April 2012


Goodbye to Campus Email System and GroupWise - New Staff Email System to be Launched in May
Reserve Your Seat NOW for Web Security Day on 4 May
Update on Private Cloud Infrastructure (PCI) and Departmental Computing Infrastructure (DCI)
Secure Development Life-cycle for Web Application
CLO Meeting - Update on New IT Initiatives and Provisions
'eduroam' Wi-Fi Service Available at HKCC Hung Hom Bay Campus and West Kowloon Campus
May Staff IT Training Programmes

Goodbye to Campus Email System and GroupWise - New Staff Email System to be Launched in May


Mark this date on your calendar as the University enters a new era of electronic communication -


What will happen on the launching date?

No more Campus Email System?



  • The new Staff Email Service will replace the Campus Email System IMMEIDATELY on its launching d ate.

  • The New Staff Email service will use "@polyu.edu.hk",  which is currently used by the Campus Email System, as the email suffix.

  • All new messages sent to your Campus Email account will be automatically routed to your new Staff Email Service account. Or they would be sent to your GroupWise account if you have set to forward all emails from Campus Email to GroupWise.

  • Starting from 31 May 2012, Campus Email users may use the new Staff Email Service to send and receive emails:



No more GroupWise?  

NO -

  • All GroupWise users WILL NOT be affected at the initial launch.  You can continue to use GroupWise to receive and send messages.
  • However, GroupWise will eventually be phased out upon the completion of data migration from GroupWise to the new Staff Email Service, which will be conducted for departments by phases starting from June 2012. More details on the data migration exercise will be available in our next issue.




How to access the new Staff Email Service?

An official website for the new Staff Email Service (http://www.polyu.edu.hk/email) has been launched through which you can access the new Staff Email Service. You can also find useful information about the service including user guides, training schedules and training materials, FAQs, etc. via the website.


Points to note for Campus Email Users


How to access the Campus Email System after 31 May 2012?


You can continue to access the Campus Email System via the existing URL at: https://webmail.polyu.edu.hk.

However, you can only review ‘old’ messages received before 31 May 2012. All new messages will be routed to your new Staff Email account.


Any preparation needed for Campus Email users? 


  • If you are using some POP3/IMAP email clients, including your mobile devices, to download your Campus Email messages, you have to change the Incoming and Outgoing Server settings as follows: 

    • POP Setting 
      • Server name: pod51012.outlook.com
      • Port: 995
      • Encryption method: SSL

    • IMAP Setting 
      • Server name: pod51012.outlook.com
      • Port: 993
      • Encryption method: SSL

    • SMTP Setting 
      • Server name: pod51012.outlook.com
      • Port: 587
      • Encryption method: TLS  

Remember NOT TO use ‘mail.polyu.edu.hk’ and ‘smtp.polyu.edu.hk’ as the Incoming and Outgoing server settings.

  • After the launch of new the Staff Email Service, the following settings in your Campus Email account, EXCEPT auto-forwarding, have to be re-created in your new Staff Email account:

    • Signature
    • Custom Display Name and Reply-to Address
    • Custom Folders
    • Message Filter Rules
    • Automatic Reply Rule
    • Contacts/Groups in the Personal Address Book (user can use the  Export function to export the address book as a CSV file, then import it to the MS Outlook client)
    • Approved Senders and Block Senders list

  • The daily digest list of quarantined message will no longer be available.

Please also note that in the new Staff Email Service, the actual email address will be shown in all outgoing messages with the following format:<Preferred Address Name>@polyu.edu.hk


Want to know more and get trained?

A series of targeted training workshops and seminars for the new Staff Email Service have been arranged starting from April 2012:    

Workshops for General Users - Jumpstart on New Staff Email Service

  • Overview of the new Staff Email Service
  • Impact to Campus Email users
  • Hands-on practice on using the Outlook client and Outlook WebApp








25, 30 April

10:00 -12:00


All Staff


2, 3, 8, 10, 14, 16 May

2:30 – 4:30


All Staff


More workshops will be organized in the coming months.


Service Launch Seminars for General Users

  • Overview of the new Staff Email Service
  • Important dates to remember
  • Arrangements during the transition period
  • Impact to Campus Email users and Novell GroupWise users








18 May

2:30 - 4:00


All Staff



23 May

2:30 - 4:00


All Staff



28 May

2:30 - 4:00


All Staff



In-depth Technical Training for Departmental CLOs and Technical Support Personnel

  • In-depth discussion of the new Staff Email Service
  • Detailed data migration arrangements
  • Technical support issues
  • FQAs








22 May

2:30 - 4:30 pm


All CLOs and technical support personnel



24 May

2:30 - 4:30 pm


All CLOs and technical support personnel


Enrolment arrangements for the Service Launch Seminars and the Technical Training will be announced via email shortly.


Customized Training Workshops for Departments

  • Basic operations of the Outlook client and Outlook WebApp
  • Preparation for data migration
  • Use of the migration tool
  • FAQs

Date & Time




Around 2 weeks prior to the departmental data migration exercise, to be confirmed in consultation with departments


All Staff of the Department


In addition to classroom / face-to-face training, a web-based training course on the use of Outlook 2007/2010, of which the new Staff Email Services is based, will also be offered to all PolyU Staff. Details will be announced later.

