This study examines self-assessment of an information security management system (ISMS) based on CNS 27001. Taking the credit card information department of a bank as a case, it administers a questionnaire survey, analyses the data quantitatively, and derives a self-assessment model for information security management.
Based on the general and detailed clauses listed in CNS 27001, two rounds of questionnaires were prepared and administered within the bank. The first questionnaire collected the importance weight of each CNS 27001 item within the bank, together with the weight of each participating assessor. Using these data, the original CNS 27001 items were screened, retaining most of the items closely related to the bank's business, and the second questionnaire was prepared. The weights of each item and the related textual information were then collected.
The data were then presented in tables and figures and analysed quantitatively. From the resulting conclusions, recommendations are offered for the bank's future information security development and management.
At the same time, the two-round questionnaire method proposed here can be applied, together with the CNS 27001 clauses, to organizations of all types. Throughout the study, the importance weight of each CNS 27001 clause within the organization and the weight of each assessor in information security matters were fully taken into account, giving the model a high degree of specificity: it both evaluates the bank's internal information security level effectively and reduces the cost of establishing the security system.
This research is a study of information security management self-evaluation based on CNS 27001. The research took place in the credit card information department of a bank, used as an example. A questionnaire survey was carried out, the data were analysed quantitatively and qualitatively, and a self-evaluation model for information security management was obtained.
In this research, on the basis of the general principles and rules listed in CNS 27001, two rounds of questionnaires were carried out in the bank. In the first questionnaire, the importance weight of each CNS 27001 item within the bank was collected, together with the weights of the participating scorers. Based on these data, the original CNS 27001 entries were screened, the majority of the items were retained, and the second questionnaire was prepared. The weights of each item and the related textual information were then collected.
Subsequently, this paper presents the data in charts and graphs and carries out a qualitative and quantitative analysis. From the conclusions, it provides suggestions for the bank's future information security and management.
At the same time, the two-round questionnaire method proposed in this paper can be applied, within the CNS 27001 regulations, to various types of social organizations. In the course of the study, full consideration was given to the importance weight of each CNS 27001 regulation within the organization and to the weight of each participating person in information security affairs, which gives the model a high degree of pertinence. It both evaluates the bank's internal information security standards effectively and saves the cost of establishing the security system.
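The two-round weighting scheme described in both abstracts above (round 1: assessor weights and per-item importance weights, used to screen the CNS 27001 items; round 2: scoring of the retained items, aggregated into a self-assessment result and recommendations) can be made concrete in code. The following Python block is an added illustration, not code from the thesis, and the thesis does not state its exact aggregation formulas. It assumes a weighted-mean aggregation over assessors, a fixed importance threshold for screening, an importance-weighted maturity index normalized to 0..1, and a gap ranking of importance multiplied by remaining maturity headroom; all numeric data, assessor roles and evaluator weights are constructed, and the item labels follow the ISO/IEC 27001:2005 Annex A numbering that CNS 27001 mirrors, used here only as illustrative names.

```python
"""Two-round weighted self-assessment of ISMS control items (illustrative example).

Round 1: every assessor rates how important each control item is to the business;
         assessor opinions are combined with per-assessor weights, and items whose
         weighted importance falls below a threshold are screened out.
Round 2: every assessor scores the maturity of each retained item; the weighted
         maturity per item, an overall index, and a prioritized gap list are derived.
All data below are CONSTRUCTED sample values, and the formulas are assumptions.
"""
from typing import Dict, List, Tuple

MAX_IMPORTANCE = 5  # round-1 scale: 1 (irrelevant to the business) .. 5 (critical)
MAX_MATURITY = 4    # round-2 scale: 0 (control absent) .. 4 (implemented and measured)
IMPORTANCE_THRESHOLD = 3.0  # assumed cut-off for keeping an item in round 2

# Constructed assessor weights: seniority/role in information security matters.
EVALUATOR_WEIGHTS: Dict[str, float] = {"ciso": 0.5, "card_ops_lead": 0.3, "auditor": 0.2}

# Constructed round-1 importance ratings per item per assessor (labels are illustrative).
ROUND1_IMPORTANCE: Dict[str, Dict[str, int]] = {
    "A.5 Security policy":       {"ciso": 5, "card_ops_lead": 4, "auditor": 5},
    "A.7 Asset management":      {"ciso": 2, "card_ops_lead": 1, "auditor": 2},
    "A.11 Access control":       {"ciso": 4, "card_ops_lead": 4, "auditor": 3},
    "A.14 Business continuity":  {"ciso": 3, "card_ops_lead": 3, "auditor": 3},
}

# Constructed round-2 maturity scores; only retained items are scored.
ROUND2_MATURITY: Dict[str, Dict[str, int]] = {
    "A.5 Security policy":       {"ciso": 3, "card_ops_lead": 2, "auditor": 4},
    "A.11 Access control":       {"ciso": 4, "card_ops_lead": 4, "auditor": 4},
    "A.14 Business continuity":  {"ciso": 1, "card_ops_lead": 2, "auditor": 1},
}


def normalize(weights: Dict[str, float]) -> Dict[str, float]:
    """Scale assessor weights so they sum to 1 (tolerates un-normalized input)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("assessor weights must sum to a positive number")
    return {k: v / total for k, v in weights.items()}


def weighted_score(ratings: Dict[str, int], evaluator_weights: Dict[str, float]) -> float:
    """Weighted mean of one item's ratings over the assessors who rated it."""
    w = normalize({e: evaluator_weights[e] for e in ratings})  # re-normalize over responders
    return sum(w[e] * ratings[e] for e in ratings)


def weighted_importance(round1: Dict[str, Dict[str, int]],
                        evaluator_weights: Dict[str, float]) -> Dict[str, float]:
    """Round 1: importance weight of every CNS 27001 item within the organization."""
    return {item: weighted_score(r, evaluator_weights) for item, r in round1.items()}


def select_items(importance: Dict[str, float], threshold: float = IMPORTANCE_THRESHOLD) -> List[str]:
    """Screen the item list: keep items at or above the threshold, most important first."""
    kept = [i for i, v in importance.items() if v >= threshold]
    return sorted(kept, key=lambda i: importance[i], reverse=True)


def assess(round2: Dict[str, Dict[str, int]], retained: List[str],
           evaluator_weights: Dict[str, float]) -> Dict[str, float]:
    """Round 2: weighted maturity per retained item (unscored retained items raise an error)."""
    missing = [i for i in retained if i not in round2]
    if missing:
        raise ValueError(f"retained items without round-2 scores: {missing}")
    return {item: weighted_score(round2[item], evaluator_weights) for item in retained}


def overall_index(maturity: Dict[str, float], importance: Dict[str, float]) -> float:
    """Importance-weighted maturity, normalized to 0..1 (1 = every retained item fully mature)."""
    num = sum(importance[i] * maturity[i] for i in maturity)
    den = sum(importance[i] for i in maturity) * MAX_MATURITY
    return num / den


def prioritized_gaps(maturity: Dict[str, float],
                     importance: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank items for remediation: importance x remaining maturity headroom, largest first."""
    gaps = [(i, importance[i] * (MAX_MATURITY - maturity[i])) for i in maturity]
    return sorted(gaps, key=lambda t: t[1], reverse=True)


def run_example() -> dict:
    """Run both rounds on the constructed data and return every intermediate result."""
    importance = weighted_importance(ROUND1_IMPORTANCE, EVALUATOR_WEIGHTS)
    retained = select_items(importance)
    maturity = assess(ROUND2_MATURITY, retained, EVALUATOR_WEIGHTS)
    return {
        "importance": importance,
        "retained": retained,
        "maturity": maturity,
        "index": overall_index(maturity, importance),
        "gaps": prioritized_gaps(maturity, importance),
    }


if __name__ == "__main__":
    result = run_example()
    for item, v in result["importance"].items():
        print(f"{item:28s} importance={v:.2f}")
    print("retained:", result["retained"])
    for item, v in result["maturity"].items():
        print(f"{item:28s} maturity={v:.2f}")
    print(f"overall index: {result['index']:.3f}")
    print("remediation priority:", [(i, round(g, 2)) for i, g in result["gaps"]])
```

Re-normalizing the assessor weights over the people who actually answered (in `weighted_score`) keeps an item's score meaningful when one assessor skips a question, and the explicit error in `assess` catches the common data-handling mistake of carrying a screened-in item into round 2 without scoring it.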