Security incidents are frequent in the online world, and for organizations they have become an information security problem that can no longer be ignored. How an organization, within a limited budget, decides which hardware facilities to acquire or how to strengthen its information security management, and how, through effective management policies, measures and budgeting, it reduces the information security risk posed by data leakage so that the damage to the organization stays within an acceptable range: these are major problems that every organization now faces. ISO 27001 is a comprehensive international standard for information security management systems that helps organizations reduce the damage caused by security vulnerabilities and prevent potential risks in advance. Because the ISO 27001 specification is so extensive (11 domains, 39 control objectives and 133 controls), some organizations find it difficult to implement. This study therefore takes the data leakage cases that occur most often in organizations, classifies, analyzes, tallies and summarizes them against the ISO 27001 clauses, identifies the violated controls so that they can be strengthened and guarded against, and recommends how to improve risk control, with the aim of using these cases to examine how an organization can effectively reduce the damage that information security risk causes it.
Information security incidents are increasing; they are a severe information security problem that cannot be ignored. The quality of hardware facilities and of information security management should be enhanced to reduce information security risk effectively, and the budget constraint and information security must be weighed together to obtain the greatest benefit. To reduce the network-related information security risks effectively, the factors to consider are management policy, behaviour and budget, and the damage still has to be kept within an acceptable range. These are the major issues organizations currently face in information security. ISO 27001 is an Information Security Management System (ISMS) standard that helps prevent information security damage and potential risks. ISO 27001 specifies 11 domains, 39 control objectives and 133 controls, which increases the difficulty of implementation for organizations. This study therefore uses the ISO 27001 standard to analyze many different information security cases for common information security problems. Based on the items identified in these cases, we give suggestions for strengthening information security risk management. The aim of this study is to reduce information security risk effectively under a limited budget.