OCIO NEWSLETTER Issue 17 • October 2014
SPOTLIGHT
HRO Work Simplification through Paperless Office

INDEX
SPOTLIGHT: HRO Work Simplification through Paperless Office
FEATURE: Managing IT Projects in SharePoint; New Database Machine for Banner System; Using Office 365 for Education; University-wide Network Vulnerability Scanning
BRIEF UPDATES: Canvas Implementation Progress
FYI: A Glance at the CityU e-Recruitment System
IT SECURITY AWARENESS SERIES BY JUCC: Compliance Management
STATISTICS AT A GLANCE: About Flipped Classroom
GLOSSARY CORNER: Man-in-the-middle Attack
The Enterprise Document Management Team

As we all know, people are the most valuable asset of any organization, and our Human Resources Office (HRO) is responsible for helping CityU attract and retain the best talent possible. Through the hard work and dedication of our HRO colleagues, the Office facilitates and coordinates all activities relating to the University’s manpower needs, from recruitment, onboarding and performance management to staff development, and of course ensures that our HR policies are in line with the University’s mission. To keep providing reliable and timely HR support on campus, the HRO is a leading champion of the University’s transformation to a paperless environment and work simplification, and a supporter of the University’s sustainability commitment.

“The Paperless Office Project contributes to our knowledge management strategy. Best practices are now shared and managed. The new EDMS is aligned with HRO’s standard for quality service, efficiency and security,” Ms. Helen Leung noted.
In 2011, the HRO began a series of projects, including the adoption of an Enterprise Content Management (ECM) system on the EMC Documentum platform. In this issue, we delve into how this idea and its success came about and share HRO’s implementation experience. Ms. Helen Leung, Director of Human Resources, and Ms. Rita Fung, Human Resources Manager, kindly offered their valuable time to share their insights behind the HRO’s “paperless office revolution.” HRO’s paperless transformation first came about because it wanted to work more effectively and efficiently, to streamline its processes and to save physical storage space. Since time is money, the HRO wanted not only to save costs but also to help the environment through reduced paper and space consumption. In the past, the HRO needed to manage stacks and stacks of personnel folders and documents, not only for the 4,000 or so full-time staff but also for part-time staff. The files and folders include information such as particulars of the recruitment process, staffing decisions, staff development records, remuneration details, etc. Each day, a good amount of time was needed to locate these physical folders and track down documents, which might be on someone’s desk, in filing cabinets, or in boxes in storage. As you can imagine, locating or tracking the whereabouts of a particular paper document can sometimes be challenging. Not only does this consume a great deal of manpower and time, but it also puts the University at risk of document loss.
While the HRO was planning its relocation to its new office in AC3, it started to explore the possibility of digitizing its documents, since moving all the documents to AC3 was not practical and would waste valuable office space. In fact, HRO had been considering a more effective document and workflow approach since 2004, but the technology needed was not mature back then. In 2010, HRO revisited the idea together with the Finance Office (FO), which faced similar challenges. After considering various approaches, such as microfiche or a traditional document management system (DMS), HRO and FO decided to use enterprise content management (ECM) technology, which provides electronic document and workflow support as well as strong information security through tightly controlled access and encryption. Central IT supported this effort by establishing an Enterprise Document Management Team (EDMT), responsible for designing and implementing enterprise-quality document management solutions. Hence the University’s Paperless Office Project was started, and implementation of the University’s Enterprise Document Management System (EDMS) began in 2011 to support secure institutional document capture, archiving and retrieval. The EMC Documentum product was selected as the platform for this new service. In terms of implementation, HRO’s project began with deciding how to organize electronic documents effectively. In the old paper approach,
documents were organized according to their creators or creation dates. Documents categorized this way can be subjective, since the process depends on the particular practices of the HR staff involved: different staff may use different “coding” to organize and archive documents. Obviously this non-standardized manual approach was not effective, particularly once documents had been filed and then needed to be located and retrieved. Moreover, the tight coupling between a document and the staff member who coded and handled it made the transfer or sharing of responsibilities very difficult. In contrast, when paper documents are scanned and filed using the new EDMS, every single document is automatically assigned a unique barcode containing all the relevant metadata for querying and indexing into the central repository. Once digitized, the documents are full-text searchable; any document can now be located and retrieved within seconds with just a few keystrokes. Thus HR personnel are relieved of time wasted on filing and can focus on tasks that benefit from their professional expertise. According to HRO, one of the most challenging tasks during the design phase was deciding which set of crucial data should constitute the metadata. The project team wisely adopted a reverse-engineering approach, first identifying what search criteria might be used to locate documents. Based on the expected search behavior for different document types, the team created a metadata design that was rich enough to support HRO’s daily needs and yet not too cumbersome to maintain.

However, the real challenge actually came after the EDMS was up and running in mid-2012: the scanning and digitization of over a hundred thousand documents, spanning over a million pages, that had accumulated over the past 30 years. The HRO team had to do this while new documents were constantly being generated each day! HRO used a “farm” of high-speed scanners and a team of support staff to complete this highly laborious task. The task was made more bearable through a few IT innovations, such as the addition of 2D barcodes and patch codes to support the scanning process. Before scanning a particular set of documents, the HR colleague first identifies the type of information contained and inserts a set of reusable patch codes that signal to the EDMS how to process and store that document. In addition, a 2D barcode is generated to carry related metadata, such as staff information retrieved from the University’s Banner ERP system. These two capabilities greatly reduced the need for human input and consequently the processing time needed. With those IT innovations, in October 2013 the project reached its first milestone: completing the digitization of all regular personnel files. The next task was to handle “subject files,” which are less structured and harder to categorize. Over six hundred thousand subject files are now being processed, with the plan to complete this task by the end of 2015.

“The support provided by University leadership was very important to the success of this project,” Ms. Rita Fung pointed out.

The Paperless Office Project has brought many benefits to HRO. Firstly, it solved the space problem; piles of folders and documents have been reduced. At the macroscopic level, the workflow of HRO is now rationalized, because documents can be generated, logged, indexed and searched at the point of creation with ease and consistency. In addition, the system allows instant sharing and delivery to collaborating departments, such as the Finance Office, which saves unnecessary round trips among offices and document cabinets. Recognition must be given to the project team, who worked so hard over the past few years to implement the system and to persuade, train, motivate and support other HR colleagues in adopting the EDMS. Most importantly, credit must also be given to University leadership. Ms. Rita Fung, Human Resources Manager, commented: “The persistence, encouragement and support of the project from senior management is the key factor for our success. This remarkable achievement would not have been possible without their long-term support.”

The new convenience brought about by the EDMS, i.e. instant search and retrieval of any personnel document, leads to new challenges: how to ensure documents are secure and accessed on a need-to-know basis. Ms. Helen Leung, Director of Human Resources, commented: “Through a carefully designed role-based access control, the EDMS is a robust and secured platform to leverage synergy among different HR teams, or even different departments and offices.” Ms. Helen Leung emphasized: “On top of that, the system actually provides a further layer of security by including an access log that generates alerts when there is any suspected abnormal activity.” In addition, the Paperless Office service was certified in early 2013 as ISO/IEC 27001 compliant, for implementing information security best practices at an international level of quality. The service will also be assessed in early 2015 for compliance with ISO/IEC 20000, the international standard for IT service management. The EDMS has been in daily use by HRO since mid-2012. Any process that does not require physical signatures is now, as far as possible, presented solely in electronic format.

Besides the EDMS project, HRO has a slew of IT projects to streamline HR-related processes and simplify work. For example, in 2014 HRO deployed Phase 1 of the e-Recruitment system to make our recruitment process paperless as well. In addition, the 2014 Annual Performance Report for faculty and academic staff has been streamlined to automatically generate personalized report templates pre-populated with individual performance data. The e-Duty Visit system, built on top of the EMC Documentum platform, was also launched in 2014 to simplify and streamline the application process. These projects and others in various administrative units are contributing to the University’s new Work Simplification initiative, which aims to create a more agile and efficient organization.
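The two controls named above for the EDMS, need-to-know role-based access and an access log that raises alerts on abnormal activity, are sketched below as an added illustration. This is not CityU’s EDMS or Documentum code; the roles, document types, scopes, the alert thresholds and the sample activity log are all assumptions made for the example. The point it shows is that denials are logged as well as grants, and that the alert rules run over that log: one rule catches bulk retrieval of many different personnel files in a short window, the other catches a user who keeps being refused access outside their scope.

```python
"""Illustrative need-to-know access control and access-log alerting for an HR
document repository. Added example, not CityU's EDMS or Documentum code; the roles,
document types, scopes, thresholds and the sample log are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: role -> (document types it may read, scope of staff it covers).
# scope "all" = any staff member; "own_dept" = only staff in the caller's department;
# "self" = only the caller's own file.
ROLE_POLICY = {
    "hr_officer": ({"personnel", "remuneration", "appraisal"}, "all"),
    "dept_head":  ({"appraisal"}, "own_dept"),
    "staff":      ({"personnel"}, "self"),
}


class AccessDenied(Exception):
    pass


def check_access(user, doc):
    """Return True if user may read doc under ROLE_POLICY, else raise AccessDenied.
    user = {id, role, dept}; doc = {id, type, owner_id, owner_dept}."""
    doc_types, scope = ROLE_POLICY[user["role"]]
    if doc["type"] not in doc_types:
        raise AccessDenied(f'{user["id"]}: role {user["role"]} may not read {doc["type"]}')
    in_scope = (scope == "all"
                or (scope == "own_dept" and doc["owner_dept"] == user["dept"])
                or (scope == "self" and doc["owner_id"] == user["id"]))
    if not in_scope:
        raise AccessDenied(f'{user["id"]}: {doc["id"]} is outside scope {scope}')
    return True


def read_document(log, user, doc, ts):
    """Enforce the policy and append an audit record either way: denials are logged too."""
    try:
        check_access(user, doc)
        allowed = True
    except AccessDenied:
        allowed = False
    log.append({"ts": ts, "user": user["id"], "doc": doc["id"],
                "type": doc["type"], "allowed": allowed})
    return allowed


def find_alerts(log, window=timedelta(hours=1), max_files=20, max_denied=3):
    """Alert rules over the audit log: bulk retrieval of many distinct files within
    one window, and repeated denials for the same user."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, events in by_user.items():
        denied = sum(1 for e in events if not e["allowed"])
        if denied >= max_denied:
            alerts.append({"user": user, "reason": "repeated_denials", "count": denied})
        reads = [e for e in events if e["allowed"]]
        for i, start in enumerate(reads):  # sliding window over successful reads
            docs = {e["doc"] for e in reads[i:] if e["ts"] - start["ts"] <= window}
            if len(docs) > max_files:
                alerts.append({"user": user, "reason": "bulk_retrieval", "count": len(docs)})
                break
    return alerts


def build_sample_log():
    """Constructed sample activity (not real data)."""
    t0 = datetime(2014, 10, 1, 9, 0)
    alice = {"id": "alice", "role": "hr_officer", "dept": "HRO"}
    bob = {"id": "bob", "role": "dept_head", "dept": "CS"}
    carol = {"id": "carol", "role": "staff", "dept": "EE"}
    log = []
    # alice pulls 25 different personnel files in ten minutes: permitted, but unusual
    for n in range(25):
        doc = {"id": f"P-{n:04d}", "type": "personnel", "owner_id": f"s{n}", "owner_dept": "EE"}
        read_document(log, alice, doc, t0 + timedelta(seconds=24 * n))
    # bob repeatedly tries appraisals of staff outside his own department
    for n in range(3):
        doc = {"id": f"A-{n}", "type": "appraisal", "owner_id": f"s{n}", "owner_dept": "EE"}
        read_document(log, bob, doc, t0 + timedelta(minutes=30 + n))
    # carol reads her own file, then tries a colleague's
    read_document(log, carol, {"id": "P-9000", "type": "personnel", "owner_id": "carol",
                               "owner_dept": "EE"}, t0 + timedelta(hours=2))
    read_document(log, carol, {"id": "P-9001", "type": "personnel", "owner_id": "dave",
                               "owner_dept": "EE"}, t0 + timedelta(hours=2, minutes=1))
    return log


if __name__ == "__main__":
    for alert in find_alerts(build_sample_log()):
        print(alert)
```

On the constructed log this reports alice for bulk retrieval (25 distinct files inside one hour) and bob for repeated denials; carol’s single refused request is recorded but stays below the threshold. Thresholds and window sizes here are placeholders; in a real deployment they would be tuned against the office’s normal retrieval rates.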
FYI
A Glance at the CityU e-Recruitment System
Wilson Wong
The CityU e-Recruitment System is part of the University’s Paperless Office Project. It is aligned with the University’s Green Campus strategy and is targeted at improving operational efficiency and record management. The Computing Services Centre (CSC) and the Human Resources Office (HRO) jointly designed the system. Phase I was launched in early August 2014 and comprises two modules: the Online Jobs Application Module, which provides a fast and easy electronic platform for job applications, and the Administrative Module, which facilitates applicant screening by the recruiting departments.

The Online Jobs Application Module
This module covers all academic, research and non-academic openings. It provides a user-friendly electronic interface for submitting job applications to the University, including completion of online application forms and, where appropriate, attachment of supporting documents to the System. The module also allows applicants to review their recent applications prior to the closing date and to edit and re-submit applications if necessary. Applicants may download a PDF version of their applications for reference, and it can be reused when applying for other future job openings offered by the University.

Figure 1: The Online Jobs Application Module
Figure 2: My Application of the Online Jobs Application Module. Applicants may review and download submitted applications here.

Interested parties may visit the System at http://jobs.cityu.edu.hk and refer to the Online Application Procedures for details.

The Administrative Module
This module provides an effective online recruiting venue for departments to review job applications anytime and anywhere. All online applications are instantly channeled to the recruiting departments for review, and senior management can at the same time have an overview of the applications received, in particular for faculty openings. Recruiting panel members may choose to receive email notifications on the status of new applications received for each job opening on a daily, weekly or monthly basis. The Phase I implementation provides the essential administrative functions, such as maintenance of recruiting panel members, uploading of new applications/nominations, and provision for personal notes. It is expected that in Phase II more functions will be available to facilitate the screening process: searching on defined criteria, solicitation of external assessment reports, online shortlisting and the approval processes. The new CityU e-Recruitment System not only provides a sustainable paperless environment but also speeds up the entire recruitment process by reducing the cycle time at each stage. The summary of historical data and reports kept in the System will also facilitate analysis for future recruitment and manpower planning.

Figure 3: Application List of the Administrative Module
BRIEF UPDATES
Canvas Implementation Progress
Crusher Wong

Semester A 2014/2015 has reached Week 3, so it is a good time to review the Canvas pilot in terms of adoption rate. 132 colleagues signed up to be early adopters of Canvas in 182 courses. However, Canvas analytics showed many more: 216 teachers were running 208 courses on Canvas. The snapshot of the analytics report (see Figure 1) was taken on 17 September 2014 by defining the term as 2014/2015 Semester A with both City University of Hong Kong (CityU) and Community College of City University (CCCU) courses. The School of Continuing and Professional Education (SCOPE) operates its programmes on Canvas by cohort, so the analytics by term did not pick up its activities.

The numbers indicated that 208 courses were published (available to students), with 216 unique teachers and 10,758 unique students having activities in the last 30 days. 474 assignments were submitted and 643 discussion topics (we believe they were actually discussion messages) were posted onto Canvas. In addition to the 4,276 files uploaded, there were 29 media recordings. Definitions of the terms used in the analytics are available at http://go.cityu.hk/hfwiti.

Figure 1

Activity by Date showed how users taught and learnt on Canvas. When there were only page views on a given day, the bar is blue; orange bars mean there were activities besides page views. Figure 1 showed that activities had been carried out since 25 August 2014, one week before the semester started. The peaks were 72,315 page views with 248 participations on 1 September 2014 and 55,072 page views with 409 participations on 15 September 2014.

Activity by Category told us that students were mostly accessing files, and the use of other tools would increase when the typical assessment period commenced. Total page views exceeded 800,000 after less than 4 weeks of intensive use. Grade Distribution did not make any sense at this point, and we shall come back to this item at the end of the semester.

As a modern Learning Management System, Canvas provides real-time analytics at different levels within the system. If you are teaching a course on Canvas, you may also check out course-level analytics in the sidebar at the Home of the course (Figure 2). You will find not only usage of the course but also the participation of individual students. Details of course analytics can be found at http://go.cityu.hk/getise.

Figure 2
FEATURE
Managing IT Projects in SharePoint
Donny Lai

The Central IT of CityU has established the PMO (Project Management Office) Practices to better align IT development with University strategies and to bring in internationally recognized project management best practices. The project management practices and guidelines are tailored for the environment of our IT offices and published under www.cityu.edu.hk/PMO. To simplify and standardize the reporting and monitoring of IT projects, Central IT customized a set of project management sites for recording and monitoring project progress on the new SharePoint Online platform, which is part of our Office 365 solution. The new SharePoint platform integrates with our email system, provides sophisticated storage for document management, allows discussions through forums, and incorporates the newsfeed feature for Facebook-style social communication among project members. Those features are essential to the project management site. Figure 1 shows the homepage of the Central IT Project Management Portal. It integrates the features of Outlook, Calendar, People, Newsfeed, OneDrive and other SharePoint sites. The first page simply includes the document repository and links to the sub-sites of the IT offices.

Fig. 1 Home page of the Central IT Project Management Portal

An IT project is considered successful if it delivers the agreed features and business value on time and on budget. Before a project starts, we need to plan ahead to estimate the time and resources required to achieve the expected outcomes and deliverables. In general, project planning involves several basic steps: determining the key releases or milestones, the main project tasks and activities, the share of contribution of each task and activity to the success of the project, and the planned effort (for example in person-days) to be allocated to each task and activity. Once the project plan is agreed among the project stakeholders and the project team, the project can proceed to execution according to the plan. Task progress and project status are then periodically monitored and reported to management. Figure 2 shows a work list of project tasks and activities. It is a template designed to help project managers plan the schedule for the essential tasks and activities of the project, determine the contribution share in percentage, estimate the effort in person-days, and update the consumed effort and task status during execution of the project.

Fig. 2 A sample work list of project tasks and activities

Project managers need to assess task progress and report project status monthly so that project directors and sponsors can respond in time to any unexpected deviations. Each month, project managers record task progress as the planned days utilized, the actual days of work, the completeness of the tasks and activities, and their progress status. For completeness, project managers may use the simple scale of 0% for not started, 25% for just started, 50% for half done, 75% for almost finished, and 100% for truly completed. From these inputs, four key figures of project status follow directly: the planned percentage accomplished, the actual percentage of project work done, the planned effort/days utilized, and the actual effort/days spent. These four calculated figures are highlighted in Figure 2. To assist progress tracking, we have developed a customized project task list in SharePoint and an Excel worksheet template (Figure 3). Project managers may use either one to record task progress and project status easily.

Fig. 3 An Excel worksheet for planning and managing project tasks

An IT project management site has been established in the same SharePoint for each IT office. The site serves two key functions. The Project List and Project History are used for recording the latest status of the IT office’s projects. The Maintenance+Support List and the M+S History List are used for recording the monthly effort spent on maintenance and support services. To manage all IT projects of the IT offices, project managers need to update the project list monthly. The four key calculated figures of each project (the planned percentage accomplished, the actual percentage of project work done, the planned effort/days utilized, and the actual effort/days spent) are required for calculating the cost performance index (CPI) and the schedule performance index (SPI). If a performance index is 1, actual performance is equivalent to the planned value. If it is less than 1, actual performance is below the planned value and a small red bar is shown below the index. If it is greater than 1, actual performance is better than planned and a small green bar is shown instead. Both the indexes and the colored bars help illustrate relative project progress. Figure 4 shows the progress and status of two sample projects in the project list. Their last reporting month is April 2014. As the colored bars illustrate, Project A obviously performed better than Project B. Both of Project B’s schedule performance index (SPI) and cost performance index (CPI) were lower than 0.75, which implies that the causes should be examined and some remedial actions might be necessary.

Fig. 4 Centralized Project List for each IT office

The project list is an effective single view of all projects. It shows whether the monthly progress of every project has been updated properly for the specified reporting month, and it shows the performance of all projects through the indexes and colored bars of different lengths. The project list can be easily rearranged in a different sequence, or the whole list downloaded to an Excel worksheet for further analysis. All monthly records of project progress are automatically kept in the project history list (Figure 5), which lets management query the progress history and track progress over time. The project history can also be downloaded to an Excel worksheet for further analysis or reporting. The above features of the project management site represent the core information needed for IT offices to monitor and manage the progress of their projects. We envision that this initial version of our tool will mature over time with use and experience. We also look forward to your comments and suggestions.

Fig. 5 Project History List

FEATURE
New Database Machine for Banner System
Oracle Project Team

While increasing the number of students and courses at the City University is great news for the University and its student body, it also has the disadvantage of straining the University’s available resources, particularly on the IT side of the campus.

Banner is the ERP system of the University. The Banner Student System, first implemented in 1998, supports all kinds of student administration and helps students register for courses, check class and examination timetables, check grades and apply online for various other services. Working with the Banner Student System to enhance the student learning experience is another piece of software, Degree Works, which provides online academic planning tools that help students and advisors see what courses and requirements students need to graduate. Over the past few years Banner has shown signs of performance and capacity degradation during peak usage times, particularly course registration. This has affected course add/drop and registration services and lowered overall user satisfaction.

In response, the Central IT of the University has launched a project to review the entire system with the goal of resolving existing problems and ensuring it is robust enough to handle future growth by maintaining system stability, response time, availability and end-user experience. Any solution must also enhance database performance for longer-term requirements by expanding capacity to accommodate increased peak registration workloads, consolidating other databases such as Degree Works, and improving data processing and SQL/reporting performance. Because Banner is based on an Oracle enterprise database and has been running on Oracle SPARC hardware, the Central IT explored with Oracle possible means to resolve the capacity and reporting problems and build a future-proof online system. A few hardware options were assessed and compared, including the Exadata Database Machine, which Oracle describes as the highest-performing and most available platform for running Oracle Database. Exadata’s architecture features scale-out industry-standard database servers, scale-out intelligent storage servers, and a high-speed InfiniBand internal fabric that connects all servers and storage. Exadata’s software implements database intelligence in storage, PCI-based flash and InfiniBand networking, which Oracle says delivers higher performance and capacity at lower cost than other platforms. Exadata runs all types of database workloads, including online transaction processing, data warehousing, and consolidation of mixed workloads. It is said to be fast and simple to implement and an ideal foundation for a consolidated database cloud.

Other features include:
• Oracle Exadata Smart Scan: data-intensive workloads, such as reports and data warehouse queries, are offloaded to Oracle Exadata’s intelligent storage server software running in Oracle Exadata storage, boosting performance and return on investment.
• Oracle Exadata Smart Flash Cache: Oracle Exadata’s storage hierarchy of DRAM, flash and disk automatically migrates data to ensure the best performance and the lowest storage cost.

A proof of concept on Exadata to address the resource demand of course registration was undertaken. Oracle performed load testing on Banner student course registration using the University’s load testing scripts, with a baseline of 900 concurrent users and a target of 3,000. In its proof of concept study, Oracle also ran Degree Works data extraction as well as selected PL/SQL and SQL queries extracted from the Banner system to demonstrate further what Exadata can offer. The company also used the Smart Scan feature of the machine to show how some modifications to the SQL could provide better performance. Load testing of course registration was able to handle 3,000 concurrent users with room to handle more. The Degree Works data extraction job could process 13,900 student records in 2 hours. With this level of performance gain, Oracle estimates that the daily batch processing job could be reduced from 17 hours to just 4 hours and that the system could run much more complex reports and extended analytics. The University was satisfied with the proof of concept result and acquired an Exadata X4-2 Eighth Rack, which is the entry model. Installation and implementation are in progress. The University targets to have the system up and running for the course registration exercise in December.

Figure: Oracle Exadata
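Returning to the monthly project list described in the SharePoint article above: the roll-up from the task work list to the four key figures, and from those to SPI and CPI, the red/green bars and the 0.75 attention threshold, is worked through below as an added example. This is not Central IT’s SharePoint list or Excel template; the two sample projects are constructed to resemble the Project A / Project B comparison, and the formulas (SPI = EV/PV, CPI = EV/AC, with EV the actual percentage done and PV the planned percentage accomplished, both expressed in budgeted days against actual days spent) are the standard earned-value definitions, assumed here as the way the page’s four figures combine. The example also covers the case the page does not spell out: a project with no scheduled or spent effort yet, where both indexes are undefined rather than a division by zero.

```python
"""Worked earned-value computation for a monthly project list: the four key figures,
SPI/CPI, the red/green bar colouring and the 0.75 attention threshold. Added
illustration, not Central IT's SharePoint list or Excel template; the task data and
the SPI = EV/PV, CPI = EV/AC formulas are assumptions about how the page's four
figures are combined."""

# The completeness scale from the article.
COMPLETENESS = {
    "not started": 0.00, "just started": 0.25, "half done": 0.50,
    "almost finished": 0.75, "completed": 1.00,
}


def project_figures(tasks):
    """Roll a task work list up into the four key figures.

    Each task: share (fraction of project value; shares sum to 1), planned_days
    (budgeted effort), planned_days_used (budgeted effort that should have been
    consumed by the reporting month), actual_days (effort actually spent) and
    status (a COMPLETENESS key).
    """
    if abs(sum(t["share"] for t in tasks) - 1.0) > 1e-9:
        raise ValueError("contribution shares must sum to 100%")
    return {
        # planned percentage accomplished: value that should have been earned by now
        "planned_pct": sum(t["share"] * t["planned_days_used"] / t["planned_days"]
                           for t in tasks),
        # actual percentage of project work done: value actually earned
        "actual_pct": sum(t["share"] * COMPLETENESS[t["status"]] for t in tasks),
        "planned_days_used": sum(t["planned_days_used"] for t in tasks),
        "actual_days": sum(t["actual_days"] for t in tasks),
        "budget_days": sum(t["planned_days"] for t in tasks),
    }


def bar(index):
    """Colour of the little bar shown under an index: red below 1, green above 1."""
    if index is None or index == 1:
        return "none"
    return "red" if index < 1 else "green"


def assess(tasks, attention_below=0.75):
    """Compute SPI and CPI and flag a project whose indexes both fall under the threshold.

    SPI = EV / PV compares the percentage actually done with the percentage planned;
    CPI = EV / AC compares the value earned (in budgeted days) with the days actually
    spent. Before any effort is scheduled (PV = 0) or spent (AC = 0) the index is
    undefined and reported as None instead of dividing by zero.
    """
    f = project_figures(tasks)
    ev_days = f["actual_pct"] * f["budget_days"]
    spi = f["actual_pct"] / f["planned_pct"] if f["planned_pct"] else None
    cpi = ev_days / f["actual_days"] if f["actual_days"] else None
    flagged = (spi is not None and cpi is not None
               and spi < attention_below and cpi < attention_below)
    return {**f, "spi": spi, "cpi": cpi, "spi_bar": bar(spi), "cpi_bar": bar(cpi),
            "needs_attention": flagged}


# Constructed sample work lists for two projects at the same reporting month.
PROJECT_A = [
    {"name": "Design", "share": 0.2, "planned_days": 10, "planned_days_used": 10,
     "actual_days": 9, "status": "completed"},
    {"name": "Build", "share": 0.5, "planned_days": 40, "planned_days_used": 20,
     "actual_days": 18, "status": "half done"},
    {"name": "Test", "share": 0.3, "planned_days": 20, "planned_days_used": 0,
     "actual_days": 0, "status": "not started"},
]
PROJECT_B = [
    {"name": "Design", "share": 0.2, "planned_days": 10, "planned_days_used": 10,
     "actual_days": 14, "status": "almost finished"},
    {"name": "Build", "share": 0.5, "planned_days": 40, "planned_days_used": 20,
     "actual_days": 16, "status": "just started"},
    {"name": "Test", "share": 0.3, "planned_days": 20, "planned_days_used": 0,
     "actual_days": 0, "status": "not started"},
]

if __name__ == "__main__":
    for name, tasks in (("Project A", PROJECT_A), ("Project B", PROJECT_B)):
        r = assess(tasks)
        print(f"{name}: planned {r['planned_pct']:.0%}, done {r['actual_pct']:.0%}, "
              f"SPI {r['spi']:.2f} ({r['spi_bar']}), CPI {r['cpi']:.2f} ({r['cpi_bar']}), "
              f"attention={r['needs_attention']}")
```

With these inputs Project A is on schedule (SPI 1.00) and under budget (CPI 1.17, green bar), while Project B has earned 27.5% against a planned 45% (SPI 0.61) at a cost of 30 days for 19.25 budgeted days of value (CPI 0.64); both of its indexes sit below 0.75, so it is the one flagged for examination.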
IT Security Awareness Series by JUCC
With the aim of enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security. They will be adopted and published here for your reference.
Compliance Management

I. Background

Industry Story: Internet Law, Hong Kong’s Criminal Copyright Infringement: What Constitutes a Copy Capable of Distribution?
Hong Kong has not only tightened its copyright laws; its authorities are actively prosecuting copyright violations, a smart move in an increasingly globalised economy. In the case of Chan Nai Ming v. HKSAR, the respondent was charged with attempting criminal copyright infringement for unlicensed dissemination of copyright films via the Internet, particularly through the use of “BitTorrent” technology. It was proven that the respondent had downloaded a copy of the copyright film onto his computer’s hard drive and made arrangements to allow transmission of this file. Thus a digital copy constitutes a copy under Hong Kong’s copyright law, and distribution of copyright works through software or other technological means may constitute distribution under the same law. See the article: http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2257
Compliance Management Overview
Compliance management is the procedure adopted by universities to comply with applicable statutory, regulatory and contractual requirements related to information security. It is an integrated approach implemented within universities which usually includes the following components:
• Identification of Compliance Requirement on Information Security;
• Monitoring of Compliance Status;
• Reporting on and Handling of Noncompliance; and
• Education and Training.
II. Management

Identification of Compliance Requirement on Information Security
In Hong Kong, there are a variety of statutory and regulatory requirements applicable to information security. The following lists a few pieces of legislation that are closely related to the university environment.
• Personal Data (Privacy) Ordinance: in order to protect privacy interests, this Ordinance covers any data relating directly or indirectly to a living individual from which it is practicable to ascertain the identity of the individual. Put another way, the Ordinance applies to any person who controls the collection, holding, processing or use of personal data. Many kinds of information held by universities are governed by the Ordinance, and such information is usually stored and processed within information systems: for example, student records with application information and examination scores, and employment records with HKID numbers and home addresses.
• Copyright Ordinance: the Copyright Ordinance currently in force in Hong Kong provides comprehensive protection for recognised categories of literary, dramatic, musical and artistic works, as well as for films, television broadcasts and cable diffusion, and works made available to the public on the Internet. Copyright penetrates the daily operations of universities in every aspect. Research papers, patents and software are common things that come with copyright issues. The convenience brought by the Internet through resource sharing has also created more possibilities for violating this Ordinance.
• Crimes Ordinance: the Crimes Ordinance has extended the meaning of “property” to include any program or data held in a computer or in a computer storage medium. Therefore criminal activities (e.g. misuse, damage, unauthorised access, etc.) against such property can be charged under the Crimes Ordinance. Compared to business organisations, universities are relatively open environments with many places accessible by the public. In particular, many universities offer students or the public free access to their wireless network and websites, which contain a wide range of electronic resources including e-books, teaching materials or even software.
Besides the statutory and regulatory requirements, there are also contractual requirements that universities have to comply with. Universities should ensure that all contracts with third parties are regularly examined for any contractual requirements relevant to information security.
Monitoring of Compliance Status
Once the statutory, regulatory and contractual requirements applicable to the university have been identified, management should invest appropriate resources to find out whether the relevant parties comply with them. Compliance lies with the process or asset owners; they are therefore responsible for ascertaining that processes or procedures are in place to ensure compliance. Periodic checks can be performed to collect the compliance status from the process or asset owners, including any noncompliance issues that have occurred and any changes to processes that may affect the university's compliance with particular statutory, regulatory or contractual requirements. The checking results should be reviewed by management to ensure that any noncompliance issues are followed up in a timely manner for further remedial action.
Reporting on and Handling of Noncompliance
Noncompliance reported to the process or asset owners should be dealt with promptly and escalated to senior management as appropriate. Remediation should be identified and deployed in a timely manner, and management should monitor the progress of remedial actions until completion. Substantial noncompliance issues, whether singular or systemic/recurring, should be attended to with higher priority and considered for more frequent monitoring. Universities may incorporate the noncompliance reporting and handling process into their existing incident handling and escalation procedures: noncompliance can be defined as one of the incident types, with its possible consequences anticipated and corresponding handling procedures designed.
Education and Training
Achieving compliance requires commitment not only from management but also effort from staff members, students and third-party contractors. Adequate training should be delivered to them to introduce the relevant statutory, regulatory or contractual requirements and the necessary steps towards full compliance. The training can include the following points:
• Legislation in Hong Kong that has sections applicable to information security;
• Procedures that should be followed in order to comply with the above legislation; and
• Reporting procedures for noncompliance.
Process or asset owners should inform the relevant personnel (e.g. the Compliance Officer) of any changes to the statutory, regulatory or contractual requirements, as well as the resulting changes to operational procedures.
III. General Users
Roles and Responsibilities
General users play a vital role in the compliance management of universities. They must understand what they should and should not do in order to achieve compliance with the relevant statutory, regulatory and contractual requirements. The following are some of the major responsibilities of general users in compliance management:
• Attend the training and familiarise themselves with the legislation and contract terms related to information security;
• Follow the instructions and procedures established by the university to ensure compliance or avoid noncompliance;
• Consult the responsible staff (e.g. Helpdesk, Process or Asset Owners) when they cannot tell whether certain actions may lead to noncompliance issues;
• Be alert and report any noncompliance noted to the right party; and
• Assist management in investigating and remediating noncompliance issues.
Conclusion
With the increasing tightening of statutory, regulatory and contractual requirements on information security, universities should invest sufficient resources to ensure that adequate controls are implemented to achieve an effective compliance management process. Such a process should govern the whole compliance lifecycle, including compliance requirement identification, monitoring, noncompliance handling and user education.
Reference:
http://www.pcpd.org.hk/english/ordinance/ordglance.html
http://www.ipd.gov.hk/eng/pub_press/publications/hk.htm
http://www.infosec.gov.hk/english/ordinances/corresponding.html
http://policy.cqu.edu.au/Policy/policy_file.do?policyid=1843
http://benchmarks.cisecurity.org/tools2/windows/CIS_WindowsXP_Benchmark_v2.01.pdf
Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hk Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong
FEATURE
Using Office 365 for Education Andy Chun, Crusher Wong, and Maria Chin
Microsoft Office 365 (O365) is a cloud-based service that offers a suite of productivity tools built around the Microsoft Office platform. Being cloud-based with mobile app support, the O365 platform is convenient for various types of online collaboration and sharing within the higher education environment. CityU began to deploy O365 in 2013. Currently, all students have migrated to O365 for their email services, while staff and alumni are being migrated at this time. The O365 environment provides CityU students and teachers with more flexibility, allowing them to share and learn anytime, anywhere, on practically any device. At CityU, students and staff run in separate O365 tenants in the cloud: a "T1" tenant for students and a "T2" tenant for staff. Staff who need close interaction with students may consider getting a separate account in T1 as well. O365 consists of a suite of tools, including Exchange Online, Lync Online, SharePoint Online, Newsfeed and OneDrive, as well as access to Office Online and the Mobile Apps. The following highlights how some of these tools can be used in teaching and learning.
Outlook Online – The most common use of O365 is probably its Exchange email service. Outlook Online allows teachers and students to communicate on any device with a browser, as well as through the Outlook Web App (OWA) mobile app for iOS, Android or Windows Phone. Outlook Online is tightly integrated with MS Office, so you can edit MS Word, Excel and PowerPoint documents right inside the browser or natively on the desktop.
Calendar Online – With O365, the Calendar can be accessed in any browser or on a mobile device via the OWA mobile app, allowing teachers and students to check their own schedule anytime, anywhere. For staff within T2, the Calendar lets departments easily find out when colleagues are free in order to schedule meetings. Teachers who wish to can share part of their calendar, such as their office hours, with students so that they can sign up for meetings; however, the teacher will need an account in T1. CSC has prepared a separate account for each teacher in the student T1 tenant. Teachers who would like to use this feature, or who simply want a separate email account for teaching purposes, can activate their account on the student tenant.
Office Online and Mobile apps – O365 allows MS Office documents to be viewed and edited on any device through a browser, on the desktop (if Office is installed) or in the Office Mobile app. For example, since MS Word, Excel and PowerPoint files can be edited right inside a browser, teachers and students can conveniently work from any machine on or off campus.
OneDrive – This is cloud storage that allows students and teachers to quickly create MS Office files and share them with one another, either for viewing or for editing, as set by the owner. For example, in T1, students in a team can collaborate on the same set of documents via OneDrive, while in T2, colleagues collaborating on research can work on the same reports and papers together at the same time.
Lync Online – Lync provides video calls and instant messaging, allowing virtual face-to-face teaching and instruction.
SharePoint Online – There are many potential uses of SharePoint Online. It can serve as a basic document management system (DMS) or as a basic learning management system (LMS). For example, in T2, departments may use SharePoint Online to create an interactive departmental knowledge management portal for sharing documents, policies, guidelines and best practices internally. Teachers may create a "sub-site" in T1 to use as a course site for sharing course announcements, documents, assignments and schedules (as an example, please see "Toyan's Site" below). The Newsfeed feature works like Facebook and allows one to easily share statuses, photos and links as well as Office documents.
Toyan's Site is an example of how to use SharePoint Online to manage a final year project. The menu on the left-hand side shows various tools, such as Mailbox, Timetable (of classes) and Pictures (photo album), that are available for learning activities. Tools can easily be added and configured by the user herself. In particular, the Project Timeline app is shown on the home page to remind the user of the progress of her final year project. With total control of the site in terms of content, features and users, SharePoint Online supports not only self-directed learning but also social interaction for knowledge building.
FEATURE
University-wide Network Vulnerability Scanning The Office of the Chief Information Officer
Starting September 2014, as part of the University's new Vulnerability Management initiative, the Information Security Unit (ISU) of the Office of the Chief Information Officer (OCIO) will perform routine network vulnerability scanning. The main objective is to obtain a clear and accurate picture of the security posture of our campus network and to identify any potential security risk or issue. Any discrepancy between the actual status and the perceived or expected status also hints at how well we understand our systems and how well they are managed. An everyday analogy is regular vehicle inspection: it attempts to find problems early and lets us better understand the performance of our own cars through indicators.
How is it done?
We use Tenable Nessus for network vulnerability scanning. Periodic linear scans of all campus IP addresses are scheduled to run. The scanner is configured to check only vulnerabilities exposed at the network level, and runs in "safe" mode, i.e. with no intrusive scanning (Nessus's "safe checks" setting skips plugins that could disrupt the target service). In other words, the scanning will be broad but shallow. Using the vehicle inspection analogy again, a basic inspection covers only simple checks such as brakes, emissions and oil level; a sophisticated examination such as engine analysis is beyond its scope. Our scanning is initiated from the Office of the Chief Information Officer (OCIO) subnet. If users detect suspicious scanning activity and are unsure whether it is an attack or our legitimate scanning, they are advised to contact infosec@um.cityu.edu.hk to verify.
What will we do if problems are found? It depends on the severity of the problem. Unfortunately, there is no such thing as absolute security in the world we live in. In general, for non-critical issues or potential problems, a record will be made so that we can keep an eye on it. On the other hand, if a critical issue is identified, we will use IP information to trace the issue back to the system owner, and alert him/her to the problem so that he/she can make immediate remediation. In general, we do not take down a system because of potential problems. Systems are usually taken down only if they have been found to be compromised.
Are there more examples of critical issues?
Normally, we consider an issue critical if the vulnerability is easily exploitable and its consequence is disastrous. For instance, it is a concern if a system is not patched with the latest updates and a known vulnerability is left open that allows attackers to take control of the system. A compromised system can lead to the disclosure of sensitive or confidential information, and can be used as a tool to attack other systems on campus or elsewhere on the Internet. In the vehicle analogy, a malfunctioning air-conditioner is normally not a major problem, whereas brakes that do not work well are a threat to both the driver and other road users.
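As an added example, not part of the OCIO article or of ISU's actual scanner configuration, the following Python script shows how the triage described above could be applied to a Nessus export: it parses the .nessus (XML v2) format, keeps findings that are both critical and easily exploitable for immediate alerting, records the rest for watching, maps each affected IP back to a system owner by subnet, and checks whether a probe's source address falls inside the scanner subnet. The sample report, the plugin IDs and names, the subnet-to-owner table and the scanner subnet are all constructed for this example; the "critical" rule (Nessus severity 4 with a public exploit available) is an assumption standing in for the article's "easily exploitable with a disastrous consequence".

```python
"""Triage a Nessus .nessus (XML v2) export. Added example; all data below is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed report. Plugin IDs 900001-900003 and their names are made up for the example.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="campus-linear-scan">
  <ReportHost name="10.10.1.25">
   <HostProperties><tag name="host-ip">10.10.1.25</tag><tag name="operating-system">Linux</tag></HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900001" pluginName="Constructed: SSH banner disclosure">
    <cvss_base_score>2.6</cvss_base_score>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900002" pluginName="Constructed: unpatched file-sharing service, remote code execution">
    <cvss_base_score>10.0</cvss_base_score>
    <exploit_available>true</exploit_available>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.20.7.4">
   <HostProperties><tag name="host-ip">10.20.7.4</tag></HostProperties>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="900003" pluginName="Constructed: outdated web server version">
    <cvss_base_score>7.5</cvss_base_score>
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Constructed subnet-to-owner table; in practice this comes from the campus IP registry.
OWNERS = {
    "10.10.0.0/16": "Department A system administrator",
    "10.20.0.0/16": "Department B system administrator",
}

# Constructed range for the OCIO scanner subnet (the article does not give the real one).
SCANNER_SUBNET = ipaddress.ip_network("10.99.0.0/24")

SEVERITY_CRITICAL = 4  # Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical


def owner_for(ip):
    """Map an IP address to a system owner by longest-prefix subnet match."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(net), owner) for net, owner in OWNERS.items()
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return "unknown (not in IP registry)"
    matches.sort(key=lambda m: m[0].prefixlen, reverse=True)
    return matches[0][1]


def is_authorised_scanner(src_ip):
    """True if a probe's source address lies inside the (constructed) scanner subnet."""
    return ipaddress.ip_address(src_ip) in SCANNER_SUBNET


def parse_findings(nessus_xml):
    """Yield one dict per ReportItem, carrying the host IP it was found on."""
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        host_ip = host.findtext("HostProperties/tag[@name='host-ip']") or host.get("name")
        for item in host.findall("ReportItem"):
            yield {
                "host": host_ip,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "exploit_available": (item.findtext("exploit_available") or "false").lower() == "true",
            }


def is_critical(finding):
    """Assumed reading of 'easily exploitable and disastrous': severity 4 plus a public exploit."""
    return finding["severity"] == SEVERITY_CRITICAL and finding["exploit_available"]


def triage(nessus_xml):
    """Split findings into 'alert' (notify the owner now) and 'watch' (keep on record)."""
    result = {"alert": [], "watch": []}
    for finding in parse_findings(nessus_xml):
        finding["owner"] = owner_for(finding["host"])
        result["alert" if is_critical(finding) else "watch"].append(finding)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_NESSUS)
    for f in report["alert"]:
        print(f"ALERT {f['host']}:{f['port']}/{f['protocol']} {f['plugin_name']} -> notify {f['owner']}")
    for f in report["watch"]:
        print(f"watch {f['host']}:{f['port']}/{f['protocol']} severity={f['severity']} cvss={f['cvss']}")
```

Run against a real export, the same parser applies unchanged; only the owner table and the scanner subnet need to be replaced with the campus registry and the actual OCIO range. A finding that is severity 4 but has no known exploit lands in the watch list rather than being dropped, which matches the article's practice of recording non-critical issues to keep an eye on.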
Will ISU and Central IT be able to fix my system?
Yes and no. If it is a network or operating system problem, ISU and Central IT are well equipped to advise on possible remediation to try. However, computer systems are much more than network and operating systems. The most valuable part is of course the application, which contains business-specific data and logic. There is no easy way for a third party to solve security issues within applications; only the company or persons who designed and developed the original source code have enough detailed technical and business knowledge to fix security issues in an application efficiently and effectively. We can only offer very limited support at the application level. No Ferrari owner would take their car to a Lamborghini garage for maintenance, right? Hence, users will need to seek support from their vendor or in-house developer on application-level issues.
Final remarks
The campus network and the Internet are valuable shared resources, and all of us need to use them with reasonable due care. We recommend that systems should always be updated with the latest patches and have anti-virus software enabled, and that users should refrain from browsing suspicious sites or clicking suspicious links. For system administrators, regular monitoring of their systems is crucial.
As the saying goes, "the computer is a double-edged sword", so please use it with care to avoid needless loss or damage to yourself and the campus. We thank you for your support! If you have more questions on this University-wide Network Vulnerability Scanning exercise, or any other questions about information security, infosec@um.cityu.edu.hk is always at your service.
GLOSSARY
IT Security from Wikipedia Andy Chun (ed.)
Man-in-the-middle Attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle). A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other — it is an attack on mutual authentication (or lack thereof).
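The glossary entry above, as an added worked example that is not part of the original newsletter: a Python simulation of an unauthenticated Diffie-Hellman key exchange in which "Mallory" sits on the path, makes an independent exchange with each victim and ends up holding a different session key with each of them, while Alice and Bob each believe they share a key with the other. The second run adds endpoint authentication (each party tags its public value under a long-term key the other can check, a stand-in for certificates) and the substitution is detected. The group parameters, names and long-term keys are toy values chosen for a runnable demo and are not suitable for real key exchange.

```python
"""Toy man-in-the-middle on Diffie-Hellman, with and without endpoint authentication.
Added example; the group below is a toy choice and must not be used for real key exchange."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), not a standard DH group
G = 3            # toy generator

# Long-term secrets standing in for certificates: each party can check who really
# sent a public value. Mallory does not hold these.
LONG_TERM = {"alice": b"alice-long-term-secret", "bob": b"bob-long-term-secret"}


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Shared secret g^(ab) mod p, hashed into a 32-byte session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def tag_for(name, pub):
    """Authentication tag over (sender, public value) under the sender's long-term key."""
    return hmac.new(LONG_TERM[name], name.encode() + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def announce(name, pub, authenticated):
    return {"from": name, "pub": pub, "tag": tag_for(name, pub) if authenticated else None}


def verify(msg):
    """Receiver recomputes the tag under the claimed sender's long-term key."""
    return hmac.compare_digest(msg["tag"], tag_for(msg["from"], msg["pub"]))


class Mallory:
    """On-path attacker: replaces each public value with her own, so she completes
    a separate exchange with each victim and holds a key shared with each of them."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.keys = {}  # victim name -> session key Mallory shares with that victim

    def intercept(self, msg):
        self.keys[msg["from"]] = session_key(self.priv, msg["pub"])
        # She cannot recompute the tag without the victim's long-term key, so the
        # original tag is forwarded alongside her substituted public value.
        return {**msg, "pub": self.pub}


def relay(msg, mallory):
    """One network hop; with Mallory present she sees and may rewrite the message."""
    return mallory.intercept(msg) if mallory else msg


def handshake(authenticated, mallory=None):
    """Run one exchange. Returns the session key each side derived, or None when an
    authenticated handshake is aborted because a received tag fails to verify."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    to_bob = relay(announce("alice", a_pub, authenticated), mallory)
    to_alice = relay(announce("bob", b_pub, authenticated), mallory)
    if authenticated and not (verify(to_bob) and verify(to_alice)):
        return None
    return {"alice": session_key(a_priv, to_alice["pub"]),
            "bob": session_key(b_priv, to_bob["pub"])}


if __name__ == "__main__":
    keys = handshake(authenticated=False)
    print("no attacker, no auth: Alice and Bob agree =", keys["alice"] == keys["bob"])
    m = Mallory()
    keys = handshake(authenticated=False, mallory=m)
    print("attacker, no auth: Alice and Bob agree =", keys["alice"] == keys["bob"],
          "| Mallory holds Alice's key =", keys["alice"] == m.keys["alice"],
          "| Mallory holds Bob's key =", keys["bob"] == m.keys["bob"])
    print("attacker, with auth: handshake =", handshake(authenticated=True, mallory=Mallory()))
```

The point the glossary makes is visible in the last two runs: without authentication the exchange completes and neither victim can tell anything is wrong, because each of them did talk to "someone" who knew the protocol; with authentication, Mallory can relay the messages but not impersonate either endpoint, so the handshake is refused rather than silently split in two.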
Social Engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. The term “social engineering” as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called “bugs in the human hardware,” are exploited in various combinations to create attack techniques. This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/Share-Alike License.
Editorial Box OCIO Newsletter Advisory Board Dr. Andy Chun (OCIO) Ms. Annie Ip (OCIO) Mrs. W K Yu (ESU) Mr. Raymond Poon (CSC) Mr. Peter Mok (CSC) Ms. Maria Chin (CSC) Publishing Team Ms. Noel Laam (CSC) Ms. Annie Yu (CSC) Ms. Joyce Lam (CSC) Mr. Ng Kar Leong (CSC) Ms. Kitty Wong (ESU) Ms. Doris Au (OCIO) For Enquiry Phone 3442 6284 Fax 3442 0366 Email csc@cityu.edu.hk OCIO Newsletter Online http://issuu.com/cityuhkocio