企業安全暨風險管理策略之研究—台北101大樓個案分析 / The Study of Corporate Security & Risk Management Strategy and Practices - A Case Study of Taipei 101

徐子文, Hsu,Daniel Tzu-Wen

Unknown Date

企業風險安全管理隨著趨勢的發展和需求，企業安全從原本的被動式保護工作，進步到主動式的預防作為，由原來對實體環境和人員的防護，拓展到資訊網路和商譽競爭力保護的領域，逐漸的成為企業中不可或缺的重要功能部門。 國內一般文獻研究在記載研究企業風險安全管理和危機處理議題，常見以外部觀點為研究方向，來自於實際參與企業風險安全管理第一線和決策人員的個案研究則相對缺乏。本研究是希望以作者擔任台北金融大樓股份有限公司（台北101）首任安全總監期間(2003年九月到2004年七月)，實際面臨之風險安全管理挑戰之狀況及處置為主軸，並以事後結果觀察為驗證，以其他個案和文獻研究來探討：一位在企業中實際負責企業風險安全管理之專業經理人面對各式風險威脅狀況時的決策基礎和作為考量，繼而驗證相關風險管理和安全管理理論在企業安全和風險管理的實際運用狀況及成效。 企業安全管理是風險管理的一部份，重點是在處理風險類別中的純粹風險。風險管理的理論和分析架構為企業安全管理帶來了理論基礎架構，讓每一對應措施對策可以有正確的定位，而達到管理的效率。企業安全管理是一個應用科學，必須要依據實務需要，利用企業安全以及其他領域的專業知識，尋求相當的對策。「安全」代表一種穩定的、在一定程度內可以預期的環境，讓個人或團體可以在追求目標時，不受干擾或傷害，也不必擔心任何動亂或意外。安全管理同時也是一個高度和所處環境互動的過程。其所受影響的變數繁多，影響所產生的結果也多變。所以，企業安全管理不但重視建置上大架構的完善，更重視的是在細節小處的積極維護。 一個良好企業安全管理始自於有一個明確的「企業安全政策」。在這企業安全政策中要揭示企業安全的宗旨。作者以為，企業的安全目標為：「保護企業資產完整，使可能發生的損害降至最低、而使投資報酬及事業機會增至最大，進而確保企業的永續經營。」本研究認為，「實體與環境安全」、「人事安全」、「資訊安全」、「緊急應變計劃」、「企業安全稽核及事件調查」、「企業安全教育訓練及宣導」形成完整的企業安全管理架構，並以「人員」、「程序」和「科技」並重的方式進行，可以達到實效。而「未知」、「瞬時」和「大量」是企業安全管理範疇中危機的三特性，如果這三者同時發生，危機就產生，若是消彌其中一部，危機就有機會可以被制止。 / 關鍵字：企業管理、風險管理、風險評估、企業安全、安全管理、危機管理。 / Along with the business trend and demand, the function of Corporate Security is changing from reactively protection to proactively prevention. It also expends from its original functions on physical and personnel protection activities to information networks and business competition activities. Gradually, Corporate Security is becoming an irreplaceable function in modern business operations. In Taiwan, most of the researches on corporate risk and security management issues were on external perspective. There are relatively limited researches on internal perspective and being done by practioners who could provide the first hand experiences and very own observations. This study is based on the Writer’s own experiences and observations during his tenure as the very first Director of Corporate Security and Life Safety of the Taipei Financial Center Corporation, the owner of the world’s tallest building – “Taipei 101”, in September 2003 ~ July 2004. This thesis records and studies the situations the Writer faced and why certain counter-measures were selected and implemented against some corporate security related theories and best practices, and further, to examine their effectiveness and aftermath impacts. This study finds that the corporate security management is under the umbrella of enterprise risk management. It mainly deals with the area of pure risks. The risk management theories provided fundamentals and core structure for the corporate security management. The corporate security management is an applied science. The successful application requires multi-discipline efforts which employee various domains of knowledge to interact and/or counteract of the changing business environment. In addition to appreciation of the core theories of risk and security management, it is essential to attention to details. A sound corporate security begins with a clearly stated “Corporate Security Policy”, where the mission, objectives, as well as the structures and means are clear defined. The Writer believes that the objective of corporate security management is to “To protect corporate assets, both tangible and intangible ones, and to minimize the potential harms and losses, in order to maximize the investment retunes and business opportunities as well as the continuity of the business.” This study finds that the Corporate Security Management Framework best structured by the Physical & Environmental Security, Personnel Security, Information Security, Emergency Response Planning, Security Audit & Investigation, as well as Security Awareness Promotion and Education. In order to best achieve these, the practioners should equally apply measures on People, Process and Technology. / Keywords: Risk Management, Business Management, Security Management, Crisis Management, Corporate Security.

