Graduate student: 林宸竹
Thesis title: 一個考量符合性與風險資訊呈現之資訊安全風險管理系統
An Information Security Risk Management System Considering Compliance and Risk Information Visualization
Advisor: 查士朝
Shi-Cho Cha
Committee members: 羅乃維
Nai-Wei Lo
Li-wei Yang
Degree: Master's
Department: College of Management - Department of Information Management
Department of Information Management
Year of publication: 2010
Graduating academic year: 98 (ROC calendar, i.e. the 2009-2010 academic year)
Language: Chinese
Pages: 58
Keywords (Chinese): 資訊安全風險管理; 決策支援; ISO 27001; ISO 27005
Keywords (English): Information security risk management; Decision support; ISO 27001; ISO 27005
Abstract (translated from Chinese): To establish a risk management process, an organization has to maintain a large body of data about risks and information security incidents. Because this is extremely tedious work, this study designs and implements an information system called Risk Patrol to help organizations carry out the risk management process. The system's architecture follows the spirit of ISO 27005, so it can effectively support an organization in planning and executing the risk management work required when building an information security management system to the ISO 27001 standard. With the system's support, the organization can track the effectiveness of its risk controls and avoid human oversights. In addition, the system provides managers and stakeholders with aggregated risk information so that they can understand the organization's overall risk posture, which in turn supports risk-control decisions. The proposed system is therefore expected to improve the organization's overall information security.

Abstract (English): To balance security and convenience in their information systems and services, organizations need to implement information security risk management processes that identify potential information security incidents and estimate the loss expectancy of those incidents. Organizations can then adopt appropriate, cost-effective countermeasures to control them.
To establish risk management processes, an organization needs to maintain a huge amount of data about risks and potential incidents, and maintaining this data by hand is tedious work. This study therefore proposes an information system, called Risk Patrol, that supports an organization in performing its risk management processes. Because many organizations establish their information security management systems on the basis of ISO 27001, the proposed system follows ISO 27005 to help organizations meet the risk management requirements of ISO 27001. In addition, the system provides managers and stakeholders with an integrated view of the organization's risks; they can then decide how to treat those risks on the basis of the system's data. The proposed system can therefore contribute to improving organizational security.

Table of contents:
1. Introduction
 1.1. Research background
 1.2. Research motivation
 1.3. Research objectives and contributions
 1.4. Thesis structure
2. Background and literature review
 2.1. Information security risk management
 2.2. ISO 27001 and ISO 27005
 2.3. Information security risk management tools
3. Requirements analysis
4. Architecture overview
5. Main components
 5.1. Asset and relationship management
 5.2. Threat, vulnerability and control management
 5.3. Risk assessment
 5.4. Acceptable risk level management
 5.5. Control recommendation
 5.6. Risk treatment and tracking
6. Requirements verification
7. Conclusions and future work
8. References
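The process the abstract sketches (estimate the loss expectancy of each potential incident, compare it with the organization's acceptable risk level, choose a cost-effective control, and give managers an aggregated view), which also maps onto components 5.3 to 5.6 above, worked through as an added Python example. This is not Risk Patrol's code and the thesis does not publish its scoring method; the quantitative ALE = SLE x ARO scheme, the multiplicative likelihood/impact reductions, the acceptable-ALE threshold, the three treatment outcomes and every asset, threat and control figure are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business value at risk, in hypothetical currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # fraction of yearly occurrences removed (0..1)
    impact_reduction: float = 0.0       # fraction of per-incident loss removed (0..1)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)


def single_loss_expectancy(risk: Risk) -> float:
    """SLE: loss from one occurrence of the incident."""
    return risk.asset.value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected yearly loss with the controls already in place."""
    return single_loss_expectancy(risk) * risk.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE after adding one control. Reductions are applied multiplicatively,
    so a control can never push the residual loss below zero."""
    sle = single_loss_expectancy(risk) * (1.0 - control.impact_reduction)
    aro = risk.aro * (1.0 - control.likelihood_reduction)
    return sle * aro


def recommend(risk: Risk, candidates: list[Control], acceptable_ale: float) -> dict:
    """Treatment choice (assumed decision rule): accept if already within the
    acceptable level; modify with the control that reaches the level at the best
    net benefit; otherwise escalate, because no candidate control is sufficient
    and the risk owner must avoid, share or explicitly accept the risk."""
    ale = annual_loss_expectancy(risk)
    if ale <= acceptable_ale:
        return {"treatment": "accept", "ale": ale, "control": None, "residual_ale": ale}
    best = None
    for control in candidates:
        residual = residual_ale(risk, control)
        net_benefit = (ale - residual) - control.annual_cost   # loss avoided minus cost
        if residual <= acceptable_ale and net_benefit > 0:
            if best is None or net_benefit > best["net_benefit"]:
                best = {"treatment": "modify", "ale": ale, "control": control.name,
                        "residual_ale": residual, "net_benefit": net_benefit}
    if best is not None:
        return best
    return {"treatment": "escalate", "ale": ale, "control": None, "residual_ale": ale}


def dashboard(register: list[tuple[Risk, list[Control]]], acceptable_ale: float) -> dict:
    """Aggregated view for managers: total exposure and how many risks need which treatment."""
    decisions = {r.threat: recommend(r, cs, acceptable_ale) for r, cs in register}
    counts = {"accept": 0, "modify": 0, "escalate": 0}
    for d in decisions.values():
        counts[d["treatment"]] += 1
    return {"total_ale": sum(d["ale"] for d in decisions.values()),
            "counts": counts, "decisions": decisions}


# Constructed sample register; none of these figures come from the thesis.
ACCEPTABLE_ALE = 20_000.0
CUSTOMER_DB = Asset("customer-db", 500_000.0)
SQLI = Risk(CUSTOMER_DB, "SQL injection", "unvalidated input in web front end",
            exposure_factor=0.4, aro=0.5)
SQLI_CONTROLS = [
    Control("web application firewall", 15_000.0, likelihood_reduction=0.6),
    Control("parameterised queries + code review", 30_000.0, likelihood_reduction=0.9),
    Control("database activity monitoring", 10_000.0, impact_reduction=0.5),
]
TAPES = Risk(Asset("backup-tapes", 20_000.0), "theft", "tapes stored off-site unencrypted",
             exposure_factor=1.0, aro=0.1)
SCADA = Risk(Asset("legacy-scada", 2_000_000.0), "ransomware", "unpatchable operating system",
             exposure_factor=0.5, aro=0.3)
SCADA_CONTROLS = [Control("network segmentation", 80_000.0, likelihood_reduction=0.7)]

REGISTER = [(SQLI, SQLI_CONTROLS), (TAPES, []), (SCADA, SCADA_CONTROLS)]

if __name__ == "__main__":
    view = dashboard(REGISTER, ACCEPTABLE_ALE)
    print(f"total ALE: {view['total_ale']:,.0f}  counts: {view['counts']}")
    for threat, d in view["decisions"].items():
        print(f"{threat:<14} ALE {d['ale']:>10,.0f} -> {d['treatment']:<8} {d['control'] or ''}")
```

On the constructed data the SQL injection risk (ALE 100,000) is treated by the parameterised-queries control, which is the only candidate that brings the residual ALE under the 20,000 threshold (the cheaper firewall leaves 40,000); the tape-theft risk is accepted outright; the SCADA ransomware risk is escalated because segmentation alone still leaves 90,000 of expected yearly loss. Whether reductions should compose multiplicatively, and whether a single threshold is adequate, are policy choices an organization would set when configuring a tool like the one the thesis describes.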

