Thesis

Conceptual Models and Implementations of an Information Security Management and Education System

Conceptual Models and the Implementations of the Information Security Management and Education System

Advisor: 郭真祥

Abstract


An Information Security Management System (ISMS) is a method by which senior management avoids security incidents, controls information security, reduces risk, and ensures that information systems continue to meet organizational and legal requirements. This thesis proposes a conceptual meta-model of information security management (MMISM). To lower the difficulty of introducing an ISMS across an entire organization, it proposes PLOAT as the ISMS implementation model. MMISM brings in automation technologies such as RIAs (Rich Internet Applications), Semantic Web technologies and ontologies, and also applies decision-analysis methods to the ISMS, for example the Analytic Hierarchy Process (AHP), the Fuzzy Analytic Hierarchy Process (FAHP), Grey Relational Analysis (GRA), and fuzzy preference relation theory. MMISM has a complete architecture and describes the method and steps for introducing an ISMS clearly and explicitly, with corresponding system tools developed, so that an organization can carry out its own risk assessment and pursue international information security management certification on its own, opening the black box of information management, achieving technical self-reliance, saving time, manpower and money, satisfying legal and internal information security requirements, and at the same time resolving the predicament that an ISMS is hard to introduce and maintain; the ISMS becomes portable and can be quickly transferred to other units, reaching a state of information sharing. In addition, this thesis applies knowledge ontology, Interpretive Structural Modelling (ISM), the maturity concept, and Semantic Web technologies such as OWL, SWRL, SQWRL, SPARQL and semantic application platforms to plan a conceptual model of an information security education maturity system (ISEMM). The main architecture of ISEMM has five levels: the legal and regulatory level, the organizational role level, the certification level, the course level and the knowledge level, with basic knowledge units at the bottom serving as shared components that link the levels. The thesis introduces the ISM method in order to carry out hierarchical design and cause-and-effect analysis in a scientific and objective way; the example given is for course design. ISEMM draws on the maturity concept to carry out information security education and training sequentially and effectively, uses semantic rules to query and reason about knowledge, and aims to achieve automatic mapping through an automated reasoning mechanism, for example mapping between the role level and the course level, or between the knowledge level and the certification level, so that the system is extensible and can be quickly transferred and mapped to similar domains. In summary, this thesis draws on new technologies and proposes models such as MMISM and ISEMM, with an explicit architecture and methods, to achieve the organizational goal of reducing information security risk.

Abstract (English)


The main purpose of the presented work is to provide a meta-model for implementing an Information Security Management System (ISMS) effectively. Rich Internet Applications (RIAs) are web applications that have many of the characteristics of desktop applications. A contribution of the presented work is the adoption of RIAs and their technologies, MXML and ActionScript 3, to extend the features of the existing ISMS. Multiple criteria decision making (MCDM) refers to finding the best option among all of the alternatives. The MCDM methods used in this work are the Analytic Hierarchy Process (AHP), the Fuzzy Analytic Hierarchy Process (FAHP), and Grey Relational Analysis (GRA). Besides this, ontologies are typically presented as a tree structure containing all the relevant entities, together with their relationships and rules, within a domain of knowledge. Rules may be used for creating new rules and for defining the classes and properties of the ontology. Using ontologies and rules to implement knowledge management is the other purpose of this work. The system also uses Semantic Web technologies such as the Semantic Web Rule Language (SWRL), SPARQL and SQWRL to query and infer domain knowledge. Two models are proposed in this work: the meta-model of information security management (MMISM) and the information security maturity model (ISEMM). MMISM has four parts: security requirements and risk analysis, meta-policy, meta-process, and the PLOAT view of the implementation model. To expand the scope of ISMS certification, the PLOAT view is proposed; it stands for People, Legal, Organization, Asset and Technology. ISEMM has five levels, from top to bottom: the role, certification, standard, course and knowledge levels.

Keywords

ISMS, Risk Management, MCDM, Ontology, RIAs
