一個企業私有雲之資訊安全管理規範 -以W公司為例

Abstract

對許多企業來說，運用雲端運算服務，已經成為不可抵擋的趨勢，企業可以藉由雲端服務降低軟硬體的投入成本以及管理維護作業，藉由雲端技術的優勢，達成快速佈署相關系統及服務。然而，許多企業對於雲端運算的服務，仍然持保留的態度，資訊安全議題成為最大的隱憂。如何做好相關安全措施，是企業導入雲端技術時最主要的挑戰。本研究嘗試透過相關文獻探討、觀察、訪問資安專家意見以及書面記錄彙整資料，利用ISO27001 資訊安全作業規範，並輔以（Cloud Security Alliance/Cloud Control Matrix）雲端安全認證規範，進行分析及歸納後，提出建議之雲端資訊安全管理架構，企業可依據這套管理架構，了解目前的資訊安全管理現況，並針對不足的部分加以補強，提高資訊安全等級，避免因為資安問題造成企業的損失，影響商譽。

For many businesses, the use of cloud computing services has become an irresistible trend. Cloud Computing services can be reduced input costs of hardware and software as well as management and maintenance work. We can achieve rapid deployment of related systems and services by the advantages of cloud computing technology. However, many cloud computing services for enterprises are still holding the reserved attitude. Information security issues have become the biggest worry. How to make the relevant safety measures is enterprise adoption of cloud technology major challenges. The present study attempts to explore through literature, observation, and access to information security expert opinion written record of aggregate data. In this study, the ISO27001 information security operations to regulate, and it add (Cloud Security Alliance / Cloud Control Matrix) Cloud security certification to regulate. After conducting analysis and induction, this study presents the cloud information security management framework of the recommendations. Enterprises can manage in accordance with this framework to understand the current status of information security management. Enterprises can be reinforced for its shortfall, improve information security level, to avoid the impact of goodwill because of information security problems caused by the loss of business.