大型企業資訊安全實務研究 / A Research into Information Security Case Study of Large-Scale Firms

金慶柏, Chin,Robert CP

Unknown Date

本研究主要在探討大型企業的資訊安全案例。在二十一世紀的今天，資訊系統及電腦資產對組織的成功更加重要，所以務必防止它們遭受遺失、竄改或毀滅的風險。資訊安全是保護資料、資訊遭受意外或有意的誤用的一種過程，不論是被組織內或組織外的人，包括員工、外包的顧問或網路上的駭客。資訊安全是組織中很策略的一環，不光是也不應是資訊部門一己的責任。 依據Datamonitor的估計，美國企業一年在資訊安全漏洞上至少損失美金一百五十億元。根據電腦安全學院（Computer Security Institute, CSI）及聯邦調查局（Federal Bureau of Intelligence, FBI）2004年的問卷調查顯示百分之四十九的企業曾發生個人電腦失竊的案例。依據IronPort的估計，一年前每年約有三百億封垃圾郵件，現在則激增至五百五十億封垃圾郵件。時至今日，對於資訊安全的主要威脅不是來自於組織外的駭客、病毒或蠕蟲，而是組織內的個人。不論組織內的個人是有意或無意地違反資訊安全的政策和規定，其後果可能相當嚴重，小至組織形象受損、業務損失，大至官司纏身或巨額罰款。 根據紐約時報2006年的報導：臺灣的高科技公司佔有全球半導體晶圓專工產業百分之七十的市佔率，百分之四十的半導體封裝市場，百分之五十的半導體測試市場，百分之八十的電腦主機板市場，百分之七十二的筆記本電腦代工市場，百分之六十八的LCD螢幕市場。我們如何繼續保持在全球市場上的領先地位？我們仍然得繼續在研究發展、生產製造及全球運籌上加碼投資。然而，在全球經濟之下，如何透過執行一套安全的、全球的及穩定的資訊網路及基礎架構以提供客戶更好的服務更是必要的。 對每一位資訊長或資安長而言，資訊安全永遠是他最關心的前三大議題之一。資訊安全當然是說比做容易，正確導入與永續執行才是根本。花錢購買資訊安全設備是相對簡單的。知道要保護什麼，如何保護以及要控制什麼就沒有那麼簡單了。在真實的商業世界裡，基於家醜不外揚，鮮有公司願意分享或公佈它資訊安全上的弱點及缺點。本論文的主要目的有二：一是研究業界最新的資訊安全標準及資訊安全供應商的看法，例如： 1. 國際標準組織（International Standard Organization, ISO）17799。 2. 英國標準組織（British Standard Institute, BS）7799。 3. 國際商業機器股份有限公司（International Business Machines, IBM）的資訊安全計劃。 4. 惠普股份有限公司（HP）及Information Security System公司的資訊安全稽核機制。 5. 微軟股份有限公司（Microsoft）。 二是提供一些真實的成功案例以提供給其他有興趣的組織作為參考。從結論發現，我們可藉由改善核心業務流程，去建造新的資訊安全系統，去運營一個可長治久安的實體與虛擬的環境，並強化公司的知識管理及傳承 / In the twenty-first century, information system and computing assets are more critical to organization’s success, and as a result, must be protected from loss, modification or destruction. Information security is the process of protecting data / information from accidental or intentional misuse by person inside or outside of an organization, including employee, consultants, and hackers. Information security is a strategic part of an organization, not just the issue of Management Information System, MIS, or Information Technology, IT, department. According to “Datamonitor”, US$ 15 billion, at least, cost of information security breaches to United States businesses in one year. From the survey of Computer Security Institute, CSI, and Federal Bureau of Intelligence, FBI, in 2004, 49% of companies experienced notebook Personal Computer theft. According to IronPort, there are 55 billion spam e-mail per year right now, compared with 30 billion spam e-mail yearly. Today, the largest threat to information security is not the typical hacker, virus or worm, but the corporate insider. Whether insiders violate data security policies in advertently or with maliciously, the result can expose the company to public embarrassment, lost business, costly lawsuit, and regulatory fines. Taiwanese high-technology companies have 70% market share of worldwide semiconductor foundry business, 40% share of semiconductor package segment, 50% share of semiconductor testing, 80% of computer motherboard, 72% share of notebook PC, 68% of LCD monitor --- New York Times, 2006. How can we keep maintaining the leading positions around the globe? To invest in R&D, manufacturing, and global logistics is key. However, how to implement a secure, global and reliable IT network and infrastructure to server customers better is a must under current global economy. To every Chief Information Officer, CIO, or Chief Security Officer, CSO, Information security is always one of the top 3 to-do list. Information security is easy to talk about. But, implementations and executions are where talk must turn into action. Purchasing security device is easy. Knowing how and what to protect ad what controls to put in place is a bit more difficult. In the real commercial world, no one or company would like to share or release its weakness to the public. The objective of this thesis is to study most updated information security industry standard and information security suppliers’ view, like: 1. International Standard Organization, ISO, 17799. 2. British Standard Institute’s BS 7799. 3. IBM’s Information Security Program, ISP. 4. HP & Information Security Systems’ Information Security Audit Mechanism, ISAM. 5. Microsoft Also to provide a real successful case / framework for other companies to ensure a consistent, enterprise-wide information security focus is maintained across organization boundaries. In conclusion, this information security study proposes to transfer core business process, to build information security new applications, to run a scalable, available, secure environment, and to leverage firms’ knowledge and information.

