  • Thesis

Design and Implementation of an Information Security Management Platform for IT Governance

Design and Implementation of an IT Governance Framework for Security Improvement

Advisor: 陳英一

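Abstract

IT governance is a process for managing the IT environment, and this management work chiefly concerns the maintenance and operation of IT systems. Its main purpose is to make information technology fully serve business needs and to make enterprise IT more efficient through an effective management process.

However, in an organization's strategy for implementing IT governance, failing to monitor and control information systems properly will leave the enterprise's IT systems in an uncontrolled state. A typical enterprise IT organization has a unit responsible for information system management. Information system administrators manage the enterprise's information systems according to the policies the enterprise has established. When an administrator misunderstands the organization's policy, however, problems arise in the enterprise's information management. Such a problem is not easy to detect, because the system continues to operate normally. It is discovered only after someone notices it and reports it to the organization. After receiving the report, the organization must launch a series of activities to carry out remedial measures. These remedial measures cost a great deal of time and money.

The core of this research is therefore to provide a monitoring mechanism that allows problems to be detected before they occur and further prevents them from arising, reducing the organization's IT management costs. This thesis discusses an IT governance framework for detecting security issues on systems. The framework monitors the system's Access Control List and produces real-time reports as a basis for clarifying problems. In addition, the framework implements Change and Configuration management to provide a model of continuous improvement. To compare new and old problems, the change and configuration process requires further analysis. Within the system, problems that have occurred before are recorded, whereas new problems cannot be found on the list. Therefore, when a new problem occurs, the organization modifies the system in response to it to improve the system's current security problems. This thesis has completed monitoring and change and configuration management for improving the security of enterprise information systems.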

Parallel Abstract


Information Technology (IT) governance is the process by which decisions are made about the IT environment; it governs decision making in important IT operational areas. The term involves the policy that drives governance toward an effective IT organization. Without monitoring to control the direction that IT governance has set, the policy can sometimes drive the organization into disaster. IT organizations typically already have IT governance managed by an administrator, a person in charge who has a policy for handling problems within this domain. A problem arises when the administrator makes a faulty decision in interpreting organizational policy. The fault goes undetected until someone notices the problem and reports it to the organization, after which particular actions are arranged to deal with it. Those processes waste time and money. This research was conducted to provide a solution to the problem described above. We propose a design for an IT governance framework for detecting problems in system security. The architecture monitors the Access Control List and concurrently generates real-time results, and it also carries out change and configuration management in order to improve security assurance. The change and configuration process requires analysis in order to compare new problems with the previous problems on the list; when the system encounters a new problem that is not on the list, it is handled as a new problem whose solution is treated as an improvement in the security domain. Finally, the thesis completes the monitoring and the change and configuration management that make up the framework for security improvement.
