
OCIO Newsletter issue 16


July 2014 - The sixteenth issue of the OCIO Newsletter of the City University of Hong Kong.


Page 1: OCIO Newsletter issue 16

Issue 16 • JUL 2014

SPOTLIGHT

TAG and MADG project sharing series (III): DEC Technology Adoption Grants for Teaching Innovation Series

Angel Lu

In part 3 of this series, we highlight two impressive projects that received funding from the DEC “Technology Adoption Grants for Teaching Innovation” (TAG). The first project was led by Dr. Sylvia Kwok Lai Yuk-ching from the Department of Applied Social Studies (SS) and is called “Technology Application in the Analysis of Group Dynamics and Group Work Skills.” The second was led by Terence C.H. Cheung from the Department of Information Systems (IS) and is called “Using Mobile Technology to Promote Intelligence, Social and Mobile Learning.” These projects demonstrate the positive influence that technology adoption has on students’ teaching and learning.

Improving group dynamics and interaction via recording

It is not a matter of what the gadgets are, but how they are applied, that brings out their effective power. Dr. Kwok transforms a video handset into an efficacious reflection device to encourage student engagement. In a typical practice session, students are split into groups with assigned roles, either as the social worker or as members. The role-playing and group performances are recorded via the video handsets. Afterwards, the videos are uploaded onto Blackboard and reviewed by all students. In class, iPads come in handy to provide playback, which facilitates more meaningful and detailed discussion among the groups. As a result, not only does the social worker in the group benefit from a host of feedback and suggestions aggregated from Blackboard and other classmates, but all the other members also gain knowledge of commenting on group dynamics and the worker’s skills.

“Videotaping does help me and students provide more detailed and meaningful feedback,” Dr. Kwok noted appreciatively.

Practice makes perfect, especially in the area of social studies, which emphasizes group dynamics and interaction. However, Dr. Kwok aims further than mere practice. During the course, students are encouraged to carry out a real-life project with positive themes. Those genuine clients, including primary school children, help create a vivid but practical learning experience. These valuable sessions are, undoubtedly, recorded and shared among all of the students. Thus, the recordings are turned into a collaboration tool for the mutual growth of students.

“Nowadays, I would like my students to stand up from the C-L-O-U-D (delivery of computing and content over network), as well as the crowds,” remarked Dr. Cheung.

Collaboration on information sharing and e-portfolios

Technology is ever-changing, as fast as a lightning bolt, while textbooks usually fall behind the pace due to their constraints. Dr. Cheung takes a proactive approach to employing new ideas from the project in teaching. Rather than waiting passively, students are motivated to attend at least one industrial seminar during his course to obtain the latest information and share it immediately via Twitter. In return, students from the class of about 140 can acquire new information and tweet what they learnt from seminars promptly. Students are responsible for summarizing and sharing their information as a reflection report on Blackboard. Hence, through exchanging the most up-to-date industrial information, students and seminar speakers, instead of instructors, act as their facilitators in constructing the knowledge collaboration platform.

Pragmatism has always been the core value of Dr. Cheung, as well as a requirement for students to follow. Dr. Cheung cultivates his students to see beyond the classroom. Therefore, another indispensable component of the project is to have students take part in authentic projects offered by real companies. Every mark counts during these projects to foster pragmatism. In reality, most supervisors are reluctant to offer outstanding appraisals to subordinates, so it is challenging for students to obtain their desired grades. The intention of the project is to mold students’ attitude and abilities for their future careers. Coincidentally, companies can take the chance to review and select ideal candidates from the apprenticeships, which kills two birds with one stone!

Competing for an internship is only part of the beginning. One of the most significant features of the project is the digital CV or Smart CV, which retains students’ academic footprint, as well as competition results, intern and working experience, exchange experience, community services, etc. In addition, a one-minute self-introduction clip will be logged into the system and open to the public. Thanks to the widespread use of the Internet, students enjoy the advantage of establishing their web identities and enhancing their online presence, which becomes increasingly crucial in this IT era. Thus, potential employers will now have an authentic source to identify their desired talents, while fresh graduates’ employability can also be improved and targeted.

Students as their own facilitators

Even though the two projects began with different aims, they share the same joy of success in encouraging active participation of students. Upon receiving the splendid assessment scores from her students, Dr. Kwok smiled proudly, not because of the magnitude of the scores, but because of the recognition from the students. Her future goal will be spending more time on commenting and modifying those recordings so that more students can benefit from the digitalized reflections. Dr. Cheung’s ideas from the project, on the other hand, are adopted as a compulsory subject in the Department of Information Systems. He also hopes that in the future there will be better social media functions and features integrated into the university platform so that he wouldn’t have to keep multiple social media accounts and record participation manually, so as to centralize student learning achievements and grade student work conveniently. With the wise application of technology, students no longer take a passive role, but evolve as their own facilitators in the process of effective learning and teaching.

INDEX

SPOTLIGHT
1 DEC Technology Adoption Grants for Teaching Innovation Series

FEATURE
3 CityU ITSM (ISO 20000) Project Update
7 Canvas Extended Pilot
9 IET/MATE Hong Kong Underwater Robot Challenge 2014
19 Security Information and Event Management (SIEM) Phase 3 Upgrade: More Than Just Service Monitoring

BRIEF UPDATES
12 Migration of Staff Email System from MS Exchange to MS Office 365 Exchange Online
16 A Quick Glance at Computer Courses that Keep Our Staff and Students Abreast of IT Knowledge
18 Prof. Cranor’s Security Blanket

FYI
11 Safe Mode in Android

IT SECURITY AWARENESS SERIES BY JUCC
14 Information Security Updates

STATISTICS AT A GLANCE
22 Central IT Fast Facts (2013-2014)

GLOSSARY CORNER
23 Heartbleed
24 Heartbleed explained by xkcd (comic)

FEATURE

CityU ITSM (ISO 20000) Project Update

Chadwick Leung

Project Background

In 2012, Central IT initiated a self-improvement project to implement an IT Service Management System (ITSMS) and an Information Security Management System (ISMS) following ISO/IEC 20000 and ISO/IEC 27001 respectively. The Paperless Office Service was selected as the first central service to follow these international standards as it was the most significant mission-critical enterprise system under development at that time.

ISO/IEC 20000 is a set of governance structures and best practices to ensure the quality of IT service management. On the other hand, ISO/IEC 27001 defines how information shall be protected. For more details about the ISO 20000 and 27001 standards, readers may refer to the reference material listed under “Further Readings” at the end of this article.

The Paperless Office Service is CityU’s Enterprise Content Management (ECM) system, providing document archives, document management and workflow services within an environmentally friendly and highly secured platform. It is part of the University’s sustainability and work simplification initiatives to reduce paper consumption, improve security, and optimize productivity. Major stakeholders and users of the Paperless Office Service include:

• University Management, to provide vision and strategy for the Paperless Office Service;
• Central IT Management, to oversee project development and ISO standardization;
• Enterprise Document Management Team (EDMT) within our Enterprise Solutions Office (ESU), to implement and maintain the core Paperless Office Service;
• Data Centre Services (DS) Team and Network Services (NS) Team within our Computing Services Centre (CSC), to provide critical service components, such as networking, operating system and database management, which are essential to the operation of the Paperless Office Service;
• Information Security Unit (ISU) within the Office of the Chief Information Officer (OCIO), to act as facilitator for the ISO project;
• Paperless Office Service’s major users are from our Human Resource Office (HRO) and Financial Office (FO), who provide guidance on the direction of the Paperless Office Service, and provide feedback to the team.

Among these stakeholders, members of the EDMT within the ESU, and the DS and NS teams within the CSC, are the major practitioners.

Implementation of ISO 20000

The initial plan was to implement both the ISO 20000 and 27001 standards at the same time. However, after considering the magnitude of work and the scale of transformation/change needed, the plan was revised to first start with ISO 27001 (security management), and then continue with ISO 20000 (service management) after completion of the ISO 27001 implementation.

Through the hard and dedicated work of all the stakeholders, in May 2013 the Paperless Office Service of the University was successfully assessed and accredited with ISO/IEC 27001 certification by the British Standards Institute (BSI). After a few months to solidify our ISMS best practice, the ISO/IEC 20000 project resumed in October 2013.

This article shares our experience and describes the current progress of our ISO 20000 implementation, from planning and building to execution.

Critical Success Factors for IT Service Management

While improving overall IT service quality is our main objective, acquiring the ISO 20000 certificate serves as a very tangible goal for all the stakeholders to work towards. Like any other modern organizational function, the right balance of People, Process and Technology is critical in ensuring IT service management excellence:

• People (Roles, Communications, Accountability, Skills, Training)
• Process (Management System, Policies, Standards, Workflows and Integration)
• Technology (Tools, Visibility, Measurement, Automation and Repository)

The following diagram illustrates the project activities within People, Process, and Technology – the 3 keys to success:

Figure 1 Project Timeline


Prior to 2014

Document and Establish ITSMS Manual and Procedures

In 2012, the scope of ISMS and ITSMS implementation within the Paperless Office Service was defined, and the supporting service components were identified. A gap analysis covering both ISMS and ITSMS maturity was conducted in July 2012 by an external consultant. Based on the result of the gap analysis, an improvement plan was prepared. The consultant also provided a set of ITSMS manual and procedure templates, which we then customized to meet the particular needs and environment of CityU.

ITSM Tool Selection and Setup of iET ITSM

Central IT had been using the “iET Help Desk” platform for handling work requests for many years. To save cost and reduce our learning curve, the “iET Service Desk” was also selected to support the implementation and operation of the various ISO standard processes and record keeping. In addition, the “iET Service Desk” is aligned with the Information Technology Infrastructure Library (ITIL), a standard set of practices for IT service management.

First and Second Quarters of 2014

iET ITSM Configuration and Customization

Like any other ITSM platform, the iET platform required extensive customization and configuration to meet the specific needs and requirements of CityU. For instance, before the iET process flow engine can be used, the roles, routes and activities of the various processes have to be custom defined in the tool. Design efforts were made to enable a practical mode of operation which efficiently meets the ISO 20000 requirements.

Implementing Processes

There are 13 processes defined in the ISO 20000 standard, including Capacity Management, Change Management, Configuration Management, Release and Deployment Management, and Problem Management, just to name a few. A process flow is a sequence of activities carried out by people in different roles during various stages. Using the Change Management process as an example, we have to first define the various flows for different situations, such as Normal Change, Standard Change, and Emergency Change. The figure below is the flow for Normal Change. The design of these various process flows requires the collective work of all affected stakeholders. Once the processes and their related flows are defined, they are then implemented within the iET ITSM platform.

Customizations

During the design of process flows, the data involved in the activities must also be identified, and iET ITSM forms have to be customized for users to manage these data. For example, the screen capture shows the look and feel of the customized iET ITSM change request form.

Figure 2 Example of Change Management Flow

Figure 3 Change Management Form


Prepare iET ITSM User and Admin Manual

A detailed “User and Admin Manual” was also prepared to document the customization and configuration done on iET ITSM, and to facilitate the adoption of iET ITSM.

Second Gap Analysis

In January 2014, after the implementation of ISMS, another gap analysis was conducted and the implementation plan was revised. The gap analysis results showed that the maturity levels of most areas were close to the initial targets, with a few targets already reached. Nevertheless, the recommendations showed that there are still some necessary enhancements, documents, changes of practice and improvements required in order to meet the ISO 20000 requirements.

ITSMS Orientation

In March 2014, an orientation session was conducted to update Central IT stakeholders on the status and progress of the ITSMS implementation. Findings and recommendations from the second gap analysis, and some main features of the ITSM tool, were reviewed.

Third Quarter of 2014

ITSMS Awareness and iET ITSM User Training

We plan to organize ITSMS awareness training to raise the stakeholders’ understanding of the needs and constitution of a reliable ITSMS and the rationale for such a system. Training on the use of iET ITSM will also be arranged to gear up practitioners with the techniques and knowledge essential for evolving the existing service delivery mechanism with new processes and technology.

iET ITSM UAT and Trial Run

To reduce the time needed by users to get familiar with iET ITSM, it will be released to practitioners for a trial run. Users will gain hands-on experience with the tool before becoming involved in formal UAT, and this allows the ISO implementation team to gain a deeper understanding of the acceptance level and address any issues not yet considered.

Fourth Quarter of 2014

ITSM System Operation Commencement

ITSMS operation will formally commence when Process, People and Technology are ready. Performance levels will be monitored through self-assessment. Scoped services will be managed by the developed ITSMS processes, and practitioners will start to follow the established system and procedures while using iET ITSM as an assistant tool. We will need to continuously operate the ITSMS for at least 3 months to accumulate enough records as evidence before the ISO 20000 audit.

First Quarter of 2015

ISO 20000 Internal Audit and External Audit

An internal audit will be conducted to assess ITSMS operation and to verify whether the expected results were achieved through the planned and implemented improvement actions. Once conformity to the standard is confirmed, BSI, as Certification Body, will conduct a full audit to verify compliance of our ITSMS against the ISO 20000 requirements. The external audit will be performed in stages, including pre-assessment, initial assessment and final assessment.

Upon satisfactory completion of the external audit, an ISO 20000 certificate will be issued to the ITSMS in recognition of the efforts made by all stakeholders.

Further Readings

[1] BS ISO/IEC 20000-1:2011 – Information technology – Service management – Service management system – Requirements
[2] BS ISO/IEC 20000-2:2012 – Information technology – Service management – Service management system – Code of practice
[3] BS ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements
[4] The ITIL and ISO 20000 Support Portal, http://www.15000.net/
[5] itSMF International, http://www.itsmfi.org/
[6] iET ITSM, http://www.iet-solutions.com/en/products/iet-itsm/


FEATURE

Canvas Extended Pilot

Crusher Wong

City University of Hong Kong (CityU) has a long history of Learning Management System (LMS) adoption since 1998. To provide faculties and students with the best education technology, enterprise-level LMSs are evaluated and compared on a regular basis. The evaluation exercise in 2013[1] identified Canvas by Instructure as the preferred LMS to replace Blackboard as the unified LMS for CityU[2]. With the endorsement from the senior management, an extended pilot of Canvas is being coordinated for the 2014/2015 academic year.

The report of LMS Evaluation 2013 was presented to the Information Strategy and Governance Committee (ISGC) with recommendations in February 2014. Members of the committee acknowledged the advantages of Canvas, such as its user-friendly interface, integration with third-party web services and outcomes assessment capabilities, but concerns were raised about the speed and capacity of Canvas, as a cloud service hosted in the US, to serve all users at CityU. In response to these concerns, a modified load test was performed using technology provided by Keynote (http://www.keynote.com/), a global leader in Internet and mobile cloud testing & monitoring. The test results showed consistent and satisfactory average response times[3] (see Figure 1) for a user accessing Canvas in Hong Kong, which proved that auto-provisioning technology could manage server-side resources to cope with high-volume access to the system without noticeable delay. After resolving the technical concerns, the preparation of the extended pilot has been back on track.

Figure 1: Average Response Time (left-side scale) vs Concurrent Users (right-side scale)


Figure 2: Canvas Implementation Plan

To facilitate courses joining the pilot in Semester A, the official launch of Canvas is scheduled on 1 August 2014/15. When most of the faculties and students are enjoying their summer holiday, colleagues in Central IT will be busy with the final preparation of Canvas: configuring the dataflow from Banner (our Student Information System), tuning the integration with major e-learning services such as Turnitin, and migrating contents from Blackboard for pilot courses. The workflow is depicted in Figure 2.

At this point, 35 colleagues have pledged to join the pilot individually and an academic unit has agreed to adopt Canvas for all courses. If you have courses to teach at CityU in the coming September, please visit our webpage at http://go.cityu.hk/yo0bnt to learn more about Canvas and how you may participate in the pilot. Eventually, over 100 courses and thousands of students are expected to participate in the pilot in Semester A 2014, which will provide a good basis to confirm the advantages of Canvas. Feedback will be gathered through online surveys, focus group activities and interviews in November 2014. If the collective user experience is satisfactory, we shall seek endorsement from the senior management to replace Blackboard by Canvas as the unified LMS at CityU. At the same time, faculties will be advised to adopt Canvas as much as possible in Semester B 2014/15. If things run smoothly, over 1,000 courses will be on Canvas in Semester B 2014/15 and all online teaching and learning activities will be migrated from Blackboard to Canvas starting Summer Term 2015.

Reference

[1] Wong, C. (2013, October). LMS Evaluation 2013-2014. OCIO Newsletter [Issue 13]. Retrieved from http://issuu.com/cityuhkocio/docs/newsletter_issue_13
[2] Wong, C. (2014, April). LMS Evaluation 2013 Findings. OCIO Newsletter [Issue 15]. Retrieved from http://issuu.com/cityuhkocio/docs/newsletter_issue_15
[3] Viewing Load Test Summary Reports. Retrieved June 16, 2014, from http://www.keynote.com/support/tsp_help/testsummary.shtml#445253


FEATURE

IET/MATE Hong Kong Underwater Robot Challenge 2014

L F Yeung (EE)

Background

The IET/MATE Hong Kong Underwater Robot Challenge 2014 was an annual event that encouraged students from Hong Kong and around the Asia-Pacific region to learn and apply science, technology, engineering, and mathematics skills as they developed Remotely Operated Vehicles (ROVs) to complete missions that simulated real-world problems from the ocean workplace. ROVs are tethered underwater robots used in scientific research, ocean exploration, homeland security, the offshore oil and gas industry, and other industries. 2014 marked the 9th time that Hong Kong has organized such an event.

The competition was held on 12 and 13 April 2014, jointly organized with the College of Science and Engineering of the City University of Hong Kong, and the Hong Kong University of Science and Technology.

The Mission

The theme for the 2014 competition season was “Exploring the Great Lakes: Shipwrecks, Sinkholes, and Conservation in the Thunder Bay National Marine Sanctuary.” This year’s contest highlighted the role of ROVs in (1) exploring, documenting and identifying an unknown shipwreck recently discovered in sanctuary waters; (2) collecting microbial samples and measuring the conductivity of the groundwater emerging from a sinkhole; and (3) removing trash and debris from the shipwreck and surrounding area.

The competition also inspired students to think of themselves as entrepreneurs and form companies that design, manufacture, market, and sell specialised products and services for shipwreck assessment and remediation. This required them to solve problems in innovative ways, think creatively, work as part of a team, and understand all aspects of business operations: important skills required in the 21st century that will make them competitive in today’s global workplace.

Training

In order to get the teams fully prepared, a series of workshops had been held before the competition. At the first workshop, each school was given a kit and shown how to build a simple underwater robot. The second workshop was held at the end of January 2014 to introduce the concepts of waterproofing and using electronics underwater. They were shown how to build an underwater camera and light, as well as how to control the robot motors; again, they could take away the finished items. At the third and final workshop, each school was given a microcomputer project board and shown how to program it so as to control the robot’s motors.

Robots from Ranger Group


The Winners

The IET/MATE Hong Kong Underwater Robot Challenge 2014 was one of the 22 regional contests held around the world and managed by the Marine Advanced Technology Education (MATE) Center. The contest’s winning teams were invited to compete in the 13th annual MATE international ROV competition, which was held on 26-28 June 2014 at the Thunder Bay National Marine Sanctuary facilities in Alpena, Michigan, USA.

Participants

With around 35 teams, the Hong Kong Regional Contest was the largest of the regional contests worldwide. Over 30 Hong Kong and 7 overseas schools and universities participated in the competition. It was noteworthy that we had one visually impaired team that successfully completed the mission.

Sponsors

The IET/MATE Hong Kong Underwater Robot Challenge 2014 was supported by local sponsors, including Hongkong Electric Company Limited, MTR Corporation, Hong Kong Internet Registration Corporation Limited, CLP Power Hong Kong Limited, Analogue Group of Companies, RS Components, ISF Academy and Oceanway Corporation. Local technology professionals volunteered as judges for the competition, evaluating the students’ ROVs, poster displays, and engineering presentations.

Further information

http://www.rovcontest.hk/

The following teams had registered for the competition:

From Hong Kong
• Buddhist Wong Fung Ling College
• Chinese International School
• CMA Secondary School
• Ebenezer School
• German Swiss International School
• HKTA Yuen Yuen Institute No 2 Secondary School
• Hong Kong International School
• La Salle College
• ISF Academy
• King George V School
• Kwok Tak Seng Catholic Secondary School
• Po Leung Kuk Ngan Po Ling College
• Renaissance College Hong Kong
• Robotics Service Junior
• St Paul’s Secondary School
• Salesians of Don Bosco Ng Siu Mui Secondary School
• Shau Kei Wan Government Secondary School
• City University of Hong Kong
• Hong Kong University of Science and Technology
• Hong Kong Polytechnic University

From outside Hong Kong
• Concordia International School – Shanghai, China
• Macao Pui Ching Middle School, Macau
• Singapore American School, Singapore
• Sekolah Robot Indonesia, Indonesia
• SMA Negeri 28 Jakarta, Indonesia
• Nanjing Institute of Technology, China
• Universiti Teknologi Malaysia, Malaysia
• Zhejiang Ocean University, China

Robots from Ranger Group

An advanced robot from Explorer Group


Acknowledgement

Special appreciation for Professor Robert Li (College of Science and Engineering, CityU), Mr. Paul Hodgson (Oceanway Ltd. Co.), Dr. Robin Bradbeer (IET), and all the volunteers and supporters who had contributed to the success of this event.

A robot from the Scout HK group

FYI

Safe Mode in Android

Frankie Wong

Have you had apps crashing on your Android phone? Sometimes an application error may cause your phone to run abnormally. Occasionally, you have to reset the system (restore to factory settings) in order to return the phone to normal. However, this causes your personal data to be lost if you have not made a backup. This is very annoying.

How to boot into Android Safe Mode

For Google Nexus series phones: ensure your device’s screen is on.

1. Press & hold the [Power] button.
2. Touch & hold the [Power off] option in the dialog box.
3. Touch [OK] in the following dialog to start safe mode.

Figure 1. Boot into Safe Mode


Depending on the brand and model of your Android phone, there are different ways to boot into safe mode. If you are using an HTC, Motorola, Sony or Samsung Android phone, you may find the steps in the following link: https://support.norton.com/sp/en/us/home/current/solutions/v59378086_EndUserProfile_en_us

If your phone model is not listed above, you may ask your salesperson, or search on the web.

Characteristics of Safe Mode

You may find the characteristics of Safe Mode below:

• No third-party apps are loaded at startup. Only the system apps can be loaded.
• A “Safe Mode” label is shown at the bottom-left corner.
• After booting into Safe Mode, you may uninstall the misbehaving apps which cause crashing.
• Safe mode will not damage any apps or personal data.

In general, malware apps can be removed by uninstalling them. However, some malware apps cannot be uninstalled properly, as they run at startup and cause the system to crash.

To solve the above problem, we can boot into Safe Mode and uninstall the misbehaving apps. The steps are shown as follows:

1. Boot into Safe Mode
2. Settings -> Applications
3. Select the apps you want to uninstall
4. Touch [Uninstall]

If you want to understand more about mobile security, please refer to the “Guideline of Mobile Security” provided by HKCERT.

Reference

Boot into Android Safe Mode: https://support.google.com/nexus/answer/2852139
Guideline of Mobile Security by HKCERT: https://www.hkcert.org/my_url/guideline/13022801

BRIEF UPDATES

Migration of Staff Email System from MS Exchange to MS Office 365 Exchange Online

Maria Chin

With the successful migration of the University email systems for students and alumni from the on-premises systems to Microsoft Office 365 Exchange Online (“O365”), Microsoft’s cloud solution for educational institutions, in early 2013, the Information Strategy and Governance Committee (ISGC) has endorsed the migration of the University email system for staff from the on-premises Microsoft Exchange system (“Exchange”) to O365.

O365 feature highlights:

• 50 Gigabytes (GB) mailbox quota
• Access email, calendars and contacts from anywhere with PC, Mac, and smartphone via web browsers, email clients and apps
• Wipe data from a mobile device to prevent unauthorized access in case of loss
• Full O365 suite including MS SharePoint Online, MS Lync Online, OneDrive
• Find out more at http://office.microsoft.com/en-001/business/what-is-office-365-for-business-FX102997580.aspx

The migration of staff mailboxes from Exchange to O365 will be scheduled department by department starting from August 2014. The Computing Services Centre (CSC) will contact departments via their Departmental Network Administrators (DNA) to explain the migration steps and to agree on a time for migration. Staff who will be out of office on the day of migration can connect their mobile devices and off-campus PCs to O365 first, then attend to their office PCs any time after they are back in the office, i.e. there is no rush to connect all PCs/devices to O365 in one go right after the migration.

Before the migration, staff should ensure that their email clients and email apps on their PCs and mobile devices, e.g. MS Outlook, iOS and Android, are up-to-date; otherwise, they may have problems connecting to O365, which runs on the latest version of MS Exchange. The migration normally takes less than two hours, during which the Exchange mailboxes of the staff scheduled for migration will be temporarily inaccessible. After the migration, the staff must reconfigure their email clients and email apps on their PCs and mobile devices to connect to O365. There is no change to the staff email address on O365, i.e. valid email addresses are [email protected], [email protected], [email protected].hk, and [email protected]. Email sent to all of these email addresses will be received in O365.

More information on the Exchange to O365 migration is available at http://www.cityu.edu.hk/csc/deptweb/support/faq/email/o365staff/o365.htm.

Staff who are still using the old JSMS staff email system were originally planned for migration to the on-premises Exchange; with O365 available now, their mailboxes will be migrated to O365 directly. When all staff mailboxes on the on-premises Exchange and JSMS are migrated to O365, Exchange and JSMS will stop services and be shut down.

Sign-in page of Office 365


Information Security Updates

IT Security Awareness Series by JUCC
With an aim to enhancing the IT security awareness of the CityU community, KPMG was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security; they will be adopted and published here for your reference.

I. General Users

Case Study
Stanford University Laptop Theft Calls for Proper Data Backup in Enterprises

A laptop containing over 72,000 pieces of personal data was stolen at Stanford University in June 2008. The University’s authorities led a task force to review its policies and procedures for data protection.

Thefts of data storage devices are not exceptional. If a theft takes place in an enterprise, the loss of critical data may create disastrous problems in business operations. Therefore, it is essential to adopt a proper and reliable backup solution in enterprises.

Mobile devices, such as laptops and smart phones, are portable information systems which are often used to store confidential information, such as contact lists, passwords, and personal data. While these devices provide a means for convenient information processing and communication, they also pose a risk of data loss in the event of theft or breaches. Below are some good practices to reduce the risk of data loss for your mobile devices.

Dos
• Use a password management tool on start-up of mobile devices.
• Keep your mobile devices in a secure place, especially when not in use.
• Install antivirus software and a personal firewall on your mobile devices.
• Use encryption to lock sensitive data on the mobile devices.
• Regularly back up data of mobile devices (e.g. PDA) to a PC to prevent damage from PDA-specific viruses and worms.
• Remember to remove any memory cards before returning a rented mobile device.

Don’ts
• Don’t leave a mobile device unattended, even for a moment.
• Don’t download or accept programs and content from unknown or untrusted sources.
• Don’t allow common wireless connections from unknown or untrusted sources on your device.
• Don’t accept unsolicited file transfers from other devices via Bluetooth, SMS, etc.

II. Management

10 Steps to Creating a Campus Security Master Plan

Incorporating construction plans, ensuring equipment interoperability and determining future security personnel needs are just some of the measures campuses should incorporate to improve their overall safety and security.

1. Assemble Your Committee - The first step in building momentum for a physical security program is to create a physical security committee, which consists of members in strategic positions of influence, such as administration, IT, operations, safety, security, risk and planning.
2. Determine What Must be Protected - Understand what concerns, risks or fears may exist on campus and why. The responses are often constructive and enlightening.
3. Think About Your Long-term Needs - The security master plan’s development should also include long-term system compatibility, communication infrastructure, product obsolescence and growing demands on the security staff.
4. Find Out What Works, What Doesn’t - The committee should survey current operational risk mitigation measures and determine their effectiveness.
5. Incorporate Campus Construction Plans - Understand how new buildings, parking lots, garages, walkways and other projects will affect the current physical security master plan.
6. Can Legacy and New Security Technology Mix? - With the convergence of new physical security technologies, the integration of existing security hardware into new security platforms can be a challenge.
7. Determine Security Personnel Needs - Documenting responsibility, service and deliverables will assist in setting the groundwork of the return on investment (ROI) and temper the overall approval process.
8. Upgrade Your Security Operations Centre - The increase in response, consistency and accuracy can make the difference in a variety of situations throughout the campus.
9. Don’t Forget About Your Infrastructures - Critical infrastructures are areas within the campus that rely on the continuous, reliable operation of a complex set of interdependent infrastructures: electric power, gas, transportation, water, communications and more.
10. Regularly Audit and Assess Your Plan - to validate the operation and consistency of the security systems, security processes and protection of assets.

III. IT Professional

Best Practice for Firewall

Organizations should be as concerned with the origins and kinds of Internet-directed traffic as they are with incoming requests. Below are some good practices by which organizations can improve their risk profile by implementing traffic filtering.

Limit the addresses allowed to send traffic to Internet destinations by configuring policies such as these:
• Only allow source addresses from the IP network numbers you assign to trusted segments behind your firewall(s), including DMZ networks.
• Apply appropriate subnet masks to trusted networks, i.e., masks that are sufficiently long to identify only that fragment of the IP network number that you are using.
• Block broadcasts from traversing the firewall’s interfaces. While most broadcasts will not pass across LAN segments, take measures to ensure this is especially true for Internet-bound packets - or packets destined for any untrusted segment.
• Block outbound traffic from VLAN workgroups or entire network segments that have no business establishing client connections to Internet servers.

Limit the destination ports on Internet-directed traffic in the following ways:
• Allow outbound connections only to those services your security and acceptable use policies allow for client hosts.
• If you operate an HTTP proxy, or a proxy system that performs some form of web URL or content filtering, only allow outbound connections through your firewall from the proxies.
• If you provide DNS internally, or use a split DNS, use internal servers as forwarders for your trusted network, and only allow outbound DNS requests from the DNS servers so configured.
• Unless your firewall is participating in routing, block routing protocols at your firewall. This is important for entities which use a firewall to exchange and negotiate PPP over Ethernet (PPPoE).
• Certain network and security vendors use unique ports for proprietary (and secure) management access. Permit these ports only from hosts used by the administrators of such equipment.
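As an added illustration (not JUCC’s or CityU’s code), the following Python model applies the egress rules above to constructed sample packets in first-match order; every network, host and port in it is an assumed sample value (RFC 5737 documentation ranges), not a CityU address:

```python
"""Egress policy checker modelling the JUCC firewall practices above.
Added example, not the article's own code; all addresses, hosts and ports
are constructed sample values (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Trusted segments behind the firewall, including the DMZ. Masks are as long
# as the address space actually in use (a /25, not the whole /24).
TRUSTED_NETS = [ip_network("192.0.2.0/25"), ip_network("198.51.100.0/24")]
# Segment with no business opening client connections to Internet servers.
NO_INTERNET_NETS = [ip_network("192.0.2.64/26")]
WEB_PROXIES = {ip_address("198.51.100.10")}      # only the proxy talks HTTP(S) out
DNS_FORWARDERS = {ip_address("198.51.100.53")}   # only internal resolvers send DNS out
ADMIN_HOSTS = {ip_address("192.0.2.5")}          # operators of vendor equipment
VENDOR_MGMT_PORTS = {("tcp", 4433)}              # constructed proprietary mgmt port
CLIENT_SERVICES = {("tcp", 22)}                  # what the acceptable use policy allows
FIREWALL_ROUTES = False                          # firewall does not take part in routing
ROUTING_PROTOCOLS = {("ospf", None), ("udp", 520), ("tcp", 179)}  # OSPF, RIP, BGP
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", "ospf", ...
    dport: Optional[int] = None  # None for protocols without ports


def is_broadcast(dst) -> bool:
    """Limited broadcast or the directed broadcast of any trusted segment."""
    return dst == LIMITED_BROADCAST or any(dst == n.broadcast_address for n in TRUSTED_NETS)


def egress_decision(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one Internet-bound packet; first match wins."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    service = (pkt.proto, pkt.dport)
    # Source restriction: only addresses we assigned to trusted segments may leave.
    if not any(src in n for n in TRUSTED_NETS):
        return "DROP", "source address not in a trusted segment"
    if is_broadcast(dst):
        return "DROP", "broadcast must not traverse the firewall"
    if any(src in n for n in NO_INTERNET_NETS):
        return "DROP", "segment not permitted to reach Internet servers"
    if not FIREWALL_ROUTES and service in ROUTING_PROTOCOLS:
        return "DROP", "routing protocol stops at the firewall"
    # Destination-port restrictions tied to the role of the sending host.
    if service in {("tcp", 80), ("tcp", 443)}:
        if src in WEB_PROXIES:
            return "ACCEPT", "web traffic from the proxy"
        return "DROP", "web traffic only via the proxy"
    if service in {("udp", 53), ("tcp", 53)}:
        if src in DNS_FORWARDERS:
            return "ACCEPT", "DNS from an internal forwarder"
        return "DROP", "DNS only from the configured forwarders"
    if service in VENDOR_MGMT_PORTS:
        if src in ADMIN_HOSTS:
            return "ACCEPT", "vendor management port from an admin host"
        return "DROP", "vendor management port restricted to admin hosts"
    if service in CLIENT_SERVICES:
        return "ACCEPT", "service allowed for client hosts"
    return "DROP", "default deny for Internet-bound traffic"


def audit(packets):
    """Evaluate a batch of packets; returns [(src, dst, proto, dport, verdict, reason)]."""
    return [(p.src, p.dst, p.proto, p.dport, *egress_decision(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [
        Packet("10.9.8.7", "203.0.113.9", "tcp", 443),        # untrusted source address
        Packet("192.0.2.20", "203.0.113.9", "tcp", 443),      # client bypassing the proxy
        Packet("198.51.100.10", "203.0.113.9", "tcp", 443),   # the proxy itself
        Packet("192.0.2.20", "192.0.2.127", "udp", 137),      # directed broadcast of the /25
        Packet("192.0.2.70", "203.0.113.9", "tcp", 22),       # VLAN with no Internet access
        Packet("192.0.2.20", "203.0.113.9", "ospf"),          # routing protocol
        Packet("192.0.2.20", "203.0.113.9", "tcp", 4433),     # non-admin host on mgmt port
    ]
    for row in audit(sample):
        print(*row)
```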

Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, noncommercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC), Room 223, Run Run Shaw Building, c/o Computer Centre, The University of Hong Kong, Pokfulam Road, Hong Kong


BRIEF UPDATES

A Quick Glance at Computer Courses that Keep Our Staff and Students Abreast of IT Knowledge
Joe Lee

In 2013-14, the CSC received more than 3,300 applications from students for 77 classes on 14 distinct computer courses in its Student Computer Literacy Programme, covering Windows 8, computer security, Office 2013, Flash CS6, Photoshop CS6 and others. The following table depicts the planned courses in Semester A, 2014-15.

Computer Courses in Student Computer Literacy Programme 2014-15

Run   Date              Time         Course
Internal Training
319   20-08-2014 (Wed)  10:00-13:00  Introduction to Photoshop CS6
      20-08-2014 (Wed)  14:00-17:00  MS Expression Web 4
      21-08-2014 (Thu)  10:00-13:00  MS Expression Web 4
      21-08-2014 (Thu)  14:00-17:00  Introduction to PowerPoint 2013
      22-08-2014 (Fri)  10:00-13:00  Introduction to Word 2013
      22-08-2014 (Fri)  14:00-17:00  Introduction to Access 2013
      23-08-2014 (Sat)  10:00-13:00  Introduction to Flash CS6
      23-08-2014 (Sat)  14:00-17:00  Introduction to Excel 2013
320   25-08-2014 (Mon)  10:00-13:00  Chinese Input Method - Chang Jie
      25-08-2014 (Mon)  14:00-17:00  Introduction to Photoshop CS6
      26-08-2014 (Tue)  10:00-13:00  Introduction to Windows 8
      26-08-2014 (Tue)  14:00-17:00  Introduction to Excel 2013
      27-08-2014 (Wed)  10:00-13:00  Introduction to Flash CS6
      27-08-2014 (Wed)  14:00-17:00  How to secure your computer
      28-08-2014 (Thu)  10:00-13:00  Introduction to Access 2013
      28-08-2014 (Thu)  14:00-17:00  Advanced Word 2013
      29-08-2014 (Fri)  10:00-13:00  Advanced PowerPoint 2013
      29-08-2014 (Fri)  14:00-17:00  Advanced Excel 2013
      30-08-2014 (Sat)  10:00-13:00  MS Expression Web 4
      30-08-2014 (Sat)  14:00-17:00  Advanced Photoshop CS6


Run   Date              Time         Course
321   01-09-2014 (Mon)  19:00-22:00  Introduction to Excel 2013
      02-09-2014 (Tue)  19:00-22:00  Introduction to Photoshop CS6
      03-09-2014 (Wed)  19:00-22:00  Introduction to Word 2013
      04-09-2014 (Thu)  19:00-22:00  Introduction to Windows 8
      05-09-2014 (Fri)  19:00-22:00  MS Expression Web 4
      06-09-2014 (Sat)  10:00-13:00  Introduction to PowerPoint 2013
      06-09-2014 (Sat)  14:00-17:00  Chinese Input Method - Chang Jie
322   10-09-2014 (Wed)  19:00-22:00  How to secure your computer
      11-09-2014 (Thu)  19:00-22:00  Advanced PowerPoint 2013
      12-09-2014 (Fri)  19:00-22:00  Advanced Photoshop CS6
      13-09-2014 (Sat)  10:00-13:00  Advanced Excel 2013
      13-09-2014 (Sat)  14:00-17:00  Advanced Word 2013

In 2013-14, the CSC received more than 700 applications from staff for 58 classes on 28 distinct computer courses for staff development, covering Windows 8, Use of Mobile Devices, Computer Security, Office 2010, Illustrator CS6, Dreamweaver CS6, SharePoint 2010 and others. The following table depicts the planned courses in Semester A, 2014-15.

Staff Computer Courses 2014-15

Date                 Time         Course
04/09/14 & 11/09/14  09:30-17:15  Microsoft Access 2013 - Introduction
18/09/14             09:30-17:15  Adobe Dreamweaver CS6 - Introduction
25/09/14 & 3/10/14   09:30-17:15  Microsoft Access 2013 - Advanced
09/10/14             09:30-17:15  Adobe Dreamweaver CS6 - Advanced
16/10/14             09:30-17:15  Microsoft Outlook 2013 and Exchange
23/10/14             09:30-12:30  Effective Use of iPhone & iPad
23/10/14             14:15-17:15  Introduction to Windows 8.11
30/10/14             09:30-17:15  Getting Started with Power Query for Excel
06/11/14             09:30-17:15  Adobe Illustrator CS6 - Introduction
13/11/14             09:30-17:15  Adobe Acrobat
20/11/14             09:30-17:15  Adobe Illustrator CS6 - Advanced
27/11/14             09:30-17:15  Microsoft Word 2013 - Advanced
04/12/14             09:30-12:30  Introduction to Windows 8.11
04/12/14             14:15-17:15  Social Networks and Mobile Security
11/12/14             09:30-17:15  Microsoft Excel 2013 - Introduction
18/12/14             09:30-17:15  Microsoft Outlook 2013 and Exchange
23/12/14             09:30-17:15  Microsoft Excel 2013 - Advanced
30/12/14             09:30-17:15  Microsoft PowerPoint 2013 - Advanced
08/01/15             09:30-12:30  Effective use of Android Mobile & Tablet
08/01/15             14:15-17:15  Introduction to Windows 8.11


BRIEF UPDATES

Prof. Cranor’s Security Blanket
Andy Chun

The above is an image of a quilt art work (63.5”x39”) called “Security Blanket” created by Prof. Lorrie Faith Cranor, Associate Professor at CMU and Director of the CyLab Usable Privacy and Security Laboratory (CUPS). The art work was derived from her research on password security. The quilt shows the top 1000 most popular passwords out of the 32 million passwords that were stolen from the RockYou site by hackers and made public. Passwords are like our “security blankets”; unfortunately, Prof. Cranor found that most of them are not really secure. Hope you do not see your password in the quilt!

Prof. Cranor explains her work on the “Security Blanket” in her blog: http://lorrie.cranor.org/blog/2013/08/12/security-blanket/

She also gave an interesting TED talk recently titled “What’s wrong with your pa$$w0rd?”: http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd


FEATURE

Security Information and Event Management (SIEM) Phase 3 Upgrade: More Than Just Service Monitoring
Alex Lam

In 2011, CSC implemented and deployed HP’s ArcSight Express solution (hereafter “Express SIEM solution”) as CityU’s central Security Information and Event Management (SIEM) system. Subsequently, in 2013, the Express SIEM solution was further enhanced with the ArcSight Logger solution, allowing extended retention of access, security and system logs.

Since then, several hundred of our central servers as well as network and security devices have been feeding their access and security logs to this Express SIEM solution. This represents a core service that supports daily network and service operational monitoring as well as forensic analysis of security incidents.

With the success of the Express SIEM deployment, we decided to extend the benefits of the SIEM solution by consolidating all central IT systems, with their system and security log files, onto the SIEM platform. To enable this, we upgraded our SIEM solution from Express to the ArcSight Enterprise SIEM solution in early 2014.

For more information on the Express SIEM implementation, please refer to our previous articles in this OCIO Newsletter:
• Overview of Security Information and Event Management (SIEM) Part 1: http://issuu.com/cityuhkocio/docs/newsletter_issue_9
• Overview of Security Information and Event Management (SIEM) Part 2: http://issuu.com/cityuhkocio/docs/newsletter_issue_10

In this article, we will discuss the features that were implemented during the 2014 Enterprise SIEM upgrade project.

1. Enhancing overall event processing capacity

As mentioned earlier, the major goal of the SIEM upgrade is to support the processing of events sent from all central IT services. Hence, the new Enterprise SIEM solution must meet the performance requirements of this task. The following areas were enhanced during the SIEM upgrade exercise.

a. Licensed event processing capacity (license limit)

The licensed event processing capacity was expanded from 1000 events per second (EPS) to 5000 EPS. This dramatic increase enables the new SIEM solution to handle the increased event feeds from all central IT systems. In addition, the total number of supported devices increased from 500 to 1500.

b. Upgrade the server hardware and storage capacity (hardware limit)

Unlike the Express SIEM solution, which was prebuilt and ran on a relatively low-end server appliance, the new Enterprise SIEM solution is software-based. This means the systems can be installed and deployed on any supported server hardware platform and scaled up according to performance needs.

To maximize processing capacity, we deployed the Enterprise SIEM systems as virtual machines (VMs) supported by high-end servers with sufficient storage capacity. This way, besides changes in VM allocation, we still have the capability to flexibly scale up the processing power of the SIEM solution just by enhancing the server hardware (CPU, memory, storage, etc.), or even by adding physical servers to the infrastructure that supports the VMs, as needed to cater for future growth.

2. Enjoying the benefits of an enterprise-grade VM environment

One of the major benefits of the Enterprise SIEM solution is its support for a VM environment. By installing the Enterprise SIEM solution within the University’s standard VM infrastructure, the new SIEM system can directly enjoy all the benefits of our private cloud, such as:

a. Dynamically scaling the performance and storage capacity of the SIEM systems as needed

b. Leveraging existing VM backup and restore procedures

VM technology is well known for its support of flexible and efficient backup and restore. The SIEM systems can immediately follow the well-established procedures and use the equipment currently deployed in the VM infrastructure of the University data center.

By adopting standard procedures and using existing backup equipment, SIEM operation is more cost effective and its total cost of ownership (TCO) is lowered.

c. Improving server redundancy under the VM infrastructure

Although the SIEM system does not support automatic failover to different ESX/ESXi hosts, we can still use the manual VM image migration feature to restore or recover the system on a different ESX/ESXi host in case of hardware failure or handling problems during major software changes. This provides a “redundancy” solution for the SIEM systems and makes it easy to draw up its disaster recovery plan (DRP).

3. Enhancing the protection and isolation of the raw system and security event resources

The Enterprise SIEM solution provides granular role and user rights assignment for access to authorized events and security logs. This has the following benefits:

• As sensitive information is stored within our logs, this security feature enhances the protection and isolation of the raw system and security logs, allowing us to follow the “need-to-know” principle of security protection when assigning access privileges.
• A side effect of the access right restriction is a tremendous reduction in log volume and access time when retrieving relevant event logs. This greatly improves the efficiency and effectiveness of security and forensic analysis.

4. Enhancing service dashboard deployment

The SIEM project also created a framework to present the service level and health status of an IT service that depends on other sub-services. This provides a bird’s eye view of the status of different services using a “traffic light” presentation. With the advance and massive deployment of virtual machine (VM) technology in central IT services, we have enhanced the service dashboard framework to support the redundancy features of VM technology. A sample of the service dashboard is shown below.

Figure 1. Sample of a Service Dashboard – Provide an Eye-Catching view of service status
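One way to compute the traffic-light status described above, as an added example (not CityU’s ArcSight dashboard framework): a service tree where each leaf is a monitored sub-service and a node marked redundant stands for interchangeable VM instances. Service names, health values and the minimum-instance threshold are constructed assumptions.

```python
"""Traffic-light service dashboard over a dependency tree, with VM redundancy.
Added example, not the article's ArcSight framework; service names and
health values below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RED, YELLOW, GREEN = "Red", "Yellow", "Green"


@dataclass
class Service:
    name: str
    up: Optional[bool] = None               # leaf health from monitoring; None for composites
    subservices: List["Service"] = field(default_factory=list)
    redundant: bool = False                 # sub-services are interchangeable VM instances
    min_instances: int = 1                  # instances needed to keep the service running


def status(svc: Service) -> str:
    """Green: fully healthy; Yellow: still serving but degraded; Red: down."""
    if not svc.subservices:
        return GREEN if svc.up else RED
    states = [status(s) for s in svc.subservices]
    if svc.redundant:
        # Redundant VMs: losing some instances degrades, losing too many fails.
        healthy = states.count(GREEN)
        if healthy == len(states):
            return GREEN
        return YELLOW if healthy >= svc.min_instances else RED
    # Non-redundant dependencies: every one is required, so the worst state propagates.
    if RED in states:
        return RED
    return YELLOW if YELLOW in states else GREEN


def dashboard(root: Service) -> Dict[str, str]:
    """Flatten the tree into {service name: colour} for the single-view display."""
    out = {root.name: status(root)}
    for s in root.subservices:
        out.update(dashboard(s))
    return out


if __name__ == "__main__":
    # Constructed sample: staff email depends on the directory, the network and a
    # redundant pair of mailbox VMs, one of which is currently down.
    email = Service("Staff Email", subservices=[
        Service("Directory", up=True),
        Service("Campus Network", up=True),
        Service("Mailbox VMs", redundant=True, min_instances=1, subservices=[
            Service("mbx-vm1", up=True),
            Service("mbx-vm2", up=False),
        ]),
    ])
    for name, colour in dashboard(email).items():
        print(f"{name:15} {colour}")
```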


5. Consolidating the SIEM systems with a standard event processing framework

From our experience in using and customizing the SIEM systems, we found that many event handling procedures are generic and were being defined repeatedly. We have consolidated and defined those commonly used event handling workflows as a standard event handling framework in the new SIEM solution. The use of this standard framework provides consistency and is more effective for different administrators when creating new system or security event handling procedures. The benefits will be even more noticeable when more services are deployed using this standard framework.

Summary

This paper described how we extended the benefits of the successful Express SIEM implementation in 2011 to the current Enterprise SIEM in 2014. One of the major goals of the upgrade was to give the SIEM systems sufficient processing and storage capacity to handle the event and security processing needs of all central IT services.

Although the total event volume has increased, with the fine-tuned roles and responsibilities defined in the new Enterprise SIEM solution, administrators only access events and resources that they are authorized to view. This greatly reduces administrators’ time when working with event logs. In addition, the deployment of a standard event handling framework that captures common workflows improves the consistency and effectiveness of daily event handling as well as security and forensic analysis.

Furthermore, with service statuses available, the new SIEM provides a basic service dashboard. Instead of correlating many different monitoring graphs to get service statuses, the new dashboard provides a “bird’s-eye” view of service status, with its service level represented as a simple “Red-Yellow-Green” traffic light. This creative idea provides a pin-pointed, eye-catching and easily understandable service dashboard in a single view.

With the above new features and innovative ideas, the new Enterprise SIEM solution is truly a unified, transparent and scalable platform for event and security monitoring of central services. With all the flexibility and creative ideas built into the solution, we have transformed our SIEM solution from just a service monitoring and threat management tool into an important and core component of the University’s enterprise service governance framework.


STATISTICS AT A GLANCE


GLOSSARY CORNER

IT Security from Wikipedia
Andy Chun (ed.)

Heartbleed is a security bug in the OpenSSL cryptography library. OpenSSL is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.

Heartbleed results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, the heartbeat being the basis for the bug’s name. The vulnerability is classified as a buffer over-read, a situation where software allows more data to be read than should be allowed.
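To make the missing bounds check concrete, here is an added toy model (not OpenSSL’s code) of heartbeat request handling: the message declares its own payload length, and the vulnerable handler trusts that field instead of the length of the record it actually received, while the fixed handler discards any request whose declared length does not fit. The `memory` buffer standing in for process memory next to the record, and the secret placed in it, are constructed.

```python
"""Toy model of the TLS heartbeat bounds check behind Heartbleed.
Added example, not OpenSSL's code. Process memory is modelled as one bytes
object in which the received record is followed by unrelated data."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16          # TLS heartbeat messages end with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
    claimed_len lets a test declare a length that differs from the real payload."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def heartbeat_response_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: copy payload_length bytes starting at the payload, even
    when that runs past the end of the record that was actually received."""
    msg_type, payload_len = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    return memory[3:3 + payload_len]       # over-read: record_len is never consulted


def heartbeat_response_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic: the declared length must fit inside the received record
    together with the header and minimum padding; otherwise discard silently."""
    if record_len < 3 + PADDING_LEN:
        return None                        # too short to hold any heartbeat at all
    msg_type, payload_len = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 3 + payload_len + PADDING_LEN > record_len:
        return None                        # declared length exceeds the record: drop it
    return memory[3:3 + payload_len]


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Run both handlers on a record that claims far more payload than it carries."""
    record = build_heartbeat(b"hi", claimed_len=40)       # 2 real bytes, claims 40
    adjacent = b"\x00" * 4 + b"session_cookie=abc123; privkey_frag"  # constructed neighbour data
    memory = record + adjacent
    leaked = heartbeat_response_vulnerable(memory, len(record))
    safe = heartbeat_response_fixed(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:", safe)
```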

A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”

A British Cabinet spokesman recommended that “People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take.” On the day of disclosure, the Tor Project advised anyone seeking “strong anonymity or privacy on the Internet” to “stay away from the Internet entirely for the next few days while things settle.”

As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.

This article uses material from Wikipedia. The Author(s) and Editor(s) listed with this article may have significantly modified the content derived from Wikipedia with original content or with content drawn from other sources. The current version of the cited Wikipedia article may differ from the version that existed on the date of access. Text in this article available under the Creative Commons Attribution/Share-Alike License.


Editorial Box

OCIO Newsletter Advisory Board: Dr. Andy Chun (OCIO), Ms. Annie Ip (OCIO), Mrs. W K Yu (ESU), Mr. Raymond Poon (CSC), Mr. Peter Mok (CSC), Ms. Maria Chin (CSC)

Publishing Team: Ms. Noel Laam (CSC), Ms. Annie Yu (CSC), Ms. Joyce Lam (CSC), Mr. Ng Kar Leong (CSC), Ms. Kitty Wong (ESU), Ms. Doris Au (OCIO)

For Enquiry
Phone: 3442 6284
Fax: 3442 0366
Email: [email protected]
OCIO Newsletter Online: http://issuu.com/cityuhkocio

GLOSSARY CORNER

Heartbleed explained by xkcd
Creative Commons comic from xkcd.com. Original webpage: http://xkcd.com/1354/
