  • Thesis


Government agencies Study of Information Security Governance - A Case Study of Taipei City Government

Advisor: 黃明達


In the "National Information and Communications Security Development programme (2009-2012)", the RDEC (Research, Development and Evaluation Commission, Executive Yuan) and the Technology Advisory Group made the promotion of information and communication security governance one of the action plans and provided an information and communication security governance maturity assessment tool suitable for government agencies, in the expectation that the programme would put an information and communication security governance system into practice in our government agencies. The purpose of this study is to assess the Taipei City Government's information and communication security governance maturity with the assessment tool, combined with in-depth interviews, in order to understand in depth the degree of implementation and current state of its information and communication security work, and to further explore the difficulties that may be encountered in implementing information and communication security governance in the future. The study uses a single-case case study as its research method: it assesses the Taipei City Government's information and communication security governance maturity to understand the agency's maturity and its actual situation, then analyzes and compares the two. The results of this thesis are: the degree to which the Taipei City Government has implemented information and communication security governance, the problems it may encounter, the items to improve, and schedule recommendations.

The research subject's score for the dependence of agency business on IT falls mainly in the "very high" band, while the assessment found that the overall rating and the overall weighted average of the agency's information and communication security governance maturity fall in the "continuous improvement" item. This indicates that, for information and communication security governance, the Taipei City Government's main objective should be to strengthen the implementation of risk management assessment. The in-depth interviews and research discussion identified problems that may be encountered when introducing information and communication security governance: there are concepts and ideas about risk management operations, but their implementation still needs to be strengthened, and there is no defined process for remedying deficiencies in information and communication security policies, procedures and their implementation. An information and communication security plan should therefore be established, with a promoting organization and information and communication security governance processes planned, to support unit operations and implement information and communication security management. Dedicated personnel should regularly check whether the relevant procedures are appropriate and continually improve information and communication security governance in order to achieve good results.


