| Field | Value |
|---|---|
| Graduate student | 洪惠菁 Hui-Ching Hung |
| Thesis title | 中小企業資通安全檢查之持續監督機制 (Continuous Monitoring Mechanism for Cybersecurity Inspection in Small and Medium-sized Entities) |
| Advisor | 吳宗成 Tzong-Chen Wu |
| Committee members | 楊維寧 Wei-Ning Yang, 葉瑞徽 Ruey-Huei Yeh |
| Degree | Master (碩士) |
| Department | College of Management, Department of Information Management (管理學院 - 資訊管理系) |
| Year of publication | 2021 |
| Academic year of graduation | 109 |
| Language | Chinese |
| Number of pages | 112 |
| Chinese keywords | COSO, NIST CSF, computer auditing, cybersecurity inspection, continuous monitoring |
| English keywords | COSO, NIST CSF, CAATs, Cybersecurity Inspection, CM |
Abstract (translated from the Chinese):
With the rapid development of information technology, the business and management models of every industry have changed greatly. Enterprises' internal operations are almost entirely computerized and, as digital transformation advances, their external transactions and services are conducted through B2B or B2C e-commerce rather than traditional channels. This raises cybersecurity risk at the same time, so a balance must be struck between competitiveness and cybersecurity risk. With their limited security resources, it is neither feasible nor appropriate for small and medium-sized enterprises (SMEs) to follow international-standard security policies, yet continuous control of cybersecurity risk cannot be avoided.
This study proposes an integrated cybersecurity framework that can help the management of SMEs establish a continuous monitoring mechanism for cybersecurity inspection and implement effective cybersecurity management. Building on the existing literature on integrated cybersecurity frameworks, the framework is derived by deductive reasoning from three management frameworks, NIST CSF, COSO and COBIT 5, and combines the continuous monitoring described in COSO's monitoring guidance with the use of computer-assisted audit tools, which makes it possible to eliminate unnecessary control processes and achieve continuous monitoring. The integrated framework identifies key control objectives and links them to strategic business objectives, while keeping IT system objectives aligned with business management objectives (Goosen and Rudman, 2013), so that security objectives can be confirmed to support enterprise objectives. Applied together with a continuous monitoring mechanism, the integrated cybersecurity framework proposed here allows SMEs to implement cybersecurity management more efficiently, strengthens the effect of their continuous monitoring of cybersecurity inspection, and helps them reach their business objectives. It is intended as a practical reference for the continuous monitoring of cybersecurity inspection in domestic SMEs.
Abstract (author's English version):
With the rapid development of information technology, industrial business models and management practices have undergone drastic changes. Most enterprises' internal operations are computerized, and with further advances in digital transformation, businesses are even conducting external transactions and services through e-commerce, using methods that differ from traditional B2B or B2C operations. In doing so, they must try to balance their need for competitiveness with increased information security risks. Although it is unavoidable that small and medium-sized entities (SMEs) will sometimes need to deal with information security risks, it is unfeasible to expect them to follow international standard information security policies with their limited information security resources.
This study proposes an integrated information security framework that can help the management of SMEs establish a continuous monitoring mechanism for cybersecurity inspection and implement effective cybersecurity controls. The framework is proposed through deductive reasoning based on the existing literature on integrated information security frameworks and on three management frameworks, namely NIST CSF, COSO, and COBIT 5. By combining COSO's guidance on continuous monitoring with computer auditing tools, unnecessary control processes can be eliminated and continuous monitoring (CM) can be achieved. The integrated framework ensures that the information security objectives achieve corporate goals and that information technology system objectives and business management objectives are aligned, by identifying the key control objectives that are linked to the enterprise's strategic business objectives (Goosen and Rudman, 2013). With the application of a continuous monitoring mechanism, the information security integration framework proposed in this study can enable SMEs to implement information security management more efficiently, help strengthen the effectiveness of SMEs' continuous monitoring of cybersecurity inspection, and achieve business goals. This study is intended to serve as a practical reference for domestic SMEs' continuous monitoring of cybersecurity inspection.
Chinese-language references:
吳東憲, 黃士銘, 黃劭彥 & 曾惠瑛 (2016). Exploring the factors that affect the adoption of continuous auditing techniques through innovation diffusion theory. 中華會計學刊, 12(2): 315-358.
孫嘉明, 邱靜宜 & 林宜隆 (2017). An integrated architecture for continuous auditing techniques: the government accounting information system as an example. 電腦稽核, 35: 80-95.
林宜隆, 邱靜宜 & 孫嘉明 (2015). A study on introducing continuous auditing techniques into the government accounting information system (research commissioned by 行政院主計處). 行政院主計處.
李培群 (2010). A discussion of the IT control framework COBIT (Part 1). 證交資料, 579: feature study.
周濟群 (2019). Toward automated, technology-enabled supervision: RegTech, RPA and continuous auditing. 會計研究月刊, 407: 59-64.
COSO (original work), 王怡心, 周靜幸 & 黃琬玲 (trans.) (2009). COSO Guidance on Monitoring Internal Control Systems (Chinese edition). 中華民國內部稽核協會, Taipei.
