  • Degree thesis

A Study of Applying Audit Mechanisms to Continuously Improve Post-Certification Performance under ISO 27001: A Case Study of a Government Agency

A Study of Applying Audit Mechanisms to Continuously Improve the Achievement of ISO27001 Certification - Take a Government Agency As Study Case

Advisor: 陳皆成
This thesis will be available for download on 2025/06/19.

Abstract


The rapid development of information and network technology brings speed and convenience, and data and information systems play an increasingly important role. Government agencies are likewise required to use emerging information and network technologies to help improve and promote their operations, speed up workflows, and achieve the goal of simplified administration and convenient public service. To comply with legal and regulatory requirements, government agencies must undergo an information security audit every year to discover whether information security deficiencies exist and to propose recommendations for correcting them. Through information security audits and continuous improvement, agencies can raise their information security protection performance, uncover security vulnerabilities, and reduce security risk.

This study collected the information security deficiencies and improvement recommendations found in a government agency's audits over the past three years, used the "comparative research method" to analyze the similarities and differences among these deficiencies and recommendations, and categorized them to identify the most frequently occurring security deficiencies and improvement recommendations. It then used the "semi-structured interview method" to design an interview questionnaire and selected information staff and general business staff within the agency as interviewees, in order to explore how to adopt effective information security countermeasures and implement the necessary information security controls, and to examine whether, after the agency introduced an information security management mechanism, information security audits and continuous improvement bring positive improvement to its information security protection.

The results show that: (1) the types of information security deficiencies most often found during audits of the agency were secure areas, user access management, and responsibility for assets; (2) for the deficiencies commonly found in recent audits, the interviewed information staff were all able to propose corresponding countermeasures and implement the necessary information security controls; (3) continuously implementing information security improvement measures does bring a positive improvement effect on information security protection.

The findings of this study can serve as a reference for government agencies in implementing and continuously improving their information security management mechanism, making effective use of resources, reducing the additional burden on the unit's normal operations, and avoiding unnecessary information security risk.

Abstract (English)


The rapid development of information and network technology has brought speed and convenience, and data and information systems play an increasingly important role. Administrative agencies are required to use emerging information and network technologies to assist in improving and promoting their operations, accelerate operational processes, and achieve the goal of simplifying administration and facilitating the public. In response to legal and regulatory requirements, administrative agencies need to conduct information security audits and verifications every year to find out whether security deficiencies exist and to make suggestions for improvement. Through security audits and continuous improvement, agencies can raise their security protection performance, discover security vulnerabilities, and reduce security risks.

This research collected the security deficiencies and suggestions for improvement discovered in an administrative agency's audits over the past three years. We used the "comparative research method" to analyze the similarities and differences between these deficiencies and recommendations, and categorized them to identify the most frequently occurring security deficiencies and recommendations. The study then used the "semi-structured interview method" to design interview questionnaires and selected information personnel and general business personnel within the agency as interviewees, in order to explore how to adopt effective security precautions and implement the necessary information security controls. It also examined whether, after the agency introduced an information security management mechanism, information security audits and continuous improvement bring positive improvements to information security protection.

The results show that: (1) the most common types of security deficiencies discovered during the agency's audits were secure areas, user access management, and responsibility for assets; (2) in response to the security deficiencies often found in audits in recent years, the interviewed information staff were able to propose corresponding preventive measures and implement the necessary information security controls; (3) continuously implementing information security improvement actions does bring a positive improvement effect on information security protection.

The results of this research can serve as a reference for administrative agencies in implementing and continuously improving their information security management mechanism, making effective use of resources, reducing the additional burden on the unit's normal operations, and avoiding unnecessary security risks.
