Standards accumulate knowledge and experience; standardization seeks, through systematic, shared and coordinated methods, to strengthen the knowledge and techniques of implementing standards so that they can be handed down. The standardization of information security has progressed from the product standard ISO/IEC 15408 in the 1990s (since harmonized as the CNS 15408 series) to the management-system standard ISO/IEC 27000 around the millennium (since harmonized as the CNS 27000 series), yet information security management remains a problem that the whole world faces together. Since 2007, a series of Software Assurance standards grounded in the effectiveness of the Security Content Automation Protocol (SCAP) has gradually become de facto standards and has served as the source from which the standardization of supply chain risk management for information and communications technology has grown. This paper describes that history and landscape, discusses the future prospects of information security management standardization, and serves as the final installment of the Information Security Care series of reports.
Standards can be seen as the accumulation of knowledge and experience, while standardization aims at strengthening the knowledge and techniques of standard implementation by means of systematic and coherent methods. The standardization of information security has moved from product standards in the 1990s to management-system standards around the millennium. However, the problems of information security management are still common issues that the world has to face. Since 2007, building on the Security Content Automation Protocol (SCAP), a series of effective Software Assurance standards has become de facto standards and has served as a source for the standardization of Supply Chain Risk Management for Information and Communications Technology (ICT). In this paper, the standardization of Supply Chain Risk Management is described and the future prospects of Information Security Management standardization are discussed.