基於內容管理系統的資訊安全標準導入輔助系統 / A Content Management System Based Assistant for Implementing ISO Information Security Standard

彭應武, Peng, Ying-Wu

Unknown Date

隨著資訊科技日益普及，近年來資安事件仍層出不窮。行政院國家資通安全會報於94年5月，訂定「政府機關(構)資訊安全責任等級分級作業實施計畫」，針對各種資訊安全的潛在威脅，提出以建立管理機制並配合技術支援服務的方式，期能有效防護資訊資產，提昇資訊安全。其中管理面的具體措施為建構「資訊安全管理系統」（ISMS, Information Security Management System），並規範列屬資安責任等級為A或B級之機關，應在規定之期限內通過由第三方(third party)公正機構驗證符合資訊安全國際標準。根據行政院科技顧問組針對A、B級機關在2008年進行資安責任等級應辦事項調查顯示，B級機關在資安認證達成率只有43%，可見通過資安認證有其困難性。 本研究依據已通過資安認證的機關的經驗分享文獻，分析歸納導入ISMS所可能遭遇的主要問題，從而主張可以採用內容管理系統(CMS, Content Management System)的平台來協助組織導入ISMS。Drupal是一套結構簡單且具高擴展性模組化的開放源碼內容管理系統，不僅容易在其平台上建立客製化的應用系統，且有大量的社群可提供技術支援，故本研採用Drupal建置輔助系統，方便組織在導入符合國際標準的ISMS(如ISO 27001)時，可以集中管理各類相關資訊，評定資產價值，計算風險值，並提供組織申請ISO驗證時作為部份佐證資料的集中管理。 / As information technology is widely used in our daily work and life, incidents of information security also occurs from time to time. In May of 2005, the National Information & Communication Security Taskforce of R.O.C. instituted “The operational plan for classifying the information security duty grade of the government agencies”. The plan demands government agencies to establish technological support services along with management mechanisms for all potential security threats to provide effective information security management. In addition, all agencies whose security grade belongs to the A or B levels must pass the third party certification for ISO Information Security Standard within a specific deadline. However, as shown in the investigation report released by the government technology advisors in 2008, the achievement rate for information security certification on grade B government agencies is only 43%. Therefore, it is perceived that there are some difficulties in passing the information security certification This thesis analyzes and summarizes the main difficulties that organizations may encounter when establishing an ISMS by following the international IS standard ISO 27001. The analysis results show that document management is a key issue. Therefore, we claim that a content management platform is a good foundation to build an assistant for an organization to establish its ISMS. To demonstrate our proposal, we choose the open source content management platform, Drupal, to set up such an assistant. By fully utilizing the simpler yet extensible structures provided Drupal, we build up an assistant system that facilitates an organization to manage all related documents centrally, to assess asset values and calculate risk values by following the ISO 27001 information security international standard. These facilities will give the organization a very strong evidence of employing a centralized information security management system when applying for ISO certification

內容管理系統

資訊安全管理系統

CMS

ISMS

ISO 27001

Drupal