本研究植基於「教育體系資通安全管理規範」,以郵寄問卷方式,調查北台灣高中職學校的資通安全實施現況,除了間接促成教育部在「教育體系資通安全管理規範」的要求、讓受訪之高中職學校以本研究問卷進行自審,然後統計各資通安全構面的落實度結果,並推估其落實度高或不足的原因,最後將「教育體系資通安全管理規範」中條列高中職學校不適用之控制措施、與研究結果做出比較討論,期望能提供政府、教育部在推動高中職教育體系資通安全之參考。 本研究發現,北區高中職學校對於資通安全政策制定情況大致良好,但資安措施落實度不足。高中職學校目前實施資安管理的動機,多出自於被動性因素(配合教育部法令規定)。另外,各學校資訊單位人力不一,未按師生人數來比例調整資訊單位的員額編制。幾乎每所學校都有發生資安事件,但卻仍有將近半數的學校未設置資安部門專門管理。而推行資安時的障礙因素多與「人」有關,包含專業人力不足、使用者或其他處室不願配合、未受到校內高層人士積極重視。而由教育部頒定之「教育體系資通安全管理規範」,其對高中職學校的適用性呈現教育部與學校認知不符、未達成共識的情形。 Based on "The Norms of Information and Communication Security Management in Educational Systems", this study was conducted by mailing questionnaires to survey the current situation of implementing information and communication security management in senior high and vocational high schools. In addition to indirectly facilitating the request of "The Norms of Information and Communication Security Management in Educational Systems" by Department of Education, prompting surveyed senior high and vocational high schools review itself with the questionnaires of this study, making statistics for the level of implementing information and communication security management in every aspect, inferring the cause of sufficient or insufficient implementation, comparing the inappropriate control measures to senior high and vocational high schools listed in "The Norms of Information and Communication Security Management in Educational Systems" with the study results, this study expects to provide a reference to our government and Department of Education for promoting the information security of senior high and vocational high schools. This study discovered that northern senior high and vocational high schools don't have too much problems in establishing information and communication security policies; however, they don't implement information security measures sufficiently. The motivation of implementing information security management is largely out of passive factors (for complying the rules and regulations of Department of Education). Furthermore, the human resources in the departments of information management of every school varies and don't increase or decrease according to the number of teachers and students. Although information security events happen in almost every school, there are nearly half of schools don't set departments of information security to deal with them. The major obstacle to promoting information security is "human," including that professional human resources are insufficient, users or other units of schools don't want to comply the measures of information security, and the upper management of schools doesn't lay great emphasize on information security. "The Norms of Information and Communication Security Management in Educational Systems" was established by Department of Education, which is partly inappropriate to and doesn't meet the expectation of senior high and vocational high schools.
