As government agencies place growing emphasis on information and communication security, the establishment of Taiwan's overall information security protection system and the improvement of its protection capabilities have become increasingly refined. The 2013 Executive Yuan Information and Communication Security Audit Operation Plan, carried out from 2 September to 31 October 2013, formally included the implementation of the information security technical controls of the "Information Security Health Diagnosis" in its scoring, and these controls were also incorporated into the "Action Plan" of the "National Information and Communication Security Development Plan (ROC years 102 to 105)" of 15 December 2013, opening a new chapter for the audit work of Taiwan's Information Security Management System (ISMS). On 1 May 2022, the Taiwan Accreditation Foundation (TAF) put into effect the "Specific Requirements for Information Security Management Law Verification Scheme of Management System Verification Agencies" promulgated in April 2022, opening a new page for the implementation and verification of Taiwan's Information Security Management Systems (ISMS). Within the ISMS series of standards, because of the regulations of individual countries and the growing demand for additional controls, ISO formally initiated on 2013-02-07 a standardization project for ISO/IEC 27009, which specifies how ISO/IEC 27001 and ISO/IEC 27002 are to be extended for users who need sector-specific standards. Building on these ISO rules and following the framework of ISO/IEC 27009, this article examines the standardization of the ISMS requirements in the aforementioned "Specific Requirements for Information Security Management Law Verification Scheme of Management System Verification Agencies"; the controls that should be added for the Vulnerability Alert and Notification System (VANS), the Zero Trust Network (ZTN) and Endpoint Detection and Response (EDR) under the work items "establish a mechanism for the active discovery, reporting and remediation of information and communication system vulnerabilities" and "improve the depth and breadth of defense of the Government Internet Service Network" in the "National Information and Communication Security Development Plan (ROC years 110 to 113)"; and the issues of implementing supply chain security, as a basis for developing the corresponding standards.
With the increasing emphasis on information security by government agencies, the establishment of Taiwan's overall information security protection system and the improvement of its information security protection capabilities have become increasingly refined. The first shot of the new trend in the audit work of Taiwan's Information Security Management System (ISMS) was the "Information Security Health Diagnosis". The implementation of its information security technical controls was officially included in the scoring of the 2013 Executive Yuan Information Security Audit Operation Plan, and it was also included in the "Action Plan" of the "National Information and Communication Security Development Plan (ROC years 102 to 105)" on December 15, 2013. On May 1, 2022, the Taiwan Accreditation Foundation (TAF) implemented the "Specific Requirements for Information Security Management Law Verification Scheme of Management System Verification Agencies" issued in April 2022. This move opened a new page in the implementation and verification of Taiwan's Information Security Management Systems (ISMS). Because of the growing demands of regulations and control measures in various countries, the International Organization for Standardization (ISO) officially initiated, on 2013-02-07, a standardization project to extend the ISO/IEC 27001 and ISO/IEC 27002 standards so that users can develop the sector-specific standards they require.
Based on these standards and following the framework of ISO/IEC 27009, this article first explores the standardization of the ISMS requirements in the aforementioned "Specific Requirements for Information Security Management Law Verification Scheme of Management System Verification Agencies". It then discusses the control measures that should be added for the Vulnerability Alert and Notification System (VANS), the Zero Trust Network (ZTN) and Endpoint Detection and Response (EDR) under the work items "Improving Defense Depth and Breadth of Government Internet Service Network" and "Establishing Mechanisms for the Active Discovery, Notification and Repair of Information Security Vulnerabilities" in the "National Communication Information Security Development Plan (ROC years 110 to 113)". Finally, it addresses the issues of supply chain security implementation.