
Student: 莊育秀 (Yu-hsiu Chuang)
Thesis title: 建立可信賴之教育體系資通安全管理系統 (Establishing a Trustworthy Information Security Management System for the Educational System)
Advisor: 吳宗成 (Tzong-chen Wu)
Committee members: 劉安之, 趙涵捷, 周子銓, 賴源正
Degree: Doctor
Department: 管理學院 - 管理研究所 (Graduate Institute of Management, College of Management)
Year of publication: 2014
Graduation academic year: 102 (ROC calendar)
Language: Chinese
Pages: 164
Keywords (Chinese, translated): education system; Taiwan Academic Network (TANet); education system information security management system; information security attack trends; information security incident types; information security system; trustworthy information security model; information security risk-based indicators; information security planning strategy "3R" elements; information security construction "4A" assessment elements; PD(CA)2 double-loop model
Keywords (English): educational domain; Taiwan Academic Network (TANet); education system information security management system; information security attack trends; information security event type; information security system; a reliable model of information security; Information Security Planning Strategy "3R" elements; information security risk-based indicators; P2D(CA)2 double loop model
Hits: 180; downloads: 4
Abstract (translated from the Chinese):

    Taiwan's education system has built the Taiwan Academic Network (TANet), whose primary purpose is to provide the Internet environment needed by teachers and students at schools of all levels; its application services center on network applications for research, teaching and the cultivation of information literacy. Since the World Wide Web (WWW) began to become closely connected with people's lives in 1990, the information circulating on the network has become ever more valuable or private, and information and communication security has arisen along with it. Starting from the interference or damage caused by computer viruses affecting personal computer operating systems and files, attacks have gradually evolved into intrusions that exploit weaknesses in host operating systems or applications; the scope of their impact keeps growing and the attack techniques have become more diverse.
    Because campus network resource allocation and application services differ, the corresponding network or system management mechanisms must adopt different management measures and plan different information security management policies, while balancing practical feasibility with the required degree of security under the objective environment and needs; only then can an information security environment that fits the characteristics of the education system be established. This study therefore explores how to plan a trustworthy information security management system for the education system.
    As cloud applications become more widespread, the Internet, the Internet of Things and related technologies provide better technical support for individuals and for enterprise development, reducing cost and raising efficiency, but they also bring information security management problems. We therefore identify information security attack trends from information security development trends; learn from incident types how to classify and handle security incidents; and, from an understanding of existing protection technologies, deploy feasible defense and detection mechanisms on the technical side of the security environment. We also draw on the information security situation of the major countries to understand where the problems lie, so that we can plan the security policy we need.
    An information security system or mechanism is established in the hope of preventing security incidents and, should an incident occur, of controlling the risk effectively. The question is therefore how to plan a trustworthy information security model whose effectiveness can further be measured and analyzed. By defining the elements of an information security trust model, we grasp the characteristics of the scope or system to be implemented and assess whether the set information security service level (SLA) is reached, while also weighing the protection resources we can invest and the risk we can bear, so as to identify the main factors affecting security operations within the organization or system. For each factor we then plan the security model to adopt, and on this basis plan the establishment of a trustworthy security mechanism.
    After planning and constructing the overall protection mechanism and defensive measures for the education system, the expectation is an effective improvement in protection capability. The critical success factors are thus four categories of basic information security indicators, and the trustworthiness of each indicator model can then be verified from three dimensions: management, environment and education. Whether the education system as a whole reaches this level of trust is verified substantively from both quantitative and qualitative perspectives, to measure and assess the degree of trust achieved. This study therefore proposes the "3R" elements of information security planning strategy as balancing decision factors: a reasonable amount of Resource investment, the probability of Risk occurrence, and Requirement priority. Next, assessment factors are built from the importance of the information facilities (including hardware and software systems and databases) in each information application area on campus, yielding the assessment elements of the education system trust model, i.e., the "4A" assessment elements of information security construction: asset value (Assets), scope of application service use (Application), assumed risk value (Assume) and degree of regulatory management (Administration). Finally, the verification procedure and analysis review the collected security incidents, including statistical analysis of the security data for advance detection, handling during the incident and recovery and response afterwards; the results serve to review the overall effectiveness achieved and form the basis for the next step of revising security policies or measures.
    Finally, taking into account the network operating environment and resource conditions of Taiwan's education system and referring to PDCA (Plan, Do, Check, Act), this study proposes the P2D(CA)2 double-loop model for continuously assessing the education system's information security management system. The first loop is Plan, Do, Check, Act, and the second loop is Progress, Do, Correct, Advise. Through this cyclic revision procedure, the strategies set for promoting the education system's security environment are examined periodically, so that overall protection capability and techniques keep improving while cost and manpower are continually reduced and streamlined, building stronger protection capability.
    The Taiwan Academic Network is built on a network environment whose principle is openness; to provide a campus network that is also safe to use, the education system applies complementary measures across the policy and management dimension, the environment and technology dimension and the personnel education dimension of information operations, continually refining and revising each mechanism, with a three-stage protection procedure of "prevention", "response" and "handling", supplemented by periodic review and analysis of quantitative and qualitative performance indicators. We believe this will help the education system establish a trustworthy information security mechanism.


Abstract (English, as submitted):

    In Taiwan, the Taiwan Academic Network (TANet) is built by the education system, and its primary purpose is to provide students and teachers at schools of all levels with the Internet environment they need; its application services range across research, teaching and the cultivation of information literacy. Since the debut of the World Wide Web (WWW) in 1990, the web has become closely connected with people's daily lives, so the information flowing over the Internet is increasingly valuable or private, and information and communication security issues arise together with it. The impact of attacks has grown far beyond the early viruses that interfered with or damaged personal computer operating systems and files, and attackers now use a wide variety of methods.

