English Abstract
Many information-system incidents stem from imperfect protection of information assets. Because complete protection is expensive, and often impossible, security measures should be applied where they are most needed in terms of cost and time. By classifying information assets and assessing their risks, we can learn the degree of risk each asset carries and make better decisions about security measures. Owing to confidentiality policies, research reports on the risk assessment of information assets are rarely made public. In this research we classified the information assets of a financial institution and assessed their risks. Because the institution is one of the major banks in Taiwan, the results should be representative. The Delphi method was adopted, and the questionnaires were designed on the basis of the information security management guidelines in BS 7799-1:2000, BS 7799-2:2002 and ISO/IEC TR 13335. In total, 24 information assets subject to security breaches were chosen for risk assessment, and 7 experts in information security and computer auditing were invited to answer questionnaires on the current value of each asset, its possible threats and vulnerabilities, and its degree of risk. Risks are expressed as low, medium or high on a 10-degree risk scale. The results show that one item, the core router, carries medium risk, while all the others are of low risk. We also made suggestions for enhancing the security measures of every asset with a risk degree greater than or equal to 2. Since little has been published on the classification of information assets and the assessment of their risks in the financial sector, the results of this study are of practical value.
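The abstract describes the procedure only in outline: a panel of experts rates each asset's value, threat and vulnerability, the answers are combined into a risk degree on a 10-degree scale, the degree is banded as low/medium/high, and every asset at degree 2 or above receives recommended measures. The following is an added example of how such a Delphi-style aggregation can be implemented; it is not code from the thesis. It assumes (the page does not say) the additive matrix approach of ISO/IEC TR 13335-3, where each factor is rated 0..3 and the risk degree is their sum (0..9, i.e. 10 degrees), assumed band edges of low 0..3, medium 4..6, high 7..9, a median-plus-interquartile-range consensus test for the panel, and constructed ratings for three hypothetical assets.

```python
"""Delphi-style aggregation of expert risk ratings for an asset register.

Added example; the scoring scheme, band edges and ratings are assumptions,
not the thesis's own method or data.
"""
from dataclasses import dataclass
from statistics import median

SCALE_MAX = 3  # each factor is rated on an ordinal 0..3 scale (assumption)


@dataclass(frozen=True)
class Rating:
    """One expert's questionnaire answer for one asset (constructed data)."""
    expert: str
    value: int   # current value of the asset, 0 (negligible) .. 3 (critical)
    threat: int  # likelihood of the threat, 0 .. 3
    vuln: int    # ease with which the vulnerability can be exploited, 0 .. 3


def risk_degree(value: int, threat: int, vuln: int) -> int:
    """Additive matrix value: asset value + threat + vulnerability, 0..9.

    TR 13335-3 style matrix approach (assumed; the thesis's own 10-degree
    scale is not specified on the page). Out-of-range answers are rejected
    rather than silently clipped, so a mistyped questionnaire is noticed.
    """
    for name, x in (("value", value), ("threat", threat), ("vuln", vuln)):
        if not 0 <= x <= SCALE_MAX:
            raise ValueError(f"{name}={x} outside 0..{SCALE_MAX}")
    return value + threat + vuln


def risk_band(degree: int) -> str:
    """Map a 0..9 degree onto low/medium/high (band edges are assumed)."""
    if degree <= 3:
        return "low"
    if degree <= 6:
        return "medium"
    return "high"


def _hinge_iqr(values) -> float:
    """Interquartile range using Tukey hinges (well defined for small panels)."""
    s = sorted(values)
    n = len(s)
    if n < 2:
        return 0.0
    lower = s[: n // 2]
    upper = s[(n + 1) // 2:]
    return float(median(upper) - median(lower))


def aggregate(ratings, max_iqr: float = 1.0) -> dict:
    """Combine one panel's ratings for one asset.

    The panel degree is the median (robust to a single outlying expert);
    consensus, as in a Delphi round, is declared when the IQR is small.
    Assets without consensus would go back to the panel for another round.
    """
    degrees = [risk_degree(r.value, r.threat, r.vuln) for r in ratings]
    deg = int(round(median(degrees)))
    iqr = _hinge_iqr(degrees)
    return {"degree": deg, "band": risk_band(deg), "iqr": iqr,
            "consensus": iqr <= max_iqr}


def assess_register(register: dict, threshold: int = 2):
    """Return (per-asset results, sorted names of assets needing measures).

    `threshold` mirrors the abstract: measures are suggested for degree >= 2.
    """
    results = {name: aggregate(rs) for name, rs in register.items()}
    flagged = sorted(n for n, r in results.items() if r["degree"] >= threshold)
    return results, flagged


# Constructed panel answers for three hypothetical assets (not the thesis's data).
REGISTER = {
    "core router": [
        Rating("E1", 3, 2, 1), Rating("E2", 3, 1, 1),
        Rating("E3", 3, 2, 0), Rating("E4", 2, 2, 1),
    ],
    "branch teller PC": [
        Rating("E1", 1, 1, 0), Rating("E2", 1, 0, 1),
        Rating("E3", 1, 1, 1), Rating("E4", 0, 1, 0),
    ],
    "public web brochure": [
        Rating("E1", 0, 0, 1), Rating("E2", 0, 1, 0),
        Rating("E3", 0, 0, 0), Rating("E4", 0, 0, 1),
    ],
}

if __name__ == "__main__":
    results, flagged = assess_register(REGISTER)
    for name, r in results.items():
        print(f"{name:22s} degree={r['degree']} band={r['band']:6s} "
              f"iqr={r['iqr']:.1f} consensus={r['consensus']}")
    print("assets needing additional measures:", flagged)
```

With the constructed ratings the core router comes out at degree 5 (medium) and the teller PC at degree 2 (low but still above the abstract's threshold), so both are flagged while the public brochure is not; the IQR column is what a Delphi facilitator would inspect before deciding whether a further questionnaire round is needed.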
References

- 瞿鴻斌 (2004). Master's thesis, 世新大學資訊管理研究所 (Graduate Institute of Information Management, Shih Hsin University).
- British Standards Institution (2000). Specification for Information Security Management Systems. BSI.
- British Standards Institution (2000). Code of Practice for Information Security Management. BSI.
- Budgen, P. J. (1992). Why risk analysis? IEE Colloquium on Risk Analysis Methods and Tools.
- Chapple, A., & Rogers, A. (1998). Explicit guidelines for qualitative research: A step in the right direction, a defence of the soft option, or a form of sociological imperialism? Family Practice, 15(6), 556-561.
- de Meyrick, J. (2003). The Delphi method and health research. Health Education, 103(1), 7-16.
- Dhaliwal, J. S., & Tung, L. L. (2000). Using group support systems for developing a knowledge-based explanation facility. International Journal of Information Management, 20(2), 131-149.
- Fink, D. (1995). IS security issues for the 1990s: Implications for management. Journal of Systems Management, 46(2), 46-49.
- Fowles, J. (1976). An overview of social forecasting procedures. Journal of the American Institute of Planners, 42(3), 253-263.
- Gallagher, M., Hares, T., Spencer, J., Bradshaw, C., & Webb, I. (1993). The nominal group technique: A research tool for general practice? Family Practice, 10(1), 76-81.
- Goldman, A. E., & McDonald, S. S. (1987). The Group Depth Interview: Principles and Practice. Englewood Cliffs, NJ: Prentice Hall.
- Grant, J. S., & Kinney, M. R. (2008). Using the Delphi technique to examine the content validity of nursing diagnoses. International Journal of Nursing Terminologies and Classifications, 3(1), 12-22.
- Greenhalgh, T., & Taylor, R. (1997). Papers that go beyond numbers (qualitative research). British Medical Journal, 315(7110), 740-743.
- Groom, P. D. (2003). The IT security model. IEEE Potentials, 22(4), 6-8.
- Gupta, U. G., & Clarke, R. E. (1996). Theory and applications of the Delphi technique: A bibliography (1975-1994). Technological Forecasting and Social Change, 53(2), 185-211.
- Harris, S. J. (1996). Proactive service management: Leveraging telecom information assets for competitive advantage. IEEE Network Operations and Management Symposium.
- Hoddinott, P., & Pill, R. (1997). A review of recently published qualitative research in general practice: More methodological questions than answers. Family Practice, 14(4), 313-319.
- Hogganvik, I., & Stølen, K. (2005). Risk analysis terminology for IT-systems: Does it match intuition? 2005 International Symposium on Empirical Software Engineering.
- Iheagwara, C. (2003). More effective risk assessment: Using cascading threat multipliers for assessing intrusion detection systems in complex infrastructures. Computer Security Journal, 19(2), 8-20.
- ISO/IEC (1996). TR 13335-1. Information technology - Guidelines for the management of IT security - Part 1: Concepts and models for IT security.
- ISO/IEC (1997). TR 13335-2. Information technology - Guidelines for the management of IT security - Part 2: Managing and planning IT security.
- ISO/IEC (1998). TR 13335-3. Information technology - Guidelines for the management of IT security - Part 3: Techniques for the management of IT security.
- ISO/IEC (2000). TR 13335-4. Information technology - Guidelines for the management of IT security - Part 4: Selection of safeguards.
- ISO/IEC (2001). TR 13335-5. Information technology - Guidelines for the management of IT security - Part 5: Management guidance on network security.
- ISO/IEC (2002). TR 17944. Banking - Security and other financial services - Framework for security in financial systems.
- Jones, R. (1995). Why do qualitative research? British Medical Journal, 311(6996), 2.
- Kuo, N. W., & Yu, Y. H. (1999). Policy and practice: An evaluation system for national park selection in Taiwan. Journal of Environmental Planning and Management, 42(5), 735-745.
- Liebowitz, J. (1999). Key ingredients to the success of an organization's knowledge management strategy. Knowledge and Process Management, 6(1), 37-40.
- Malterud, K. (2001). Qualitative research: Standards, challenges, and guidelines. The Lancet, 358(9280), 483-488.
- Mendoza, G. A., & Prabhu, R. (2000). Development of a methodology for selecting criteria and indicators of sustainable forest management: A case study of participatory assessment. Environmental Management, 26(6), 659-673.
- Munier, F., & Rondé, P. (2001). The role of knowledge codification in the emergence of consensus under uncertainty: Empirical analysis and policy implications. Research Policy, 30(9), 1537-1551.
- NIST (2001). Risk Management Guide for Information Technology Systems (Special Publication 800-30). National Institute of Standards and Technology.
- Pasukeviciute, I., & Roe, M. (2001). The politics of oil in Lithuania: Strategies after transition. Energy Policy, 26(3), 383-397.
- Perna, J. (1995). Leveraging the information asset. Proceedings of the 1995 ACM SIGMOD International Conference on Management of Data.
- Powell, R., & Single, H. (1996). Methodology matters - V: Focus groups. International Journal for Quality in Health Care, 8(5), 499-504.
- Rodriguez-Diaz, A. J. (2000). Globalisation and technology management in the Mexican food industry. Industrial Management and Data Systems, 100(9), 430-435.
- Rowe, G., & Wright, G. (1999). The Delphi technique as a forecasting tool: Issues and analysis. International Journal of Forecasting, 15(4), 353-375.
- Saunders, C. S., & Jones, J. W. (1992). Measuring performance of the information systems function. Journal of Management Information Systems, 8(4), 63-82.
- Vorster, A., & Labuschagne, L. (2005). A framework for comparing different information security risk analysis methodologies. Proceedings of the 2005 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries (SAICSIT 2005).
- Ward, S. C. (1999). Assessing and managing important risks. International Journal of Project Management, 17(6), 331-336.
- 王秀文 (2005). Master's thesis, 國立交通大學資訊管理研究所 (Graduate Institute of Information Management, National Chiao Tung University).
- 吳俊儀 (2005). Doctoral dissertation, 國立成功大學工業與資訊管理研究所 (Graduate Institute of Industrial and Information Management, National Cheng Kung University).
- 林耀垣 (2004). Master's thesis, 國立東華大學企業管理學系 (Department of Business Administration, National Dong Hwa University).
- 張芳珍 (2005). Master's thesis, 國立中央大學資訊管理研究所 (Graduate Institute of Information Management, National Central University).
- 陳志誠, & 吳宗成 (Eds.) (2003). 電子商務安全 [E-Commerce Security]. Taipei: 國科會科資中心 (Science and Technology Information Center, National Science Council).
- 陳志誠, & 許派立 (2006). 資訊資產分類管理與控制之研究-以金融業者為例 [A study of the classification, management and control of information assets: The case of the financial industry]. 資訊管理暨電子商務經營管理研討會 (Conference on Information Management and E-Commerce Management).
- 劉智敏 (2004). Master's thesis, 國立臺北大學企業管理學系 (Department of Business Administration, National Taipei University).
- 鄭年華 (2004). Master's thesis, 輔仁大學資訊管理研究所 (Graduate Institute of Information Management, Fu Jen Catholic University).
- 蕭吉宏 (2005). Master's thesis, 元智大學資訊管理研究所 (Graduate Institute of Information Management, Yuan Ze University).