In recent years, information systems have gradually become compliance driven, and a variety of related laws have emerged. The US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are among the first steps many legislatures have taken to govern information systems. At the same time, many international standards have been proposed, such as ISO 20000, ISO/IEC 17799 and others, to continuously improve system quality and security.

To implement internal controls, IT professionals must constantly undergo numerous internal and external audits. The greatest challenge is how to comply with regulations within a value-driven organizational structure. This requires an information system that can automate regulatory compliance and support continuous auditing, so that the information system remains secure and compliant with information security regulations at all times.

This thesis proposes a compliance-driven data access monitoring system. The system not only incorporates continuous auditing for automated regulatory compliance, but also draws on the problem management, change management and configuration management processes of ITIL (IT Infrastructure Library) for process improvement, so that the system can be managed more effectively. To explain how this approach keeps an information system compliant with security regulations, particular attention is paid to how security regulations are transformed into security controls and auditing rules. Finally, a real-world case built with commercially available technology is used to demonstrate the feasibility and advantages of the approach.
Information technology is becoming compliance driven. The US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are just two of the many legislative initiatives that are changing how IT services are managed. IT professionals are now subject to numerous internal and external audits, with a focus on IT internal controls. The challenge is to continue performing as a value-driven organization while complying with regulatory oversight. In this thesis, a compliance-driven process improvement framework based on the security policy lifecycle is proposed and discussed. This framework not only incorporates the concept of continuous auditing for automated compliance but also considers ITIL’s change management for process improvement. To illustrate how this framework can be used to guide security policy enforcement, a special focus is placed on how policies can be transformed into security control and auditing rules using a disclosure-centric analysis. Finally, an implementation with real case scenarios using commercially available technology is constructed to demonstrate the feasibility and benefits of such a compliance-driven process.