COSO (original work), 王怡心 & 陳錦烽 (trans.) (2008). COSO Internal Control over Financial Reporting: Guidance for Smaller Public Companies (Chinese edition). 中華民國內部稽核協會, Taipei.
COSO (original work), 王怡心 & 楊文安 (trans.) (2013). COSO Internal Control - Integrated Framework (Chinese edition). 中華民國內部稽核協會, Taipei.
王健全 et al. (2020). White Paper on Small and Medium Enterprises. 中小企業處, Taipei.
行政院 (2018). National Cybersecurity Situation Report for ROC year 108. Taipei.
ISACA (original work), 林宜隆, 楊明荔, 黃淙澤 et al. (trans.) (2014). Governance of Enterprise IT: Business Framework (Chinese edition). CAA 中華民國電腦稽核協會 / ISACA Taiwan Chapter, Taipei.
ISACA (original work), 林宜隆, 楊明荔, 黃淙澤 et al. (trans.) (2014). Governance of Enterprise IT: Enabling Processes (Chinese edition). CAA 中華民國電腦稽核協會 / ISACA Taiwan Chapter, Taipei.
ISACA (original work), 林宜隆, 楊明荔, 黃淙澤 et al. (trans.) (2014). Governance of Enterprise IT: Implementation (Chinese edition). CAA 中華民國電腦稽核協會 / ISACA Taiwan Chapter, Taipei.
English-language references:
Bakari, J. K., Tarimo, C. N., Yngström, L., Magnusson, C., & Kowalski, S. (2007). Bridging the gap between general management and technicians: A case study on ICT security in a developing country. Computers & Security, 26: 44-55.
Bleistein, S. J., Cox, K., Verner, J., & Phalp, K. T. (2005). B-SCP: A requirements analysis framework for validating strategic alignment of organizational IT based on strategy, context, and process. Information and Software Technology, 48: 846-868.
Ettish, A. A., El-Gazzar, S., & Jacob, R. A. (2017). Integrating internal control frameworks for effective corporate information technology governance. Journal of Information Systems and Technology Management (JISTEM), 14(3): 361-370.
Goosen, R., & Rudman, R. (2013). An integrated framework to implement IT governance principles at a strategic and operational level for medium-to-large sized South African businesses. International Business & Economics Research Journal, 12(7): 835-854.
Hardy, G. (2006a). Guidance on aligning COBIT, ITIL and ISO 17799. Retrieved from: http://www.isaca.org/Journal/Past-Issues/2006/Volume-1/Documents/jpdf0601-Guidance-on-Aligning.pdf
Hardy, G. (2006b). Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges. Information Security Technical Report, 11: 55-61.
IBM. (2006). Igniting innovation through business and IT fusion. Retrieved from: http://www-935.ibm.com/services/fr/cio/flexible/flex_wp_gts_fusion_business_it.pdf
Innotas. (2010). The CXO's guide to IT governance: A roadmap to driving top-down alignment between business & IT strategy. Retrieved from: http://solutioncenters.cio.com/innotas_governance/registration/5962.html?source=ciozne
Institute of Directors Southern Africa (IODSA). (2009). King Report on corporate governance for South Africa (King III). Retrieved from: http://c.ymcdn.com/sites/www.iodsa.co.za/resource/resmgr/king_iii/king_code_of_governance_for_.pdf
ISO/IEC. (2005). ISO/IEC 17799: Information technology - Security techniques - Code of practice for information security management.
IT Governance Institute. (2001). Board Briefing on IT Governance.
Lin, H., Cefaratti, M., & Wallace, L. (2012). Enterprise risk management, COBIT, and ISO 27002: A conceptual analysis. Internal Auditing, 27(2): 3-12.
Muller, R. (2009). IT governance report slated. Retrieved from: http://mybroadband.co.za/news/general/7242-it-governance-report-slated.html
Rudman, R. J. (2008b). IT governance: A new era. Accountancy SA, March 2008: 12-14.
Rudman, R. J. (2010). Framework to identify and manage risks in Web 2.0 applications. African Journal of Business Management, 4(13): 3251-3264.
Shilts, J. (2017). A framework for continuous auditing: Why companies don't need to spend big money. Journal of Accountancy, 223(3): 38-42.
Smit, S. (2009). Defining and reducing the IT gap by means of comprehensive alignment. Stellenbosch: University of Stellenbosch. (Unpublished master's thesis).
Soedarsono, S., Mulyani, S., Tugiman, H., & Suhardi, D. (2019). Information quality and management support as key factors in the applications of continuous auditing and continuous monitoring: An empirical study in the government sector of Indonesia. Contemporary Economics, 13(3): 335-350.
The Economist. (2006). Great expectations: The changing role of IT in the business. September 2006. Retrieved from: http://graphics.eiu.com/ebf/PDFs/GTF_article_1_September_06_FINAL.pdf
Trautman, L., & Altenbaumer-Price, K. (2011). The board's responsibility for information technology governance. The John Marshall Journal of Computer & Information Law, 28(3): 312-342.
Weill, P., & Broadbent, M. (2000). Managing IT infrastructure: A strategic choice. In Zmud, R. W. (Ed.), Framing the Domains of IT Management: Projecting the Future Through the Past (pp. 329-354). Cincinnati, OH: Pinnaflex Educational Resources.