企業管理

風險管理

風險評估

企業安全

安全管理

危機管理

Risk Management

Business Management

Security Management

Crisis Management

Corporate Security

Who hacked my toaster? : A study about security management of the Internet of Things. / Vem har hackat min brödrost? : En studie om säkerhetshantering av Internet of Things

Hakkestad, Mårten, Rynningsjö, Simon

January 2019

The Internet of Things is a growing area with growing security concerns, new threat emerge almost everyday. Keeping up to date, monitor the network and devices and responding to compromised devices and networks are a hard and complex matters.  This bachelor’s thesis aims to discover how a IT-company can work with security management within the Internet of Things, this is done by looking into how a IT-company can work with updating, monitoring and responding within the Internet of Things, as well what challenges there are with working with this.  A qualitative research approach was used for this case study along with an interpretative perspective, as well as abductive reasoning. Interviews were performed with employees of a large IT-company based in Sweden, along with extensive document analysis.  Our bachelor’s thesis results in challenges with Security Management within the areas updating, monitoring and responding along with how our Case Company works with these security challenges. Largely these challenges can be summarized that everything is harder with the number of devices there are within the Internet of Things / Internet of Things eller Sakernas internet är ett växande område med en växande hotbild och nya hot uppkommer dagligen. Att hålla sig uppdaterad, övervaka nätverk och enheter samt att reagera på att enheter och nätverk blir hackade är en svår och komplicerad uppgift. Den här uppsatsen ämnar undersöka hur ett IT-företag kan arbeta med säkerhetshantering inom Internet of Things. Detta har gjorts genom att kolla utmaningar och säkerhetslösningar inom de tre områdena uppdatera, övervaka och reagera.  En kvalitativ forskningsmetod har använts i denna fallstudie tillsammans med ett tolkande synsätt och en abduktiv ansats. Vi har utfört intervjuer på ett stort IT-företag baserat i Sverige tillsammans med en utförlig dokumentanalys.  Resultatet av denna uppsats påvisar ett antal utmaningar inom säkerhetshanteringen inom områdena uppdatera, övervaka och reagera tillsammans med hur vårt fallföretag jobbar med att motarbeta dessa utmaningar. I stort sett kan utmaningarna sammanfattas till att allting är svårare när mängden enheten är så hög som den är inom Internet of Things.

Internet of Things

IoT

Updating

Monitoring

Responding

Security Management

Cyber Resilience

Middle of Life

MoL

Sakernas Internet

Internet of Things

IoT

Uppdatera

Övervaka

Reagera

Säkerhetshantering

Cyber Motståndskraft

Cyber Resilience

Mitten av Livet

MaL

Information Systems, Social aspects

Um modelo de gerência de segurança para middleware baseado em tuple para ambientes difusos e nômades. / A model of security management for middleware based on tuple in diffuse and nomadic environments.

