Critical Success Factors for Implementing BS7799 Information Security Management System-Based on Petrochemical Industry

Authors: Shi-Ming Huang (黃士銘); She-I Chang (張碩毅); Keng-Hung Su (蘇耿弘)

Keywords: BS7799; ISO17799; Information Security Management; Critical Success Factors; Petrochemical Industry

Vol. 13, No. 2 (2006/04/01)

pp. 171-192

With the development of electronic transactions, information security has gradually gained the attention of enterprises. BS 7799 was established by the British Standards Institution (BSI) in 1995; an enterprise that meets the requirements of BS 7799 and passes assessment by an independent audit body is awarded BS7799 information security certification. It can then declare to its customers and partners that the data concerning them on the enterprise's network is appropriately protected and that the overall security of the enterprise is trustworthy. Many petrochemical companies abroad have established supply chain systems and electronic marketplaces in order to reduce transaction costs, track market trends and exchange market information. In Taiwan, the Industrial Development Bureau of the Ministry of Economic Affairs has promoted the "Petrochemical Industry e-Business Standards Promotion Plan", actively assisting firms in building electronic production and sales systems to respond to the international trend toward electronic transactions. In addition, to monitor production status and plant operations in real time, petrochemical firms use networking, control interfaces and data acquisition technologies to integrate process control information with management information systems, which brings great convenience to management. Correspondingly, however, the risks caused by information security problems become more serious: because petrochemical raw materials and products are mostly flammable, the impact is not only information and economic loss but, in serious cases, public safety problems, so information security in the petrochemical industry deserves even more attention. Based on BS 7799, this study surveys information security issues and the current situation in Taiwan's petrochemical industry to understand the industry's information security status and its variation, and uses discriminant analysis to identify the critical success factors affecting the adoption of information security management mechanisms in the petrochemical industry. The study finds that the critical success factors are security protection, information security skills, suppliers, laws and regulations, competitive pressure, business partner influence, security incident handling, employee participation, degree of computerization, top management support, organization size and degree of security risk.


With the rapid development of electronic commerce, maintaining information security in order to protect information assets is a key concern for every enterprise today. BS7799, administered by the British Standards Institution (BSI) since 1995, is a comprehensive standard for implementing effective information security, and is by far the most appropriate approach to best practices in information security management. By gaining BS7799 certification, companies can assure customers and partners that the data kept on the enterprise network is secure and that the overall security of the enterprise is trustworthy. In the Taiwanese petrochemical manufacturing industry, many companies try to minimize costs and reach their gross profit margin targets by implementing e-commerce and applying vendors' supply chain management technology. The purpose of this study is to explore the critical success factors for implementing an information security management system in the petrochemical industry. The results reveal that information security protection, information security skills, suppliers, industry regulations, competitive pressure, interdependence among business partners, occupational health and safety practice, degree of computerization, top management support, organization size and risk tolerance are crucial to the success of implementing the business electronically.

Subject classification: Basic and Applied Sciences > Information Science; Social Sciences > Management