processing the security incidents and to avoid possible escalation in incident impact levels.

Evidence Collection and Preservation
When security incidents are likely to result in legal proceedings, it is important to clearly document how all evidence, including the compromised systems, has been identified and preserved. Evidence should be collected and preserved according to procedures that meet all applicable laws and regulations so that it is admissible in court. Whenever necessary, management should seek advice or instructions from legal staff, computer forensic professionals or law enforcement agencies.

Security Incident Resolution and Closure
Successful resolution of security incidents requires personnel with adequate knowledge and skills. Necessary tools and financial resources should also be made available to the personnel responsible for the incident resolution. Management must provide relevant training courses to universities’ IT security staff or engaged information security professionals if required. Incident reporters and any other affected parties should examine the resolutions to ensure that the security impacts are gone. On the other hand, management should conduct root cause analysis to prevent recurrence of similar incidents in the future.

Post Security Incident Review
After a security incident is closed, it is critical for management to review the security protections and the security incident management process, and to consider whether the process can be improved. This is especially valid for new types of incidents, particularly those having severe or costly impact on universities. The following aspects can be considered during the post security incident review:
• Gaps or difficulties encountered during the incident handling process, in terms of resources, information, internal controls and staff skills
• Damage caused by the incident, including monetary cost and reputation loss
• Experiences learnt that can improve the effectiveness and efficiency of the incident handling process
Based on the post security incident review outcome, management should be able to identify:
• Any vulnerabilities in existing security measures
• Any missing security incident management procedures, unclear communications, or stakeholders that were not appropriately considered
• Any undertrained IT security staff or lack of appropriate tools
• Any update to the impact assessment scheme
The ultimate objective of the review is to determine the improvements that lead to prevention of future incidents and reinforcement of existing information security controls.
III. General Users

Roles and Responsibilities of the General User
As the first line of defence, security-conscious users will often be best placed to identify a potential security breach or a weak link. University staff and students should attend security awareness training, workshops or online courses and familiarise themselves with the following:
• Identification of security incidents: understand what constitutes a security incident and potential security threats. Also, be able to determine the existence of security incidents and internal control weaknesses
• Reporting procedures of security incidents: understand the procedures to report security incidents and the specific individual responsible
• Preserving evidence: understand the importance of maintaining evidence related to security incidents and the proper ways to retain the information for subsequent investigation and resolution
Furthermore, staff and students are responsible for:
• Reporting all (suspicious) security incidents to the responsible party (e.g. IT Service Desk)
• Responding in a timely fashion to requests for additional information from universities’ IT security staff, engaged information security professionals or other incident handling parties
• Assisting in the resolution of security incidents in a timely fashion
• Examining resolutions and confirming that security incidents have been resolved
Conclusion
An effective security incident management process is not an isolated component, but rather consists of a number of operational and technical elements. These elements provide the necessary functions to support efficient handling of security incidents and continuous improvement on universities’ information security environment.
Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (JUCC). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong
FEATURE
Use Cases of Security Information and Event Management (SIEM)
Alex Lam

1. Backgrounds
Since the deployment of the SIEM solution in 2011, the Central IT of CityU has made use of the Security Information and Event Management (SIEM) system to collect the raw logs and events from different categories of devices that constitute the central IT services. With the integration of user-defined rules and the intelligence of log aggregation, normalization and correlation, the SIEM system provides many automatic security alerting and reporting functions that cannot be achieved manually through the use of any individual device alone.
Through the presentation of several use cases, this article will show how the SIEM system treats the collected raw logs as the building blocks to create use cases that achieve these security related functions. In addition, we will also present some use cases with creative ideas to integrate the SIEM system with the IT service monitoring system and helpdesk system. With these innovative enhancements, we can maximize the benefits and total values provided by different components of our central IT governance system.
You can refer to our previous articles “Overview of Security Information and Event Management (SIEM) Part 1 and 2” if you want to know or recall some background knowledge of SIEM. Details of these documents are listed as follows:
• http://issuu.com/cityuhkocio/docs/newsletter_issue_9
• http://issuu.com/cityuhkocio/docs/newsletter_issue_10

2. Objectives of the SIEM deployment
The objectives of the deployment of the central SIEM system are described as follows:
a. Provide centralized log collection and consolidation
• The SIEM system provides a central storage pool of the raw logs and events collected from different categories of IT devices, such as firewall, IPS, network routers and switches, Windows and Unix servers, etc.
• A software component called ‘Connector’, which understands a specific log format, will categorize, normalize and store the log in a central pool. By using different types of connector, various categories of raw logs and events can be parsed, normalized and stored in the central pool.
b. Support realtime security and service status monitoring
• Based on the centralized pool of logs and events collected from a broad coverage of event sources, the SIEM system can make a better event correlation and generate alerts in the early stage of a security incident. This will prevent further attack and reduce the scope of the damage.
• The automatic alerting and reporting mechanism will also streamline the workflow of the security incident handling procedure.
c. Support the security and threat management system
• After detecting and reporting security events, the SIEM system will automatically feed the details of the event to the security and threat management system. This automated process improves the efficiency and effectiveness of the existing security and threat management system.
d. Assist security compliance monitoring with better visibility
• By storing and presenting the service and security status in a structured way according to the controls of industrial standards, the SIEM system can provide support, evidence and measurement of the service against industrial security and service management standards.
• With the security events and service status being monitored, the SIEM system can determine the up-to-minute security and service status of the monitored services. The service status can then be made visible to the operation and management staff.
Figure 1. Objectives of SIEM Deployment
3. Use Cases of the SIEM deployment
Several use cases that are being implemented to support the functions of the SIEM deployment are presented in this section.
a. Provide centralized log collection and consolidation
b. Support real-time security and service status monitoring
c. Support the security and threat management system
d. Assist security compliance monitoring
4. Outcomes of the SIEM Deployment
After the deployment of the SIEM system, the benefits to the Central IT are listed and discussed in this section.
a. Provide a unified pool of raw logs and events of central IT services
• A central log repository for further Log Correlation and Security Analysis
• A software component called ‘Connector’ that understands different log formats will categorize, normalize and store the log in a central pool.
Figure 2. Collection and Storage of raw log via different Connectors
b. Improve the IT and Security operational effectiveness and efficiency
• Generate pin-pointed alerts, out of millions of events, that require further actions
• SIEM has been migrated into the daily operation of network and security management
• It has become a standard workflow that implements our Network Policy
• The Firewall alert handling procedure shown below explains how the SIEM can streamline the workflow of a security incident detected from the firewall log
Figure 3. Streamline of the workflow of security incident handling
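The connector and correlation steps described in 4a and 4b, sketched as an added example (not CityU's SIEM configuration or any vendor's rule syntax): two hypothetical connectors normalise constructed firewall and sshd log lines into one schema, and an assumed rule alerts when a single source IP shows both repeated firewall denies and repeated login failures within five minutes. The log formats, field names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in simplified formats (not real logs from any site).
FIREWALL_LOG = [
    "2013-10-01T09:00:01 fw01 DENY TCP 203.0.113.7:51512 -> 192.0.2.10:23",
    "2013-10-01T09:00:02 fw01 DENY TCP 203.0.113.7:51513 -> 192.0.2.10:3389",
    "2013-10-01T09:00:03 fw01 DENY TCP 203.0.113.7:51514 -> 192.0.2.10:445",
    "2013-10-01T09:00:05 fw01 ALLOW TCP 203.0.113.7:51515 -> 192.0.2.10:22",
    "2013-10-01T09:01:00 fw01 DENY TCP 198.51.100.4:40000 -> 192.0.2.10:23",
    "%%% truncated record",  # unparseable on purpose
]
AUTH_LOG = [
    "Oct  1 09:00:10 srv01 sshd[811]: Failed password for root from 203.0.113.7 port 51600 ssh2",
    "Oct  1 09:00:12 srv01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51601 ssh2",
    "Oct  1 09:00:15 srv01 sshd[811]: Failed password for root from 203.0.113.7 port 51602 ssh2",
    "Oct  1 09:20:00 srv01 sshd[902]: Failed password for alice from 198.51.100.4 port 40100 ssh2",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) \w+ "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:\d+$")
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<dev>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (?P<src>[\d.]+) port \d+")


def firewall_connector(line):
    """Normalise one firewall line; return None if the format is not recognised."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "device": m["dev"],
            "category": "network." + m["action"].lower(), "src_ip": m["src"]}


def sshd_connector(line, year=2013):
    """Normalise one sshd syslog line; syslog omits the year, so it is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the padded day ("Oct  1")
    return {"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
            "device": m["dev"], "src_ip": m["src"],
            "category": "auth.failure" if m["result"] == "Failed" else "auth.success"}


def collect(sources):
    """Run each (connector, lines) pair; return time-sorted events and rejected lines."""
    events, rejected = [], []
    for connector, lines in sources:
        for line in lines:
            event = connector(line)
            if event is None:
                rejected.append(line)  # keep for review instead of dropping silently
            else:
                events.append(event)
    events.sort(key=lambda e: e["time"])
    return events, rejected


def correlate(events, window=timedelta(minutes=5), min_denies=3, min_failures=3):
    """Alert once per source IP that shows denies AND auth failures inside the window."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in events:
        q = recent[ev["src_ip"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        denies = sum(e["category"] == "network.deny" for e in q)
        failures = sum(e["category"] == "auth.failure" for e in q)
        if denies >= min_denies and failures >= min_failures and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"src_ip": ev["src_ip"], "time": ev["time"],
                           "denies": denies, "failures": failures,
                           "devices": sorted({e["device"] for e in q})})
    return alerts


def run_demo():
    events, rejected = collect([(firewall_connector, FIREWALL_LOG),
                                (sshd_connector, AUTH_LOG)])
    return correlate(events), rejected


if __name__ == "__main__":
    for alert in run_demo()[0]:
        print(alert)
```

Neither log source reaches the rule's condition by itself; the alert exists only because both were normalised into the same pool.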
c. Promote and facilitate smooth integration of IT and Security standards
• The event logs that are collected by the SIEM system preserve the evidence for achieving industrial security standards, e.g. ISO-27001:2005
• By logging the service security and event status in a structured way, the SIEM system can assist the measurement of the service operation against industrial security and service management standards.
• The following diagram shows how the SIEM can promote and facilitate smooth integration of existing IT operations with the industrial security standards.
Figure 4. Promote and facilitate the smooth integration of IT security standards
d. Enhance service and security status visibility by integrating SIEM with IT service management system
• The overall status of a composite service can be evaluated by feeding its sub-services’ status to SIEM. Based on the service rules and the correlation engine, the SIEM will evaluate the overall service status.
• The up-to-date overall security and IT service status can be displayed in the Dashboard, thereby increasing the visibility of the IT service and security status
Figure 5. Enhance the visibility of security and service status
Figure 6. Evaluate service status using different service dimensions
5. Conclusion
In this article, we have briefly described several real life use cases of the SIEM system deployed in Central IT of CityU. We have collected various categories of raw logs and events using different types of connector. After going through the log aggregation, categorization and normalization process, the logs are stored in a central repository for further event processing.
Our initial goal of the SIEM deployment was very simple. We wanted to provide a central log repository that can be used to automatically identify security incidents and streamline the workflow of incident handling. However, during the course of our deployment, we have gained a better understanding of the flexibility of the SIEM system. With some innovative ideas in mind, we are now extending our SIEM system and trying to build some use cases that integrate our SIEM system with the IT service monitoring system, helpdesk system and security compliance monitoring system. Ultimately, the goal of the SIEM deployment is extended to maximize the total benefits and values generated from the SIEM system and other cooperating IT governance systems.
BRIEF UPDATES
LMS Evaluation 2013-2014 Crusher Wong
City University of Hong Kong (CityU) has a relatively long history of e-learning. With the adoption of WebCT in 1998, we went through a period of organic development until the deployment of Blackboard (Bb) as the unified Learning Management System (LMS) in 2005. Through the 8 years of planned development, Blackboard Learn has been established as a mission critical component of the e-learning ecosystem at CityU, accommodating 40,000 logins via web browsers and an additional 8,000 logins from mobile apps on a school day. Blackboard Inc. licenses the use of Blackboard Learn to CityU through an annual subscription model with a 5-year contract which will expire on 30 June 2014. While the Bb contract renewal is being negotiated, the possibility of discovering a next generation LMS to better support CityU’s DEC strategy is being re-examined by performing an LMS Evaluation. Of course, the result may confirm that Bb remains the most suitable LMS available in the market for CityU, as happened in the 2010 evaluation.
Intended Outcomes of LMS Evaluation
The LMS Evaluation Project will produce the following intended outcomes:
1. Identify strengths and weaknesses of each candidate LMS in meeting CityU’s DEC needs in terms of teaching, learning, networking, collaboration and quality assurance:
a. built-in features for teaching and learning
b. integration with third party web services such as Turnitin and Echo360
c. mobile support
d. integration with CityU student information system (Ellucian, formerly known as Banner by SunGard Higher Education)
e. support for social networking and social learning
f. flexible e-portfolio support
g. support for tracking and mapping between course, programme, department (or faculty) and university outcomes
2. Examine the sustainability, flexibility, reliability, security and cost of each candidate LMS
3. Recommend an LMS for the next five to ten years based on above findings
4. Design procedures to implement the recommended LMS if a new LMS is selected
Figure 1
Candidates for Evaluation
Currently, three candidates were identified as CityU’s potential future LMS – Blackboard Learn (current), Canvas, and Moodle. Background information of each LMS is listed in Figure 1 and their market share is illustrated in Figure 2 produced by Delta Initiative [1].
Project Timeframe
The project began in May 2013 with comparison of features, services model and cost. Departmental e-Learning Coordinators met in June to officially kick off the evaluation. We are now at the pilot stage in semester A 2013/14 to generate practical knowledge and gather user opinions. The timeline is depicted in Figure 3.
Figure 2
Figure 3

LMS Pilot
Over the summer, Instructure Inc. and various Moodle Partners were contacted to prepare for the pilot. Moodlerooms Inc., the largest Moodle Partner from the US, was invited to facilitate the Moodle pilot since their customized Moodle platform Joule had been serving over a quarter of Moodle institutions worldwide (see Fig. 2). Although Moodlerooms Inc. was acquired by Blackboard Inc. in March 2012, they operate independently and acted proactively to offer CityU the pilot. A total of 16 colleagues are piloting Canvas and/or Moodlerooms Joule 2 with over 800 students registered in 9 different courses currently (semester A 2013/14 as indicated in #3 of Project Timeframe). No major issue has been encountered so far. Pilot users’ experience and feedback will be collected via online survey and interviews in November 2013.
For the majority at CityU not involved in the pilot, vendors’ demonstrations in October 2013 will be the opportunity to see individual LMS products and learn about their vision of the future of e-learning. Please keep track of the CityU Announcement Portal (CAP) and the e-Learning website at http://go.cityu.hk/elearn for details of the LMS Evaluation Presentation Series. In addition to collecting feedback from pilot users, all staff and students are welcome to express their views anonymously at http://go.cityu.hk/wvotnd. Opinions will be consolidated into a recommendation document to assist decision making by the upper management in February 2014.
[1] BERGEN, P. F. (2013). The State of the Learning Management System at The University of Chicago and Beyond [Newsletter]. https://itservices.uchicago.edu/connect/article/state-learning-management-system-university-chicago-and-beyond
STATISTICS AT A GLANCE
Staff and Student IT Courses
GLOSSARY CORNER
IT Concepts from Wikipedia Andy Chun (ed.)
Massive Open Online Course (MOOC) is an online course aimed at large-scale interactive participation and open access via the web. In addition to traditional course materials such as videos, readings, and problem sets, MOOCs provide interactive user forums that help build a community for the students, professors, and teaching assistants. MOOCs are a recent development in distance education. Although early MOOCs often emphasized open access features, such as open licensing of content, open structure and learning goals, and connectivism, to promote the reuse and remixing of resources, some notable newer MOOCs use closed licenses for their course materials, while maintaining free access for students. In the fall of 2011 Stanford University launched three courses, each of which had an enrollment of about 100,000. “The New York Times dubbed 2012 ‘The Year of the MOOC,’ and it has since become one of the hottest topics in education. Time magazine said that free MOOCs open the door to the ‘Ivy League for the Masses.’” This has been primarily due to the emergence of several well-financed providers, associated with top universities, including Udacity, Coursera, and edX. In Sept 2013, edX announced a partnership with Google to jointly develop the edX open source learning platform, Open edX, and expand the availability of the platform and its learning tools to individuals and institutions. The new site for online learning, MOOC.org, will provide a platform for colleges, universities, businesses and individuals to produce online and blended courses. MOOC.org will be built on Google infrastructure.
This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/Share-Alike License.
Editorial Box
OCIO Newsletter Advisory Board: Dr. Andy Chun (OCIO), Ms. Annie Ip (OCIO), Mrs. W K Yu (ESU), Mr. Raymond Poon (CSC), Mr. Peter Mok (CSC), Ms. Maria Chin (CSC)
Publishing Team: Ms. Noel Laam (CSC), Ms. Annie Yu (CSC), Ms. Joyce Lam (CSC), Mr. Ng Kar Leong (CSC), Ms. Kitty Wong (ESU), Ms. Doris Au (OCIO)
For Enquiry: Phone 3442 6284, Fax 3442 0366, Email csc@cityu.edu.hk
OCIO Newsletter Online: http://issuu.com/cityuhkocio