Désiré, Nguessan

18 December 2009

Este trabalho explora a gerência de segurança e cooperação de aplicações em sistemas distribuídos móveis. Neste contexto, é feito um estudo sobre os diferentes middlewares para ambientes móveis (mobile middleware): suas capacidades de enfrentar os desafios da mobilidade e da segurança. As análises do estudo mostram que esses middlewares devem possuir características que lhes permitem uma melhor adaptação às necessidades das aplicações e à natureza dos ambientes móveis. Os middlewares existentes pouco abordam a questão da segurança. A segurança ainda é um problema complexo que deve ser gerido em todos os níveis de um sistema distribuído móvel, incluindo novos mecanismos. Com base nessa análise, foi desenvolvido um modelo de gerência de segurança que implementa um mecanismo de autenticação mútua, confidencialidade, detecção de intruso e controle de acesso em ambientes móveis. O objetivo é garantir a confiabilidade, a disponibilidade de serviços e a privacidade do usuário através da tecnologia PET - Privacy-Enhancing Tecnologies. A idéia é fundamentada em agentes interceptadores e autoridades de segurança que distribuem tíquetes de segurança e controlam o acesso a recursos e espaços de tuple do ambiente. O estudo de caso apresentou resultados satisfatórios que permitem julgar a pertinência do modelo proposto. O modelo será integrado a um sistema de e-saúde. / The work exploits the security management and the cooperation of applications in mobile distributed systems. In this context a study of different mobile middleware is made. The study examines their capacities to face the challenges of mobility and security issues. The analysis shows that the existing middleware has very few approaches on security problems; security is still a complex issue to be managed in all the levels of mobile distributed system including new mechanisms. Based on this analysis, a security management model is developed that implements a mechanism for mutual authentication, confidentiality, intrusion detection, access control of mobile agents in mobile environments, ensures services availability and user privacy, through technology PET (Privacy-Enhancing Technologies). The idea is based on interceptor agents and security authorities that distribute security tickets and control the access to resources and Tuple spaces in mobile environment. The proposed model presents good performance and is integrated to an e-health system: Relationship Management with Chronic Patient GRPC.

Agente móvel

Computação difusa

Computação nômade

Espaço tuple

Gerência de segurança e privacidade

Middleware móvel

Mobile agent

Mobile middleware

Nomadic computing

Pervasive computing

PET technology

Privacy and security management

Tecnologia PET

Tuple space

Integration of CTI into security management

Takacs, Gergely

January 2019

Current thesis is a documentative approach to sum up experiences of a practical projectof implementing Cyber Threat Intelligence into an existing information securitymanagement system and delivering best practices using action design researchmethodology. The project itself was delivered to a multinational energy provider in 2017.The aim of the CTI-implementation was to improve the information security posture ofthe customer. The author, as participant of the delivery team presents an extensive reviewof the current literature on CTI and puts the need for threat intelligence into context. Theauthor claims that traditional security management is not able to keep up with currentcybersecurity threats which makes a new approach required. The thesis gives an insightof an actually working and continuously developed CTI-service and offers possible bestpractices for InfoSec professionals, adds theoretical knowledge to the body of knowledgeand opens up new research areas for researchers.

Cyber Threat Intelligence

CTI

security management

information security

InfoSec

operational CTI

technical CTI

threat intelligence

TIP

threat information portal

cybersecurity

threat management

risk management

InfoSec management

Computer Systems

Datorsystem

Um modelo de gerência de segurança para middleware baseado em tuple para ambientes difusos e nômades. / A model of security management for middleware based on tuple in diffuse and nomadic environments.

