大型企業資訊安全實務研究 / A Research into Information Security Case Study of Large-Scale Firms

金慶柏, Chin,Robert CP

Unknown Date

本研究主要在探討大型企業的資訊安全案例。在二十一世紀的今天，資訊系統及電腦資產對組織的成功更加重要，所以務必防止它們遭受遺失、竄改或毀滅的風險。資訊安全是保護資料、資訊遭受意外或有意的誤用的一種過程，不論是被組織內或組織外的人，包括員工、外包的顧問或網路上的駭客。資訊安全是組織中很策略的一環，不光是也不應是資訊部門一己的責任。 依據Datamonitor的估計，美國企業一年在資訊安全漏洞上至少損失美金一百五十億元。根據電腦安全學院（Computer Security Institute, CSI）及聯邦調查局（Federal Bureau of Intelligence, FBI）2004年的問卷調查顯示百分之四十九的企業曾發生個人電腦失竊的案例。依據IronPort的估計，一年前每年約有三百億封垃圾郵件，現在則激增至五百五十億封垃圾郵件。時至今日，對於資訊安全的主要威脅不是來自於組織外的駭客、病毒或蠕蟲，而是組織內的個人。不論組織內的個人是有意或無意地違反資訊安全的政策和規定，其後果可能相當嚴重，小至組織形象受損、業務損失，大至官司纏身或巨額罰款。 根據紐約時報2006年的報導：臺灣的高科技公司佔有全球半導體晶圓專工產業百分之七十的市佔率，百分之四十的半導體封裝市場，百分之五十的半導體測試市場，百分之八十的電腦主機板市場，百分之七十二的筆記本電腦代工市場，百分之六十八的LCD螢幕市場。我們如何繼續保持在全球市場上的領先地位？我們仍然得繼續在研究發展、生產製造及全球運籌上加碼投資。然而，在全球經濟之下，如何透過執行一套安全的、全球的及穩定的資訊網路及基礎架構以提供客戶更好的服務更是必要的。 對每一位資訊長或資安長而言，資訊安全永遠是他最關心的前三大議題之一。資訊安全當然是說比做容易，正確導入與永續執行才是根本。花錢購買資訊安全設備是相對簡單的。知道要保護什麼，如何保護以及要控制什麼就沒有那麼簡單了。在真實的商業世界裡，基於家醜不外揚，鮮有公司願意分享或公佈它資訊安全上的弱點及缺點。本論文的主要目的有二：一是研究業界最新的資訊安全標準及資訊安全供應商的看法，例如： 1. 國際標準組織（International Standard Organization, ISO）17799。 2. 英國標準組織（British Standard Institute, BS）7799。 3. 國際商業機器股份有限公司（International Business Machines, IBM）的資訊安全計劃。 4. 惠普股份有限公司（HP）及Information Security System公司的資訊安全稽核機制。 5. 微軟股份有限公司（Microsoft）。 二是提供一些真實的成功案例以提供給其他有興趣的組織作為參考。從結論發現，我們可藉由改善核心業務流程，去建造新的資訊安全系統，去運營一個可長治久安的實體與虛擬的環境，並強化公司的知識管理及傳承 / In the twenty-first century, information system and computing assets are more critical to organization’s success, and as a result, must be protected from loss, modification or destruction. Information security is the process of protecting data / information from accidental or intentional misuse by person inside or outside of an organization, including employee, consultants, and hackers. Information security is a strategic part of an organization, not just the issue of Management Information System, MIS, or Information Technology, IT, department. According to “Datamonitor”, US$ 15 billion, at least, cost of information security breaches to United States businesses in one year. From the survey of Computer Security Institute, CSI, and Federal Bureau of Intelligence, FBI, in 2004, 49% of companies experienced notebook Personal Computer theft. According to IronPort, there are 55 billion spam e-mail per year right now, compared with 30 billion spam e-mail yearly. Today, the largest threat to information security is not the typical hacker, virus or worm, but the corporate insider. Whether insiders violate data security policies in advertently or with maliciously, the result can expose the company to public embarrassment, lost business, costly lawsuit, and regulatory fines. Taiwanese high-technology companies have 70% market share of worldwide semiconductor foundry business, 40% share of semiconductor package segment, 50% share of semiconductor testing, 80% of computer motherboard, 72% share of notebook PC, 68% of LCD monitor --- New York Times, 2006. How can we keep maintaining the leading positions around the globe? To invest in R&D, manufacturing, and global logistics is key. However, how to implement a secure, global and reliable IT network and infrastructure to server customers better is a must under current global economy. To every Chief Information Officer, CIO, or Chief Security Officer, CSO, Information security is always one of the top 3 to-do list. Information security is easy to talk about. But, implementations and executions are where talk must turn into action. Purchasing security device is easy. Knowing how and what to protect ad what controls to put in place is a bit more difficult. In the real commercial world, no one or company would like to share or release its weakness to the public. The objective of this thesis is to study most updated information security industry standard and information security suppliers’ view, like: 1. International Standard Organization, ISO, 17799. 2. British Standard Institute’s BS 7799. 3. IBM’s Information Security Program, ISP. 4. HP & Information Security Systems’ Information Security Audit Mechanism, ISAM. 5. Microsoft Also to provide a real successful case / framework for other companies to ensure a consistent, enterprise-wide information security focus is maintained across organization boundaries. In conclusion, this information security study proposes to transfer core business process, to build information security new applications, to run a scalable, available, secure environment, and to leverage firms’ knowledge and information.

