题名

A Preliminary Discussion on ISMS Certification Compliance: Based on the Specific Requirements for Management System Certification Bodies under the Cybersecurity Management Act Certification Scheme (original title: ISMS驗證合規初論:根基於管理系統驗證機構資通安全管理法驗證方案特定要求)

Parallel title (English)

A Preliminary Discussion on ISMS Certification Compliance: Based on the Specific Requirements of the Cybersecurity Management Law under the Management System Certification Bodies

Authors

樊國楨;羅德興;錢素英;蔡昀臻

Keywords

Certification; Information security management system (ISMS); Standardization; Vulnerability database; Zero trust network

Journal

電腦稽核

Issue / publication date

Issue 47 (2023/02/24)

Pages

44-83

Language

Traditional Chinese; English

Chinese abstract (translated)

With government agencies' growing emphasis on cybersecurity, the establishment of Taiwan's overall cybersecurity protection system and the improvement of its defensive capability have shown initial results. On 1 May 2022, the Taiwan Accreditation Foundation (TAF) implemented the "Specific Requirements for Management System Certification Bodies under the Cybersecurity Management Act Certification Scheme", promulgated in April 2022 (note: this is already provided for in Section 5.1 of ISO/IEC 27002:2022(E), i.e. Section A.1 of ISO/IEC 27001:2022(E)), opening a new chapter in the implementation and certification of Information Security Management Systems (ISMS) in Taiwan. On this basis, this paper takes the origins of ISMS certification described above, together with the implementation of the Vulnerability Alert and Notification System (VANS) and the Zero Trust Network (ZTN) under the work items "establishing a mechanism for proactive discovery, reporting and remediation of vulnerabilities in information and communication systems" and "improving the depth and breadth of defence of the Government Service Network" in the National Information and Communication Security Development Program (ROC years 110 to 113, i.e. 2021 to 2024), and discusses what ISMS certification compliance is and what it ought to be.

English abstract

With the government's emphasis on cybersecurity, the establishment of the national information security protection system and the growth of its protective capabilities have achieved initial results. On 1 May 2022 the Taiwan Accreditation Foundation (TAF) implemented the "Specific Requirements for Management System Certification Bodies on the Certification Scheme of the Cybersecurity Management Act", issued in April 2022 (for reference, see Section 5.1 of ISO/IEC 27002:2022(E), which is specified in Section A.1 of ISO/IEC 27001:2022(E)). These requirements open a new chapter in the implementation and certification of Information Security Management Systems (ISMS) in Taiwan. In this paper we discuss the necessity and the reality of ISMS certification compliance. Besides recounting the background of ISMS certification in Taiwan outlined above, we also examine the implementation of the Vulnerability Alert and Notification System (VANS) and the Zero Trust Network (ZTN) under the work items "establishing an active discovery, notification, and repair mechanism for information system vulnerabilities" and "improving the defense depth and breadth of the government Internet service network" of the National Communication and Information Security Development Plan.

Subject classification

Basic and Applied Sciences > Information Science
Cited by

1. 羅德興, 錢素英, 樊國楨, 陳韶薇 (2023). A Preliminary Discussion on the Standardization of the Specific Requirements of the Cybersecurity Management Act Certification Scheme: Based on the ISO/IEC 27001:2022(E) and ISO/IEC 27009:2020(E) Frameworks. 電腦稽核, 48, 24-60.