June 2012


Update on Staff Email Service – More About GroupWise Migration
Updates on Establishment of a University Information Security Management Framework
Updated Price List for SPSS Software Licenses
Reminder to Graduates
Annual Notebook Ownership Programme
Secure Development Life-cycle for Web Application – Part 4
July Staff IT Training Programmes

Update on Staff Email Service – More About GroupWise Migration

As previously announced, the new Staff Email Service has been successfully launched on 31 May 2012 to replace the Campus E-mail System.  

During the past month, over 3,000 colleagues have started using their new e-mail accounts while their existing GroupWise accounts are still available for use. If you are not one of them, start using it NOW as the migration of all GroupWise messages to the new Staff Email service will start in mid July. After the migration, you have to use Microsoft Outlook in your daily work to access your mailbox.

Please visit the official website of the Staff Email Service for more information including the user guides, training materials, FAQs, etc.

More about the Migration

ITS is now working with the vendor to prepare for the campus-wide migration exercise. Pilot run will be carried out in the ITS office in early July which will help us to identify any technical or operational issues to be addressed before the migration is conducted campus-wide.

Highlights of the migration exercise are presented below:

The migration exercise will be carried out by phases by departments.

The exercise will cover both the GroupWise online messages and the latest GroupWise Cache/Archive mailbox.

The GroupWise online messages will be migrated on the server side without user interruption. The items to be migrated will include:

  • All messages of total size less than 25 MB and all the  attachments not larger than 18MB per message
  • All items in the GroupWise calendar
  • All personal GroupWise address books, EXCEPT the ‘Frequent Contacts’ address book
  • All personalized folders

On the other hand, the followings have to be done manually after the migration:

  • Re-share all shared folders
  • Re-share all shared personal address books
  • Re-grant the proxy access rights
  • Re-create the signatures
  • Re-define all the message control rules

As for the cached / archived messages, the Technical Delivery Engineers from vendor will visit departments on-site to help colleagues to convert the latest GroupWise Cache/Archive mailbox as an Outlook archive data file (i.e. in .pst format).

The on-site engineers will also help users to setup the Outlook profile for accessing their Staff Email accounts.

In preparation for the migration, a preparation guide will be sent to colleagues prior to their departmental migration exercise.

The whole migration exercise is expected for completion by the end of Q1 2013 and the tentatively schedule is to shut down the GroupWise system in fall 2013.


Up to now, over 30 departments have already scheduled their departmental migration exercise with us. For those which have not yet done so, the departmental CLOs are strongly recommended to contact Mr Simon Suen (simon.suen@polyu.edu.hk / 2766 7718) of ITS for arrangement as soon as possible, so as to schedule the exercise at a time which can best suit their business operation and minimize the impact to their colleagues.



Update on Establishment of a University Information Security Management Framework


The consultation exercise for the establishment of a University Information Security Management Framework drew a good response from the University community. By the end of the consultation period, we have received written submissions from 11 user departments. The views and suggestions received provide useful insights for developing the University information security management framework and they are summarized as below.


Summary of Suggestions and Views

There is general support in the University community for the introduction of a University information security management framework, to strengthen the protection of the University’s information assets and also to provide a standard mechanism to deal with security breaches when they occur.

There is also a view prevalent amongst the respondents that it is very important to ensure the proposed framework shall not be over engineered and turn out to be a bureaucratic structure which slows down the speed of communication and response to security incident. The introduction of the Management Framework is a significant strategic move in the information asset protection and may require resources for implementation. Therefore, support from the senior management is vital to the success of its implementation.
Some respondents suggested to expand the composition of the proposed Information Security Strategy & Policy Advisory Board to include more representatives from administrative and academic departments. It will enable sufficient participation and representation from the user community in the formulation of the information security strategies and policies and hence their implementation will be smoothened.

Some respondents also expressed concerns about the resource implication due to the establishment of the Management Framework and whether support on the policy implementation and training on security incident response would be provided to user departments.


Refined University Information Security Management Framework

After considering all the views and suggestions, the University Information Security Management Framework has been refined with the following modifications:

To ensure that the Management Framework would be a lean organizational structure without losing the originally proposed functionalities, the two newly introduced committees, i.e. Information Security Strategy & Policy Advisory Board and University Information Security Incident Coordination Team, have been merged. With such modification, the functions of the University Information Security Incident Coordination Team will be shared by the Information Security Strategy & Policy Advisory Board and the ITS Security Team. As such, the roles and responsibilities of the Information Security Strategy & Policy Advisory Board and the ITS Security Team in the Management Framework will also be refined to reflect such changes. 

To ensure sufficient participation from the user community and stakeholders in the information security strategy and policy formulation process, the composition of the Information Strategy & Policy Advisory Board is also revised.


