Abstract: Because of the high degree of informatization and digitalization, enterprises of all sizes rely on information technology to improve their efficiency, so information security has become an important issue. At the same time, however, computer criminals keep developing their techniques, and news of data theft and of damage to information systems or environments emerges in an endless stream. Nevertheless, most small and medium-sized enterprises (SMEs) have not adopted security certification because of budget or cost-benefit considerations. To address the information security needs and management of SMEs, this thesis aims to combine an enterprise's IT services with security standards through the ITIL V3 methodology, to plan an integrated ISMS suited to SMEs, and to apply these controls effectively to achieve the goal of information security.
ISO 27001, BS 10012 and the articles of the Personal Information Protection Act are compared and analyzed against control objectives and controls to produce an integrated set of security requirements. ISO 27001 and ITIL V3 are also analyzed to study how the controls of ISO 27001 can be combined with the management processes of ITIL V3; finally, an integrated ISMS architecture is proposed that applies the ISMS to the enterprise as a service.
The integrated ISMS has four stages. Through an actual case, this study presents in full the elements needed in the whole implementation process, showing the detailed planning from enterprise policy to IT strategy, and from enterprise processes to IT services and IT systems. This implementation process can serve as a model for enterprises building their own ISMS, which is the ultimate purpose of this study.
Because of the high degree of informatization and digitalization, enterprises, regardless of size, rely on information technology to improve their efficiency. Information security has therefore become an important topic today. At the same time, however, computer criminals continually develop their techniques, and news of data theft and of damage to information systems or environments emerges in an endless stream. Most small and medium-sized enterprises do not adopt security certification because of budget or cost-benefit considerations. To address the information security needs and management of small and medium-sized enterprises, this thesis integrates an enterprise's IT services and security standards through the ITIL V3 methodology and plans an integrated ISMS that conforms to the requirements of small and medium-sized enterprises, in order to make effective use of these controls to achieve the purpose of information security.
ISO 27001, BS 10012 and the clauses of the Personal Information Protection Act are compared and analyzed against control objectives and controls, which results in an integrated set of security requirements. At the same time, ISO 27001 and ITIL V3 are analyzed to study how the management processes of ITIL V3 can be combined with the controls of ISO 27001. An integrated ISMS structure is ultimately proposed and applied in the enterprise as a service concept.
The integrated ISMS has four stages. Through an actual case, this research presents in full the elements required by the entire implementation procedure. It also shows how the work proceeds from enterprise policies to IT strategies, from enterprise processes to IT services, and further to detailed plans for IT systems. This implementation procedure provides an example for enterprises establishing an ISMS by themselves, which is also the ultimate purpose of this research.