Title | 組織導入BS7799後之資訊安全管理成效研究 = The Study of the Effectiveness of Information Security Management after Organizations Implement BS 7799 |
---|---|
Authors | 黃明達; 徐正 |
Journal | 資訊管理展望 |
Volume/Issue | 9:2, 2007.12 [Minguo 96.12] |
Pages | pp. 67-86 |
Classification no. | 312.76 |
Keywords | 資訊安全管理系統; BS7799; ISMS; Information security management system |
Language | Chinese |
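Chinese abstract | In Taiwan, 81 organizations had implemented the BS7799 information security management system as of April 2006. Recent related research has mainly examined single industries, individual domains, and case-study companies; empirical studies that analyze the effectiveness of BS7799 implementation across organizations in different industries and domains are still lacking. This study therefore examines the effectiveness of information security management after an ISMS (Information Security Management System) has been in place in an organization for some time, that is, the effectiveness of information security management after BS7799 is implemented. The study surveyed by questionnaire the 66 organizations in the Taiwan area of the Republic of China that, as of the end of December 2005, were registered with the international ISMS body and had passed BS7799 certification. It examines how effective information security management was after BS7799 implementation across different industries and different scopes of implementing departments. The results show: 1. after implementation, information security incidents decreased in 74% of the organizations; 2. every information security control domain improved in the organizations, with "information security policy", "business continuity management" and "physical and environmental security" showing the greater improvement, and control A5.1.2 in the "information security policy" domain showing the best improvement; 3. "information security incident management" and "information systems acquisition, development and maintenance" are the domains with comparatively lower improvement, which can serve as a reference for organizations implementing BS7799 in the future. |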
English abstract | As of May 2006, eighty-four organizations in Taiwan have implemented BS 7799 information security management systems. Related research in recent years mostly discusses the BS 7799 implementation issue in terms of one single industry field, a specific domain or individual cases. Studies that investigate the effectiveness of implementing an information security management system (ISMS) in organizations across different fields are lacking. This paper focuses on the across-the-field effectiveness after BS 7799 is implemented in organizations. Based on a survey of the sixty-six organizations in Taiwan which have registered in the international ISMS user group, this paper examines the diverse domains and controls in implementing BS 7799. The findings of this paper are as follows. In general, after organizations implement BS 7799, the information security events in seventy-four percent of these organizations have decreased. This shows that most organizations have improved their environment of information security. Furthermore, the organizations gain improvement in most control objectives, and become remarkably secure in the “security policy”, “business continuity management,” and “physical and environmental security” domains. In the “security policy” domain, implementing the A5.1.2 control achieves an outstanding effectiveness. Nevertheless, the outcome also reveals the lower implementing effectiveness in the “information security incident management” and “information systems acquisition, development and maintenance” domains. |
The Chinese and English abstracts in this system are taken from the content published with each article.