Title

A Preliminary Study on the Establishment and Responsibilities of the Chief Information Security Officer (資訊安全長之設置與責任初探)

Parallel Title

The Establishment and Responsibilities of Chief Information Security Officer

DOI

10.6868/HKLR.202306_(74).01

Author

Chi-Min Yu (余啓民)

Keywords

Digital Economy ; Information Security ; Information Security Risk ; Chief Information Security Officer ; Federal Information Security Management Act (FISMA) ; Cyber Security Management Act ; Financial Security Action Plan

Journal

Hwa Kang Law Review (華岡法粹)

Issue / Publication Date

Issue 74 (2023/06/01)

Pages

1-61

Language

Traditional Chinese; English

Chinese Abstract

The digital economy has become the centre of economic development in every country, and the COVID-19 pandemic has further driven industries of all kinds to compete in digital transformation; yet the rapid evolution of information and communication technology and the diverse uses of data have also made information security problems increasingly severe. Information security risk is now a major challenge to enterprise operations, but managing it involves many layers and considerations. Facing the threats that information security risk poses to enterprises, establishing a management mechanism that adequately addresses the relevant risks has become an important task in responding to information security risk. In this respect, only by setting up a "Chief Information Security Officer" and thereby linking information security risk with business management can an enterprise adequately judge the actual scope and degree of impact that an information security incident has on its operations. The United States "Federal Information Security Management Act" stresses the importance of the "Chief Information Security Officer" and has prompted major countries to adopt similar rules; Taiwan's "Cyber Security Management Act" is likewise the first statute to expressly require, at the level of law, the appointment of a "Chief Cyber Security Officer". For non-government agencies, the Financial Supervisory Commission proposed and then expanded the requirement to appoint a chief information security officer in the "Financial Security Action Plan" and "Financial Security Action Plan 2.0", promoting it in phases and by tiers. As personal data protection gains attention and raises the question of whether a chief privacy officer or personal data protection officer should be appointed, Taiwan may likewise draw on the appointment requirements for the chief information security officer and roll out such a mechanism step by step in a tiered manner, helping enterprises to pursue growth while effectively meeting the need to manage the information security risks that arise along the way.

English Abstract

The digital economy has become the focus of economic development in various countries. The COVID-19 epidemic has prompted all industries to invest in digital transformation. However, the rapid changes in information and communication technology, together with the multiple applications of data, have also aggravated information security issues. Information security risk has become a major challenge for current business operations, but its management involves many levels and considerations. Facing the threats brought by information security risks to enterprises, establishing a management mechanism that adequately responds to relevant risks has become an important task in dealing with information security risk issues. In particular, the question is whether and how an enterprise can link information security risks with business operations by setting up a "Chief Information Security Officer" in order to fully judge the actual scope and degree of impact of information security incidents on business operations. The Federal Information Security Management Act of the United States emphasizes the importance of the "Information Security Officer", and leading major countries have also formulated similar regulations. Taiwan's Cyber Security Management Act is the first to clearly stipulate the establishment requirements of the "Chief Information Security Officer" at the legal level. At the level of non-government agencies, the Financial Supervisory Commission proposed and expanded the requirements for setting up chief information security officers in the "Financial Security Action Plan" and "Financial Security Action Plan 2.0", and adopted a phased and hierarchical approach to promote them. When the issue of personal data protection is taken seriously and leads to discussions on whether to set up a privacy officer/personal data protection officer, our country can also refer to the requirements for the establishment of an information security officer and gradually promote this mechanism in a hierarchical manner. The establishment of an information security officer will gradually become an indispensable item in the operation of each enterprise, assisting enterprises to fully develop while effectively accommodating the management needs of information security risks that arise during the development process.

Subject Category

Social Sciences > Law
Cited By

  1. (2024). A brief analysis of the draft amendment to Taiwan's Cyber Security Management Act in light of developments in European and American cyber security law. 電腦稽核 (Computer Audit), 49, 39-55.