Recent investigations by the Control Yuan have found that government agencies have improperly classified information, lost files, or destroyed records without approval. Although regulations governing the control of classified information already exist, the handling procedures for classified material in subordinate units are inadequate: some personnel still take an expedient attitude or merely produce formalistic paperwork, and lack the alertness and sense of urgency that confidentiality demands. This makes it difficult to maintain the security of classified information within these units and causes considerable impact and obstruction. In Taiwan, the control of leakage offenses is addressed in the Classified National Security Information Protection Act, the Criminal Code, the Criminal Code of the Armed Forces, the National Security Act, and the Regulations for Protection of Confidential Business Operations by Government Mechanisms, all of which prescribe confidentiality protection measures, handling procedures, and related penalties as preventive measures. Risks nonetheless arise easily during handling, and reducing them effectively has become an important issue. This study uses operational risk management software (Operational Risk Management Integration Tools, ORMIT) to conduct a risk assessment questionnaire survey of the current classified information control mechanism, so as to strengthen its control effectiveness and reduce the likelihood of failure. Evaluating the six stages of classified material handling (processing, distribution, transmission, custody, inventory, and destruction), it proposes the following recommendations for reference in government and corporate control practice: regular confidentiality security education, strict management of classified files, technology-assisted dual auditing, strict investigation of leakage violations, strict personnel evaluation and management, and periodic risk assessment.
In recent major incidents involving the disclosure of confidential information, such as the Bradley Manning, Andrew Snowden, and Panama Papers incidents, the leakage channels were individual employees who were members of the internal staff. These incidents have resulted in international panic, disputes, and reflection. A series of leakage incidents has also taken place in Taiwan, including the leakage of confidential information by government officers and the theft of corporate secrets by company employees. These incidents have caused major damage to many organizations, posing a threat to national security and overall industrial competitiveness. With regard to the management and control of leakage offenses in Taiwan, confidentiality protection measures, management procedures, and related penalty provisions are stipulated in the Classified National Security Information Protection Act, the Criminal Code, the Criminal Code of the Armed Forces, the National Security Act, and the Regulations for Protection of Confidential Business Operations by Government Mechanisms. However, various risks are likely to occur in the management process, and the efficient reduction of these risks is an important issue. Operational Risk Management Integration Tools (ORMIT) were used to conduct a questionnaire survey on the risk assessment aspects of current confidential information management mechanisms, in order to explore management efficiency and reduce failure risks. The secrets disposal procedure was evaluated according to six components: "processing," "distribution," "delivery," "protection," "verification," and "destruction." On this basis, a model was proposed that includes processing by responsible personnel, effective reduction of the number of personnel familiar with the confidential information, distinction of confidentiality levels for delivery, improvement of protection, regular inventory and inspection, and regular disposal of expired secrets.
The proposed model provides a reference for governmental and corporate management.