| 摘要: | 在這十倍速的時代裡,資訊科技一日千里,伴隨而來的資訊安全問題,對政府單位或是私人企業來說都是一項挑戰。如何善用有限的資源,落實資訊安全管理,是每個組織都要面臨的重大課題。因此,行政院制定「政府機關(構)資通安全責任等級分級作業規定」,要求所有單位需依據此規定導入ISMS。並於2012年實施「個人資料保護法」,對於民眾的個人資料,所有單位均需加以全面防護。
本研究藉由個案單位實際的經驗,尋求較符合現階段政府機構需求的資訊安全管理系統之導入過程及方法,提供給未來推動者參考;再者,本研究將政府機關因應新版標準ISO 27001: 2013及風險管理標準之增修部分特別加以描述;同時,個人資料保護法實施後,公務單位如何因應變化所採取的措施,以及其所關注的重點呈現出來,使得未來研究者或新的執行者得以掌握重點及清楚其脈絡。
經由研究分析發現導入的關鍵成功因素為﹕高階主管的支持、資安政策的宣導與推廣、全體員工的積極參與、不斷的稽核與矯正、提供完善的教育訓練、具備資安專業之資安人員以及選擇合適的資安輔導顧問…等因素,均為導入資訊安全管理系統時的關鍵成功因素,也正是各個機關須特別重視並落實執行的要點。
且經由研究結論得知,若能執行上述要點,各機關或組織在導入及實施ISMS後,將產生的效益有﹕降低重要資訊外洩之風險、提昇面臨資訊戰之防禦能力、保護組織之機敏資料、提昇公司內部資安的保護等級、增進系統之穩定性及可用性、改善組織資訊管理環境、維持機關良好聲譽、增加民眾對政府機關之信賴感與支持、提昇政府機關正確之資訊安全觀念、機關業務永續營運…等效益。
;Information technologies have been advanced greatly and rapidly in recent years, and accompany information safety issues that are challenges to government agencies and private enterprises. How to use limited resources to fulfill information safety management becomes a significant lesson facing every organization. Thus, the Executive Yuan promulgated “Government Agencies Information and Communication Security Responsibility Grade and Classification Regulations” to require all agencies to implement information security management system (ISMS). The Personal Data Protection Act implemented in 2012 also requires all agencies protect personal data of the public.
This research identifies an ISMS introduction process and approach suitable for government agencies by learning from the experience of a study case agency. Moreover, this research specifically describes the new version of ISO 27001: 2013 and the addendum of risk management standards, and also presents and highlights the actions and concerns of government agencies in response to the implementation of Personal Data Protection Act. Such efforts shall benefit future researchers and new implementers to quickly understand the essentials of these topics.
This research finds that the critical success factors for introducing ISMS include: supports of executives, propaganda and promotion of information security policies, active participation of all employees, continuous audits and correction, provision of complete educational training, employment of staff with information security expertise, and selection of proper information security consultants. These factors are also key points of implementing ISMS for agencies.
In addition, this research identifies the following benefits of introducing and implementing ISMS: reduce risks of information leakage, increase defense ability for information warfare, protect classified and sensitive data of agencies, upgrade organizations’ protection level of internal information security, improve the stability and practicality of systems, improve organizations’ information management environment, maintain good reputations of agencies, increase the public’s support and confidence in government agencies, promote agencies’ correct information security concepts, and sustainable operations of agencies’ businesses. |