Nguessan Désiré

18 December 2009

Este trabalho explora a gerência de segurança e cooperação de aplicações em sistemas distribuídos móveis. Neste contexto, é feito um estudo sobre os diferentes middlewares para ambientes móveis (mobile middleware): suas capacidades de enfrentar os desafios da mobilidade e da segurança. As análises do estudo mostram que esses middlewares devem possuir características que lhes permitem uma melhor adaptação às necessidades das aplicações e à natureza dos ambientes móveis. Os middlewares existentes pouco abordam a questão da segurança. A segurança ainda é um problema complexo que deve ser gerido em todos os níveis de um sistema distribuído móvel, incluindo novos mecanismos. Com base nessa análise, foi desenvolvido um modelo de gerência de segurança que implementa um mecanismo de autenticação mútua, confidencialidade, detecção de intruso e controle de acesso em ambientes móveis. O objetivo é garantir a confiabilidade, a disponibilidade de serviços e a privacidade do usuário através da tecnologia PET - Privacy-Enhancing Tecnologies. A idéia é fundamentada em agentes interceptadores e autoridades de segurança que distribuem tíquetes de segurança e controlam o acesso a recursos e espaços de tuple do ambiente. O estudo de caso apresentou resultados satisfatórios que permitem julgar a pertinência do modelo proposto. O modelo será integrado a um sistema de e-saúde. / The work exploits the security management and the cooperation of applications in mobile distributed systems. In this context a study of different mobile middleware is made. The study examines their capacities to face the challenges of mobility and security issues. The analysis shows that the existing middleware has very few approaches on security problems; security is still a complex issue to be managed in all the levels of mobile distributed system including new mechanisms. Based on this analysis, a security management model is developed that implements a mechanism for mutual authentication, confidentiality, intrusion detection, access control of mobile agents in mobile environments, ensures services availability and user privacy, through technology PET (Privacy-Enhancing Technologies). The idea is based on interceptor agents and security authorities that distribute security tickets and control the access to resources and Tuple spaces in mobile environment. The proposed model presents good performance and is integrated to an e-health system: Relationship Management with Chronic Patient GRPC.

Agente móvel

Computação difusa

Computação nômade

Espaço tuple

Gerência de segurança e privacidade

Middleware móvel

Tecnologia PET

Mobile agent

Mobile middleware

Nomadic computing

Pervasive computing

PET technology

Privacy and security management

Tuple space

A conceptual framework and considerations for mergers and acquisitions in the information technology arena / P.J. van Schalkwyk

Van Schalkwyk, Phillipus Johannes

January 2007

Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2008.

Merger and acquisitions

Aligned commitment

Ethics

Governance

Information

Information audit

Information technology

Innovation

Intellectual property

IT investments

Knowledge management

Law of requisite variety

Organisation design and culture

Outsourcing

Security management

Strategy

Structure

Θέματα στην εφαρμογή προτύπων ποιότητας στην ασφάλεια των πληροφοριακών συστημάτων : Η περίπτωση της Εθνικής Τράπεζας της Ελλάδος

Παναγόπουλος, Αιμίλιος-Χρήστος

13 January 2015

Η χρήση των Πληροφοριακών Συστημάτων συνεχώς αυξάνεται. Πλέον οι περισσότεροι οργανισμοί βασίζονται στην λειτουργία τους. Αχίλλειος πτέρνα αυτών είναι η ασφάλεια τους. Στη παρούσα μελέτη παρουσιάζονται τα βασικά θέματα που αφορούν την διαχείριση προσωπικών δεδομένων αναλύοντας την πολιτική ασφαλείας μιας εταιρείας του ελληνικού τραπεζικού τομέα . Αρχικά εντάσσεται η έννοια των Πληροφοριακών Συστημάτων. Ακολουθεί η έννοια της Πολιτικής Ασφάλειας στον ευρύτερο τομέα της Διαχείρισης της Ασφάλειας των Πληροφοριακών Συστημάτων καθώς και οι κατηγοριοποιήσεις των κινδύνων και των ζημιογόνων γεγονότων. Έπειτα προσδιορίζονται οι βασικές αρχές για την ανάπτυξη Πολιτικών Ασφάλειας των Πληροφοριακών Συστημάτων, διευκρινίζοντας το νομικό πλαίσιο προστασίας τραπεζικών δεδομένων και το απόρρητο τους. Η επόμενη ενότητα αφορά την εφαρμογή των Πολιτικών Ασφάλειας στο πλαίσιο της εταιρείας και καταγράφει τα απαραίτητα μέτρα για την επιτυχή και αποτελεσματική εφαρμογή τους. Ακολουθούν τα αποτελέσματα της μελέτης και οι προτάσεις για την βελτιστοποίηση της παρούσας κατάστασης και την αποφυγή μελλοντικών κινδύνων. / The use of Information Systems is constantly increasing. Now most of the organizations rely on them for their operation. Their vulnerable spot is their security. This study presents the main issues related to the management of personal data by analyzing the security policy of a company of Greek banking sector. Firstly, the concept of Information Systems is presented.Then a part of the concept of security policy in the broader field of Safety Management Information Systems and classifications of risks and loss events is presented. Afterwards identifying the key principles for the development of Rules of Security of Information Systems, specifying the legal framework for the protection of bank data and their privacy. The next section involves the implementation of security policies within the company and record the necessary steps for the successful and effective implementation. Then are the results of the study presented and recommendations for optimization of this situation and avoiding future risks.

