A Study of Information Security Risk Assessment and Management

Abstract

With the spread of computers and the rapid growth of networks, information technology has become an indispensable part of daily life. Yet the uncertainty created by threats to information security is present in virtually every organization. A review of the related literature shows that most prior research has concentrated on data encryption, network security protection, or the construction of e-commerce security mechanisms, while the use of risk management to ensure information security remains largely unexplored. The main purpose of this thesis is therefore to discuss the requirements of information security and the reasons they fail to be implemented, and, from a risk management perspective, to establish an information security risk assessment model for managing information security risk effectively.

To achieve the research goals of effective assessment and assurance of information security, this study adopts the BS7799 information security management standard together with risk management methods. Its scope covers the sources of information security threats, the assessment of digital information threat types, digital information risk assessment, and methods of controlling digital information. The data analysis shows that a BS7799-based information security risk management model not only identifies the sources of information security threats and provides countermeasures for protecting and controlling digital information, but also reveals where an organization's information security risk problems lie. Furthermore, through the information security concepts and digital information protection methods established by this model, combined with risk management methods, members of the organization gain a concrete understanding of events that endanger information security, which in turn allows such risks to be managed and regulated effectively and sound information security to be established.

The data analysis further shows that a BS7799-based information security risk management model not only yields a priority order for information security items together with corresponding countermeasures, but also reveals where an organization's information security risk problems lie; through the correct and comprehensive information security concepts established by this model, and by applying risk management methods, members of the organization gain a concrete understanding of events that endanger information security, allowing such risks to be managed and regulated effectively and sound information security to be established.

Keywords: information security, BS7799
Abstract

This research analyzes the problem of internal security breaches, which account for the largest proportion of information security events, using the methodology of crisis management. In this thesis, we gather the management- and technology-oriented theories and rules offered by domestic and foreign specialists and scholars. In addition, we apply the current information security specification, BS7799, as the standard, and lay a foundation for the continuing research subject of how to prevent information security events arising from improper misappropriation by an organization's internal staff. The first step of the experiment is to create information security awareness among members of the organization using the BS7799 standard. Second, the risk management assessment model is mapped out using confidentiality, integrity, and availability as its three measures. Finally, the results of the data analyses enabled us to produce a set of priorities concerning information security as well as suggestions for proper responses. In other words, using the model to assess an organization's environment can identify potential information security problems within the organization.

In an era of booming information technology applications, awareness of information security has risen because enterprises depend heavily on information systems and networks to keep serving customers without system failure. After an enterprise implements the concept of information security management, can it achieve its expectation of protecting the organization's information system security? When an enterprise faces risks to its information assets and must take action, how should it invest within its budget to gain the best return on investment in information security? An enterprise can use the methodology of information security risk assessment to find the risks to information assets in its business processes and control its resources accordingly.
Quantitative risk assessment uses quantitative methods to assess the occurrence and impact of security events; it can therefore provide an effective way to assign suitable resources to managing an enterprise's assets. At present, Taiwan has few quantitative risk assessment methodologies; guesswork and subjective estimation are mostly used. Such estimation cannot obtain an objective assessment result from experience or knowledge alone with which to manage asset risks. With the universal application of information technology (IT) in business, the impact of information security incidents on business operations grows more critical with each passing day. Even so, academic researchers and business managers still focus on the technical issues of information security control and overlook the important issues of managing and integrating information security control. As a result, enterprises often get half the result with twice the effort in their information security control work. The main results of the research are: (1) the more highly senior managers value information security, the greater the extent of information security control; (2) the greater the extent of information security awareness, the greater the effectiveness of information security control; (3) the higher the level of information security control, the greater its effectiveness; and (4) the more extensive the enterprise's information technology applications, the higher the level of information security control.

Keywords: information security, BS7799
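The quantitative assessment and return-on-investment questions raised above, illustrated with an added Python example that is not part of the thesis: it applies the standard annual loss expectancy formula (ALE = asset value × exposure factor × annualized rate of occurrence, assumed here rather than taken from the thesis's own model) to a constructed asset register rated on confidentiality, integrity and availability, ranks the assets into a priority order, and checks whether a proposed control's annual cost is justified by the loss it avoids.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Asset:
    """One row of an asset register (all fields are constructed sample data)."""
    name: str
    value: float      # business value of the asset, in currency units
    conf: int         # confidentiality impact if compromised, rated 1 (low) to 5 (high)
    integ: int        # integrity impact, 1 to 5
    avail: int        # availability impact, 1 to 5
    exposure: float   # exposure factor: fraction of value lost in one incident, 0.0 to 1.0
    aro: float        # annualized rate of occurrence of the relevant threat


# Constructed sample register, not data from the thesis.
ASSETS = [
    Asset("customer database", 500_000, 5, 4, 3, 0.40, 0.5),
    Asset("public web server", 80_000, 2, 3, 5, 0.25, 2.0),
    Asset("HR file share", 120_000, 4, 2, 2, 0.30, 0.2),
]


def single_loss_expectancy(a: Asset) -> float:
    """SLE = asset value * exposure factor (standard quantitative formula, assumed here)."""
    return a.value * a.exposure


def annual_loss_expectancy(a: Asset, aro: Optional[float] = None) -> float:
    """ALE = SLE * ARO; passing an explicit aro models the rate after a control is applied."""
    return single_loss_expectancy(a) * (a.aro if aro is None else aro)


def cia_weight(a: Asset) -> int:
    """Qualitative impact across the three measures (3 = all low, 15 = all high)."""
    return a.conf + a.integ + a.avail


def prioritize(assets: List[Asset]) -> List[str]:
    """Priority order: highest ALE first, ties broken by the CIA impact weight."""
    ranked = sorted(assets, key=lambda a: (annual_loss_expectancy(a), cia_weight(a)), reverse=True)
    return [a.name for a in ranked]


def control_net_benefit(a: Asset, annual_cost: float, aro_after: float) -> float:
    """Annual loss avoided by a control minus its annual cost; negative means not worth funding."""
    avoided = annual_loss_expectancy(a) - annual_loss_expectancy(a, aro_after)
    return avoided - annual_cost


if __name__ == "__main__":
    print(prioritize(ASSETS))
    print(control_net_benefit(ASSETS[0], annual_cost=30_000, aro_after=0.1))
```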