簡易檢索 / 詳目顯示
| 研究生: |
吳美霞 WU - MEI SIA |
|---|---|
| 論文名稱: |
資安政策推動與評估機制之研究 Implementation and Evaluation of Information Security Policy |
| 指導教授: |
吳宗成
Tzong-Chen Wu |
| 口試委員: |
葉瑞徽
Ruey Huei Yeh 陳正綱 Cheng-Kang Chen |
| 學位類別: |
碩士 Master |
| 系所名稱: |
管理學院 - 管理研究所 Graduate Institute of Management |
| 論文出版年: | 2008 |
| 畢業學年度: | 96 |
| 語文別: | 中文 |
| 論文頁數: | 63 |
| 中文關鍵詞: | 資安政策 、機制 、資安關鍵指標 、資安治理 、資安治理成熟度評估 、策略地圖 、平衡計分卡 |
| 外文關鍵詞: | information security policy, mechanism, key indicators of information security, information security governance, the evaluation of information security governanc, strategy maps, balanced score card |
| 相關次數: | 點閱:241 下載:29 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
各類資安風險日趨升高,資安事故層出不窮,所導致的損害範圍持續擴大,且已對優質網路化社會的形成產生不同程度的負面影響。在各國相繼投入資源,加強建構資安環境的同時,無論公私部門在資安政策推動與效果之評估上,均面臨相當困境。
本研究參考各國資安政策循環機制與施政概況,並探討政策評估相關文獻,提出一個可適用巨觀層次(國家整體)與微觀層次(個別組織)的資安雛形系統,以協助各機關解決前述困境。該系統的核心-資安策略組織必須取得關鍵的戰略地位且具有形成資安共識與進行社會溝通、擘劃資安願景、設定資安政策目標、資安政策規劃、資源規劃與管理運用、資安政策推動、績效評估等機能。
以珍珠模式(規劃(Plan)、評估(Evaluate)、行動(Act)、調整(Regulate)、持續(Last),PEARL Model)落實資安治理,是本研究的另一個重大發現,該模式具備決策、執行、及監督等三個環節,過程中搭配運用適當的評估工具(資安治理成熟度評估工具與資安關鍵指標),可將一系列資安政策轉化為預定的產出與正向的影響力。
此外,本研究界定資安成功方程式(=函數(平衡計分卡+資安策略組織+策略地圖))為取得資安突破性成果的要徑。其流程為經由資安策略組織建立統合而連貫的策略,並據以建立目標項目與衡量項目,且納入管理。資安策略地圖中的財務構面包含供應端策略與需求端策略,若能妥善加以運用將能發揮組織功能,並彰顯其存在價值。
Since the risks of various kinds of information security increase day by day, the information incidents occur endlessly. The harm they cause is expanding, and thus leads to numerous degrees of detrimental influence on the formation of high-quality networked society. While a great number of governments make enormous efforts to construct an environment of information security by investing all available resources, both public and private organizations are confronted with tremendous difficulties in the promotion of information security policy and evaluation of efficacy.
This study proposes a rudiment of information security system applicable to macro level (entire country) and micro level (individual organization) in order to solve these difficulties, referring to the circulation mechanisms of information security policy and administrative overview of other countries and examining literature related to policy assessment. The core of this system, Strategy-Focused Information Scurity Organization, must obtain key strategic position and contains the following functions: forming the common understanding regarding information security, conducting social communication, preparing the future prospect of information security, deciding the policy objective of information security, planning information security policy, scheming, managing and applying resources, promoting information security policy and evaluating performance.
An additional crucial discovery is that PEARL model (Plan, Evaluate, Act, Regulate, Last) is able to fulfill the management of information security. This model possesses three components such as decision, conduction, and supervision. Accompanied with appropriate tools (the evaluation of information security governance maturity and key indicators of information security), a series of information security can be transformed into expected output and positive influence.
