Most enterprises today have adopted information systems. The original development documents of such a system define a standard operating procedure that is given to users as a reference guide. How to analyze and verify whether the users of a procurement information system actually follow that standard procedure, and so avoid deficiencies that turn into information security issues, is a question enterprises should attend to. This study proposes a mechanism for analyzing user operations. It analyzes the database audit log, i.e. the record of the data changes a user's actions cause while operating the information system, and uses the database schema to establish the precedence relations among the logged actions, thereby recovering each individual user's flow of operations on the database. Using the Petri net formalism, the standard procedure is redrawn as a Petri net. Each user's database operation flow is likewise converted into a Petri net by the conversion steps of the α-algorithm, so that auditors can inspect it conveniently. To analyze the differences between a user's operation flow and the system's standard flow, this study builds an automated difference-analysis mechanism that helps auditors compare the two flows without manual effort. To verify the feasibility of the mechanism, a prototype system is developed. With this mechanism and system, auditors can promptly learn whether users of the information system have carried out improper operations that cause unexpected losses to the enterprise, which reduces the chance of internal deficiencies; the results of the flow difference analysis also provide opportunities for business process re-engineering.
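The pipeline the abstract describes (audit log to per-user trace, α-algorithm to Petri net, difference analysis against the standard flow) as an added, self-contained example; this is not the thesis's own code or data. The audit-log lines, the mapping from (operation, table) to process activity, and the five-step standard procurement flow are all constructed here; where the thesis derives the ordering of actions from the database schema, this example simply orders each user's events by timestamp, and the difference analysis is done by comparing α-algorithm footprint matrices, which is one common conformance check, not necessarily the thesis's method.

```python
"""Mine per-user operation flows from a database audit log with the alpha
algorithm and diff them against the standard procurement flow.
Added example, not the thesis's own code; log, activity mapping and the
standard process are constructed for illustration."""
from collections import defaultdict
from itertools import combinations

# Constructed audit-log lines: "<timestamp> <user> <operation> <table>".
# alice follows the standard flow; bob raises the purchase order before approval.
AUDIT_LOG = """\
2024-03-01T09:00:00 alice INSERT purchase_request
2024-03-01T09:05:00 alice UPDATE purchase_request
2024-03-01T09:10:00 alice INSERT purchase_order
2024-03-01T09:30:00 alice INSERT goods_receipt
2024-03-01T10:00:00 alice INSERT payment
2024-03-02T08:00:00 bob INSERT purchase_request
2024-03-02T08:01:00 bob INSERT purchase_order
2024-03-02T08:02:00 bob UPDATE purchase_request
2024-03-02T08:30:00 bob INSERT goods_receipt
2024-03-02T09:00:00 bob INSERT payment
"""

# Assumed mapping from (operation, table) to a process activity. The thesis
# derives action relations from the schema; here the mapping is hand-built.
ACTIVITY = {
    ("INSERT", "purchase_request"): "request",
    ("UPDATE", "purchase_request"): "approve",
    ("INSERT", "purchase_order"): "order",
    ("INSERT", "goods_receipt"): "receive",
    ("INSERT", "payment"): "pay",
}

# The standard operating procedure as one trace (constructed).
STANDARD = [["request", "approve", "order", "receive", "pay"]]


def traces_from_log(log):
    """One trace per user, events ordered by timestamp (ISO strings sort lexically)."""
    per_user = defaultdict(list)
    for line in log.splitlines():
        ts, user, op, table = line.split()
        per_user[user].append((ts, ACTIVITY[(op, table)]))
    return {u: [a for _, a in sorted(evs)] for u, evs in per_user.items()}


def footprint(traces):
    """Alpha-algorithm relations (->, <-, ||, #) for every ordered activity pair."""
    df = {(a, b) for t in traces for a, b in zip(t, t[1:])}   # directly-follows
    acts = sorted({a for t in traces for a in t})
    fp = {}
    for a in acts:
        for b in acts:
            fwd, back = (a, b) in df, (b, a) in df
            fp[(a, b)] = "||" if fwd and back else "->" if fwd else "<-" if back else "#"
    return acts, fp


def alpha(traces):
    """Alpha algorithm: return (transitions, places, arcs) of the mined Petri net."""
    acts, fp = footprint(traces)
    subsets = [frozenset(c) for r in range(1, len(acts) + 1) for c in combinations(acts, r)]
    # sets whose members are pairwise unrelated (#) may share a place
    indep = [s for s in subsets if all(fp[(x, y)] == "#" for x in s for y in s)]
    X = {(A, B) for A in indep for B in indep
         if all(fp[(a, b)] == "->" for a in A for b in B)}
    # keep only maximal (A, B) pairs
    Y = {(A, B) for A, B in X
         if not any((A, B) != (A2, B2) and A <= A2 and B <= B2 for A2, B2 in X)}
    place = lambda A, B: "p({}|{})".format(",".join(sorted(A)), ",".join(sorted(B)))
    places = {place(A, B) for A, B in Y} | {"start", "end"}
    arcs = {(a, place(A, B)) for A, B in Y for a in A}
    arcs |= {(place(A, B), b) for A, B in Y for b in B}
    arcs |= {("start", t[0]) for t in traces} | {(t[-1], "end") for t in traces}
    return set(acts), places, arcs


def diff_footprints(standard, observed):
    """Footprint cells (a, b, standard, observed) where the flows disagree."""
    acts_s, fp_s = footprint(standard)
    acts_o, fp_o = footprint(observed)
    acts = sorted(set(acts_s) | set(acts_o))
    return sorted((a, b, fp_s.get((a, b), "#"), fp_o.get((a, b), "#"))
                  for a in acts for b in acts
                  if a < b and fp_s.get((a, b), "#") != fp_o.get((a, b), "#"))


def audit(log, standard=STANDARD):
    """Per-user deviations from the standard flow; an empty list means conformant."""
    return {u: diff_footprints(standard, [t]) for u, t in traces_from_log(log).items()}


if __name__ == "__main__":
    trans, places, arcs = alpha(STANDARD)
    print("standard net:", len(trans), "transitions,", len(places), "places,", len(arcs), "arcs")
    for user, deviations in audit(AUDIT_LOG).items():
        print(user, "OK" if not deviations else deviations)
```

Each differing footprint cell names the two activities and the relation the standard flow expects versus the one the user's log exhibits; for a user who ordered before approving, the cell `('approve', 'order', '->', '<-')` is the reversed step an auditor would want flagged, and the mined Petri net is what the thesis draws for the auditor to inspect.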