In recent years, with the development of information technology and the spread of the Internet, modern weapon systems have gradually become digitized and networked. The challenge they face is no longer a physical enemy but an invisible one hidden on the network. For the Taiwan military, information security is not only a matter of protecting sensitive information and data; it bears on national security, and the risks and crises it may conceal cannot be ignored.

This study distributed expert questionnaires to Taiwan military units that have passed ISO 27001 certification in order to propose a hierarchy of the critical success factors and important assessment factors that affect the adoption of ISO 27001. Questionnaires were then distributed to members of certified military units and to members of information security departments at all levels of the military that have not yet been certified. The returned questionnaires were analyzed with the Analytic Hierarchy Process (AHP) to identify where certified and not-yet-certified units differ in their perception of the critical success factors.

The results show that: (a) certified and not-yet-certified units both agreed that the second-level item "physical and environmental security" is the critical success area for adopting ISO 27001, and that, at the third level, "protection against external and environmental threats" and "information security awareness, education and training" are the critical success factors for adopting ISO 27001; (b) introducing ISO 27001 into information security policy can effectively reduce the occurrence of information security violations; (c) units encountered three obstacles when adopting ISO 27001: senior officers (managers) did not take it seriously, cooperation from personnel as a whole was low, and funding was insufficient.

In summary, we hope this study will lead units to place greater emphasis on information security and to understand in depth the critical success factors, and the obstacles they may meet, when bringing ISO 27001 certification into their information security policy, so that it can serve as a reference for improvement, with passing the ISO 27001 international standard certification as a future goal.