Moreover, this study defines the equation of information security achievement as Function ( Balanced score card + Strategy-Focused Information Security Organization + Strategy map) and regards it as the fundamental step for breakthrough results of information security. Through Strategy-Focused Information Security Organization, the process is to build an integrated and interconnected strategy, on which basis object items and weighing items can be established. The financial faucet of the tactics map includes strategy for both supply and demand ends. If well applied, its function will be magnified and value be manifested.
壹、 中文文獻
[1] 行政院國家資訊通信發展推動小組網頁:問題集FAQ之NICI小組的架構與分工,網址:http://www.nici.nat.gov.tw/content/application/nici/faq/guest-cntgrp-browse.php?ordinal=100200410003(2008.3)。
[2] 行政院國家資訊通信發展推動小組網頁:國家資通訊發展方案(2007-2011),網址:http://www.nici.nat.gov.tw/content/application/nici/generala/guest-cnt-browse.php?cnt_id=2283(2008.3)。
[3] 國際數據資訊公司(International Data Corporation; IDC),全球資通安全市場規模分析,2006年12月。
[4] 吳定,公共政策,國立空中大學,台北縣,2003年。
[5] 台灣經濟研究院/資策會「資安關鍵性指標之綜合規劃研究計畫」,2007年12月。
[6] Ranjit Kumar著,胡龍騰 黃瑋瑩 潘中道 合譯,研究方法 步驟化學習指南,學富文化事業有限公司,台北市,2000年。
[7] 行政院科技顧問組,2008資安政策白皮書,2008年3月。
[8] 行政院研究發展考核委員會/資策會「國家資通安全技術服務與防護管理計畫-資安規範整體發展藍圖」,2005年10月。
[9] 韓國在線,網址:http://www.korea.net/(2008.5)。
[10] 中華民國資訊管理學會/資策會「資安治理機制與資安建設持續發展規劃委託研究計畫」,2008年3月。
[11] 台灣經濟研究院/資策會「資安關鍵性指標之綜合規劃研究」,2007年12月。
[12] 逢甲大學公共政策研究所楊志誠,政策規劃、執行與評估,網址:http://www.gipp.fcu.edu.tw/teacher/young/young-5.doc(2008.3)。
[13] 吳安妮,以平衡分卡推動策略與績效管理,網址:http://www.dsc.com.tw/bsc/bsc_a/bsc_a1.htm (2008.4)。
[14] 張培仁,會議簡報,2008年5月。
[15] 周育仁、詹富堯,國政研究報告,憲政(研)097-007號,不同憲政體制下的政府負責機制:兼論我國現況,網址:http://www.npf.org.tw/particle-4154-2.html(2008.4)。
[16] 世界銀行(World Bank),公司治理架構圖,1999年。
[17] Robert S. Kaplan and David P. Norton著,陳正平等譯,策略地圖:串聯組織策略從形成到徹底實施的動態管理工具,臉譜出版,城邦文化發行,台北市,2004年。
貳、 英文文獻
[18] U.S. National Institute of Standards and Technology, Information Security Handbook: A Guide for Managers, 2006.
[19] U.S. Department of Homeland Security, The National Strategy to Secure Cyberspace, 2003.2.
[20] IT Governance Institute, COBIT 4.1, 2007.5.
[21] Japan National Information Security Center, Secure Japan 2006& Secure Japan 2007, 2006-2007.
[22] TAKASHI ISHITOBI,. Information Security Governance in Japan: Assistant Director, Office of IT Security Policy, Ministry of Economy, Trade and Industry, 2005.
[23] Legislative Assembly of Ontario. Bill 198, Available from: http://www.ontla.on.ca/bills/bills-files/37_Parliament/Session3/b198ra.pdf(2002).
[24] Koji Nakao( KDDI, Japan), Overview of Security Standardization in Japan, Available from:http://hnrc.cau.ac.kr/swis2007/5presentation.pdf(2008.5).
