

    Please use this permanent URL to cite or link to this item: https://irlib.pccu.edu.tw/handle/987654321/27562


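    Title: 企業於資訊委外時考量資訊安全管理之探討
    A Study of Information Security Management in Enterprise Information Outsourcing
    Author: 罕耿光
    Contributor: Graduate Institute of Information Management, In-service Master's Program
    Keywords: Information security
    Information outsourcing
    Information security management
    Date: 2006
    Upload time: 2014-06-24 13:52:43 (UTC+8)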
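    Abstract: Enterprises can carry out information outsourcing through the "planning and preparation stage", the "vendor selection stage", the "contract execution and management stage" and the "operation and maintenance stage", but the importance of information security management is often overlooked. This study uses questionnaire interviews, taking "Information technology - Code of practice for information security management (CNS 17799)" as the basis for surveying the items that information personnel emphasize for information security when carrying out information outsourcing. Combining the questionnaire analysis data with the four stages of information outsourcing, this study finds that the information security management items and controls to emphasize at each stage are as follows. The "planning and preparation stage" includes information security policy. The "vendor selection stage" includes third-party access risks, security of third-party access, security requirements in third-party contracts, personnel screening and policy, physical security, cabling security, controls against malicious software, information backup, isolation of sensitive systems, key management and intellectual property rights. The "contract execution and management stage" includes maintenance of the information security policy, response to security incidents and malfunctions, user training, control of secure areas, protection against malicious software, information backup, data protection (identification of data access) and organizational records (maintenance of data forms). The "operation and maintenance stage" includes the ongoing maintenance of information security management. The results of this study can serve as a reference for enterprises when planning and evaluating information outsourcing.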
    Enterprise information outsourcing can proceed in 4 stages: stage 1, plan and preparation; stage 2, selecting vendor; stage 3, contract execution and management; stage 4, operation and maintenance. However, the importance of information security is usually forgotten.
    This study used questionnaires and interviews based on the standard Information Technology-Code of Practice (CNS 17799) to find what information security management focuses on in enterprise outsourcing.
    This study integrates the analysis results from the questionnaires with the 4-stage information technology outsourcing methodology. The results show the main points of information security best practice in each stage as follows:
    Stage 1, plan and preparation: information security policy.
    Stage 2, selecting vendor: identification of risks from third party access, identification of security from third party access, security requirements in third party contracts, personnel screening and policy, physical security perimeter, cabling security, controls against malicious software, information back-up, sensitive system isolation, key management and intellectual property rights (IPR).
    Stage 3, contract execution and management: review of information security policy, reporting security incidents, information security education and training, physical entry controls, defense against malicious software, information back-up, information protection and safeguarding of organizational records.
    Stage 4, operation and maintenance: business continuity management.
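    Appears in collections: [Department of Information Management and Graduate Institute of Information Management] Theses and Dissertations

    Files in this item:

    There are no files associated with this item.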



    All items in CCUR are protected by their original copyright.

