In view of the impact on the organization of two successive information security incidents inside a sensitive military unit, and in order to set a direction for formulating information security policy and to lower the probability of recurrence, this study combines project risk management with the ISO/IEC 27001 information security management system standard: qualitative risk analysis is carried out by questionnaire, and the risk value of each identified risk item is evaluated with a probability-impact matrix, so as to highlight the information security priorities of a sensitive military unit. For risk response, an "avoidance" or "mitigation" approach is adopted and control measures are planned for high-risk indicators, to serve as a reference for unit managers, IT department staff and users; the information operating environment is also built, as far as possible, in the manner recommended by the standard, so that the information security level is further raised. The findings of this study then serve as preliminary preparation for the subsequent introduction of third-party information security certification.
Seeing that two information security incidents occurred successively in a sensitive military organization, this study, which aims to prevent similar incidents and to set a direction for policy, combines "Project Risk Management" and "ISO/IEC 27001", adopting a questionnaire method to carry out risk analysis. It also identifies the important information security points of the sensitive military organization according to a probability-impact matrix. For "Risk Response Planning", this study uses "Avoidance" and "Mitigation" to work out controls over high-risk points, providing information and suggestions for IT professionals, managers and users. This study constructs an information operating environment on the basis of ISO/IEC 27001 to monitor the information security level and to prepare for third-party information security certification.