Abstract: Information security management is a management issue that can no longer be ignored. Its core aim is to identify an organization's important information assets and the threats they face, and then, with resources allocated effectively, to plan reasonable control measures that reduce risk to an acceptable level. This is an information security risk management process; management should concentrate on protecting the organization's confidential data rather than on every channel through which data is accessed, since the latter wastes the enterprise's resources and blurs its focus. Many of the information security incidents that have occurred at home and abroad in recent years stem from the lack of such a risk management mechanism. As an enterprise grows in scale, it must protect its intellectual property and confidential data through information security policies and management measures, and the units that use the data must have the security awareness to use company resources properly, managing and using the company's information assets effectively through rules, systems, and access control.

This study takes the BS7799 international security standard as its basis and uses a printed circuit board manufacturer (Company A) as a case study. Drawing on the case company's records, interviews with senior management, and historical experience, and with reference to domestic and foreign literature, it examines the company's operating conditions, its information security problems and their impact, and then the improvement measures and their concrete results, in order to show the importance of information security and to understand the differences before and after the information security framework was established.

Finally, information security management is an ongoing undertaking. Although many enterprises have already established information security policies, they still cannot avoid many information security incidents; the reason is that they underestimate the importance of security management and fail to keep it up to date. In view of this, the study recommends that enterprises continually identify and act on areas that need improvement, and keep updating their information security plans to meet the security requirements of each period.