Abstract: Due to the rapid development of technology and the widespread adoption of financial services, more and more banks are bringing technology into the services their organizations offer. Although technology brings convenience, it also brings risk. In 2016 (ROC year 105), Taiwan saw the first hacker intrusion into a bank ATM system in its domestic financial history, with a total loss of over NT$80 million. In 2017 (ROC year 106), hackers successfully intruded into the SWIFT international remittance system of Far Eastern International Commercial Bank and transferred NT$1.8 billion in remittances overseas. Banking is an old industry with a long history; as it faces digital transformation, can traditional financial executives understand the risks brought about by information technology?

This study analyzes national regulations and the publications of various international organizations in order to compare the information security regimes of the financial industry in Taiwan with those of leading financial centers (e.g., the United States, Hong Kong, the United Kingdom, and Australia), identifying and summarizing the differences. In addition, the study describes the internal audit best practices published by internationally recognized organizations, and through a summary comparison of the information security-related penalties announced by the Financial Supervisory Commission (Taiwan's financial regulator), major non-penalized incidents, and related news, examines from an internal auditor's point of view whether these incidents stem from deficiencies at the system level or at the institutional (control framework) level. The deficiency patterns in the penalized cases are also compared against the aforementioned best practices to identify where the audit function should be improved.

The results show that the CFI issued by the Hong Kong authority, the HKMA, is the most comprehensive information security regulation, while the regulations of the other major financial centers generally lack system-level requirements and many set no requirements for internal audit; the domestic authority does not even have a specific law on information security for the financial industry. Furthermore, information security incidents in the financial industry are predominantly incidents that originate inside the organization. Improvement of an organization's information operations should therefore place equal weight on the system level and the institutional level; audit work on information operations within the internal audit function should be performed by professional IT internal auditors, with emphasis on confirming whether the control measures have been fully established.