  • Degree thesis

A Study on the Classification of Information Assets and Risk Assessment – A Case Study of the Banking Industry

Classification of Information Assets and Risk Assessment ─ by Example of Banking Industry

Advisor: 陳志誠

Abstract


Enterprises apply many information security practices, but these are not necessarily focused on where they are most needed, nor do they always take cost and time effectiveness into account. Classifying an enterprise's information assets and establishing a risk assessment mechanism yields a detailed risk level for each information asset, making information security management decisions more precise, complete and usable, and helping to prevent the recurrence of information security incidents. At present there is little domestic or foreign research on risk assessment of information assets. This study examines the banking industry, which places great emphasis on information asset management, using a well-known domestic bank as the case. The questionnaire was designed on the basis of the code of practice for information security management BS 7799-1:2000, the information security management system specification BS 7799-2:2002 and the guidelines for the management of IT security ISO/IEC TR 13335. From the case company's information asset inventory, 99 information assets judged more likely to be involved in security incidents were selected, and the Delphi method was used to collect and analyse data, assessing each asset's current value, related threats, vulnerabilities and risk level; both qualitative and quantitative risk analysis were performed. The results show that only one of the case company's information assets, the main (core) router, has a medium risk level, while all the others are rated low. Following the continual improvement principle of BS 7799-2:2002, the study proposes recommendations and improvement measures for the higher-risk information assets. Because the information environments of banks are highly similar, with core business running on mainframes and small and medium-sized servers on the periphery handling non-accounting systems, and because the scale and information systems of the case studied are representative of the banking industry, the results of this study have practical reference value and can help enterprises reduce information asset risk and the occurrence of security incidents.

Abstract (English)


Many information system incidents result from imperfect protection of information assets. Since overall protection is expensive, even impossible, security measures should be applied where they are most needed in terms of cost and time. By classifying information assets and assessing their risk, we can determine the degree of risk of each asset and reach better decisions on security measures. Owing to secrecy policies, research reports on risk assessment of information assets are rarely made public. In this research we classify the information assets of a financial institution and assess their risks. Because the institution is one of the major banks in Taiwan, the research results should be representative. The Delphi method is adopted in this research, and the questionnaires are designed based on the information security management guidelines of BS 7799-1:2000, BS 7799-2:2002 and ISO/IEC TR 13335. In total, 99 information assets subject to security breaches are chosen for risk assessment, and 7 experts in information security and computer auditing are invited to answer the questionnaires concerning the current value of the assets, possible threats, vulnerabilities and degree of risk. Risks are expressed as low, medium and high on a 9-degree risk scale. The results reveal that one item, the core router, carries medium risk while all others are at low risk. We also make suggestions for enhancing security measures for all assets with a risk degree greater than or equal to 2. Owing to the lack of published research on the classification of information assets and the assessment of their risk in the financial field, the results achieved in this study are of practical value.

References


3. 吳俊儀 (2005). "A Study of the ISO 9000 Knowledge Creation Model," doctoral dissertation, Institute of Industrial and Information Management, National Cheng Kung University.
10. 蕭吉宏 (2005). "A Study of Information Security Risk Analysis for Sensitive Military Units," master's thesis, Institute of Information Management, Yuan Ze University.
12. BS 7799-1. "Code of practice for information security management," British Standards Institution, 2000.
13. BS 7799-2. "Specification for Information Security Management Systems," British Standards Institution, 2002.
14. Budgen, P. J. "Why risk analysis?" Risk Analysis Methods and Tools, IEEE Colloquium on, 1992, pp. 2/1-2/4.

Cited by


柯彥睿 (2008). Analysis of Information Security Risk in Computer Rooms Using a Decision Tree Model [master's thesis, Yuan Ze University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0009-1607200801091300
周楷智 (2015). A Study of Personal Data Protection Audit Mechanisms for Educational Institutions: The Case of a National University [master's thesis, National Chung Cheng University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0033-2110201614034456
