| Graduate student | 謝宜庭 Yi-Ting Hsieh |
|---|---|
| Thesis title | 由 ISO27001 與 CMMC 的差異分析 來看符合 ISO27001 的企業 該如何導入 CMMC 之方法 (ISO/IEC 27001:2013 Compliant Organization to Fulfill Requirements of CMMC based on Gap Analysis between the Standards) |
| Advisor | 查士朝 Shi-Cho Cha |
| Committee members | 羅乃維 Nai-Wei Lo, 黃政嘉 Jheng-Jia Huang |
| Degree | Master (碩士) |
| Department | College of Management, Department of Information Management (管理學院 - 資訊管理系) |
| Year of publication | 2022 |
| Academic year of graduation | 110 |
| Language | Chinese |
| Number of pages | 79 |
| Chinese keywords | ISO/IEC 27001:2013, CMMC, NIST SP 800-171, 差異分析 (gap analysis) |
| English keywords | ISO/IEC 27001:2013, CMMC, NIST SP 800-171, Gap analysis |
Today enterprises rely more and more on information technology, and information security has become critically important. Enterprises and organizations have each built their own information security backbone and information security management systems. Beyond their own security, when an enterprise or organization uses another company's equipment, that company's information security must also be subject to requirements. Supply chain security is precisely the demand that an enterprise's or organization's suppliers satisfy a defined set of information security requirements. In this area, the U.S. Department of Defense has defined an information security maturity standard based on NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC), to regulate the information security of DoD suppliers.
To address the requirements of CMMC, this study starts from the ISO/IEC 27001:2013 controls and uses a comparative research approach with keyword matching to map the two standards, ISO/IEC 27001:2013 and CMMC, onto each other. Through this comparison, a gap analysis identifies where ISO/IEC 27001:2013 differs from CMMC, in order to establish supplementary measures that allow an ISO/IEC 27001:2013-compliant organization to reach CMMC compliance quickly. The study focuses on enterprises and organizations that have already passed ISO/IEC 27001:2013 certification: through comparative research and gap analysis it lists the controls an organization must add to comply with CMMC, so that enterprises and organizations can achieve CMMC compliance at lower cost.
As organizations rely more and more on information technology, information security has become very important to every organization. Organizations have established their own information security infrastructure and management systems. In addition to its own security, an organization may use products or services of other organizations, and therefore may require its suppliers to follow specified security requirements. In response to these supply chain security requirements, the U.S. Department of Defense (DoD) has established an information security maturity standard, the Cybersecurity Maturity Model Certification (CMMC), based on NIST SP 800-171, to regulate the information security of DoD suppliers.
Currently, several organizations in Taiwan follow the ISO/IEC 27001:2013 standard to establish their information security management systems, and some of them may also need to comply with the CMMC requirements. This thesis therefore performs comparative research on ISO/IEC 27001:2013 and CMMC. Based on the results of a gap analysis, it suggests complementary controls for organizations that already comply with ISO/IEC 27001:2013. Such organizations can adopt the complementary controls to extend their existing information security management system to satisfy CMMC rather than building a new system from scratch.