March 2012


FAQs on New Staff E-mail Service Soon to be Launched
New Student Record System (SRS) for 334 - Student Administration Subsystem (Phase 1A) Launched
Update on PolyU Connect - Display Name with Student Number
University Enterprise Content Management Solution
Secure Development Life-cycle for Web Application – Part 1
Participate in the Student Survey on Information Technology to Win a Gift Certificate - Deadline on 3 April
Security Risks of Remote Desktop Access Over the Internet
Web Security Day on 4 May – Security of Web Applications
24-hour Services at Student Computer Centre
April Staff IT Training Programmes

FAQs on New Staff E-mail Service Soon to be Launched


The new Staff E-mail Service will be launched in May 2012 to replace the two existing staff e-mail systems, the Campus E-mail System and the GroupWise Messaging System. 

Are you ready for the launch? Check out the list of frequently asked questions below to learn more about the new Staff E-mail Service and be prepared for the launch.


Access and Mailbox Quota


How can I access the new Staff E-mail Service?


You can access the new Staff E-mail Service in several ways:

  1. Access using Internet browser (Internet Explorer 7 or above, Firefox 3.x or above and Safari)
  2. Use MS Outlook 2007/2010 to set up a cache mailbox (.ost format)
  3. Use any e-mail client which supports POP3/IMAP protocol to download the messages from the account
  4. Use mobile devices which support the use of Active Sync, e.g. device using Apple iOS, Android and Windows Phone, etc.


What is the new e-mail address and the default login username?


E-mail address: <preferred name>, e.g.

Default login username: <NetID>, e.g.


What is the mailbox quota of the new Staff E-mail Service?  Any regular e-mail purging exercise?


The mailbox size is 25 GB and there will be no regular e-mail purging exercise. However, colleagues are advised to do regular housekeeping to remove unwanted messages. You can also offload "old" messages to a local Personal Storage Table file (i.e. a .pst file) to leave more room in your online mailbox. A warning message will be sent to you if your mailbox is almost full.



Will my GroupWise account still be available after the launch of the new Staff E-mail Service?


At the initial launch, the new Staff E-mail Service will only replace the Campus E-mail System and you can continue to access and receive new messages via your GroupWise account. However, your GroupWise account will ultimately be merged with the new Staff E-mail Service upon completion of the data migration exercise, which will be conducted by departments starting June 2012. All staff users will then be provided with ONE single e-mail service.

Campus E-mail System


The e-mail address of the new Staff E-mail Service is the same as the Campus E-mail System. What will happen to my Campus E-mail account?


As the new Staff E-mail Service will use the e-mail domain of the Campus E-mail System, it will replace the Campus E-mail System IMMEDIATELY at its launching date. All new messages sent to <preferred name> or <> WILL NOT be delivered to your Campus E-mail account, but rather be routed to your new staff e-mail account.


Can I still access my Campus E-mail account after the launch of the new Staff E-mail Service?


Yes, you can still login and access your Campus E-mail account till the end of August 2012. However, NO NEW MESSAGES will be received and you can only view the ‘old’ messages received before the launch of the new Staff E-mail Service.


Will the ‘old’ messages in my Campus E-mail account be migrated to my new staff e-mail account?


NO message migration for the Campus E-mail System will be conducted. Users may download the old messages using the MS Outlook client (ver. 2007/2010) or any other e-mail client through the POP3/IMAP4 protocol.


I have set an auto-forwarding rule to forward incoming messages in my Campus E-mail account to my GroupWise account. Do I have to set the rule again in my new staff e-mail account? 


You don’t have to do it yourself. We will create the same auto-forward settings in your new staff e-mail account at the launching date.

Settings and Functions


I am currently using a third-party e-mail client to download messages from my Campus E-mail account using a POP3/IMAP connection. Will there be any changes to the POP3/IMAP settings after the launch of the new service?


Yes, you have to update the incoming and outgoing e-mail server to access your new staff e-mail account. Details will be available at the new Staff E-mail Service website to be launched in April 2012.


Does the new Staff E-mail Service support the push e-mail function to mobile devices?


Yes, you can use the push e-mail function with most devices using Apple iOS, Android, and also Windows Phone and Blackberry. You can have all e-mails sent to your new staff e-mail mailbox automatically pushed to your mobile device or you can do the updating manually.

User Guides & Training


Where can I get more information about the use of the new Staff E-mail Service?


User guides will be available at the new Staff E-mail Service website to be launched in April 2012.


Will training be provided on the new service?


Yes, training sessions will be offered to all staff starting end April.




New Student Record System (SRS) for 334 - Student Administration Subsystem (Phase 1A) Launched


To support the new 334 academic structure, the initiative to redevelop the AS Student Record System (SRS) commenced back in 2007. Given the tremendous effort involved in planning and feasibility studies, a joint project team of AS and ITS was set up for the exercise, and new technologies and tools were adopted for system development and implementation.


The new SRS comprises a number of subsystems and modules, with the two major ones being Admission Administration and Student Administration. It provides four entry points for different types of users: 'eAdmission' for applicants, 'eStudent' for students, 'eAcademic' for academic staff and 'asadmin' for administrative staff. 'asadmin' is a consolidated platform for users to access the administrative functions for admission processing, student-related processing and user account management.

The Admission Administration subsystem went on pilot run in December 2010 and on full run in November 2011. It now supports the admission processing of all types of PolyU programmes. In particular, it will handle the double cohort admission of both 3-year and 4-year programmes under JUPAS.

The Student Administration subsystem (Phase 1A) was also launched on 12 March 2012 for all administrative staff, after the successful migration of student records from the old system to the new SRS in early March. Phases 1B and 2 of the project will be launched by September 2012 and early 2013 respectively.

The new SRS is now running on the new Administrative Computing Infrastructure (ACI) providing a longer service period, with all of its administrative functions accessible anywhere on the web.

Entry to eAcademic (


Entry to eStudent (


Entry to Admin function (




Update on PolyU Connect - Display Name with Student Number


As conveyed in our last issue, we are working to implement the new e-mail display name format to include the student number for all current students. The new display name format will be fully implemented on 1 April 2012.


The e-mail display name (together with the e-mail address) is as follows:

e.g. Peter Chan [11234567x] <>


Please note that this display name format ONLY applies to ALL 'Current Students' and the display name format for graduated students or alumni will remain unchanged as below:

e.g. Peter Chan [Alumni] <>


All students are reminded that you MUST use either the web version ( or MS Outlook 2007/2010 client to access your PolyU Connect account when communicating with the University. Otherwise, the default display name format may not be supported and it may be difficult for your e-mail recipient to identify you.



University Enterprise Content Management Solution


To support more cost-effective and efficient document management at the University and to cater for the future business needs of the University, an Enterprise Content Management solution is needed to handle the existing document management systems (DMS) used by different departments.

By using a common Enterprise Content Management (ECM) platform and with standardised software, the sharing of documents among departments can be made easier and achieve economy of scale. It is envisaged that cost savings and efficiency gain can be achieved upon the implementation of an advanced content management application.

A project to source a suitable ECM solution for the University was initiated in December 2011. The first phase of the project is to replace some aging departmental document management systems and also the existing GroupWise DMS, to align with the roll-out of the new Staff E-mail Service.

It is targeted that the implementation would start by early May 2012 and the ECM platform be ready before September 2012, to be followed by the migration of the existing DMS from September 2012 to the end of the year.



Secure Development Life-cycle for Web Application – Part 1


During November 2011 and February 2012, a security review exercise was conducted to identify inadequacies in the security protection of the University's web infrastructure and of the websites hosted on the Central Internet Web Hosting Server. The results show that some websites are susceptible to high-severity web application vulnerabilities.

These vulnerabilities are mainly caused by insecure coding practices of the web developers, and they could have been avoided if some basic security controls had been adopted during website development and in daily website administration.

Starting from this issue, we will share some security best practices on developing and maintaining a website. Let’s start with the first phase of development, the requirement phase, in this issue.


The Requirement Phase

In general, a System / Software Development Life Cycle (SDLC) is composed of the following phases:

It is important to consider security concerns early when you design application functions, and to avoid attempts to add security requirements near the end of project development.

Input Validation Requirements

Very often, security requirements are not covered as extensively as functional requirements. In fact, there are many instances where functional requirements can be used to derive security requirements.

For example, if the functional requirement is to collect and display the Hong Kong Identity Card number, the derived security requirements would be to check the length and the number on input and to mask the number on display.

Input validation is an application's first line of defence. Effective input validation routines will only accept data for processing if it is proven to be good. Otherwise, the data will be rejected with a well-defined and thoroughly tested error message.

Furthermore, designing validation routines is a process that involves different activities or roles. When analyzing the requirements, all the different data fields that will be handled by the application should be listed. For each data field, a list of validation rules should be documented.

Documenting these rules up front saves a lot of time later on: significant project delays can result when security vulnerabilities are found in penetration testing or, worse, in production. Inconsistent and poorly implemented input validation requirements can also confuse or frustrate users and increase maintenance overhead.
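The HKID requirement above, worked through as an added example (not code from the University or ITS): the input check uses the publicly documented HKID check-digit scheme, while the masking policy (show the prefix and first three digits only) and all function names are assumptions. The sample numbers are constructed test values.

```python
import re

# Whitelist: 1-2 letters, 6 digits, check digit 0-9 or A (brackets optional).
HKID_RE = re.compile(r"([A-Z]{1,2})([0-9]{6})(?:\(([0-9A])\)|([0-9A]))")
MAX_LEN = 11  # "AB123456(7)" is the longest accepted form


def _value(ch):
    """Digits map to themselves, A-Z to 10-35, the padding space to 36."""
    if ch == " ":
        return 36
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10


def parse_hkid(raw):
    """Return the canonical form 'A123456(3)' or raise ValueError."""
    if not isinstance(raw, str) or not raw.isascii():
        raise ValueError("HKID must be plain ASCII text")
    text = raw.strip().upper()
    if len(text) > MAX_LEN:
        raise ValueError("HKID is too long")
    m = HKID_RE.fullmatch(text)
    if m is None:
        raise ValueError("HKID format not recognised")
    prefix, digits = m.group(1), m.group(2)
    check = m.group(3) or m.group(4)
    # Weights 9..2 over the space-padded prefix and digits, plus the check
    # digit with weight 1, must sum to a multiple of 11.
    body = prefix.rjust(2) + digits
    total = sum(_value(c) * w for c, w in zip(body, range(9, 1, -1)))
    if (total + _value(check)) % 11 != 0:
        raise ValueError("HKID check digit does not match")
    return f"{prefix}{digits}({check})"


def is_valid_hkid(raw):
    try:
        parse_hkid(raw)
        return True
    except ValueError:
        return False


def mask_hkid(raw):
    """Validate first, then mask. Policy (assumed): keep prefix + 3 digits."""
    canonical = parse_hkid(raw)
    return canonical[:-6] + "***(*)"


if __name__ == "__main__":
    # Constructed sample inputs, not real identity card numbers.
    for sample in ["a123456(3)", "AB9876543", "A123456(4)", "A123456(3)<b>"]:
        print(repr(sample), is_valid_hkid(sample))
    print(mask_hkid("A123456(3)"))
```

Because `mask_hkid` calls `parse_hkid` before formatting, a value that failed validation can never reach the display path.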


Regulatory Requirements

Besides input validation requirements, regulatory requirements such as the Personal Data (Privacy) Ordinance and the University information security policies and guidelines should be taken into account in system development as sources of security requirements.


Security Requirements for Third Party

Finally, if the system development, application hosting or electronic storage involves a third-party service provider or vendor ("Third party"), the Third party tender or contract should include security requirements to ensure that University data is safeguarded in the Third party service. Below are some areas to include in the tender or contract:

  • Control of University Data
  • Data Privacy Requirements
  • Compliance with Privacy Regulations and Policies
  • Safeguarding University Data
  • Security and Protection
  • Right to Audit
  • Indemnification
  • Regular Security Assessment

To safeguard an application, security considerations should be taken into account in the whole development life-cycle. Stay tuned with 'Get Connected' for the best practices to observe in other phases of the system development life-cycle.


Participate in the Student Survey on Information Technology to Win a Gift Certificate - Deadline on 3 April


As communicated in our last issue, PolyU has participated in the 2012 ECAR (EDUCAUSE Center for Applied Research) National Study of Undergraduate Students and Information Technology, with a view to better understanding students' use of information technology in their study.

ALL undergraduate students are invited to participate in the survey which will take less than 15 minutes to complete. You will be asked questions about your experiences with, and attitudes toward, information technology and your learning experience.


You will have a chance to win either a US$50 or US$100 gift certificate to be awarded by EDUCAUSE!

Your responses to the survey will be completely confidential. The results of the survey will help the University to further enhance your learning experience with the more effective use of IT.

Deadline: 3 April 2012



Security Risks of Remote Desktop Access Over the Internet


It may be convenient to use the Remote Desktop Protocol (RDP) for accessing systems over the Internet, especially in server environments. However, exposing RDP to direct connections is risky.

This setup not only gives remote attackers the opportunity to guess logon credentials, but also exposes the Windows systems to two newly discovered security threats targeting the security vulnerabilities in Microsoft’s implementation of RDP.


Beware of Security Vulnerabilities


The most serious vulnerability does not require authentication and can allow an attacker to execute remote code with SYSTEM privileges. An attacker who has successfully exploited this vulnerability could completely take over the affected system, while an unsuccessful attempt will crash the system.


The second RDP issue is an unauthenticated denial-of-service vulnerability. An attacker who has successfully exploited this vulnerability could cause the RDP service to become unable to support any client requests.


For more information, please refer to the security alert on RDP vulnerabilities that has been published on the ITS Security Theme Page.



Web Security Day on 4 May – Security of Web Applications


With rapid global penetration of the Internet and smart phones and the resulting productivity and social gains, the world is becoming increasingly dependent on its cyber infrastructure.

Criminals, spies and predators of all kinds have learnt to exploit this landscape much quicker than defenders have advanced in their technologies. Security concerns have rapidly moved up the software stack as the Internet and web have matured. Security / privacy has become an essential concern of applications and systems throughout their lifecycle.

To raise the awareness of the PolyU community in web application security, ITS will organize the Web Security Day on 4 May 2012. The event will bring together industry, government and security practitioners to discuss the state-of-the-art in application security. Some topics of interest include:

  • Security Considerations for Collecting Personal Data thru Internet by The Office of the Privacy Commissioner for Personal Data, HKSAR Government
  • Secure Development Life-cycle Best Practices on Web Application Development by (ISC)2 Application Security Advisory Board

An invitation with more details of the event will be sent to departments in April. In the meantime, if you would like to learn more about the event, please contact Mr Joseph Lam of ITS at Ext. 2405.



24-hour Services at Student Computer Centre


24-hour services are now available on the 3/F of the Student Computer Centre at Li Ka Shing Tower until 23 April 2012 to support the high usage demand during the end-of-semester period.

Visit us anytime to do your assignment or to study for your exam.




April Staff IT Training Programmes


Training Workshops

You may view the full list of workshops offered in April and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.

Online Courses

  April Online Courses

A Access 2007: Level 1, 2, 3 & 4
  Access 2007: New Features
  Acrobat 9.0 Pro: Level 1 & 2
E Excel 2007: Level 1, 2, 3 & 4
  Excel 2007: New Features
  Excel 2007: VBA
G GroupWise 7.0 Level 1-1: Using GroupWise E-mail
  GroupWise 7.0 Level 1-2: Organizing E-mails and Address Book in GroupWise
  GroupWise 7.0 Level 1-3: Using GroupWise Calendar and Resources
  GroupWise 7.0 Level 2-1: Exploring Advanced Mail and Message Features
  GroupWise 7.0 Level 2-2: Exploring WebAccess, Rules and Access Rights
P PowerPoint 2007: Level 1 & 2
  PowerPoint 2007: New Features
  Project 2007: Level 1 & 2
  Publisher 2007
S Security Awareness (Part 1): Protecting Information and Countering Social Engineering
  Security Awareness (Part 2): Maintaining Computer and File Security
  Security Awareness (Part 3): Promoting E-mail Security and Proper Responses to Security Incidents
  SharePoint Designer 2007: Level 1 & 2
V What's New in Visio 2007
W Windows Vista: New Features
  Word 2007: Level 1, 2 & 3
  Word 2007: New Features


Please click here for the detailed description of each course. To enrol, please complete and return the web-based proforma reply and you will be informed of the enrolment results in early April via e-mail.

Enquiries: 4566