Πολιτική ασφάλειας

Λογαριασμοί

Απάτη

005.8

Information Systems (IS)

Information security management systems

Security policy

National Bank of Greece

Regulatory compliance

Accounts

Fraud

Credit institutions (CIs)

A conceptual framework and considerations for mergers and acquisitions in the information technology arena / P.J. van Schalkwyk

Van Schalkwyk, Phillipus Johannes

January 2007

Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2008.

Merger and acquisitions

Aligned commitment

Ethics

Governance

Information

Information audit

Information technology

Innovation

Intellectual property

IT investments

Knowledge management

Law of requisite variety

Organisation design and culture

Outsourcing

Security management

Strategy

Structure

A conceptual framework and considerations for mergers and acquisitions in the information technology arena / P.J. van Schalkwyk

Van Schalkwyk, Phillipus Johannes

January 2007

Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2008.

Merger and acquisitions

Aligned commitment

Ethics

Governance

Information

Information audit

Information technology

Innovation

Intellectual property

IT investments

Knowledge management

Law of requisite variety

Organisation design and culture

Outsourcing

Security management

Strategy

Structure

De porto a porto : a segurança pública como forma de controle social

Carpes, Nívea S.

January 2018

A tese analisa a atuação dos secretários de segurança e sua capacidade de gerar mudanças nas instituições de segurança e sobre os índices de criminalidade e violência. O objeto de investigação circunscreve-se ao âmbito do estado do Rio Grande do Sul, na cidade de Porto Alegre, nas gestões da segurança pública do período entre 2001 a 2015. O enfoque é a política de segurança proposta pelos secretários de segurança e os dados criminais da cidade de Porto Alegre, que possibilitam um diálogo com a política criminal portuguesa e programas especiais de segurança pública, executados pela Polícia de Segurança Pública. Para esse cenário, a tese busca apresentar o contexto histórico, social e econômico que favorece a criminalidade em Porto Alegre e na cidade do Porto, fazendo um debate com elementos como planos de segurança, modelos de policiamento, índices criminais, a política criminal portuguesa, a lei que descriminaliza o consumo de drogas em Portugal e os programas especiais da Polícia de Segurança Pública do Porto. Em termos metodológicos, foram realizadas análises de documentos; foram levantados dados sobre criminalidade, reaparelhamento das instituições de segurança, investimento em formação, novas tecnologias e participação social; e foram realizadas entrevistas. O referencial teórico foi constituído por abordagens sobre segurança pública e dilemas da violência e da criminalidade – Benevides (1985), Soares (2003), Adorno (1996), Velho (2000), Silva (1999); “governance” - Wood & Dupont, 2006, Oliveira (2006), Merrien (1998), Johnston & Shearing (2003), Agra (1997), Oliveira (2006), Zedner (2009), Lemieux (2000), Webber (2004) e Jones (2012); e cidadania - Villagómez (1997), Elster (1993), Martin & Ceballos (2004), Sen (2003), Dagnino (2004) e Carvalho (2001). Para desenvolver esta análise, vinculamos o contexto da segurança pública a temas fundamentais como a “governance”, que nos possibilita tomar contato com a gestão a partir de um debate específico e a cidadania, como elemento que imprime um novo ponto de partida para a segurança pública. Pudemos constatar que a segurança pública no Brasil chega de maneira diferente aos estratos sociais. De modo geral, utilizando recursos diversos, os secretários de segurança buscaram dar respostas que definiam um determinado tipo de controle sobre a criminalidade e a violência, os resultados são expostos nos índices de criminalidade. Os enfoques para confrontar a insegurança vão do combate à criminalidade até o enfrentamento da causalidade do crime. A visão sobre o criminoso tem grande diferença, alguns secretários evitam esse ângulo, alguns compreendem que são cidadãos que deveriam ter oportunidades e outros entendem como pessoas irremediavelmente desviantes. Assim, os secretários dividemse entre