In the "National Information and Communication Security Development Program (2009-2012)", the Science and Technology Advisory Group of the Executive Yuan listed the promotion of information and communication security governance as one of its action plans and provided an information and communication security governance maturity assessment tool suited to government agencies, with the expectation that this program would establish an information and communication security governance system in our government agencies. The purpose of this thesis is to use that assessment tool to evaluate the information and communication security governance maturity of government agency X, combined with in-depth interviews to understand the degree to which its information security work has been implemented and its current situation, and further to explore the difficulties it may encounter in implementing information security governance in the future. The research method is a single-case type of case study: an information and communication security governance maturity assessment is carried out on government agency X to understand the unit's governance maturity and actual situation, and the research results offer government agency X recommendations on its degree of implementation, the problems it may encounter, improvement items, and a schedule. The operations of the organization studied depend very heavily on IT, and the assessment found that the overall maturity and the weighted average of the agency's information and communication security governance both fall at the "continuous improvement" level. This indicates that, in information and communication security governance, government agency X needs to make strengthening the implementation of risk management its main objective; in terms of implementation it still needs to strengthen the establishment of processes to improve information and communication security policies and procedures, accompany them with regular checks and audits of the related procedures, and continue improving in order to achieve good results.
According to the RDEC (Research, Development and Evaluation Commission, Executive Yuan) and the Technology Advisory Group, the "National Information and Communications Security Development Programme (2009-2012)" adopts the promotion of information and communication security governance as one of its action items and provides government departments with an information and communication security governance maturity assessment tool, with the expectation that implementing this programme will establish an information and communication security governance system in our government authorities. The purpose of this study is to assess the information and communication security governance maturity of government agency X using the assessment tool, combined with in-depth interviews to understand the extent to which information security is implemented and current practices, as well as the difficulties the organization may foresee in managing information and communication security. A single case study is adopted as the research method in order to understand the actual state of information and communication security governance maturity in the target organization. The outcome of this study states the current level of information and communication security management, the issues that may be encountered, action items for improvement, and a schedule for government agency X. The target organization's operations depend heavily on IT services. The assessment result shows that the overall weighted average maturity of information and communication security governance falls in the "continuous improvement" category.
This means that, in information and communication security governance, government agency X needs to strengthen risk management as its main objective, develop processes to improve information and communication security policies and procedures, require regular inspections and audit procedures, and continuously improve in order to reach a good level of information security management.