資訊安全

大型企業

垃圾郵件

駭客、病毒或蠕蟲

國際標準組織17799

Information security

spam

hacker, virus or worm,

應用6 Sigma 導入EuP 綠色專案之個案研究 / Six Sigma Management for EuP Green Program - A Case Study

許瑞鵬, Hsu, Juey Peng

Unknown Date

今 (2008) 年，全球規模排名前三大的電腦展，從1月開始美國拉斯維加斯的CES展、3月的德國漢諾威的CeBiT展，到6月在台北的Computex展，數千家之參展廠商，數十萬之買主與參觀人士，不約而同，大家的主訴求都是「綠色」與「節能」。向來，三大電腦展都是未來產品的風向球，加上從美國前副總統高爾的紀錄片「不願面對的真相」看到地球暖化現象日益嚴重，石油價格也不斷再創歷史新高，的確讓人感到這個世界將變得更為綠色，當人們愈來愈重視自己居住的這個環境與資源，也宣告「綠色產品、綠色消費」的時代正式來臨。 近年來一波波的綠色浪潮，如同過去十餘年間的網路興起，所產生巨大的改變一般。全球環保意識覺醒，尤以歐盟一向以高環保標準為最，陸續在2005年8月起推行的三大環保指令：WEEE(回收化)、RoHS(無毒化)、EuP(節能化)，超過80％的環境衝擊都跟產品設計有緊密關聯；是故，整合環境考量因素而成綠色產品的生態化設計作法，將會是企業最有效的方法。 上述WEEE 及RoHS兩項已於2006 年7月1日後，正式對輸出到歐盟各國的產品中全面實施管制，而日本、韓國、中國等國及美國(部分州)等，亦在2007年初立法通過並已實施，此股全球化之綠潮，已是勢不可擋；第三項的EuP (Energe using Product)「耗能使用產品之生態化設計指令」，歐盟各國已大多立法制定完成，部分國家還一併通過違規罰則，預計在2009年第一季起開始啟用，屆時勢必又將再度啟動第三回合的環保大挑戰。 我國對歐盟之貿易額佔了總體的比重極大，於2007年，我國出口到歐盟各國之電機、電子產品等金額超過逾NT$3,000億，企業也決不容忽視這廣大的市場商機。本研究的個案公司向來對環保意識相當重視，亦積極地關注在永續發展與環保議題上，所設計製造的綠色產品也行銷全球；現今的設計趨勢都以綠色、節能為導向，身處電子、電機產業的一員，面臨這項嚴峻之挑戰，更需即早因應，通過這些環保規範檢測，才能確保產品順利銷往歐盟。 本研究乃透過個案公司於過去三、四年中，利用 6 Sigma 的DMAIC循環改善手法，搭配ISO 9000/14000品質/環境管理系統以有效整合，組成專案團隊運作，成功導入6 Sigma WEEE / RoHS等專案，且比2006年7月1日的法定實施期限日，提早一季的時間完成歐盟WEEE及RoHS所有綠色產品之設計，並在符合法定時程/品質要求/客戶滿意等情況下順利出貨。 爰此，以綠色設計為整體考量因素，建置成一套標準化的流程機制，應用到EuP新環保規範中，進行產品節能、生命週期等多項評估，提升生態化設計能力。EuP雖與RoHS/WEEE的指令訴求內容互異，但本著6 Sigma RoHS過去分析及改善等手法，藉由嫻熟運作之科學管理模式，來縮短研發時程；目標為：提早一季時間完成產品設計，且品質符合環保規範驗證之出貨準備；期間雖會遭遇諸多問題與困難，但以6 Sigma經驗豐富之優秀成員組成的團隊，將採絕佳默契、合作無間的精神，順利於今年底達成任務，也為個案公司大幅提升環保戰力之全球競爭優勢。 關鍵字：限用有害物質指令、耗能使用產品指令、生態設計、國際標準組織、六標準差專案管理。 / In the world’s top three exhibitions of the electronic industry this year - namely CES of Las Vegas in January, CeBIT of Hanover in March, and Computex of Taipei in June, the main theme is the same: Green Technology and Energy Saving Products. Mr. Al Gore’s ‘Inconvenient Truth’ has unfolded future disasters caused by global warming, together with recent oil price hikes over US$140 a barrel, all these environmental and energy crisis have hastily ushered in the ‘Green Product Epoch.’ The European Union led the wave of Green Products by issuing the WEEE (Waste Electrical Electronic Equipment) directives in August 2005 which aimed at reducing E/E waste disposal through reuse, recycle and recovery, followed by the RoHS (Restriction of Hazardous Substance) directives enforced on July 1, 2007. EuP (Energy using Product) is the latest set of directives which will be implemented in 2009. Since more environmental impacts relate to product design, the green product ecological design incorporating environmental factors is most effective method. These regulations will greatly affect members of global E.E product supply. Taiwan had a big trade count with EU in the past time, so it will be caused more impacted as well. Therefore, many countries have regulated new national standards, many Taiwanese firms are making great efforts on the issues of Eco Design for energy saving to meet the trend on environment protection as earlier as possible and to provide operational producers for the business toward green global supply chain. For enterprises to implement environmental management system and to establish green product design and production by ISO9000 / ISO 14000 systems, and there are many procedures, validation and testing need to by 6 Sigma DMAIC improvement methodology. This case study proposes a model to include the RoHS green product into quality system successfully in 2 years ago, next case is provided to verify the model and justify how a firm can efficiently use the proposed model and empirical experience to meet product certification requirement into the system. The findings of this research can support other enterprises to implement appropriate model to integrate green product with framework of ISO9000/14000 quality/environment management system by 6 Sigma process. This is also suitable for a firm to upgrade its management system to meet various green requirements as WEEE, RoHS and EuP. The study is still enphasised many Taiwan manufacturers are tempted by the success of 6 Sigma in the western world and are now in the process of introducing 6 Sigma into their organizations. The push to further reduce costs has urged the firms to use 6 Sigma to regain their competitive positions in the global economy. Keywords: RoHS, EuP, Eco Design, ISO, 6 Sigma Managment

限用有害物質指令

耗能使用產品指令

生態設計

國際標準組織

六標準差專案管理

RoHS

EuP

Eco Design

ISO

6 Sigma Management