以ISO27001為基礎探討個資法對電信業者的影響-以F公司為例; Based on the ISO 27001: To Explore the Influence of Personal Information Protection Act toward Telecommunications

NCUIR > School of Management at National Central University > Executive Master of Information Management > Electronic Thesis & Dissertation > Item 987654321/60114

Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/60114

Title:	以ISO27001為基礎探討個資法對電信業者的影響-以F公司為例;Based on the ISO 27001: To Explore the Influence of Personal Information Protection Act toward Telecommunications
Authors:	余昌霖;LIN,YU CHANG
Contributors:	資訊管理學系在職專班
Keywords:	個人資料保護法;ISO 27001;ISO 27011;Personal Information Protection Act;ISO 27001;ISO 27011
Date:	2013-06-19
Issue Date:	2013-07-10 12:07:02 (UTC+8)
Publisher:	國立中央大學
Abstract:	鑑於電信業者擁有通訊、網路等資源，留存大量的用戶資料，常為不法人士覬覦的目標，致使公司業務機密及用戶資料外洩事件頻傳，造成社會信用危機。本研究以個案電信公司作為研究對象，探討在ISO 27001資訊安全管理系統 (Information Security Management System, ISMS) 架構下，個案公司對於客戶個人資料保護的具體做法，以及該架構是否能符合個資法的資料保護措施。此外，本研究另以ISO 27001資訊安全管理標準下11大控制領域、39個控制目標、133項控制措施及ISO 27011增列檢查項目，與個人資料保護法找出兩者的相關聯性，並進行資料歸納整理及分析。研究結果發現，電信業運用現有的ISMS架構去規劃以下作業流程，包含：個人隱私衝擊分析、個人資料定義與辨識、個人資料價值之判定標準、個人資料生命循環週期控管等，確實能補強個案公司在個資安全上的管控。另外，對電信業者而言，在ISO 27001共有6個控制領域、24項控制措施與個資法有相關聯性，分別為「遵循性」、「人力資源安全」各2項；「資產管理」、「存取控制」各3項；「資訊安全事故管理」5項；以及「通訊與作業管理」9項。因此，電信業者在針對個資法規劃防護時，可對這些相關聯性的控制措施投入較多資源並加強管控。除此之外，研究發現個案公司通過ISO 27001認證，只需檢視目前ISMS下的架構，再針對個資保護控管仍不足的地方，建立屬於本身的個人資料作業流程並嚴格遵循，就不需重新導入新的認證機制。 Some illegal persons cast greedy eyes on the telecommunication companies because of its communication, Internet and a large amount of users’ data. Therefore, the company’s business secrets and users’ data are frequently leaked and crisis of social credit are occurred. The study aims to study the telecommunications to explore the F Telecom’s concrete measures to protect the consumers’ data under the structure of ISO 27001 Information Security Management Systems (ISMS). Besides, ISO 27001 contain 11 control domains, 39 control objectives, 133 controls and the inspection items of ISO 27011. The research seeks to find out the relevance between ISO 27001 and Personal Information Protection Act (PIPA), then collate and analyze the data. The study shows that telecom use the existing ISMS structure to arrange the following processes, including Privacy Impact Assessment (PIA), definition and identification of personal data, the value criteria of personal data and the life cycle of personal data. It definitely can reinforce the security and control for the case company. In addition, for telecommunication companies, six domains and twenty-four measures are correlative with PIPA in ISO27001. There are two items for each compliance and human resources security there are three for each asset management and access control there are five items for Information security incident management, and there are nine items for communications and operations management. Hence, the telecom companies can invest more resources on the control measures when they plan to protect the PIPA. Besides, the research finds that the case company passes the ISO 27001 certification. They need to review the existing ISMS structure and build their operation procedures to make up its insufficient parts. They do not need to use the new authentication mechanism.
Appears in Collections:	[Executive Master of Information Management] Electronic Thesis & Dissertation

Files in This Item:

File	Description	Size	Format
index.html		0Kb	HTML	1399	View/Open

社群 sharing

Loading...