Endorsement from Information Services Steering Committee

The refined proposal for the 'Establishment of a University Information Security Management Framework' has been re-submitted to the Information Services Steering Committee (ISSC) at its June 2012 meeting.

The ISSC endorsed the refined proposal and agreed to recommend the proposal to the President’s Executive Committee for approval and adoption.



Updated Price List for SPSS Software Licenses


The updated price list for the SPSS software licences for 2012/13 has been posted under the ITS website and is accessible here

Please note that due to the implementation of new acquisition and license code issuance procedures by SPSS for better licensing control, the license code would only be issued by SPSS after they have received and processed the purchase order.

Departments are therefore reminded to provide sufficient time for the processing of the purchase order and not to raise order at last minute.




Reminder to Graduates


The University will continue to provide 2011/12 Semester 2 and Semester 3 graduates with access to the central IT facilities and services until the end of November 2012. Exceptional extension arrangements may be requested in advance and will be considered based on individual circumstances.

If you are graduating this summer, you will be individually notified via e-mail of the expiry date of your NetID and the associated central IT facilities and services available to you. For the PolyU Connect service, as it is a life-long e-mail, communication and collaboration service, it will continue to be available to you after your graduation.  

As your NetID will expire later, please be reminded that you will need to backup your required data on all the systems including the University Portal, myWeb, myStore, Blackboard, etc. before the service expiry date. All data will be deleted after the expiry date and will no longer be recoverable.

Please note in particular that your PolyU Connect account includes a 25GB web storage service, named SkyDrive, whereby you can store and retrieve your documents/files anywhere over the Internet.

It is recommended that you can backup the data stored in the University Portal, myWeb, myStore and Blackboard that you wish to retain to this web storage service. Click here for the guide of using SkyDrive.

If you have any enquiries regarding the expiry date of the central IT facilities and services, or the backup of data, please contact the ITS Help Centre at 2766 5900.



Annual Notebook Ownership Programme


Each year, ITS will, in partnership with the Students' Union, invite vendors to make special offers on notebook PCs to our students, staff, and alumni. The Notebook Ownership Programme has long been well-received by the PolyU community and over 12,000 notebooks / sub-notebooks were sold during the exercise last year. 

This year's notebook programme will commence in August. After thorough evaluation and comparison on the configuration, functionality, discount level, etc. of various brands, the notebooks of two vendors, Acer and Samsung, have been selected for this year's programme.

Details of the programme, including model and price information, road show and purchase period, etc. will be announced as soon as they are finalized.

Watch out for the latest updates in our next issue!



Secure Development Life-cycle for Web Application – Part 4


The Testing Phase

The testing phase of web application development is to ensure that the developed system conforms to the design requirements. In this phase, a security test plan should be developed and followed to verify the web application / website’s security controls are implemented and functioning as designed.

In addition to testing the built-in security controls, security tests should also be done to identify any insecure coding vulnerability as defined by the OWASP (Open Web Application Security Project) and the CWE/SANS top 25 most dangerous programming errors. A web Application vulnerability testing can serve this purpose.

Also, a load test should be performed to ensure the application can handle the designed loading.

Any security flaws identified during security tests and web application security vulnerability assessment shall be corrected before system deployment. In case the security flaws cannot be fixed at the moment or workaround is applied instead, it should be documented and reviewed periodically.

All security tests and corresponding results shall be formally documented in the form of test plan, test case and test report. All these documents shall be submitted to the Business Owner(s) or delegates for acceptance prior to deploying the web application / website into the production environment.

Production data shall NOT be used for testing or development purposes, except where unavoidable and approval is documented. If production data must be used in non-production environment, then the security controls in the non-production environment shall be as strong as the security controls in the production environment.

Besides the tests mentioned above, tests like Integration Testing, Stress Testing and System Vulnerability Testing may be conducted during this phase.

The Deployment Phase

The deployment phase is the phase to integrate the developed system components with the existing production infrastructure. A deployment plan should be prepared and evaluated to ensure that there will be no adverse impact on the existing IT infrastructure and services after the deployment.

Furthermore, the deployment plan should be approved by the Business Owner(s) or delegate(s) and evaluated by relevant stakeholders, including the service owner, about the reasonableness of the plan. If the deployment may have adverse impact on the IT component or services, the deployment should be withheld until the issue is resolved.

Before deployment, unused services, functions or procedures in the servers shall be removed to reduce the attack surface. Also, all the test data and test accounts shall be removed before deploying the web application / website into production environment.

To safeguard an application, security considerations should be taken into account in the whole development life-cycle. Stay tuned with ‘Get Connected’ for the best practices to observe in other phases of the system development life-cycle.



July Staff IT Training Programmes


Training Workshops

You may view the full list of workshops offered in July and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.


Enquiries: 4566