資訊安全管理系統與企業網路安全實作探討

Abstract

許多組織仰賴 IT 資源，並且相信它們是可靠的。然而，網路安全問題卻會隨著時間變得更加錯綜複雜，影響也將會不斷擴大，一旦公司資產的安全性受到危害而導致災難性後果，停機數天所帶來的損失將會難以估算。今日有關資訊安全宜遵循的策略，都是在不完整之資訊內容下做決定的，標準可以減輕因不完整資訊引發之困難，因為標準可以減少選擇的範圍而簡化資訊之供給與需求決策制定的過程。

本研究以實例探討方式將評核企業已實施之資訊安全控制措施與我國經濟部標準檢驗局起草修訂之新版國家標準CNS 17799（ISO/IEC 17799：2005（E））所列出之控制項目進行檢測比對。並以「符合度」指標探討該企業現行資訊安全制度與資訊安全管理規範之符合程度以分析有待改善之控制措施項目與所造成之風險，並且根基於標準相關控制措施提出「企業安全性修補程式之架構設計」是可用以支援可信賴資訊安全使用環境可行之解決方案之一。

本研究之成果從企業安全性修補程式之架構與相關網路安全偵測實作中比較發現新架構可將伺服器更新比率由85%提高至99%(提昇14%)，並且在完成安全性修補程式更新時間方面，將工作站更新時間從1394人/天減少為32人/天，對於網路上未受管理之工作站可以採用更強烈的主動偵測方式移除此電腦的網路連線。實作結果可大幅提昇對抗惡意軟體的控制措施之有效性。

在資訊安全的研究與運用方面，由於電子商務活動的日益頻繁，網路安全勢必成為未來人類交易行為轉型的成功關鍵，而電腦病毒與系統入侵卻是在資訊科技發展中不易消除的障礙。本研究藉由分析企業網路安全宜採用之控制措施並且提出實作成果，希望對於企業之資訊人員從事企業網路安全規劃時，可依本研究結果做基礎進行規劃作業，則可有效減少資訊人員在規劃上進行評估及分析的時程。

A lot of organizations are dependent on IT resources，and believe that they are reliable. However, the online security question will become more intricate、influential and expand constantly with time. Once the security of company's assets will be endangered and caused the calamitous consequence, the losses will be difficult to estimate to shut down for several days. Today all make the decision under the incomplete information that should be followed. The standard can lighten the difficulty caused because of incomplete information. Course that the standard can reduce the range and demand of simplifying information chosen and make policy.

This research is based on draft new national standard CNS 17799（ISO/IEC 17799：2005（E））that enterprises have already implement to analysing control measure project improved to remain in enterprise information security system. And the solution「Architecture design for enterprise security patch management」is proposed in the relevant control measure of the standard and it can be used to support the information security with feasible environment for use. To examine from the new structure can increase the upgrade rate of the server from 85% to 99%, and reduce the update time of workstation from 1394 man-day to 32 man-day. The solution is well approved for malice code protection.

Because electronic commercial activity is frequent day by day，the online security certainly will become the successful key that the human trading activity of future make the transition. It is obstacles difficult to dispel in the development in science and technology of information that electronic virus and system are invaded. This research is by analysing the control measure that enterprise's online security should be adopted. While hoping for personal who is engaged in enterprise's online security planning，can make the foundation and plan in accordance with this result of study.