mais voltados para uma abordagem social-crítica do contexto de criminalidade, os que ficam num estágio intermediário, conservador, buscando ações preventivas e aqueles que se concentram numa perspectiva punitivista e tradicional do combate ao crime. Quanto à Portugal, vem para essa tese para confirmar as possibilidades de uma convivência social pacífica, a despeito da existência de problemas socioeconômicos, destacando elementos culturais importantes na construção de ambientes seguros. Por fim, a Polícia de Segurança Pública demonstra a importância de programas especiais de segurança perenes e bem definidos, voltados a públicos mais vulneráveis. / The thesis analyzes the performance of the secretaries of security and their capacity to generate changes in the security institutions and on the rates of crime and violence. The object of investigation is limited to the scope of the state of Rio Grande do Sul, in the city of Porto Alegre, in the public security administrations of the period between 2001 and 2015. The focus is the security policy proposed by the secretaries of security and the data criminal cases of the city of Porto Alegre, that allow a dialogue with the Portuguese criminal policy and special programs of public security, executed by the Public Security Police. For this scenario, the thesis seeks to present the historical, social and economic context that favors criminality in Porto Alegre and in the city of Porto, by discussing elements such as security plans, policing models, criminal indexes, Portuguese criminal policy, law that decriminalizes drug use in Portugal and the special programs of the Porto Public Security Police. In methodological terms, document analyzes were carried out; data were collected on crime, re-organization of security institutions, investment in training, new technologies and social participation; and interviews were conducted. The theoretical framework was constituted by approaches on public security and dilemmas of violence and crime - Benevides (1985), Soares (2003), Adorno (1996), Velho (2000), Silva (1999); (1998), Johnston & Shearing (2003), Agra (1997), Oliveira (2006), Zedner (2009), Lemieux (2000), Webber (2004) and Jones (2012); and citizenship - Villagómez (1997), Elster (1993), Martin & Ceballos (2004), Sen (2003), Dagnino (2004) and Carvalho (2001) In order to develop this analysis, we link the public security context to fundamental issues such as "governance", which enables us to make contact with management through a specific debate and citizenship as an element that sets a new starting point for security public. We can see that public security in Brazil arrives differently from social strata. In general, using diverse resources, the secretaries of security sought to provide answers that defined a certain type of control over crime and violence, the results are exposed in crime rates. The approaches to confront insecurity range from combating crime to tackling the causality of crime. The view of the criminal has a big difference, some secretaries avoid this angle, some understand that they are citizens who should have opportunities and others understand them as hopelessly deviant people. Thus, the secretaries are divided among more focused on a social-critical approach to the context of crime, those who are in an intermediate stage, conservative, seeking preventive actions and those who focus on a punitive and traditional perspective of the fight against crime. As for Portugal, he comes to this thesis to confirm the possibilities of a peaceful social coexistence, in spite of the existence of socioeconomic problems, highlighting important cultural elements in the construction of safe environments. Finally, the Public Security Police demonstrates the importance of special, perennial, well-defined security programs aimed at more vulnerable groups.

Segurança pública

Criminalidade : Aspectos sociais

Criminalidade

Segurança pública : Brasil

Gestor público

Controle social

Policiamento

Porto Alegre (RS)

Porto (Portugal)

Public security

Drug war

Citizenship

Special security programs

Public security plans

Criminal policy

Public security management

Violence

Crime