OCIO NEWSLETTER Issue 8 • July 2012
SPOTLIGHT
Introduction to IPv6@CityU
C Y Kwok

IPv4 Address Exhaustion

The current version of IP widely deployed on the Internet is IPv4 (IP version 4), which uses 32-bit addresses. The maximum number of available IP addresses is around 4.3 billion, which is much fewer than the population on earth. When the Internet became commercialized in 1995, only 25% of the IP address space was consumed. In 2000, 50% of the IP address space remained, due to dramatic growth of the Internet. Despite various techniques such as CIDR (Classless Inter-domain Routing), NAT (Network Address Translation), etc. deployed to slow down the depletion of the IP address space, its exhaustion is dated. In January 2011, IANA (Internet Assigned Numbers Authority), the organization which manages IP address space globally, assigned its last IP address blocks to the RIRs (Regional Internet Registries). APNIC (Asia Pacific Network Information Centre) ran out of IPv4 addresses in April 2011. Other RIRs will also run out of their address spaces by 2013.
History of IPv6

The IETF (Internet Engineering Task Force) started to design and develop the next generation of the IP protocol in 1994; it was originally named IPng (IP next generation) and later renamed IPv6 (IP version 6). The first set of standards specifying IPv6 was released in 1995. In the following year an IPv6 testbed, 6Bone, was set up for testing the IPv6 standards and implementations, as well as the transition and operational procedures. 6Bone was retired in 2006, when the Global Unicast prefix 2000::/3 had been made available for general IPv6 address assignment.

For years the IPv6 advocates, including the Internet Society, the RIRs, research and education organizations, and even a few governments, have been trying hard to persuade the Internet communities to deploy IPv6. However, the response has been lukewarm. Many organizations simply do not see any urgent need or incentive to do so. Since many access network providers are reluctant to upgrade their network infrastructure (routers, firewalls, etc.) for IPv6 support, their customers are left unable to connect to the global IPv6 Internet. With the exhaustion of global IPv4 addresses approaching, the situation has improved. More and more access providers are now willing to deploy IPv6 on their network infrastructure and provide IPv6 connectivity to their customers. Positive signs (rise in global IPv6 traffic and increase in number of IPv6 sites) have been observed after the World IPv6 Day and the World IPv6 Launch Day, which were held on 8 June 2011 and 6 June 2012 respectively.

Figure 1
IPv6 Address Format

IPv6 uses 128-bit addresses. An IPv6 address is represented as 8 groups of 16 bits each, separated by the “:” character. Each 16-bit group is written as a hexadecimal number.

A typical IPv6 address is shown as follows:

2001:0ce0:5:0100:0144:0214:0032:0004/64

The notation “/64” at the end is optional; it indicates that the subnetwork prefix is the first 64 bits starting from the left. The leading zeros in each 16-bit group can be removed, so the same IPv6 address can be rewritten as

2001:ce0:5:100:144:214:32:4/64
Figure 2
The notation “::” can be used to represent contiguous groups of zeros, but it can be used once and only once in an IPv6 address. For example,

2001:ce0:5:100:0:0:0:0 can be rewritten as 2001:ce0:5:100::
2001:ce0:5:100:0:0:0:1 can be rewritten as 2001:ce0:5:100::1
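Because of these rules one address has many valid spellings, so access lists and log searches should compare parsed values rather than strings. The Python sketch below is an added example, not part of the original article: its function names are hypothetical, the access-list use is an assumed scenario, and the choice of which zero run “::” replaces (the longest run of two or more groups, leftmost on a tie) follows RFC 5952, which goes beyond what the article states.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse(text):
    """Parse 'addr' or 'addr/len' into (eight 16-bit groups, prefix length or None)."""
    addr, slash, plen = text.partition("/")
    prefix_len = None
    if slash:
        if not plen.isdigit() or int(plen) > 128:
            raise ValueError("bad prefix length in %r" % text)
        prefix_len = int(plen)
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("too many groups around '::': %r" % addr)
        fields = left + ["0"] * missing + right
    else:
        fields = addr.split(":")
        if len(fields) != 8:
            raise ValueError("expected 8 groups: %r" % addr)
    for field in fields:
        if not 1 <= len(field) <= 4 or not set(field) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (field, addr))
    return [int(field, 16) for field in fields], prefix_len


def expand(groups):
    """Full form: eight groups of exactly four hex digits."""
    return ":".join("%04x" % g for g in groups)


def compress(groups):
    """Short form: leading zeros dropped, longest zero run (2+ groups) as '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:          # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    fields = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(fields)
    return ":".join(fields[:best_start]) + "::" + ":".join(fields[best_start + best_len:])


def in_prefix(addr_text, prefix_text):
    """True if the address lies inside 'prefix/len', whatever spelling either uses."""
    groups, _ = parse(addr_text)
    net, plen = parse(prefix_text)
    if plen is None:
        raise ValueError("prefix length required: %r" % prefix_text)
    as_int = lambda gs: int("".join("%04x" % g for g in gs), 16)
    shift = 128 - plen
    return as_int(groups) >> shift == as_int(net) >> shift


def stdlib_agrees(addr_text):
    """Cross-check compress() against Python's ipaddress module."""
    return compress(parse(addr_text)[0]) == ipaddress.IPv6Address(addr_text).compressed


if __name__ == "__main__":
    # Addresses taken from the article; the ACL use case is an assumed scenario.
    for spelling in ("2001:0ce0:5:0100:0144:0214:0032:0004/64",
                     "2001:ce0:5:100:0:0:0:0", "2001:ce0:5:100:0:0:0:1"):
        groups, plen = parse(spelling)
        print(spelling, "->", compress(groups), "| full:", expand(groups), "| /", plen)
    print(in_prefix("2001:0CE0:5:100::1", "2001:ce0:5:100::/64"))   # True
    try:
        parse("2001:ce0::5::1")
    except ValueError as err:
        print("rejected:", err)
```

In production code Python's own `ipaddress` module does the same normalisation; the hand-written parser is shown only to make the notation rules explicit.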
IPv6 Features

IPv6 is not that different from IPv4. For the protocol layers, Layer 2 and Layer 4 through Layer 7 remain unchanged. Most changes occur in Layer 3, such as

- Larger address space (128-bit compared to 32-bit)
- Multiple IPv6 addresses per interface on a host
- Fixed length IPv6 header
- ARP is replaced with ND (Neighbor Discovery) protocol
- Stateless address autoconfiguration (SLAAC)
IPv6 has been designed to be more secure than IPv4, but the following security issues have been observed:

- IPSEC support is mandatory for IPv6, but it becomes an option in practice
- SeND (Secure Neighbor Discovery) is not supported by some end systems, and implementation of a PKI (Public-key Infrastructure) for all the end systems and routers is practically difficult if not impossible
- Neighbor Discoveries and Router Solicitations are subject to Man-in-the-Middle attacks without SeND
- Unlimited size header chain can make filtering difficult
- Potential Denial of Service with poor IPv6 stack implementation on end systems and networking devices
- Same security issues as IPv4 in Layer 4 and above protocol layers
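The header-chain item above can be made concrete from the filter's side: the fixed header's Next Header byte may name an extension header rather than TCP or UDP, so a filter has to walk the chain, bound the walk, and decide what to do when it cannot find the upper layer. The Python sketch below is an added example, not part of the original article; the packets are constructed in the code, and the function names, the limit of 8 extension headers and the fail-closed policy are assumptions.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS)
TCP = 6
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a protocol constant


def naive_protocol(packet):
    """What a filter sees if it reads only the fixed header's Next Header byte."""
    return packet[6]


def classify(packet, max_ext=MAX_EXT_HEADERS):
    """Walk the extension headers; return (verdict, protocol, offset).

    protocol and offset are set only for verdict "ok", i.e. when the
    upper-layer header was actually located inside this packet.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("malformed", None, None)
    nxt, off, walked = packet[6], 40, 0
    while nxt in EXTENSION_HEADERS:
        if walked == max_ext:
            return ("chain-too-long", None, None)
        if off + 8 > len(packet):
            return ("truncated", None, None)
        if nxt == FRAGMENT:
            size = 8
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return ("non-first-fragment", None, None)
        elif nxt == AUTH:
            size = (packet[off + 1] + 2) * 4      # AH length is in 4-octet units
        else:
            size = (packet[off + 1] + 1) * 8      # 8-octet units, first 8 not counted
        if off + size > len(packet):
            return ("truncated", None, None)
        nxt, off, walked = packet[off], off + size, walked + 1
    return ("ok", nxt, off)


def allow(packet, blocked_tcp_port):
    """Stateless port filter that fails closed when the upper layer is not found."""
    verdict, proto, off = classify(packet)
    if verdict != "ok":
        return False
    if proto != TCP:
        return True
    if off + 4 > len(packet):
        return False
    return struct.unpack_from("!H", packet, off + 2)[0] != blocked_tcp_port


# ---- constructed sample packets (2001:db8::/32 is the documentation prefix) ----
def ipv6_packet(next_header, payload):
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return fixed + src + dst + payload


def dest_opts(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # 8 bytes, PadN padding only


def fragment_header(next_header, offset_units):
    return bytes([next_header, 0]) + struct.pack("!HI", offset_units << 3, 1)


def tcp_stub(dst_port):
    return struct.pack("!HH", 40000, dst_port) + bytes(16)


def samples():
    tcp = tcp_stub(23)
    return {
        "plain": ipv6_packet(TCP, tcp),
        "one_ext": ipv6_packet(DEST_OPTS, dest_opts(TCP) + tcp),
        "long_chain": ipv6_packet(DEST_OPTS, dest_opts(DEST_OPTS) * 19 + dest_opts(TCP) + tcp),
        "later_fragment": ipv6_packet(FRAGMENT, fragment_header(TCP, 185) + bytes(32)),
    }


if __name__ == "__main__":
    for name, pkt in samples().items():
        print(name, "naive:", naive_protocol(pkt), "walked:", classify(pkt),
              "allow(port 23 blocked):", allow(pkt, 23))
```

Only the common extension headers are recognised here; anything else, including ESP, is reported as the upper-layer protocol.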
IPv6 Deployment at CityU

CityU is an early player in IPv6. The first IPv6 link was set up in 2001 connecting to 6Bone via the IPv6 gateway of Cisco, as shown in figure 1. The connection was a static IPv6-over-IPv4 tunnel operating over the IPv4 Internet. It was mainly used for testing IPv6 routing, as well as DNS, Web and FTP connections, etc. Around 1,000 sites over 50 countries were connected to 6Bone in mid 2003.

In 2003, another IPv6 link was set up connecting to Internet2 at Abilene via HARNET (Hong Kong Academic and Research Network), as shown in figure 2. 6Bone was phased out in 2006; thereafter CityU relied solely on HARNET for its IPv6 connectivity. Around 700 IPv6 prefixes were received at that time. The IPv6 sites reachable were almost purely research and education organizations.

Little progress had been made in expanding the HARNET IPv6 connectivity between 2003 and 2007. From 2007 onwards, HARNET expanded its IPv6 connectivity steadily by peering with major IPv6 players:

- April 2005: CERNET2 (China Education and Research Network 2)
- April 2007: HKIX (Hong Kong Internet Exchange) and TANET (Taiwan Academic Network)
- Jan 2008: TEIN2 (Trans-Eurasia Information Network) via HKU
- Aug 2008: ASGCnet (Academia Sinica Grid Computing Centre Network, Taiwan) at HKIX
- Sep 2008: KREONET (Korea Research Environment Open Network) at HKIX
- Oct 2008: TEIN3 (Trans-Eurasia Information Network), replacing Internet2
- Jan 2010: Google at HKIX
- Oct 2010: Hurricane Electric at HKIX
- Apr 2012: Wharf T&T
Over 3,200 IPv6 prefixes were received by HARNET from its IPv6 peers at the end of 2010. As of 12 June 2012, the number of prefixes received by HARNET has increased to 9,435, which indicates there has been a significant growth in the IPv6 Internet during the period.

In CityU, dual-stack (IPv4 and IPv6) support has been enabled from the edge routers to the core switches since 2009. Native IPv6 network connections are provided to those departments which require them for testing and research activities. A central ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) server on the network enables departments without native IPv6 network connections to access external IPv6 servers if so desired.

Security is one of the main reasons that native IPv6 network connections are not provided to all the departments. Another main reason is to avoid a large-scale address renumbering exercise in the future when CityU will be connected to multiple service providers for IPv6 connectivity. At the moment IPv6 multihoming is only feasible using PI (provider-independent) addresses. CityU owns a PA (provider-aggregation) address space (2001:ce0:5::/48), which is a subset of that of HARNET. The /32 (2001:ce0::/32) address of HARNET is provider-independent. Although around 40 solutions have been proposed for multihoming using PA addresses, a decision has not been made on which one will be selected as the final standard.

Hopefully, with the steady growth of the IPv6 Internet, the various issues such as security, multihoming, etc. can be resolved more rapidly.
FEATURE
Enabling Diversified Pedagogies with New Features of Echo360
Crusher Wong

Echo360 lecture capture service is scheduled to expand from 8 rooms to 12 rooms (see Table 1) over the summer 2012 with funding from the Provost. Additional rooms will be equipped with the latest version of Capture Appliances which support full HD video, higher resolution computer graphics and live webcast. When viewers can attend classes remotely with high resolution visual contents, a lecture will no longer be bounded by the number of seats within the venue. Of course, lecture captures are still available for post-class revision as in the original Echo360 adoption.

In addition to class capturing, the Personal Capture feature will be available to all CityU members starting from the 2012/13 academic year. With a PC or notebook computer, colleagues can produce short video lectures to implement flipped classroom (or flip teaching) initiatives where students come to class for learning activities after conducting self-study by watching a short lecture video clip. Since problem solving exercises and assessment tasks are embedded in class time, instructors may minimize the amount of homework assignments. Hence, student engagement can be maximized to enhance the effectiveness of learning by simply re-distributing, instead of increasing, course workload.

For staff and students searching for a quiet environment for video shooting, the Department of Computer Science, the Library and the Office of Education Development and Gateway Education will operate Echo360 Video Booths. In a nutshell, the booth is a cubicle furnished with a computer connected to a webcam, where Personal Capture software is installed and configured. When colleagues can record their video lectures to enable flipped classroom, students are able to produce video presentations for assessment by course instructors and peers.

Want to try out the new Echo360? Just e-mail elearn@cityu.edu.hk for more info.
For the history of Echo360 adoption at CityU, please consult Issue 4 of the OCIO Newsletter.
Venues Equipped with Echo360 BUILDING
ROOM #
DESCRIPTION
# of SEATS
AC1
P7907
IS Conference Room
40
REMARK
AC1
P7603
CTL Teaching Studio
26
AC1
B4702
EDGE Room
40
AC1
LT-1
Lecture Theatre 1
300
AC1
LT-4
Lecture Theatre 4
120
AC1
LT-6
Chan Kei Biu Lecture Theatre
200
AC1
LT-7
Lily Chiang Lecture Theatre
120
AC1
P4906
GE Lab
30
HD
AC1
G4302
Classroom
80
no videocam
AC2
AC2-4200
CSC Teaching Studio
36
HD
AC2
AC2-5606
CSC Teaching Studio
60
no videocam
CMC
TBA
TBA
TBA
HD
HD
BRIEF UPDATES
CityU Named 2012 Computerworld Honors Laureate
Web Redesign Team

On behalf of the City University of Hong Kong, Dr. Andy Chun, the Chief Information Officer (CIO), accepted the prestigious 2012 “Computerworld Honors Laureate” Award in a black tie Awards Gala held at the historical Andrew W. Mellon Auditorium in Washington D.C. on June 4th, 2012. Mr. Brook Colangelo, CIO for the Executive Office of the President of the United States, gave the opening speech.

Established in 1988, The Computerworld Honors Program is the longest running global award program that brings together the men, women, organizations and institutions around the world whose visionary applications of information technology promote positive social, economic and educational change. The Computerworld Honors Program is governed by the non-profit Computerworld Information Technology Awards Foundation that was founded by the International Data Group (IDG).

CityU received the “Computerworld Honors Laureate” Award in the category of Digital Access for our “University-wide Web Redesign Project”, which created an innovative mobile web technology platform that enabled CityU’s hundred websites and hundreds of thousands of web pages to display properly on any mobile device, such as smartphones and tablets, and allowed people with disabilities, such as the blind, to conveniently browse our websites through assistive devices like screen readers and Braille devices. This enormous project would not have been possible without the hard work and dedication of close to two hundred IT and non-IT staff across all CityU departments and units.
The Andrew W. Mellon Auditorium in Washington, D.C.
“Several important events in American and world history have occurred in the Mellon Auditorium. President Franklin D. Roosevelt announced the re-institution of conscription in 1940 from the Auditorium stage. The signing of the North Atlantic Treaty that established NATO occurred in the Auditorium on April 4, 1949. President Bill Clinton signed the North American Free Trade Agreement there in 1994. The 9/11 Commission released its findings in the Auditorium in 2004.” Wikipedia
The Computerworld Honors Program Award Ceremony was held in the Andrew W. Mellon Auditorium
Honorees were presented with a medallion inscribed with the Program’s mission, “A Search for New Heroes.” In addition, CityU was recognized as one of the top five Laureates in the Digital Access category and was a Finalist for the 21st Century Achievement Award.

Dr. Andy Chun, the Chief Information Officer for CityU, commented: “The Computerworld Honors Laureate Award is one of the most prestigious and unique IT awards in the world. Unlike other IT awards, this award is dedicated purely to recognizing organizations for their efforts in using IT for the good of society and mankind. This award reconfirms CityU’s organizational commitment to social responsibility. We are indeed very delighted with the recognition of being named a Computerworld Honors Laureate.”

“There’s no question technology plays a vital role in driving business forward. It ensures an organization’s ability to compete, innovate, communicate, and to thrive. What the Computerworld Honors Laureates so clearly demonstrate is technology’s role in moving society forward. Computerworld acknowledges and applauds the outstanding work being done by individuals and organizations who have successfully used technology to improve the quality of our lives and that of future generations,” said John Amato, Vice President/Publisher of Computerworld. “Computerworld is proud to name the 2012 class of Laureates and celebrate their initiatives benefiting society through the innovative use of IT.”

In total there were 10 categories of Awards: Collaboration, Digital Access, Economic Development, Emerging Technology, Environment, Health, Human Services, Innovation, Safety & Security, and Training & Education. In all, more than 25 countries from all parts of the world were honored. This year, the City University of Hong Kong was the only organization from Hong Kong to receive an award. The Digital Access category, in which we received the award, is a new category established just last year that aims to raise awareness of the importance of digital inclusion. So far, the City University of Hong Kong is the only organization in the Greater China region to have received an award in the Digital Access category.

Dr Andy Chun (right), receives the Computerworld Honors Laureate medallion from Mr Scot Finnie, Editor-in-chief of Computerworld, in Washington D.C. on behalf of CityU.
Computerworld Honors Laureate Medallion (front)
Computerworld Honors Laureate Medallion (back) with the inscription “A Search for New Heroes”
BRIEF UPDATES
CityU CIO Receives the 2012 Hong Kong CIO Award!
Office of the CIO

Dr. Andy Chun, the Chief Information Officer (CIO) of the City University of Hong Kong, was selected as the top CIO for Hong Kong medium enterprises and was awarded the 2012 Hong Kong CIO Award on June 20th 2012 at the Hong Kong Convention and Exhibition Centre.

The Hong Kong CIO Award recognizes CIO leadership and achievements in technology innovation that leads to business value creation and transformation.

Dr. Andy Chun was awarded for his vision and leadership in leveraging technology to transform the University into one that is forward thinking and supportive of the University’s new “Discovery & Innovate @ CityU” vision and culture, providing highly learner-centric and personalized education experience to students with emphasis on 21st century workplace skills.

“The Hong Kong CIO Award is a great honor and recognition for CityU as a whole. Technology vision can only happen with commitment and participation from everyone in the community. CityU has been fortunate to have a strong track record of being one of the most technology progressive universities in this region, creating a very unique 21st century learning experience for our students,” commented Dr. Andy Chun.

The award was presented by Computerworld Hong Kong and CIO Connect. Awardees were selected by an independent judging panel consisting of current or former CIOs from leading Hong Kong corporations and organizations.

The Hong Kong CIO Awards consist of 2 award winners, one for large enterprises and one for medium enterprises. The medium enterprise is a new category and Dr. Andy Chun is the first CIO in Hong Kong to receive this award. Dr. Andy Chun commented: “Being recognized by other CIO peers across different industries is quite an honor; I will truly cherish this award. This award would not have been possible without the wholehearted support and commitment of the entire CityU community in achieving a common goal of providing the best educational experience possible to our students.”

Dr Andy Chun (right) receives the 2012 Hong Kong CIO Award from Mr Joe Locandro, Director of Group Information Technology, CLP Group.
BRIEF UPDATES
Managing Personal Knowledge
Bill Proudfit

Knowledge management sounds like something impossible. How can you manage what you know? Knowledge management was popularized in the mid-1990’s primarily by management consultants who were cashing in on 30 years of computerization that had not necessarily made organizations more effective or efficient. First and second generation computer systems had made it possible to have larger production lines with many more staff and arguably much more revenue and profit. In 1995, many senior managers were wondering if their organization should embrace the next generation of personal computing, email and something called the worldwide web.

Personal Knowledge Management, PKM, means taking responsibility for what you know, who you know, and what the people around you know that you accept and use for your own understanding of the world. It includes acquiring, creating, and sharing knowledge, developing personal networks, and collaborating with others. The work in most organizations is still done by the individual. That individual needs to manage his or her own personal knowledge to get that work done. They may share some of this personal knowledge some of the time. If the personal knowledge isn’t well-organized it is doubtful they will be able to share much of their personal knowledge.

Knowledge workers do work differently, teaming and collaborating more than ever before, and all types of organizations have accelerated rates of innovation to show for it. But knowledge workers almost never actually produce their deliverables collectively. Instead, they cooperate by dividing tasks and then everyone goes back to their workspace to research the subject, write up the report, analyze the problem, communicate with others outside of the group, and so on. They reconvene as a team, share progress, and then disperse and begin to work individually again, which leads to another group activity to review progress and so on.

Personal Knowledge Management (PKM) is a conceptual framework used to organize and integrate information so that it can become part of our personal knowledge. PKM is a strategy for transforming what might be random pieces of information into something that is more systematic and expands our personal knowledge. PKM’s strength lies in the fact that it is a personalized system designed by an individual for his or her own use. This means that it is organic, growing and changing with an individual’s personal lifestyle and interests. At the same time PKM acknowledges that the knowledge is not meant only for purely personal reasons. PKM assumes that the person using PKM skills is participating in the process of managing knowledge in groups, in organizations and in society. PKM is about the importance of integrating, relating and presenting knowledge to other people that may also want to use it.

Thomas H. Davenport and Laurence Prusak define working knowledge as: ‘a fluid mix of framed experience, values, contextual information and expert insight that provides a framework for evaluating and incorporating new experiences and information.’ (Davenport, 1998)

Peter Drucker used the terms ‘knowledge worker’ and ‘knowledge society’ in The Age of Discontinuity (Drucker, 1968). He had used the term ‘knowledge worker’ since the late 1950’s. Drucker believed that information was ‘data endowed with relevance and purpose’ (Avery, 2001). For Drucker, what was key to information becoming knowledge was the application of information to doing something; knowledge was information embodied with action. Drucker recognized that the knowledge worker was an asset that needed to be managed by the organization.
However, he understood that because of their specialized knowledge, knowledge workers could not be supervised effectively. The knowledge workers had to manage themselves, which strongly implied that they would have to manage their own personal ‘working knowledge’.

This first wave of knowledge management focused on measuring an organization’s intellectual assets and adding value and meaning to its knowledge by asking questions such as:

• What do we (the organization) need to know?
• Who knows it?
• Who needs to know it?
• How can the people who need this information access it?

Knowledge management provided a framework for sharing organizational information (Avery, 2001). The centrality of sharing knowledge is embedded in almost all knowledge management practices and approaches. At the same time, it is often pointed out that people do not share their knowledge easily or readily. Dave Snowden likes to point out that few people refuse to share knowledge when there is real need but greatly resist vague general requests to give up their knowledge (personal communication). Many knowledge managers are still looking for the holy grail of knowledge sharing, an almost magical combination of process and tools. It seems that it may not be found.

By the late 1990’s ‘Knowledge Management’ had become a management buzzword closely connected to the explosion of information in the workplace, the use of personal computers and the Internet. Thomas Davenport and Larry Prusak were pointing out that information technology was playing a central role in organizational and knowledge management, at the same time emphasizing that the role of information technology in creating “information ecology” could easily be oversold (Davenport, 1997, Davenport, 1998).

In the mid-1990’s, UCLA’s Anderson School of Business began to require that all MBA students have personal laptop computers. At the time, this was quite an innovative requirement. It soon became apparent that students needed a framework to manage their personal knowledge that was being collected and kept on the laptop. Personal Knowledge Management (PKM) was seen as an extension of everything the student learned. It was soon recognized that the PKM strategy would be very useful to the graduates in their business roles. The UCLA PKM strategy focused on these concepts (Frand, 1999):

• searching/finding
• categorizing/classifying
• naming things/making distinctions
• evaluating/assessing
• integrating/relating

It is worth noting that these are essentially the same concepts found in most professional-level library science curriculums.

Around the same time, at Millikin University, Peter Dorsey developed, in close cooperation with the university librarians, a PKM strategy for undergraduates. This strategy focused on preparing students for knowledge work roles in global business and management. Seven key information skills were identified (Dorsey, 2001) (Avery, 2001):

1. retrieving information
2. evaluating information
3. organizing information
4. collaborating around information
5. analyzing information
6. presenting information
7. securing information

Steve Barth has taken Dorsey’s seven skills and expanded them into a comprehensive matrix of critical information processes, skills and tools for personal knowledge management (Barth, 2004). Eight years later and it still summarizes the key skills we all need to manage our personal knowledge.

Technology must support a knowledge strategy, not drive it. Davenport’s and Prusak’s sage advice about information technology being oversold in the late 1990’s was not widely taken up. At the end of the first decade of the 21st century the knowledge management world has become littered with stories of knowledge centres no-one uses, KM systems no-one remembers that even exist, repositories with no content, intranet based knowledge-sites with expired content, knowledge managers who berate employees for ‘not using our knowledge’ and personal directory systems with only the most basic name and contact details.

Not all is lost. Personal knowledge management is all about helping us make better decisions. Social networking platforms have made it much easier to collect, use and share our personal knowledge within and across the communities we participate in at work, at school and within our personal networks of family and friends. It is so much easier today than 10 years ago to find and use our personal knowledge across ultra fast networks on a wide range of devices from desktop PCs to smartphones, pads and ultralites. All of these tools facilitate personal productivity and insight into innovative approaches, and lead ultimately to better decision-making.

Table 3: Information processes, skills and tools

PRINCIPLES; PROCESSES; VALUES; SKILLS; TOOLS

Accessing Information & Ideas
Evaluating Information & Ideas
Browse, buy, subscribe; Search (local, network, web); Research; Asking & Listening; Learning
Attribute info & ideas; Vet sources; Confirmation; Testing; Question motives
Transparency; Concentricity (spiral out); Learning & unlearning; Mobility; Persistence
Question formation; Search techniques; Research strategies; Inquiry; “Know the map”
Objectivity; Quality and relevance; Message literacy
Source identification, qualification & cultivation; Validation; Judgment; Intuition, feeling
Push/Pull services; Desktop Search; Web Meta Crawlers; Contact database; Wireless email, phones, web
Collaborative filtering; Rating services; Trusted recommendations & references
Availability & flexibility; Version control; Personal Area Networks; Narrative*
Email filtering; Discard (carefully)
Organizing Information & Ideas
Analyzing Information & Ideas
Analytical techniques; Testing hypothesis; This category is very practice-specific
Critical thinking; Systems thinking; Empathy; Narrative*
Conveying Information & Ideas
Answering; Explaining; Presenting; Publishing; Teaching
Written word; Spoken word; What’s left unspoken
Clarity; Articulation; Context; Language; Narrative*
Collaborating with Info & Ideas
Messaging; Sharing docs; Workflow; Brainstorming; Meetings & conversations
Trust; Teamwork, Compromise; Network ethics; Just-in-time collaboration; Gratitude, Generosity
Securing Information & Ideas
Backup; Inoculation; Insulation; Encryption
Confidentiality; Privacy; Need-to-know; Responsibility; Integrity & confidentiality
Capture, convert text & data; File, archive; Search automation; Map, categorize, index; Internalize & Integrate; Sense-Making; Hypothesis & Synthesis; Identify Trends
Voice, character recognition; Journals, diaries, calendars; Indexers, links & bookmarks; Personal & enterprise portals; Databases
Outlining; Networking
Emotional intelligence; Facilitation; Relationship management; Play; Leadership; Self-discipline; Threat awareness
Summarizers; Spreadsheets; Visualization tools; Office suites: word processing, spreadsheets, presentations, databases, HTML editors, etc.
Messaging; Collaboration apps; Mobile communications; Whiteboards, etc; Water Coolers
Access controls; Passwords & encryption; Virus filters & firewalls; IP agreements

Source: Author (based on a framework originally developed by Paul Dorsey)

Reference

Avery, Susan., Brooks, Randy., Brown, James., Dorsey, Paul., and O’Conner, Michael., (2001). ‘Personal Knowledge Management (PKM): Framework for Integration and Partnerships.’ Accepted for Presentation at the Annual Conference of the Association of Small Computer Users in Education (ASCUE), http://www.millikin.edu/pkm/pkm_ascue.html, Myrtle Beach, South Carolina, 10-14 June 2001.
Barth, Steve., (2005). Knowledge management tools and techniques practitioners and experts evaluate KM solutions, chapter 28, ‘Self-organization taking a personal approach to KM’, edited by Madanmohan Rao, Amsterdam & Boston: Elsevier Butterworth-Heinemann.
Davenport, Thomas H., Prusak, Laurence., (1998). Working knowledge, Boston: Harvard Business School Press.
Davenport, Thomas., (1997). Information ecology, New York: Oxford University Press.
Dorsey, Paul A., (2001). ‘Personal Knowledge Management: Educational Framework for Global Business,’ Tabor School of Business, Millikin University, http://www.millikin.edu/pkm/pkm_istanbul.html.
Drucker, Peter, F. (1969). The age of discontinuity, London: Heinemann.
Frand, Jason, Lippincott, Aura., (2002). ‘Personal Knowledge Management: A Strategy for Controlling Information Overload,’ http://www.anderson.ucla.edu/faculty/jason.frand/researcher/articles/info_overload.html.
Frand, Jason., Hixon, Carol., (1999). ‘Personal Knowledge Management: Who, What, Why, When, Where, How?’ http://www.anderson.ucla.edu/jason.frand/researcher/speeches/PKM.htm, Working paper, December 1, 1999.
FEATURE
Information Security Plan for the University Vincent Yiu
Information is being regarded as an important asset by more and more organizations. The proper use of information can support decision makers in leading and controlling the direction of the organizations. On the other hand, the mismanaging of information could usually damage an organization in many ways and even leads to its collapse. The University has a strategic goal to ensure the security of information [1]. To achieve the goal, we need an execution plan and this execution plan will be presented in this article. Information security is an important quality indicator, and the plan is actually a Plan-Do-Check-Act (PDCA) cycle.
documents should set the baseline requirements for protecting information resource in the University. To ensure the validness of the ISPS, it will be reviewed and updated regularly as required. Being holistic, the ISPS will cover different areas and all information users of the University during the lifecycle of information, from creating, storing, transferring, processing, archiving and disposing. The set of documents states nontechnical requirements, technical requirements for end users and technical requirements for IT professionals. After all, the set of ISPS is aimed at ensuring that information is being handled consistently and information security is being maintained.
Standards for Everyone
Figure 1) Information Security Plan as a Plan-DoCheck-Act cycle
Plan – Establish the University’s Information Security Baseline The first step is to plan for the information security baseline to which all members of the University shall conform. The baseline will be documented as a set of formal Information Security Policies and Standards (“ISPS”) with reference to the requirements stated in ISO 27001 [2] within 2012. This set of
Non-technical requirements and technical requirements for end users fall into this category. Non-technical requirements usually govern user behaviors, for example:
• General buildings, offices, rooms and facilities should be protected by ensuring that all doors and windows remain closed and locked while unoccupied.
• Manned reception desks should be used to restrict access to offices containing confidential information.
• Shredding is mandatory when disposing of DVDs or printed copies of confidential information.
The technical requirements for end users aim at setting the best practice to be followed by general users. Many of us have to use IT equipment in our day-to-day activities, and end users should have a reasonable IT proficiency. Examples are:
• E-mail that contains any information of the Institution classified as “HIGHLY CONFIDENTIAL” or “CONFIDENTIAL” must have authorization from respective information owners and be encrypted for transmission and storage.
• Latest security patches for firmware and operating systems are applied; automatic update of security patches must be enabled.
Technical Standards for IT Professionals
To support the operations of the University, we depend on a world-class infrastructure consisting of a wide range of hardware, software and services. Our professional IT staff, from Central IT or Departmental IT, are responsible for supporting the operation as well as the security of the IT services. Certainly, some expert knowledge is essential to enable them to perform these tasks, and the technical standards for IT professionals should only apply to IT staff when performing their duties. Examples are:
• The University shall segregate the network environments according to the usage and classification of information being transmitted in the network. Secured network is only accessible to staff, appropriate contractors and third party users on a need-to-know basis.
• The owners, controllers or custodians must implement application and platform configuration management and hardening.
Do – Implementation of ISPS
The People-Process-Technology (“PPT”) triangle will be used to plan for the implementation of the ISPS. The success of information security management relies on all three aspects, and inadequacy in any of them will result in a breakdown of information security.
People
This is no doubt the most challenging part. We have a few thousand staff and tens of thousands of students in the University. The spectrums of information security awareness and information security proficiency are extremely wide. Meanwhile, everybody has a different personal valuation system; for example, some consider the privacy of their personal information very important and unauthorized use a serious offence, while some may think that there is nothing that they need to hide. This also depends largely on management’s commitment to information security. Anyway, the public expectation of the University is high and probably much higher than of any other type of organization. Therefore, we have to communicate with our members to ensure that they are aware of their responsibilities and provide appropriate training to enable them to protect the information they handle. There are many possible ways, and we will have to decide among the options what is to be done by the first quarter of 2013, when the ISPS is endorsed, for example:
• Prepare a series of web-based trainings and quizzes, and make it mandatory for the users to take the quiz. Require the users to pass the quiz to use our IT service, or require the users to re-take the quiz regularly and more frequently if failed
• Enforce password policy, and require the users to change password on a regular basis
• Liaise with the academic departments and administrative units to organize information security awareness sharing sessions
• Regularly contribute articles about information security to OCIO newsletter
Above all, the individuals’ willingness and eagerness to adapt to the University’s ISPS and the Information Age is the most crucial factor, and hopefully, the management will create more incentives for us.
Process
There are countless processes in the University, and we will identify some of the critical processes, review these processes and enhance them where appropriate. The processes in Central IT will be visited first. To strengthen the processes, we usually apply some management control and operational control principles. Examples of critical processes and some of the related controls are:
• Physical entrance to secure areas, such as Data Centre
  o Approval is required before entering secure areas and approval records must be kept
  o Record the entry and departure timestamps of visitors
• Change management
  o Changes shall be raised formally using a Request for Change (“RFC”) form
  o Changes shall be reviewed and approved by Change Management Committee (or Change Advisory Board)
• Disposal of information processing equipment (e.g. computer, tablet)
  o Check storage media to ensure that confidential data are securely overwritten
The transition of process must be carefully planned, monitored, and refined as necessary. The processes in CityU Paperless Services will be reviewed and enhanced to verify the applicability of the ISPS starting from the third quarter of 2012.
Technology
This is typically the most straightforward part, as a wide range of benchmarks and technologies are available to measure and enhance security postures in general. Starting from the fourth quarter of 2012, we will enhance the security level from four aspects:
• Network
  o Among the four components, network is the most mature. Different network topologies and network equipment are well studied and relatively stable [3] [4]. We will propose the network segregation requirements and network infrastructure, based on de facto standards.
• Host platform, including hardware, operating systems and packaged software, e.g. Database
  o Based on industry benchmarks [5], we will derive a set of configurations for host hardening. These configurations aim at reducing the chance of platforms being compromised.
• Application
  o Cyber-attacks are getting more and more focused on web-based applications. To defend against web attacks, the best practice is to consider security requirements early in the software development lifecycle, and avoid web application vulnerabilities. Our Computing Services Centre (“CSC”) is regularly scanning our web applications for vulnerabilities. We will also keep an eye on the trend of web attacks [6] [7] and provide advisory services to software application development teams.
• User Data
  o The University has a number of public web services, for the delivery of information to the general public as well as sharing of information among authorized users. Occasionally, information is misplaced. We will sample check the user data to ensure that appropriate protections are in place. In particular, we will attempt to find unencrypted confidential or personal information hosted in CSC servers.
Figure 2) Risk level in different layers of web applications
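The sample check of user data described under Technology, looking for unencrypted confidential or personal information on servers, can be partly automated. The sketch below is an added example, not the University's or CSC's own tooling: it skips files whose byte entropy suggests they are already encrypted and flags readable Hong Kong identity card and payment card numbers whose check digits validate. The function names, the 7.5 bits-per-byte threshold and all sample records are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Assumption: data at or above this many bits per byte is treated as encrypted
# (or compressed) and is not searched for readable identifiers.
ENTROPY_THRESHOLD = 7.5

# Hong Kong identity card number: 1-2 letters, 6 digits, check character.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(?([0-9A])\)?(?![0-9A-Za-z])")
# Payment card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def hkid_valid(prefix, digits, check):
    """Verify the mod-11 check character of an HKID number."""
    chars = prefix.rjust(2)  # a single-letter prefix is padded with a space
    values = [36 if c == " " else ord(c) - 55 for c in chars]  # A=10 .. Z=35
    values += [int(d) for d in digits]
    total = sum(v * w for v, w in zip(values, range(9, 1, -1)))  # weights 9..2
    expected = (11 - total % 11) % 11
    return check == ("A" if expected == 10 else str(expected))


def luhn_valid(number):
    """Verify the Luhn checksum used by payment card numbers."""
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


def mask(value, keep=4):
    """Hide all but the last `keep` characters so the report leaks nothing."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_bytes(data):
    """Return [(kind, masked_value), ...] for readable identifiers in data."""
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return []  # looks encrypted or compressed: nothing readable to flag
    text = data.decode("utf-8", errors="ignore")
    findings = []
    for m in HKID_RE.finditer(text):
        if hkid_valid(*m.groups()):
            findings.append(("HKID", mask(m.group(1) + m.group(2))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("CARD", mask(digits)))
    return findings


def scan_tree(root, max_bytes=1 << 20):
    """Scan the first max_bytes of every file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings = scan_bytes(fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Scan a constructed sample tree (all records below are made up)."""
    samples = {
        # Readable export with a valid HKID number and a valid test card number.
        "export.csv": b"name,hkid,card\nChan Tai Man,A123456(3),4111 1111 1111 1111\n",
        # Look-alikes whose check digits fail: must not be reported.
        "notes.txt": b"Ticket B765432(1), order 1234 5678 9012 3456\n",
        # High-entropy stand-in for an encrypted file (hash output, not a cipher).
        "backup.bin": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

High entropy only indicates that a file is probably encrypted or compressed, so a sweep like this narrows down where to look and does not replace manual review of the flagged files.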
Check – Review the Effectiveness of Our Security Controls
To identify inadequacies and potential areas for improvement, we will conduct internal assessments at regular intervals and as necessary. For critical services, we may also invite a third-party independent auditor to assess our processes. CityU Paperless Service will be the first service to be tested against the ISO 27001 standards. It is a common misperception that the aim of an information security audit or assessment is spotting errors. In fact, the primary goal of a security audit or security assessment is to present the auditee or assessee with an objective and unbiased view of their situation, by which they may improve their position.
Information Security assessment will start in the third or fourth quarter of 2013, and I shall submit another article describing the details of information security assessment.
Act – Take actions to improve the security level of the University
Based on the result of the information security assessment, we have to propose and take a number of corrective actions and preventive actions. Corrective actions are actions taken to eliminate the root causes of issues, while preventive actions are actions taken to eliminate potential causes. Both corrective and preventive actions are tailor-made on a case-by-case basis. The planned actions will serve as input to another round of the Plan-Do-Check-Act cycle for the University’s Information Security Management.
Emerging Risks
Among all the trends, the most dangerous one in my view is the wide adoption of mobile devices, i.e. smartphones (iPhone and Android phones) and tablets (iPad and Android-based tablet computers). While providing services at our fingertips, these devices also drastically increase the chance of information leakage. We will closely monitor the risk trend of mobile devices, and I would like to remind you of the responsibility and importance of protecting your own devices against loss and misuse.
Final Remarks
Information security management relies on the effort of every member of the University, and a failure to ensure information security could seriously damage the reputation of the University. In the course of enforcing security controls, many of us may experience a certain degree of inconvenience, and thank you for your understanding in advance. If you want to discuss more about the topics, please don’t hesitate to leave me a message at infosec@cityu.edu.hk.
Reference
[1] Office of the Chief Information Officer, Information Technology Strategic Plan 2010-2015, 2011.
[2] BS ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements.
[3] SANS, “The Top Cyber Security Risks,” SANS, 9 2009. [Online]. Available: http://www.sans.org/top-cybersecurity-risks/. [Accessed 29 5 2012].
[4] The Office of the Government Chief Information Officer, Internet Gateway Security Guidelines [G50] Version : 4.0, 2009.
[5] Centre for Internet Security, “Download CIS Benchmarks Free of Charge,” [Online]. Available: http://benchmarks.cisecurity.org/enus/?route=downloads.benchmarks. [Accessed 29 5 2012].
[6] SANS, “CWE/SANS TOP 25 Most Dangerous Software Errors Version 3.0,” SANS, 27 7 2011. [Online]. Available: http://www.sans.org/top25-software-errors/. [Accessed 29 5 2012].
[7] OWASP, “OWASP Top 10 - 2010 The Ten Most Critical Web Application Security Risks,” OWASP, 2010.
IT Security Awareness Series by JUCC
With an aim to enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, and they will be adopted and published here for your reference.
Data Encryption
I. Background
Industry Story
Desktop Encryption Project - University of Wisconsin-Madison
Laptops, desktops and other portable media that store restricted data are of great concern since they can be easily lost or stolen due to the distributed nature of their physical location and system administration. The purpose of desktop encryption is to render data on desktops and laptops unreadable so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly. To mitigate or reduce the risks, the campus has approached the security vendor and implemented the following data encryption mechanisms:
• Full disk encryption for most flavors of Windows
• File and folder encryption for same flavors of Windows
• Full disk or file/folder encryption for Windows Mobile devices
• Centrally managed configuration and escrow of encryption keys
The Office of Campus Information Security (OCIS) has purchased 2000 licenses for campus use. These licenses are available to anyone wishing to participate in the project at no cost.
Data Encryption
With the growing amount of confidential information stored on end user devices, there are many threats that can cause such confidential information to be accessed by unauthorised parties. Some threats are unintentional, such as device loss or theft, while others are intentional, for example, malware threats, also known as malicious code. Data encryption leverages mathematical calculations and algorithmic schemes that transform plain text into cipher text, a form that is non-readable to unauthorised parties. As data encryption implants security controls inside the sensitive data itself, it is now one of the most effective means to prevent leakage of sensitive information over transmission via the Internet.
II. Management
Data Encryption Management
Data encryption can be either locally or centrally managed. Centralised management is more commonly deployed and performed through specific data encryption management utilities or together with the operating system’s configuration utilities. Centralised management is recommended for most cases, because it enables effective and efficient encryption task management.
However, management may still choose to deploy storage encryption locally without a centralised management capability. This is generally acceptable for standalone or very small-scale deployments, especially for data that need to be encrypted quickly.
Data Encryption Planning and Implementation
A successful deployment of new encryption technologies very much relies on a step-by-step planning and implementation process which minimises unforeseen issues and helps to identify potential pitfalls. The following are the major tasks during the planning and implementation phase:
1. Identify Requirements
At the beginning of the process, management should identify the needs to encrypt information on universities’ information systems and/or end user devices, determine which devices or data need encryption, and define related performance requirements. The requirements include:
• External Requirements - such as legal requirement to protect privacy and personal data;
• System and Network Environment - data encryption solutions should be compatible with universities’ existing IT environment (in terms of availability and efficiency) and able to provide the necessary protections without introducing conflicts and inefficiencies; and
• Support Limitations - identify any possible violations of the terms of a software support contract or the warranty of products used with the relevant device.
2. Design a Solution
Based on the requirements identified in the previous phase, management should design a solution to realise the requirements. Major aspects of a solution design of data encryption include:
• Cryptography - encryption schemes and algorithms, such as Advanced Encryption Standard (AES), Secure Sockets Layer (SSL);
• Authentication - authentication methods and authenticator protection. For example, passphrase, security token, public/private keys;
• Solution Architecture - selection of data encryption devices and software and location of centralised data encryption management;
• Other Security Controls - additional controls that complement the data encryption implementation, such as policies regarding acceptable use of data encryption technologies; and
• Minimum Requirements of Hardware - selection of hardware, including application servers, storage equipment and end user devices based on the requirements from product vendor and university’s performance requirements.
3. Test a Prototype
It is recommended to perform implementation testing in laboratories or on test devices. The following components of the solution should be tested and evaluated:
• Addressing Requirements - Each type of sensitive or critical data identified according to the information gathered during stage 1 should be protected with appropriate encryption methods;
• Encryption Management - Robust testing of authentication should be performed, especially for centralised authentication solutions. Also, administrators should be able to configure and manage all components of the solution effectively and securely;
• Performance and Compatibility - The solution should be able to provide adequate performance during normal and peak usage. Management should also ensure that the solution does not affect or interfere with the use of existing operating system configurations and software applications;
• Recovery - The solution should be tested to determine how well it can recover from failures, such as loss of encryption keys, damaged device hardware or software, and power loss; and
• Implementation Security - Vulnerabilities and weaknesses of storage encryption itself should be investigated and corresponding mitigation controls should be developed and tested.
4. Solution Deployment and Monitoring
Gradual migration to the new solution enables administrators to evaluate the impact of the solution and resolve issues prior to the deployment to the whole university.
Monitoring is essential to the successful deployment of a data encryption solution. It is to manage the solution by operating the deployed solution and maintaining the security storage architecture, policies, software and other solution components. Typical activities include:
• Testing and applying patches to storage encryption software;
• Monitoring the storage encryption components for operational and security issues;
• Periodically performing testing to verify that storage encryption is functioning properly;
• Performing regular vulnerability assessments; and
• Receiving notifications from vendors of security problems with storage encryption components, and responding accordingly.
III. General Users
Roles and Responsibilities of a General User
1. User Awareness
General users should comply with the data encryption policies set up by the management and be aware of their roles and responsibilities when it comes to sensitive data stored on their devices or in the campus network.
2. Encrypting Sensitive Files
Users should encrypt sensitive data according to the university’s policy. They can make use of data encryption software when they need to send sensitive files over an unknown or insecure network. Strong passwords, created in line with the security policy, should be used for encryption when files are being transferred onto removable media or through email. Users must not record the passwords in plain text or release them to unauthorised parties.
3. Portable Media Protection
Data encryption also has vulnerabilities: hackers may decrypt the encrypted data using advanced techniques or simply via social engineering. While encrypted removable storage devices provide protection from unauthorised access, general users should also physically secure their mobile devices and removable media.
4. Data Loss Reporting
In case of any loss or theft of devices and media, users should report to the IT department immediately for any remediation and follow-up actions.
Conclusion
To achieve all-round security of the IT environment in the university, data encryption plays an important role in protecting sensitive information. Management should gather requirements, identify constraints and define appropriate solutions to implement data encryption within their universities. General users should be well aware of their own responsibilities towards data encryption and comply with relevant policies and procedures established by management to prevent the confidentiality, integrity and availability of sensitive data from being compromised.
Reference:
http://www.infosec.gov.hk/english/computer/encrypt.html
http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
http://www.truecrypt.org/
http://www.winzip.com/index.htm
Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below:
copyright@jucc.edu.hk
Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong
DISCOVER & INNOVATE
Launching CityU’s New Mobile Apps
Vicker Leung
Mobile computing is one of the most influential IT topics in recent years. Similar to social networking and cloud computing, the mobile ecosystem (including mobile devices and mobile apps) dramatically changes how we consume information and where we spend our precious time. According to the mobile statistics by mobiThinking [1], the population of mobile users is around 1.2 billion in 2011 and estimated to have a steady growth in 2012. Besides, there are over 1 million mobile apps currently available through the various app markets. Mobile devices and apps are everywhere, and to better leverage the opportunities created by this ecosystem, CityU initiated several projects including the Mobile Learning Scheme and DEC Mobile App Development Grants (MADGs).
Mobile Web and Mobile App
In 2011, the University launched the “University-wide Web Redesign Project”, revamping over a hundred web sites across all departments and units. One of the major benefits of this exercise is to make all the web pages mobile-friendly. Currently the mobile web pages serve well as an information portal. To take a step ahead, it should also be able to provide functional services to our staff and students through mobile devices, which enriches their overall experience working and studying in CityU. In order to deliver supreme performance and to fully utilize mobile device capabilities such as camera, GPS and push notification, we need a more powerful platform than the mobile web pages, namely our native mobile apps. In the coming months, CityU will be launching several new mobile apps to provide functional services, e.g. mobile apps for the CityU NewsCentre and CityU CAP system. (We will introduce these apps in separate articles in the coming issues of OCIO Newsletter.) Just like Central IT, some academic departments and administrative units may also be considering developing mobile apps to further extend their reach of services. To share our experience, the following highlights the approach we used in mobile app development.
Packing Up the Content
Before starting any development, we should think carefully about what kinds of content or features should be included in the mobile app. Given that most of our web pages are mobile-friendly, we can simply focus on those items that are currently difficult to access or inaccessible on mobile devices, putting them at the top priority before enhancing existing items.
Mobile application storyboard by OCIO
Illustration by XKCD http://xkcd.com/773/
To prevent building unused fancy apps, it is also important to understand what the end users’ (our colleagues and students) expectations are. The best way to understand them is to approach them directly through surveys or interviews. Once you have done some studies, you will be amazed by how much your ideas differ from what they are expecting.
Designing for Mobile
Once the scope is carefully set, we can start to prototype the mobile application. Putting aside the mobile operating system and programming languages, there is a very important area we should be careful of, i.e. the design of a mobile user interface. User Interface (UI) is crucial because no matter what kind of underlying technologies you are using, it is the UI that the users are interacting with. UI design is even more critical in the case of mobile apps because of the limited canvas together with screen variations.
To get a quick experience on how the UI layout fits on mobile devices, we can make use of the techniques of paper prototyping together with storyboarding. And to tackle the screen dimension and pixel density differences across smartphones and tablets from various manufacturers, a responsive UI design can be applied, which is very similar to that in modern web page design.
CityU NewsCentre mobile application working across devices of different brand, size and orientation
Reference
[1] Global mobile statistics 2012: all quality mobile marketing research, mobile Web stats, subscribers, ad revenue, usage, trends... (2012, February). http://mobithinking.com/mobile-marketing-tools/latest-mobilestats
[2] Kissane, E. (2011). The Elements of Content Strategy. A Book Apart.
[3] Hoober, S., Berkman, E. (2011). Designing Mobile Interfaces. O’Reilly Media.
[4] Neil, T. (2012). Mobile Design Pattern Gallery. O’Reilly Media.
FEATURE
Experience of using GROU.PS - a Social Networking Site (SNS) in a Teaching Environment
Jeffrey C. F. Ho
In semester B 2011/2012, I was invited by the Office of the CIO to participate in a pilot of using a social networking site (SNS) in a teaching environment. I would like to share my experience here. First of all, let me give you some background. The SNS is called GROU.PS (http://grou.ps), which is a Facebook-like service that is designed for private social networking in companies/organizations. In my case, the service was open to students and teachers of several CityU courses including the pilot. The course I taught was about interactive digital communication. The plan for using GROU.PS was to treat it as one of the communication channels between the instructor (me) and the students, e.g. announcements, discussion, sharing, chatting. It was not used as a website for course materials. Lecture slides and assignment materials were not put on GROU.PS.
1. Initial Participation
Most of the students who took the course were from the Department of Media and Communication (COM) and the School of Creative Media (SCM), plus several exchange students. They are not very tech-savvy but they have been familiar with other publicly available social network services like Facebook, Weibo, etc. So when students were introduced to GROU.PS, they had some basic idea of what it was. But there were some difficulties in getting the students to use it in the first place.
Registration
In order to use GROU.PS, students were required to register with their CityU email addresses and their registrations were approved later. This was to make sure that only students in the designated courses could use the site. However, this seemed to be a barrier to attracting the students to register and to start using the site. After the students were told how to register, not many of them registered at once. The number grew slowly. There may not have been an immediate motivation for them to register on the site. Some students said that they actually knew some other students taking the course so they were not eager to get on there and meet new friends.
Online Discussion
Owing to the time limitation in the lecture, discussions on some topics were moved to GROU.PS. Students were asked to participate in the forum there. Since then, more students started registering for the service. Although face-to-face interaction was not available, online discussion gave every student the opportunity to express their views on the topics. Students responded to others’ views and the discussion became lively. With the profile pictures displayed next to every post, students knew who they were responding to (instead of students’ full names which others may not be familiar with). Setting requirements for students to participate in a social network may not be effective because they may just do what is required. At least, it made the students have a look at what the SNS was and have a taste of it.
2. Informal Environment
Once students have registered on GROU.PS, they can log in and explore the features. Some students gave positive feedback on the Facebook-like interface saying that it was easy to use. They could change their profile pictures, make connections with other accounts as ‘friends’ and update their statuses. Students were not required to use these features. Interestingly, a majority of registered students uploaded profile pictures of themselves, which was a positive sign of their participation. The SNS provided an environment that is not as formal as the lecture room and other online communications like emails. To a certain extent, the informality seemed to encourage student participation.
Updating Status and Asking Questions
Students sometimes updated their statuses. Some statuses were about them rushing to the lecture. Some were about their thoughts on assignments. This became an opportunity for me as the instructor to have some idea of what the students thought about the course materials. This gave me opportunities to help students by leaving comments or directions with the ‘comment status’ feature. This form of communication was relatively informal in the sense that 1) the ‘status’ was about themselves, so they did not need to worry too much about whether their English sentences were grammatical; 2) students might not even have a specific question but just some struggle; 3) the Facebook-like interface and features gave an impression of a casual and open environment. The informal environment encouraged students to express themselves. Another observation was about asking questions through the ‘private message’ feature. Through the private message feature, students seemed to have less hesitation in asking questions. Students were willing to ask questions that they felt were too ‘obvious’, which they usually did not ask in class or by email. Students gave feedback saying that the informal settings made them less worried about the language they used. They felt free to write short messages with various kinds of symbols to express themselves (e.g. >.<, :-), :D ), just like what they normally do on other SNSs. This is an interesting experience for me as an instructor. I got to know more about my students and engage with them whenever I had access to the Internet.
Making Friends
However, in terms of making friends, not many students tried to do so. One reason was that they had met some other students before and they may have ‘friend connections’ on other SNSs like Facebook. I did ask a question on GROU.PS to see if students did make new friends through the service. Some of them replied and said they didn’t.
Sharing
An SNS in a teaching environment can potentially be a platform for sharing supplementary materials. Examples are case studies found by the instructor on the web and interesting news read by a student. On GROU.PS, there is a sharing feature that supports various formats like hyperlinks, videos and images. Students and the instructor can view and comment on shared posts. Discussions can be initiated. Throughout the course, students posted only a few interesting videos and pictures. This might be because sharing content found on the web requires copying and pasting URLs. Sharing to GROU.PS is not well supported by other websites. Many websites like BBC.co.uk offer a button to share content to social networks like Facebook or Twitter. GROU.PS is often not supported. The inactive sharing of web content may have led to another issue.
Habit to Login Regularly
Students gave feedback that they did not have a habit of regularly logging in to GROU.PS and checking out what was going on there. Apart from the fact that the sharing activities there were not as active as what they saw on Facebook, a reason raised by students was that the site required a set of login credentials different from the one used in other CityU systems, and they might not be able to remember their passwords. This contributed to the fact that not every student checked out the site regularly.
3. Conclusion
Using an SNS in a teaching environment has been an enjoyable experience. Although there were obstacles in getting the students to register in the first place, the environment provided the possibilities of different interactions between me and the students. Furthermore, the interface of GROU.PS is user-friendly and is easily understood by students. More attention may be required to think of ways to encourage students to participate in it more regularly and how the issue of the separate login required by GROU.PS can be solved. I would like to thank Dr. Crusher Wong and Mr. Vicker Leung of the Office of the CIO for supporting me throughout the pilot.
Statistics at a Glance (2011–2012)
IT Tools
IT Tools – Social-Learning
Andy Chun (ed.)

This new “IT Tools” column introduces some useful tools and apps for teaching, learning, or research. Most of the tools/apps highlighted will be free or low-cost. In this issue of the OCIO Newsletter, I have selected a few “Facebook-like” social-networking platforms that can be used to create an independent social network for your class, transforming the student e-learning experience into a social-learning experience with knowledge sharing and collaboration.

Some of our colleagues use Facebook for teaching. However, many faculty and students prefer to keep private life separate from University life. So there is a need for Facebook-like features outside of Facebook.

The following social network platforms have many common features. They are all cloud-based, which means you can start using them instantly. They have “Facebook-like” features, such as activity streams and sharing of photos and videos. The tools support user-created content through blogs, forums, chats, etc. to facilitate discussion and knowledge sharing.

A great way to use these tools is to create a social network or group for each of the classes you are teaching. You can then use this network to share class updates, study activities, assignments, events, etc. You can create opportunities for discussion by posting questions in forums. Blog posts from students are great ways to share and learn from peers. All these tools are quite easy to set up and use.
Ning (http://www.ning.com/)
Launched in October 2005, Ning is a cloud-based platform that allows anyone to quickly create and customize a private/public social network. Ning used to be free, but started a paid-only model in 2010. However, the fee is still quite low for the basic network (US$2.95/month). Incidentally, the word “Ning” is Chinese for “peace” (寧).

GROU.PS (http://grou.ps/)
Launched in February 2006, GROU.PS is also a cloud-based social network platform. Just like Ning, it used to be free, but started charging in 2010. The fee for a basic network is still quite low (US$2.95/month), just like Ning.
edmodo (http://www.edmodo.com/)
Launched in late 2008, edmodo, unlike Ning or GROU.PS, was designed just for teachers and students. edmodo is currently free. The user interface is Facebook-like and provides many LMS features, such as assignment posting, submission, commenting and grading. Students can share through posts. Teachers can also create polls and post topics for discussion among the students.

Hopefully you will find these social-learning tools useful for your teaching. Let me know if you use them in your class and whether the experience was successful or not. Also let me know if you have other social-learning platforms to recommend.
Editorial Box

OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mrs. W K Yu (ESU)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Ms. Maria Chin (CSC)

Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Mrs. Louisa Tang (ESU)
Ms. Doris Au (OCIO)

For Enquiry
Phone 3442 6284
Fax 3442 0366
Email cc@cityu.edu.hk

OCIO Newsletter Online
http://issuu.com/cityuhkocio
Theme photo on the cover courtesy of Peter Mok (CSC)