標題: | 應用層級分析法之資訊安全風險評鑑 Information Security Risk Assessment Based on Analytic Hierarchy Process |
作者: | 何寬祥 Ho, Kuan-Shiang 單信瑜 Shan, Hsin-yu 工學院工程技術與管理學程 |
關鍵字: | ISO27001;風險評鑑;層級分析法;ISO27001;risk assessment;AHP |
公開日期: | 2013 |
摘要: | 企業資訊化程度越高,伴隨而來的資訊安全議題也越趨複雜,國際上因應此趨勢於2005年發布資訊安全國際標準:ISO27001,此標準以英國標準協會BS 7799為藍本漸次修改而來,讓企業對於資訊安全系統的建置、評量與施行有一可遵循的規範。
高科技製造業因其產業特性,對於高度資訊化伴隨而來的資安風險更是其公司營運上不可忽視的一環;透過建置符合ISO27001標準的資訊安全系統,以系統化的方法,有效管理資訊安全,可降低企業營運上的風險同時提昇企業內資訊人員的專業。
ISO27001標準的框架以風險管理為主軸,以PDCA手法,逐次降低資安風險,過程中的風險評鑑至為重要且關鍵,而其中的風險評鑑方法更是決定風險否能有效管控的要項;本研究中的個案公司,依其原有之風險評鑑方法施行兩年後,出現風險評鑑中,價值高的資訊資產,風險無法再降低之瓶頸。
本研究將以簡單問卷的方式,分析問卷結果,調整風險評鑑方法中的評量方式,依此結果修改風險評鑑的準則,發展出相對完善的風險評鑑方法,針對公司之特性,擬定更合理之資安風險評鑑項目與權重,使風險評鑑的結果更趨完備。 With the higher level of business informatisation, information security issues become more and more complex. Thus, ISO27001, which had been established based on BS 7799 of British Standards Institution, was published in 2005 as the international standard of information security. It has become the set of standard specifications for enterprises to follow to evaluate, build up, and implement information security systems. The possibility of information security risks of high-tech manufacturing industries increases under exposure of high level of business informatisation. Information security systems can be approached and well managed by implementing it with ISO27001. It also can minimize the risks of business operations and improve the professional skills of information technology employees. The principle concept of ISO27001 is based on risk management which fits into the "Plan-Do-Check-Act" (PDCA) model and successive reduces risks. The most important factor of this process is risk evaluation and assessment which determines if the risks can be effectively controlled. The bottleneck of the company of this case study, after performing the risk evaluation and assessment for two years, is the high-value information assets can no longer to be reduced. This was a questionnaire-based study. The results were analyzed in order to adjust and obtain a comprehensive risk evaluation and assessment method. A suitable and reasonable method will be developed by rearranging the items and their weights according to the characteristics of the company. Thus, the risks will be controlled and reduced once again. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT079870508 http://hdl.handle.net/11536/75118 |
Appears in Collections: | Thesis |