| 摘要: | 在日異頻繁的資訊安全事件中,大多數的企業組織均已體會到資訊安全管理的重要性,資訊安全管理制度(ISMS)是國際上受到認可的資訊安全管理標準,是整體資訊安全管理系統的一部分,包括:資訊安全組織、資訊安全政策、規劃活動、職責、實施、流程和資源等,以風險評鑑的作法為基礎,用以建立實施、運行、監控、檢視、維護和改善資訊安全。提供適當的安全控制措施及充分地資訊資產保護,以確保組織的資訊安全;並賦予利害關係人的信賴。
ISMS是規範、建立及實施資訊安全管理系統的方式,以及落實文件化的要求,可以確保ISMS在組織內部能夠有效的運作;並即時掌握資訊安全現況,把可能發生的資訊安全風險危害與損失,降低至企業組織可接受的程度範圍內,確保企業永續經營。持續落實資訊安全管理,在導入ISO 27001制度化、文件化及系統化的管理機制後,將透過規劃-執行-查核-行動(PDCA)等,持續進行管理與技術的改善及強化,期以提供更優質、更安全的服務。
本研究以個案研究法及參照ISO/IEC 27001附錄A5-A18控制措施設計評分表評估企業導入ISMS之管理成熟度分析方式,以某金控公司下子公司為研究個案,探討現行的企業中,透過ISMS成熟度模型分析,瞭解組織現況差異分析、ISMS導入及資訊安全管理系統之國際資安認證,確保企業資安管理符合國際資訊安全標準,並診斷企業在資安管理成熟度及落實的程度之研究,以作為未來強化組織改善資訊安全的依據。
關鍵字:資訊安全管理制度,規劃-執行-查核-行動,ISO27001,資安管理成熟度。;In the frequent and frequent information security incidents, most enterprise organizations have realized the importance of information security management. The Information Security Management System (ISMS) is an internationally recognized information security management standard and an overall information security management system. Some of these include: information security organizations, information security policies, planning activities, responsibilities, implementation, processes, resources, etc., based on risk assessment practices for establishing, implementing, monitoring, reviewing, maintaining, and improving information security. Provide appropriate security controls and adequate protection of information assets to ensure the security of the organization′s information; and give stakeholders the trust.
The Information Security Management System regulates, establishes and implements information security management systems, and implements documented requirements to ensure that information security management systems can be effectively operated within the organization; The occurrence of information security risk hazards and losses will be reduced to an acceptable level within the organization of the enterprise to ensure the sustainable operation of the enterprise. Continue to implement information security management. After introducing the ISO 27001 institutionalized, documented, and systematic management mechanism, we will continue to improve and strengthen management and technology through planning-execution-check-action (PDCA), etc., to provide Better and safer service.
This study uses the case study method and reference to the ISO/IEC 27001 appendix A5-A18 control measure design score table to evaluate the management maturity analysis of the company′s introduction into the ISMS, using a subsidiary of a financial control company as a research case to discuss the current Analyze the ISMS maturity model to understand the current status of organizational differences analysis, ISMS import and international security verification of information security management systems to ensure that the company′s security management complies with international information security standards, and diagnoses the degree of maturity and implementation of corporate security management Research as a basis for strengthening information security in the future.
Keyword: Information Security ManagementSystem , PDCA , ISO27001 , Maturity of Information Security Management. |
