
Information Security Risk Assessment Combined with Privacy Impact Analysis

Combined the Privacy Impact Analysis with Information Security Risk Evaluation

Abstract


With the publication of international standards and the Personal Data Protection Act, enterprises have gradually paid more attention to personal data protection issues, especially the telecommunications and financial industries, which hold large volumes of sensitive customer data. To protect the personal data held within an enterprise appropriately, a comprehensive risk assessment must be carried out to understand the importance and risk of each activity that involves personal data. However, most current research takes a specific application scope as the subject of privacy impact analysis, which is not suitable for enterprise organisations holding many categories of personal data, and cannot integrate privacy impact analysis into the organisation's existing risk assessment methodology. We therefore propose a privacy impact analysis method that can satisfy the requirements of the Personal Data Protection Act: by identifying the key products and services the organisation provides and their business processes, the key assets are analysed, with assets divided into five categories: physical, software, service, information and personnel. Among information assets, items containing personal data undergo an additional privacy impact analysis to determine the importance of that personal data. The advantage of this method is that an organisation already certified to ISO/IEC 27001 need not redo a complete personal data risk assessment, and can quickly integrate the method into its existing ISO/IEC 27005-compliant risk assessment, saving manpower and time and simplifying subsequent management and handling. The methodology consists of five parts: (1) identification of products, services and business processes; (2) identification of assets; (3) privacy impact analysis; (4) risk assessment; (5) risk management.

Parallel Abstract


With the publication of international standards and the personal data protection law, enterprises are focusing on privacy protection issues, especially in the telecommunications and financial industries, which hold large amounts of customers' sensitive data. Enterprises need to carry out risk assessment to understand the importance and risk of each process that handles personal data. However, most current privacy impact analysis methods consider only one subject when analysing privacy impact, which is not suitable for a company holding many types of personal data. For this reason, we propose a model that combines privacy impact analysis with risk assessment. First, we identify the important services/products and their business processes, and then recognise the assets based on that result. We classify assets into five categories: physical, software, service, information and people. If an information asset contains personal data, a privacy impact analysis must additionally be executed for it. With our method, an enterprise that has obtained ISO 27001 certification does not need to carry out a privacy impact analysis again and can fit the method into its original risk assessment system quickly. We not only simplify the management process but also save manpower and time costs. Our method contains five parts: a) identification of products, services and business processes; b) identification of assets; c) privacy impact analysis; d) risk assessment; e) risk management.


