Information security problems are spreading rapidly, extending from the domain of information technology into that of organizational management systems, and they seriously threaten the information security of organizations. ISO 27001 is the international certification standard for information security management systems (ISMS), but an organization that passes ISO 27001 certification is not thereby guaranteed excellent information security management performance. An ISMS protects an organization's information security only when it keeps operating effectively. How to evaluate the effectiveness of an ISMS, and how to improve its performance on the basis of that evaluation, is therefore a core issue for any organization that continues to operate an ISMS. This study uses a case-study approach to understand the implementation status and requirements of the ISMS at the National Archives Administration. After reviewing the literature on ISMS and performance evaluation, it applies the balanced scorecard performance management model to build an ISMS balanced scorecard from four perspectives: mission, customer, internal process, and learning and growth. Its strategies are "strengthen information security protection capability, improve service quality, implement the ISMS, and promote information security technology and awareness." The study finds that the balanced scorecard can express, top-down and completely, the cause-and-effect relationships among the vision, strategies, objectives, and action plans of the ISMS, and that the integrated use of lagging and leading indicators identifies key performance indicators for measuring the effectiveness of the ISMS.
Information security problems spread rapidly from the information technology domain into the organizational management domain, and they severely threaten the information security of an organization. ISO 27001 is an international certification standard for information security management systems (ISMS). ISO 27001 certification, however, does not guarantee that an organization has superior information security management performance. To protect the information assets of an organization, the ISMS must keep operating effectively. A core issue in information security is therefore how to evaluate and improve the effectiveness of the ISMS. This study applies the case-study method to understand the requirements and current status of the ISMS at the National Archives Administration. It then employs the balanced scorecard to construct a model for evaluating the performance of the ISMS in this case. The results show that the model links the mission, strategies, objectives, and action plans of the ISMS in a cause-and-effect chain. In addition, key performance indicators are developed to evaluate the effectiveness of the ISMS.