Abstract (translated from the Chinese):

As enterprises adopt information technology to pursue efficiency and respond quickly to a rapidly changing environment, the degree to which their business depends on IT rises, and with it the impact an information security incident can have on the business. To strengthen information security and reduce both the likelihood and the impact of risk events, the Information Security Management System (ISMS) has become the reference and standard for information security management recognized by governments and enterprises worldwide.

This study takes the ISMS implementation of a company in the domestic cloud industry, currently the most prominent sector, as a case study. It follows the implementation from the initial motivation through gap analysis, asset inventory and risk assessment, establishment of the information security management framework, education and training, internal audit, management review, corrective and preventive actions, and third-party certification, ending with the award of ISO/IEC 27001:2005 certification in early 2011, and examines in depth the difficulties encountered during implementation and how they were resolved, the benefits obtained, and the critical success factors.

The findings show that whether the ISMS scope includes the enterprise's core business determines how seriously the enterprise commits to putting information security into practice. With the help of professional information security consultants, the company adopted an industry-recognized information security management methodology, carried out a comprehensive risk analysis, and linked the individual control points together at the level of institutional process. The information security policy first declares explicitly the scope the organization protects, and an information security organization is established to coordinate and communicate across departments, so that employees clearly perceive senior management's vision and resolve. Combined with appropriate security education and training, this raises employees' security awareness, embeds security in day-to-day operations, and ultimately gives the enterprise the capability to improve continuously on its own, supporting the goal of sustainable business operation.

Abstract (English):

Organizations use information technology (IT) to respond effectively and efficiently to a rapidly changing world. The more IT they adopt, the more information security incidents can occur and the greater the impact of each one. To improve information security and reduce the likelihood and impact of risk events, an increasing number of government agencies and enterprises implement an Information Security Management System (ISMS), the recognized best practice in the field.

This thesis is a case study of an enterprise in the cloud industry implementing an ISMS. It covers the motivation for implementation, gap analysis, asset inventory, risk assessment, ISMS establishment, awareness training, internal audit, management review, corrective and preventive actions, and third-party certification, culminating in the enterprise obtaining ISO/IEC 27001:2005 certification in early 2011 (the 2005 edition was the current one at the time; it has since been superseded by the 2013 and 2022 editions of ISO/IEC 27001). The contribution of this thesis is to identify the difficulties encountered while implementing the ISMS and their solutions, the benefits obtained, and the critical success factors. The results indicate that the organization's determination to put information security into practice depends on whether its core business function is included in the ISMS scope.

With the assistance of professional information security consultants implementing the ISMS through an industry-recognized methodology, the organization can conduct a comprehensive risk analysis and adopt information security controls from several perspectives. Once the implementation scope has been declared in the information security policy and a dedicated information security organization created for cross-team communication and coordination, employees can clearly see the support and commitment of senior management. Together with appropriate information security training to raise employees' security awareness, this enables the organization to achieve continuous improvement and sustain its long-term business operations.