
Graduate student: 舒君達 (JUN-DA SHU)
Thesis title: 具資安韌性之遠距工作框架 (A Framework of Securing Cyber-Resilient Telework)
Advisor: 吳宗成 (Tzong-Chen Wu)
Committee members: 吳宗成 (Tzong-Chen Wu), 羅乃維 (Nai-Wei Lo), 楊傳凱 (Chuan-Kai Yang)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2021
Academic year of graduation: 109
Language: Chinese
Number of pages: 52
Chinese keywords: 遠距工作, 資安韌性, 安全框架, 風險評估
Foreign-language keywords: Telework, Cyber-resilience, Security Framework, Risk Assessment
Usage statistics: 444 views, 15 downloads

Abstract (Chinese, translated): After the COVID-19 outbreak in early 2020, every region of the world was affected to some degree and business continuity was disrupted. Telework, which had previously been adopted and valued only in part, became mainstream again and, given advances in information and communication technology, is very likely to become the new normal, with remote work retained even after the pandemic ends. The pandemic period, however, also produced many emerging threats and weaknesses, such as attacks exploiting vulnerabilities in communication platforms and the surge in network traffic brought on by digital transformation. These risks affect the confidentiality, integrity and availability of teleworkers' data and, at the same time, the organization's output. With business continuity under strain and users facing new kinds of risk, developing a cyber-resilient telework framework is therefore imperative.

This thesis draws mainly on the enterprise telework security guide published by NIST: it interprets the controls in that guide and revises those that are outdated or no longer in common use. It also adds the concepts of cyber resilience, information security governance and risk assessment to the security framework, so that an enterprise can maintain its intended output even under adverse conditions. Through risk assessment an organization learns its own security posture and security needs, then selects the corresponding controls according to those needs and its size, and introduces the framework effectively through collaboration between upper and lower levels of the organization, thereby achieving telework security.


Abstract (English): After the outbreak of COVID-19 in early 2020, the crisis has impacted the general public everywhere and disrupted business continuity globally. Telework, previously only partially adopted and valued, has now become prevalent in a different way, and due to the advancement of information and communication technology it is conceivable that telework will become the New Normal, meaning that telework will continue to be adopted even after the crisis has subsided. However, several new and advanced threats have arisen during the pandemic, for instance the exploitation of communication platform vulnerabilities and the unprecedented surge in internet traffic brought about by digital transformation. All of these threats could potentially harm the confidentiality, integrity and availability of teleworkers' information and, at the same time, the organization's outcomes. Therefore, it is imperative to develop a framework of securing cyber-resilient telework.
In this thesis, we refer to the enterprise telework security guide published by NIST, interpret most of the security controls mentioned in that publication and revise the others, while integrating trending concepts such as "cyber resilience", "infosec governance" and "risk assessment" into the proposed framework. The framework enables enterprises to deliver their expected outcomes despite adverse conditions, to recognize their security posture and security requirements from risk assessment results, to determine the corresponding security controls according to those requirements and their business scale, and to implement the framework effectively by means of hierarchical collaboration, thus achieving telework security.

Table of contents:
Abstract (Chinese) (p. I)
Abstract (English) (p. II)
Acknowledgements (p. III)
Table of Contents (p. IV)
List of Figures (p. VI)
List of Tables (p. VII)
Chapter 1 Introduction (p. 1)
1.1 Research Background and Motivation (p. 1)
1.2 Research Objectives (p. 4)
1.3 Thesis Structure (p. 6)
Chapter 2 Literature Review (p. 7)
2.1 Cyber Resilience (p. 7)
2.2 Risk Assessment Methods (p. 9)
Chapter 3 The Proposed Framework (p. 11)
3.1 Remote Access Solution Security (p. 12)
3.1.1 Remote Access Server Security (p. 12)
3.1.2 Remote Access Server Deployment (p. 13)
3.1.3 Remote Access Authentication, Authorization and Access Control (p. 16)
3.1.4 Remote Access Client Software Security (p. 19)
3.1.5 Summary of Key Guidance for Remote Access Solutions (p. 20)
3.2 Telework Client Device Security (p. 21)
3.2.1 Securing Telework Personal Computers (p. 24)
3.2.2 Securing Telework Mobile Devices (p. 26)
3.2.3 Protecting Data on Telework Client Devices (p. 27)
3.2.4 Summary of Key Guidance for Telework Client Devices (p. 31)
Chapter 4 Framework Deployment Considerations (p. 32)
4.1 Remote Access Life Cycle Security Considerations (p. 32)
4.1.1 Initiation Phase (p. 34)
4.1.2 Development Phase (p. 37)
4.1.3 Implementation Phase (p. 38)
4.1.4 Operations and Maintenance Phase (p. 40)
4.1.5 Disposal Phase (p. 40)
4.1.6 Summary of Key Guidance for the Remote Access Life Cycle (p. 41)
4.2 Cyber Resilience (p. 42)
4.3 Information Security Governance (p. 43)
4.4 Risk Assessment (p. 44)
Chapter 5 Conclusions and Future Research Directions (p. 47)
5.1 Conclusions (p. 47)
5.2 Future Research Directions (p. 49)
References (p. 50)

