Title: A Study on the Certification of Information Security Management Systems (資訊安全管理系統驗證作業之研究)
Authors: 方仁威; 黃景彰; 樊國楨
Department: Institute of Information Management
Keywords: Information Security Management System; Information Security Assurance Framework; National Information Assurance Certification and Accreditation; Information Security Audit; Information Security Education and Training
Issue Date: 2005
Abstract: In recent years, information security incidents at home and abroad have occurred one after another, causing major losses to many enterprises and organizations and in some cases affecting entire nations and societies. Countries around the world have gradually recognized the importance of information security, particularly the protection of critical information infrastructure. In response to the repeated occurrence of such incidents and to deficiencies such as inadequate management, the international standards organizations adopted the Information Security Management System (ISMS) series of standards around 2000. These standards start from a holistic set of security countermeasures and consider how to protect the confidentiality, integrity and availability of an organization's information; through procedures such as risk analysis, risk assessment and risk treatment of information assets, they achieve security control, effectively reduce the frequency and impact of information security incidents, and thereby strengthen the organization's information security management capability. Taiwan's "Challenge 2008: National Development Plan" lists "implementation of an ISMS regime in 50% of the major government ministries" as a programme indicator for building a secure information environment, which shows that establishing a sound information security management regime is a major issue in e-government. It is well known that there is no such thing as 100% information security; establishing a holistic set of security countermeasures is the more pragmatic and feasible approach. Taking international standards, published related specifications and the actual practice of similar cases as its starting point, and drawing on security engineering, management and audit methodologies, this study examines ISMS certification in depth. It further proposes a tiered treatment of ISMS within Taiwan's internationally aligned "Information and Communication Infrastructure Security Mechanism", using the Plan, Do, Check, Act (PDCA) work cycle to institutionalize and rationalize information security practice, reduce as far as possible the risk factors that accompany security incidents, continuously improve operational quality, and achieve the goal of prevention before incidents occur. In light of this, and based on the "OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security" published by the OECD on 25 July 2002, the study goes on to propose practices for planning, assessment and internal audit within ISMS certification, attempts to integrate the ISMS certification and accreditation processes of ISO/IEC 15408, ISO/IEC 17799 and ISO/IEC 21827, and defines the education and training content that information security auditors should possess for their work. It thereby offers a new research perspective as a reference for future ISMS implementation, to ensure organizational information security and sustainable operation.
Due to the continual occurrence of information security incidents, many organizations have suffered serious losses. Many countries are paying more attention to these problems, and the Information Security Management System (ISMS) standard was passed in 2000. The aim of an ISMS is to protect the confidentiality, integrity and availability of information in organizations. By risk analysis, evaluation and management of information assets, we can lower the frequency and impact of information security incidents and so improve organizational information security management capabilities. Taiwan has brought out the "Challenge 2008 – Nation's Major Focus Plan", in which "the accomplishment of information security management systems in 50% of the major government branches" is an indicator for the establishment of a secure information environment. Setting up a complete information security system helps to upgrade the country's overall information and communication environment. In view of that, our study is based on the integrated operation mechanism of an ISMS. It is known that there is no such thing as "absolute information security"; thus it is practical to establish an integrated security solution. In this study, I use the international standards, the related guides and similar studies as my research references. The study also covers security engineering, management and auditing, and the ISMS certification process. In the thesis, I also bring out a leveling process for ISMS so that our country can meet the international standard. Through a "Plan, Do, Check and Action" (PDCA) life cycle model, by making information security systematic and rational and lowering the risk factors that accompany security incidents, we can improve process quality continuously and protect the systems. Hence, according to the "OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security" published by the OECD on July 25, 2002, the planning, evaluation and internal auditing of ISMS certification are studied. In this study, we try to integrate ISO/IEC 15408, ISO/IEC 17799, and ISO/IEC 21827 for National Information Assurance Certification and Accreditation (NIACAP), and formulate the information security auditing capability and its required education and training for a future ISMS implementation guideline, to ensure organizational information systems security and long-term operation.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT008834811
http://hdl.handle.net/11536/70445
Appears in Collections: Theses


Files in This Item:

  1. 481101.pdf