Departments are welcome to contact Mr Ernest Yu of ITS (Ext. 7940, email: ernest.yu@polyu.edu.hk) for more information or further discussion regarding the roll-out of the new Staff Email System.





Reserve Your Seat NOW for Web Security Day on 4 May


As communicated in our last issue, a Web Security Day will be held on 4 May 2012 to raise the awareness of the PolyU community in web application security.

The half-day event will bring together industry, government and security practitioners to discuss the state-of-the-art in application security.

Details of the event are as follows:


4 May 2012


Lecture Theatre N001


2:00 PM – 5:30 PM

Target Audience

Departmental CLOs / IT Security Officers, IT Support Personnel, Web Account Owners & Administrative Staff


2:00 - 2:15


2:15 - 2:25

Souvenir Presentation




2:25 - 3:10

Security Considerations for Collecting Personal Data thru Internet

Mr Henry Chang
IT Advisor of the Office of the Privacy Commissioner for Personal Data, Hong Kong

3:10 - 3:55

Secure Development Life-cycle Best Practices on Web Application Development

Mr Aung Win Tin
Member of (ISC)2 Application Security Advisory Board (ASAB)

3:55 - 4:15

Tea Break

4:15 - 5:00

A Strategy for Web Application Security at Scale

Mr Henry Ng
Thales Security

5:00 - 5:30

How to Enhance Web Application Security thru ITS Services


Reserve your seat for the Web Security Day HERE AND NOW.

For more information, please contact Mr Joseph Lam (ext. 2405, e-mail: itjkclam) or Mr Carter Lau (ext. 2418, e-mail: cslau) of ITS.




Update on Private Cloud Infrastructure (PCI) and Departmental Computing Infrastructure (DCI)


Since November 2010, the University has started the implementation of the PolyU Private Cloud Service to provide an alternative for departments to buying and maintaining their own servers. 

Following the launch of the PCI service in April 2011, a review has been conducted in the first quarter of this year and the charges for the different service plans will be downwardly revised. Please click here for the revised PCI service plans effective May 2012.

In the near future, we will further strengthen our processor, memory and disk resources to build additional clusters for the PCI and DCI services. The PCI user portal is also under revamp to incorporate the new service plans.

Key Milestones


Request for PCI service is simple, just click…


DCI Service

The DCI service is under development and it is targeted for launching in July / August 2012. Stay tuned to ‘Get Connected’ for more information of this project-based infrastructure service.  

Give us a call (Mr Raymond Tam, Email: 'itraymon', Ext. 5921) if you need further information or discussion on the PCI service and the support you need. Our colleagues are more than happy to visit your department for interactive discussion.




Secure Development Life-cycle for Web Application Part 2 - The Design Phase


MP900424389[1].jpgIn our last issue, we have started to share some security best practices on the different phases of developing and maintaining a website. Following the requirement phase in the last issue, let’s talk about the next phase of the system development life-cycle, i.e. the design phase.

The design phase identifies the overall design and structure for the application based on the requirement previously defined. In this phase, the security architecture and design guidelines are also defined. Again, it is important to consider the security concerns carefully and early when designing the features, and to avoid attempts to add security requirements near the end of the project.


Design for Confidentiality

Confidentiality design considerations are about data disclosure protection, if it is determined in the requirement phase that confidentiality protection mechanism is required, those requirements need to be designed here.

Below are some cryptographic techniques that should be considered for providing confidentiality to sensitive data:


Encryption uses bi-directional algorithms in which human readable information (clear text) is encrypted into human unreadable information (cipher text) and the original clear text can be determined from the cipher text when it is decrypted.

Data encryption should be considered when sensitive data is in storage, transit and archive. Common examples of algorithm are Advanced Encryption Standard (AES) and RSA algorithm.


Hashing is a one-way function. Unlike encryption, the hashed data or information cannot be converted back to the original data. One can determine if the original value has changed or not by re-hashing the input and comparing the value.

Passwords should always be hashed and never encrypted as hashing provides more heightened security. Common examples of algorithm are MD5 Message-Digest Algorithm and Secure Hash Algorithm (SHA).


Masking is a mechanism in which the original text is either asterisked or replaced by another character. In the case of credit card numbers, it is required in the Payment Card Industry (PCI) Data Security Standard that the first six and last four digits are the maximum number of digits to be displayed while the others should be masked out.


Design for Integrity

Data integrity ensures trustworthiness of information over its entire life-cycle. It can be achieved through:

Hashing functions

A variable size input is passed through an algorithm such as MD5 or SHA and produce a fixed-size output. In order to assure the file being transferred is not modified, MD5 checksums have been widely used. However, it has been discovered that MD5 is not collision free, meaning that the same checksum can be created for two files and so this cannot safeguard against malicious tampering of files.

Digital signatures

Digital signatures are created using a public-key signature algorithm such as the RSA public-key cipher. It helps to prove the origin of the signed content.

