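Abstract: | Efforts to maintain information security often concentrate on security technology. However, a growing body of evidence shows that information security is broad in scope: it is not only a technical problem but also a management problem. According to statistics, only 15% of the problems facing information security are attributable to natural factors, while human factors account for as much as 85%. Furthermore, within that 85%, causes attributable to personnel inside the organization make up 80%. Human factors are therefore the main information security problem today, and how to effectively manage the deficiencies they cause is the focus of discussion and inquiry. Information management, and especially the management of information personnel, must deal with issues concerning "people", yet issues involving people always seem to have something vague and hard to resolve about them. To date, enterprises have still been unable to develop a perfect selection method that correctly screens for the most suitable talent. This study is one of the few domestic studies to draw on the BS7799 specification for personnel security management. It divides the security management of information personnel into four items (before hiring, after hiring, before promotion, and periodic audit) and examines the degree to which "performing a moral character assessment before hiring", "performing an emotional assessment after hiring", "considering moral character and emotion before promotion" and "conducting periodic personnel audits" each affect information security. The study used a self-assessment questionnaire, with students enrolled in the in-service programs of two well-known universities as research subjects (N=94). It found that years in operation and company size had no effect on the occurrence of information security incidents, whereas enterprises implementing BS7799 showed a better preventive effect against such incidents. In addition, implementing "performing a moral character assessment before hiring", "performing an emotional assessment after hiring", "considering moral character and emotion before promotion" and "conducting periodic personnel audits" was associated with a lower chance of future information security incidents and also had a suppressing effect on future incidents; most of the research subjects also considered that the moral character of personnel affects the occurrence of information security incidents. In practice, it is recommended to implement "considering moral character and emotion before promotion" and "conducting periodic personnel audits" first, since their effect is evident and they are simple to carry out.
The maintenance of information security often overemphasizes security technology. According to statistics, only 15% of the problems that information security faces are attributable to natural factors, while the influence of human factors is as high as 85%. Further, within that 85%, personnel inside the organization account for 80%. Human factors are therefore the main issue in information security today, and how to effectively manage the deficiencies caused by human factors is the focus of discussion and inquiry. Information management, especially the management of information personnel, must deal with issues concerning "people", but issues related to people always seem to have some vague and hard-to-resolve aspects. This research draws on BS7799 and divides the security management of information personnel into four items (before hiring, after hiring, before promotion, and periodic audit), examining separately the degree to which "performing a moral character assessment before hiring", "performing an emotional assessment after hiring", "considering moral character and emotion before promotion" and "conducting periodic personnel audits" influence information security. This research uses a self-assessment questionnaire (N=94). It finds that years in operation and company size have no influence on information security incidents, and that information security incidents occur less frequently in enterprises carrying out BS7799. In addition, personnel security management is associated with a lower chance of future information security incidents and has a suppressing effect on them. |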