

    Please use this permanent URL to cite or link to this document: https://irlib.pccu.edu.tw/handle/987654321/53291


    Title: A Preliminary Study on the Information Security Management and Supervision Mechanism of Government Agencies – Using Institutional Theory
    Original title: 政府機構資訊安全管理監管機制初探 – 採用制度理論
    Author: 林欣慧
    Contributor: Department of Information Management, In-service Master's Program
    Keywords: Institutional Theory; Literature Analysis; In-depth Interview; Supervision Mechanism
    Date: 2024
    Upload time: 2024-03-21 12:58:31 (UTC+8)
    Abstract: After nearly two decades of development and legislative regulation, most government departments have introduced an Information Security Management System (ISMS). Under the "Information Security Management Law", our country implements information security maintenance plans and appoints a chief information security officer, who is responsible for promoting and supervising information and communication security matters within the agency. Routine annual internal and external audits are used to ensure that the established information security management system is actually implemented.
    Household registration offices now follow the information security management system and rely on routine annual internal information security audits to ensure that the established system is actually implemented. At present, information security auditing in government agencies is mainly the responsibility of the information department, which periodically inspects the agency's information security management system and submits deficiency reports after discovering information security risk issues. The audit standards are mainly determined by the personnel who handle information and communication business and their unit supervisors themselves, so the audit is often reduced to a review of documents and lacks the participation of other departments, which can easily lead others to doubt how the audit is actually carried out. The motivation of this study is therefore to draw on the evidence and objective evaluation of information security audits, and to use literature analysis and in-depth interviews to form an information security management team, collect the opinions of the personnel who take part in audits, and develop an effective information security management supervision mechanism that prevents information security audits from becoming a formality while helping management continuously improve its methods of supervising and managing information and communication security.
    Household registration offices use the information security audit mechanism to review how information security work is carried out, with the aim of implementing the information security management system. However, the study found that employees' weak awareness of information security risks and the lack of experienced, professional information security technical personnel are the weak points of information security protection in the agency studied. The lack of practical training, employees' inability to appreciate the importance of information security awareness promotion to the agency, the problem of obtaining too little threat intelligence or obtaining it too slowly, and leaks of official data that damage the agency's image, paralyze internal systems and affect information security work are all reasons why the information security management system cannot be properly implemented. The biggest vulnerability in information security is therefore not system development or network technology, but people! The PDCA model is used to continuously improve the information security management system, and continuous evaluation and updating ensure that the system keeps pace with the times, thereby raising the importance that society as a whole attaches to information security.
    In the past, the process by which the institutional culture of government agencies forms has rarely been examined from a theoretical standpoint. It is recommended that scholars interested in qualitative research methods analyze the information security management and supervision systems of different government agency systems from different theoretical perspectives. Only by understanding how the institutions of different systems are formed can a strong culture of information security awareness be promoted and cultivated among the general public.
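    Appears in collections: [Department of Information Management and Graduate Institute of Information Management] Theses and Dissertations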