Below is a summary of how it can ensure data integrity:

  • A one-way hash of the document is produced.
  • The hash is encrypted with the private key, thereby signing the document.
  • The document and the signed hash are transmitted.
  • The recipient produces a one-way hash of the document.
  • Using the digital signature algorithm, the recipient decrypts the signed hash with the sender’s public key.
  • If the signed hash matches the recipient’s hash, the signature is valid and the document is intact.

Resource locking

By locking a record being updated in the database from any concurrent changes, the integrity of data is maintained.


Design for Availability

Availability refers to the accessibility of systems. Highly available systems aim to remain online at all times and resilient to disruptions such as power outages, hardware failures and system upgrades or modifications. According to the service level of the solution, load balancing or failover features should be incorporated in the design if appropriate.


Design for Auditing

Auditing is the logging of time (when) and actions (what) that are taken by an actor (who) on an object (where). Actions should cover sensitive data creation, deletion, update and read or some other administrative actions. The solution design should provide an audit mechanism to track these actions and actions to be audited should be configurable in order to balance system performance and accountability.

Moreover, the solution design should be built with a mechanism to ensure the integrity of the audit records and prevent unauthorized deletion and modification of audit data. Also, it should provide a user interface for authorized users to review audit information.


Other Design Considerations

Besides the design considerations covered above, areas including but not limited to user management, authentication, authorization, accountability, session management, transport security, tiered system segregation, privacy, backup and restore should also be considered in the solution design.

To safeguard an application, security considerations should be taken into account in the whole development life-cycle. Stay tuned with ‘Get Connected’ for the best practices to observe in other phases of the system development life-cycle.




CLO Meeting - Update on New IT Initiatives and Provisions


Regular meetings with the departmental Computer Liaison Officers (CLOs) are held to update them with our latest IT services and provisions and for ITS to better understand the needs of departments. Over 100 departmental Computer Liaison Officers (CLOs) or their representatives attended the recent CLO meeting held on 12 April 2012 at the Senate Room.



Mr Gerrit Bahlman, DoIT, welcoming all CLOs to the meeting.

A major focus of the meeting is the roll-out of the new Staff Email Service which is scheduled in end May 2012. During the meeting, the implementation schedule, migration plan, user training arrangements, etc. of the staff email project were highlighted.

Mr Ernest Yu of ITS highlighting the latest development of the staff and student email projects.

The latest developments in the following areas were also introduced / reported during the meeting:

  • Update on Student Record System Redevelopment
  • Update on PolyU Connect Service  
  • Update on LMS Transition
  • University Information Security Management Framework 
  • Findings of Security Review on the Central Internet Web Hosting Platform
  • Update on Departmental Computing Infrastructure (DCI) and Private Cloud Infrastructure (PCI)
The presentation materials of the CLO meeting have been posted on the CLO Portal under the 'Information' section. CLOs may share the information with colleagues in your department/office as appropriate.




‘eduroam’ Wi-Fi Service Available at HKCC Hung Hom Bay Campus and West Kowloon Campus


To provide staff and students with wireless access while visiting other local and overseas universities, PolyU has joined the 'eduroam' initiative which is a wireless LAN mutual access initiative among member institutions around the world. By configuring the wireless LAN parameters of your mobile devices, you can conveniently access the wireless LAN at all ’eduroam’ member institutions locally and overseas.

Starting 23 April 2012, HKCC has become a member of ‘eduroam’ and all PolyU staff and students can now access ‘eduroam’ WiFi service in both the Hung Hom Bay campus and West Kowloon campus of HKCC.

Click here for the configuration procedures to access the ‘eduroam’ WiFi service.

Click here for more information about eduroam Hong Kong.



May Staff IT Training Programmes


Training Workshops

You may view the full list of workshops offered in May and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.

Online Courses

  May Online Courses


Access 2007: Level 1, 2, 3 & 4

  Access 2007: New Features
  Acrobat 9.0 Pro: Level 1 & 2
E Excel 2007: Level 1, 2, 3 & 4
  Excel 2007: New Features
  Excel 2007: VBA
G GroupWise 7.0 Level 1-1: Using GroupWise E-mail
  GroupWise 7.0 Level 1-2: Organizing E-mails and Address Book in GroupWise
  GroupWise 7.0 Level 1-3: Using GroupWise Calendar and Resources
  GroupWise 7.0 Level 2-1: Exploring Advanced Mail and Message Features
  GroupWise 7.0 Level 2-2: Exploring WebAccess, Rules and Access Rights
P PowerPoint 2007: Level 1 & 2
  PowerPoint 2007: New Features
  Project 2007: Level 1 & 2
  Publisher 2007
S Security Awareness (Part 1): Protecting Information and Countering Social Engineering
  Security Awareness (Part 2) : Maintaining Computer and File Security
  Security Awareness (Part 3): Promoting E-mail Security and Proper Responses to Security Incidents
  SharePoint Designer 2007: Level 1 & 2
V What's New in Visio 2007
W Windows Vista : New Features
  Word 2007: Level 1, 2 & 3
  Word 2007: New Features


Please click here for the detailed description of each course. To enrol, please complete and return the web-based proforma reply and you will be informed of the enrolment results in early May via e-mail.

Enquiries: 4566