以ISO 27001為基礎評估電信業資訊安全管理 - 以第一類電信業者為例

Abstract

科技與網路的發展迅速，增進人類生活的便利與效率，然而日益複雜的資訊安全問題，對於個人、組織甚至於國家，都已造成嚴重威脅。鑒於此，英國標準協會於1995年首先提出BS 7799資訊安全管理標準，架構出涵蓋技術面與管理面的全方位資訊安全管理系統(Information Security Management System，ISMS)，而後逐漸演變至今日的ISO 27001。眾所皆知沒有100%的資訊安全，只能採取適當的應變措施以及降低風險發生的機率來將損害減輕至最低，而遵循資訊安全管理的標準便是一個最好的方式。 本研究以ISO 27001的11大控制要項、39個控制目標與133項控制措施為基礎，建立符合驗證規範的評核表，以深度訪談與實地查察的方式，評估電信業資訊安全管理的現況；同時彙整業者的實務經驗與專家意見，發展出適用於電信業的資訊安全管理建議：ISO 27001核心版，其內容集合了ISO 27001控制措施的重點項目，提供有意自行導入資訊安全管理的電信業者參考；並運用重要性-表現程度分析法(Important-Performance Analysis，IPA)說明電信業者對於133項控制措施的施行策略。 研究結果顯示，根據ISO 27001的控制措施，電信業者的整體符合程度達到90%，顯示電信產業的資訊安全管理具有不錯的水準，而在控制要項的執行情況上，表現較佳的是「資產管理」與「遵循性」，而表現欠佳需要加以改善的是「安全政策」與「資訊安全組織」；以資訊安全管理的三個面向探討，策略面表現優於管理面，而管理面優於作業面；針對適用於電信產業的ISO 27001核心版，則提出58項重要的控制措施作為資訊安全管理建議。

Rapid growth on science and technology increases life convenience and efficiency, however the emerging information security issues become serious threat to personnel, organizations and countries. BSI released BS 7799, the Information Security Management Standard, on 1995 for building up the comprehensive ISMS, today’s ISO 27001 is evolved from BS 7799. There is no 100% guaranteed information security, follow the international standard is the best way to minimize the damage caused by information security issues. An ISO 27001 based evaluation form is created to appraisal information security management situation in telecom industry via physical interview and verification. The telecom industry oriented information security management suggestion, ISO 27001 Core Edition, is developed as reference for those who intend to deploy ISMS. IPA (Important-Performance Analysis) is used to illustrate the strategy of performing 133 controls by service providers. The research result indicates telecom service providers reach 90% of conformance level against ISO 27001 controls, and have good performance on “Asset management” and “Compliance” control sections, but need to improve on “Security policy” and “Organization of information security” control sections. The proposed ISO 27001 Core Edition includes 58 important controls which can be the information security management suggestion for telecom industry.