    Because campus network resource allocation and application services differ, network and system management mechanisms must adopt different management measures and plan different information security management policies, while taking into account the objective conditions, what is practically executable, and the required level of information security, so that an information security environment matching the characteristics of the education system can be established. This study therefore investigates how to plan a trustworthy information security management system for the education system.

    With the growing popularity of cloud applications, the Internet, the Internet of Things and other technologies offer better technical support for individuals and for enterprise development; they reduce costs and improve efficiency, but are accompanied by information security management issues. From information security development trends we can grasp the trend of information security attacks; from information security event types we can learn how to classify and handle information security events; and from an understanding of current protection technology we can deploy feasible defense and detection mechanisms on the technical side of the information security environment. We can also review the current information security problems faced by the major countries so as to plan an information security policy that meets our needs.

    An information security system or mechanism is established in the expectation of preventing security incidents and, when an incident does occur, of controlling the risk effectively. The question is therefore how to plan a trustworthy information security model whose effectiveness can be measured and analyzed. By defining the elements of the information security trust model, we can understand and control the characteristics of the realm or system to be implemented, and evaluate whether the service-level agreement (SLA) it sets is achieved. Meanwhile, we measure the protection resources we can invest and the risk the organization or system can bear, so as to identify the primary factors that affect information security operations. We then plan the information security model for each of those factors, and on the basis of these models plan and establish a reliable information security mechanism.

    After planning and constructing the overall information security protection mechanism and establishing the defensive measures in the education system, we can expect an effective enhancement of information security protection. The key success factors are four categories of basic information security indexes, followed by three dimensions, management, environment and education, from which the credibility of these indexes and models is verified. Whether the whole education system can achieve this credibility is tested empirically along quantitative and qualitative dimensions to measure and evaluate the degree of credibility. The proposed information security planning strategy therefore consists of the "3R" elements: Resource, Risk and Requirement. Then, from the importance of the information-related facilities (including hardware and software systems and databases) in each campus IT field, assessment factors are constructed and compiled into the assessment elements of the education system trust model, namely the "4A" assessment factors of information security construction: asset value (Assets), application service range (Application), risk value (Assume) and regulatory management degree (Administration). The verification process and analysis review the collected information security events, including pre-incident discovery, handling during the incident and post-incident response of the information security data; the statistical analysis results show the integrated performance achieved, and these verification results serve as the basis for future modifications of information security policies or measures.

    This study took the network operating infrastructure and related resources of the education system in Taiwan into account and modified the PDCA model (Plan, Do, Check, Act). It proposes a "P2D(CA)2 recursive model" to evaluate the education system's information security management system continuously. The first phase of the cycle uses the Plan, Do, Check, Act model, and the second phase uses a Progress, Do, Correct, Advise model. Through these modified recursive processes the information security implementation strategies are reviewed routinely, escalating information security protection capabilities and skills, while reducing implementation cost and human resources and minimizing their scale, so as to construct robust information security capability.

    The Taiwan Academic Network is built on an open network infrastructure while also providing campuses at all levels with a secure network. The education system therefore provides various complementary measures across the information-related operational dimensions: policy management, environmental technology and staff education. By continuously improving and correcting these mechanisms, applying the three-stage protection program of "prevention", "coping" and "treatment", and supplementing it with periodic review and analysis of quantitative and qualitative performance evaluation indexes, we believe this research can help the education system establish reliable information security mechanisms.

Table of contents (page numbers refer to the thesis):

    Abstract (Chinese)
    Abstract (English)
    Acknowledgements
    Chapter 1 Introduction 1
    1.1 Research background and motivation 1
    1.2 Research purpose and scope 6
    1.2.1 Research purpose 7
    1.2.2 Research scope 8
    1.3 Research methods and limitations 10
    1.3.1 Research methods 10
    1.3.2 Research limitations 13
    1.4 Thesis structure 15
    Chapter 2 Overview of the information security environment 19
    2.1 Recent information security development trends 19
    2.1.1 Information security attack trends 21
    2.1.2 Information security incident types 24
    2.1.3 Information security protection technology 25
    2.2 Current promotion of Taiwan's information security environment 29
    2.2.1 Information security promotion by Taiwan's government agencies 31
    2.2.2 Current information security promotion in the education system 39
    2.2.3 Joint information security defense mechanisms of Taiwan's network service management agencies 47
    2.3 Current information security promotion in major countries 55
    2.3.1 European and American countries 56
    2.3.2 Asian countries 60
    Chapter 3 Constructing the education system information security trust model 65
    3.1 Elements of the information security trust model 65
    3.2 The education system's information security trust mechanism 68
    3.2.1 Formulating the information security system 69
    3.2.2 Establishing the information security organization 77
    3.2.3 Constructing technical information security protection 83
    3.2.4 Planning information security awareness and talent cultivation 99
    3.3 Information security benefits for the education system 110
    3.3.1 Management mechanism soundness indicators 114
    3.3.2 Detection and protection capacity indicators 115
    3.3.3 Incident response and handling effectiveness indicators 115
    3.3.4 Information security talent cultivation indicators 116
    Chapter 4 Verifying trust in education system information security 119
    4.1 Models and measurement criteria for the information security environment 120
    4.1.1 Information security models 120
    4.1.2 Information security measurement criteria 122
    4.2 Trust verification model 127
    4.3 Verification and correction procedure 129
    4.4 Verification analysis 133
    Chapter 5 Conclusions and future research directions 149
    5.1 Conclusions 149
    5.2 Future research directions 153
    References 157
