Author: 林宸竹 (Chen-Chu Lin)
Title: 一個考量符合性與風險資訊呈現之資訊安全風險管理系統
An Information Security Risk Management System Considering Compliance and Risk Information Visualization
Advisor: 查士朝 (Shi-Cho Cha)
Oral defense committee: 羅乃維 (Nai-Wei Lo), 楊立偉 (Li-wei Yang)
Degree: Master
Department: 管理學院 - 資訊管理系 (College of Management, Department of Information Management)
Year of publication: 2010
Graduation academic year (ROC calendar): 98
Language: Chinese
Pages: 58
Keywords: Information security risk management, Decision support, ISO 27001, ISO 27005 (Chinese: 資訊安全風險管理, 決策支援, ISO 27001, ISO 27005)
Abstract (Chinese, translated):
To balance the security and convenience of an organization's information systems and services, organizations have recently been establishing information security risk management processes: they identify the information security incidents that could occur and, based on factors such as each incident's impact on the organization and its probability of occurrence, find the most efficient and effective way to handle the potential incidents.
To establish a risk management process, an organization must maintain a large body of data on risks and security incidents. This is tedious work, so this study designs and implements an information system named Risk Patrol to help organizations carry out risk management processes. The system's architecture follows the spirit of ISO 27005 and can effectively help an organization plan and execute the risk management work required when establishing an information security management system according to the ISO 27001 standard. With the system's support, the effectiveness of the organization's risk controls can be tracked and human oversights avoided. In addition, the system provides the organization's managers and stakeholders with aggregated risk information so that they can understand the organization's overall risk posture, which in turn supports risk treatment decisions. In this way, the proposed system is expected to promote the organization's overall information security.


Abstract (English):
Considering security and convenience in the information systems and services of organizations, organizations need to implement information security risk management processes to identify potential information security incidents and to evaluate the loss expectancy of those incidents. Consequently, organizations can adopt appropriate and cost-effective countermeasures to control the incidents.
To establish risk management processes, an organization needs to maintain a huge amount of data about risks and potential incidents. Obviously, maintaining the data is tedious work. Therefore, this study proposes an information system, called Risk Patrol, for an organization to perform risk management processes. While many organizations establish information security management systems based on ISO 27001, the proposed system follows ISO 27005 to help organizations comply with the risk management requirements of ISO 27001. In addition, the proposed system provides an integrated view that lets managers and stakeholders of an organization know the organization's risks. The managers and stakeholders can then decide how to treat the risks based on the system. Therefore, the proposed system can help improve organizational security.

Table of contents:
1. Introduction
   1.1. Research background
   1.2. Research motivation
   1.3. Research objectives and contributions
   1.4. Thesis structure
2. Background and literature review
   2.1. Information security risk management
   2.2. ISO 27001 and ISO 27005
   2.3. Information security risk management tools
3. Requirements analysis
4. Architecture overview
5. Main components
   5.1. Asset and relationship management
   5.2. Threat, vulnerability and control management
   5.3. Risk assessment
   5.4. Acceptable risk level management
   5.5. Control recommendation
   5.6. Risk treatment and tracking
6. Requirements verification
7. Conclusion and future work
8. References