References:
[1] D. J. Bodeau and R. Graubart, Cyber Resiliency Engineering Framework. The MITRE Corporation, 2011.
[2] Cyber Readiness Institute, Making Your Remote Workforce Cyber Ready. 2020.
[3] P. A. Grassi, M. E. Garcia, and J. L. Fenton, Digital Identity Guidelines. National Institute of Standards and Technology, 2017.
[4] J. Groenendaal and I. Helsloot, "Cyber Resilience During the COVID-19 Pandemic Crisis: A Case Study," Journal of Contingencies and Crisis Management, 2021.
[5] International Labour Office, An Employers' Guide on Working From Home in Response to the Outbreak of COVID-19. ILO, 2020.
[6] R. Kissel, A. Regenscheid, M. Scholl, and K. Stine, Guidelines for Media Sanitization. National Institute of Standards and Technology, 2014.
[7] R. Kissel, K. M. Stine, M. A. Scholl, H. Rossman, J. Fahlsing, and J. Gulick, Security Considerations in the System Development Life Cycle. National Institute of Standards and Technology, 2008.
[8] H. S. Lallie et al., "Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks During the Pandemic," Computers & Security, vol. 105, p. 102248, 2021.
[9] National Institute of Standards and Technology, Security Requirements for Cryptographic Modules. National Institute of Standards and Technology, 2019.
[10] J. Padgette, K. Scarfone, and L. Chen, Guide to Bluetooth Security. National Institute of Standards and Technology, 2017.
[11] S. W. Rose, O. Borchert, S. Mitchell, and S. Connelly, Zero Trust Architecture. National Institute of Standards and Technology, 2020.
[12] K. Scarfone, W. Jansen, and M. Tracy, Guide to General Server Security. National Institute of Standards and Technology, 2008.
[13] K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh, Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology, 2008.
[14] N. Shevchenko, "Evaluating Threat-Modeling Methods for Cyber-Physical Systems," blog post. [Online]. Available: http://insights.sei.cmu.edu/blog/evaluating-threat-modeling-methods-for-cyber-physical-systems/
[15] N. Shevchenko, T. A. Chick, P. O'Riordan, T. P. Scanlon, and C. Woody, "Threat Modeling: A Summary of Available Methods," Carnegie Mellon University Software Engineering Institute, 2018.
[16] M. Souppaya and K. Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. National Institute of Standards and Technology, 2016.
[17] M. Souppaya and K. Scarfone, Guidelines for Managing the Security of Mobile Devices in the Enterprise. National Institute of Standards and Technology, 2013.
[18] M. Souppaya and K. Scarfone, User's Guide to Telework and Bring Your Own Device (BYOD) Security. National Institute of Standards and Technology, 2016.
[19] A. Sturgeon, "Telework: Threats, Risks and Solutions," Information Management & Computer Security, 1996.
[20] G. Wangen, "Information Security Risk Assessment: A Method Comparison," Computer, vol. 50, no. 4, pp. 52-61, 2017.
[21] T. Weil and S. Murugesan, "IT Risk and Resilience: Cybersecurity Response to COVID-19," IT Professional, vol. 22, no. 3, pp. 4-10, 2020.
[22] World Economic Forum, COVID-19 Risks Outlook: A Preliminary Mapping and Its Implications. World Economic Forum, 2020.
[23] H. Yang, C. Zheng, L. Zhu, F. Chen, Y. Zhao, and M. Valluri, "Security Risks in Teleworking: A Review and Analysis," 2013.
