| Field | Value |
|---|---|
| Graduate student | 黃憶萱 I-Hsuan Huang |
| Thesis title | 整合ISO 20000-1與ISO 17025的檢測實驗室實作機制:以某資安中心網路安全檢測服務為例 / Mechanism of Testing Laboratory conforming to ISO 20000-1 and ISO 17025: A Case Study of Network Security Testing Service in a Information Security Center |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee members | 羅乃維 Nai-Wei Lo, 葉國暉 Kuo-Hui Yeh |
| Degree | Master (碩士) |
| Department | College of Management, Department of Information Management (管理學院 資訊管理系) |
| Year of publication | 2021 |
| Academic year of graduation | 109 (ROC calendar, 2020-2021) |
| Language | Chinese |
| Pages | 71 |
| Chinese keywords | ISO/IEC 20000-1, ISO/IEC 17025, testing laboratory (檢測實驗室) |
| Foreign keywords | ISO/IEC 20000-1, ISO/IEC 17025, testing laboratory |
In an era in which the information technology industry changes constantly, security awareness at many enterprises has risen, and they want rigorous gatekeeping of the information services they provide. Those services therefore need to be tested so that many security problems can be avoided. How to ensure the quality of that testing then becomes a question in its own right, because testing an information service itself depends on a large number of information systems; the NTUST Information Security Research and Teaching Center (台科大資通安全研究與教學中心), for example, has used ISO/IEC 20000-1 as the basis for ensuring the quality of its testing services. With the promotion of ISO/IEC 17025, that standard can now be applied in addition, to ensure the quality of the test results themselves.
Starting from a scenario in which a basic information-service testing regime has already been established under ISO/IEC 20000-1, this study proposes a method for achieving ISO/IEC 17025: the two standards are compared clause by clause to identify what must be added, so that both can be satisfied quickly. Beyond the method itself, the study's contribution is a comparison of the two standards for the reference of other testing service units. Overall, the study assumes an organization that already holds ISO/IEC 20000-1 certification and wants to build a network security testing laboratory; building the laboratory in its early stage on top of an existing service management system makes the whole build process faster and lets it be carried out systematically.
Currently, organizations usually rely on information systems to provide services or support daily operations, so the cybersecurity of those systems has become a necessity. Organizations are often required to hire external parties to evaluate the cybersecurity of their systems. Although external evaluators are considered objective, a means is still needed to ensure the quality of the evaluation process. Because cybersecurity evaluation relies heavily on evaluation tools, evaluation organizations such as the security center at NTUST usually follow ISO/IEC 20000-1 to ensure evaluation quality. As the Taiwan Accreditation Foundation has recently begun to offer ISO/IEC 17025 accreditation, cybersecurity inspection laboratories can further follow ISO/IEC 17025 to ensure the integrity of their inspection results.
In light of this, this study proposes a fast-track scheme for an ISO/IEC 20000-1 compliant organization to satisfy the requirements of ISO/IEC 17025. The study first maps the requirements of ISO/IEC 20000-1 to those of ISO/IEC 17025, so that the additional requirements an organization that already satisfies ISO/IEC 20000-1 must meet for ISO/IEC 17025 can be identified. The security center of NTUST is used as a case study to validate the proposed scheme. The study can hopefully contribute to the quality of cybersecurity inspection.