資訊安全

大型企業

垃圾郵件

駭客、病毒或蠕蟲

國際標準組織17799

Information security

spam

hacker, virus or worm,

電腦病毒特性與病毒/防毒廠商互動研究 / The Computer Virus Pattern and Interaction of Virus & Anti-Virus Companies

吳宣諭

Unknown Date

傳統商學院論文所探討的競爭態勢多半聚焦於廠商間的競爭，著重組織對組織、集團對集團的互動過程，本研究提出競爭的另一種型態，描述由個體所組成的非正規群體(駭客)與組織集團(廠商)的競爭，以病毒與防毒軟體廠商的互動過程為例，透過歷史的描述呈現電腦病毒、防毒廠商、戰爭三個構面。 本研究以病毒為描述主體作為邪惡的反方角色，並且深入探討其背後的核心操控者：駭客們的動機與行為，之後將相對應的正方角色：防毒公司拉進來，詮釋病毒與防毒軟體的互動過程。最後，整理出在歷史的演進之下，病毒/防毒戰爭過程中的脈絡與攻防特性，並演譯歸納出病毒的五大創新特點：技術Deeper、影響範圍Bigger、傳播速度Faster、病毒行為Smarter、產業結構Robuster。 綜觀國內外商學院論文，尚無類似論述，其突破性貢獻有三：其一，本研究提出以病毒負效用的特性作為創新的論述，至今無人提出，雖可議卻也空前；其二，本研究突破過去討論病毒相關議題僅考量單項變數的限制，以全面性的系統觀點探討其特性；其三，此類議題的相關論文處理方式多半以量化、實作亦或次級資料整理為主，本研究則進行深入訪談的田野調查。 基於創新來自於邊陲的概念，本論文希望排除道德的限制，單純從特性上加以考量其創新，並非鼓勵或褒揚之意。希望提供企業以另一個層次的角度思考本文所提出之創新觀點，應用於研發管理、創新管理、行銷管理、策略管理等領域，興許能有不同的創新解決方案。 / Most papers from the traditional business school discuss the competitions among manufacturers, and focus on the interactions between organizations and between groups. However, in this paper, we propose another type of competition - the competition between the hacker (composed by the individuals or non-regular organization) and the manufacturer (organizations or groups). Here, we take the interaction between virus and anti-virus software manufacturers as example to describe the 3 dimensions among computer virus, anti-virus software manufactures and their contests. In this thesis, we take virus as the evil side and expect to dig out the motivation and behavior of the hackers, and then we take the anti-virus software manufactures as the counter side to discuss the interaction between virus and anti-virus software. Finally, we sum up the 5 innovative characteristics of the virus: the skill is deeper, the incidence is bigger, the spreading speed is faster, the virus behavior is smarter and the industrial structure is more robust. In this thesis, there are 3 unprecedented distributions: first, we propose the innovative concept by using the disutility characteristic of virus; second, we breakthrough the restriction that only taking the single parameter into consideration, and we take the total system viewpoints into consideration to discuss its characteristics; third, instead of quantification, experimentation, and sub-data collection, we do the research through the interview and the field work. In this thesis, we wish to eliminate morals constraints, just consider its innovative concept, and not mean to encourage or commend it. Furthermore, we expect to provide the enterprises another way to think about this new concept, and apply it in research and development management, innovation management, marketing management, strategy management, and so on. We believe that there will be some other different innovative solutions.

電腦病毒

防毒

駭客

動態競爭策略

創新管理

創造力

Computer Virus

Anti-virus

Hacker

Dynamic Competitive Strategy

innovation management

creativity

從實踐中體現： 匯聚而生一個多元文化「Hackerspace」社群 / Embodied in Practice: The Emergence of a Multicultural Hackerspace Community

高敏功, Kao, Eli

Unknown Date

從實踐中體現： 匯聚而生一個多元文化「Hackerspace」社群 / Hackerspaces are open and public workshops where participants pro-actively engage with technology in a social context. From origins in 1990s Germany, the global propagation of hackerspaces has been grassroots, decentralized, and extra-institutional. How does a new hackerspace emerge? What are some key social processes at work within a hackerspace and how are they conditioned by a multilingual, multicultural setting? What roles do values and ideology play? The present study addresses these questions through immersion in the social world of a hackerspace in Taipei, Taiwan. Participant observation and in-depth interview data were analyzed using grounded theory techniques. The results emphasize that initial organizing depends on catalysts and relevant prior experience may be crucial. Local conditions in the form of a multicultural, multilingual environment are shown to affect social processes, sometimes as a source of friction. Ideological and political concerns do not seem salient to Taipei Hackerspace participants generally, though values implicit in practices present alternatives to institutional conventions. In addition, four primary processes are proposed: “Project-ing,” Sharing, “Making it one’s own,” and Negotiating. Finally, support is given to the concept of a transferable hackerspace model that is adapted to local conditions. The values and principles observed—sharing and openness norms, “do-ocracy”, ad hoc organizing, resistance to rules and hierarchy—can be traced to various influences in hackerspaces’ historical development, particularly the open source movement, and serve to optimize hacking potential while fostering a heterogeneous community network.

駭客

創客空間

社群

科技

開放原始碼

學習方法

教育

多元文化

跨文化溝通

紮根理論

社會程序

台灣

hacker

hackerspace

community

technology

open source

learning

education

multicultural

intercultural communication

grounded theory

social processes

Taiwan