Title: A Procedure for Constructing the Information Security Management Architecture of Traditional Industries - A Case Study of the R&D Department of Company M
Authors: 許志宜
Hsu, Chih-Yi
羅濟群
Lo, Chi-Chun
College of Management, Information Management Program
Keywords: Data Loss; Information Security; Traditional Industries
Issue Date: 2015
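Abstract: In an era of advancing information technology, a well-developed Internet and widespread cloud services, the operations of most enterprises rely on services provided over the Internet. Without sound information security management, risk is high and enterprises can easily suffer losses. Information security is necessary to keep the adoption of information technology from bringing harm before benefit, through data leakage, hacker intrusion and similar incidents. Generally speaking, traditional industries lag in their use of information technology and pay less attention to information security management, so this study proposes a procedure for constructing an information security management architecture for traditional industries, to help them manage information security. First, it examines the information and communication security responsibility levels that the Executive Yuan defines for government agencies and, with reference to that classification, proposes information security classification principles for traditional industries. Next, it analyzes and consolidates the information security health-check items proposed by the national information and communication security taskforce (國家安全資通會報), together with the information security deficiencies and solutions commonly seen in industry, and proposes key information security management items and their mapping to the ISO 27001 international standard. Based on the industry characteristics and business needs of traditional industries, it then proposes a recommended information security management architecture. On this basis, the R&D department of Company M can first determine its own information security level and then check its current state against the information security management architecture for that level to learn which items need improvement, thereby reducing information security risk and protecting enterprise assets.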
In recent years, information technology, the Internet and cloud services have advanced and become very popular. The operations of most enterprises depend on Internet-related services. Without good information security management, enterprises face a higher risk of damage. Generally speaking, traditional industries do not attach importance to information technology and information security management. Therefore, this study proposes solutions for improving the information security architecture of traditional industries. First, it examines the government's information security responsibility levels and then proposes the first level of information security demand for industries. Second, based on the characteristics of traditional industries, it proposes the second level of information security demand. Third, based on the government's information security health checks and on common information security problems and solutions, it proposes the information security management items. Fourth, the information security management items are mapped to the control objectives of ISO 27001. Fifth, based on the second level of information security demand, it suggests which information security management items need improvement. Finally, enterprises in traditional industries can use the information security demand level and these suggestions to improve their information security management items, and so construct an information security management architecture that reduces information security risk and protects enterprise assets.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070263423
http://hdl.handle.net/11536/126825
Appears in Collections: Thesis