本研究主要在探討大型企業的資訊安全案例。在二十一世紀的今天,資訊系統及電腦資產對組織的成功更加重要,所以務必防止它們遭受遺失、竄改或毀滅的風險。資訊安全是保護資料、資訊遭受意外或有意的誤用的一種過程,不論是被組織內或組織外的人,包括員工、外包的顧問或網路上的駭客。資訊安全是組織中很策略的一環,不光是也不應是資訊部門一己的責任。
依據Datamonitor的估計,美國企業一年在資訊安全漏洞上至少損失美金一百五十億元。根據電腦安全學院(Computer Security Institute, CSI)及聯邦調查局(Federal Bureau of Intelligence, FBI)2004年的問卷調查顯示百分之四十九的企業曾發生個人電腦失竊的案例。依據IronPort的估計,一年前每年約有三百億封垃圾郵件,現在則激增至五百五十億封垃圾郵件。時至今日,對於資訊安全的主要威脅不是來自於組織外的駭客、病毒或蠕蟲,而是組織內的個人。不論組織內的個人是有意或無意地違反資訊安全的政策和規定,其後果可能相當嚴重,小至組織形象受損、業務損失,大至官司纏身或巨額罰款。
根據紐約時報2006年的報導:臺灣的高科技公司佔有全球半導體晶圓專工產業百分之七十的市佔率,百分之四十的半導體封裝市場,百分之五十的半導體測試市場,百分之八十的電腦主機板市場,百分之七十二的筆記本電腦代工市場,百分之六十八的LCD螢幕市場。我們如何繼續保持在全球市場上的領先地位?我們仍然得繼續在研究發展、生產製造及全球運籌上加碼投資。然而,在全球經濟之下,如何透過執行一套安全的、全球的及穩定的資訊網路及基礎架構以提供客戶更好的服務更是必要的。
對每一位資訊長或資安長而言,資訊安全永遠是他最關心的前三大議題之一。資訊安全當然是說比做容易,正確導入與永續執行才是根本。花錢購買資訊安全設備是相對簡單的。知道要保護什麼,如何保護以及要控制什麼就沒有那麼簡單了。在真實的商業世界裡,基於家醜不外揚,鮮有公司願意分享或公佈它資訊安全上的弱點及缺點。本論文的主要目的有二:一是研究業界最新的資訊安全標準及資訊安全供應商的看法,例如:
1. 國際標準組織(International Standard Organization, ISO)17799。
2. 英國標準組織(British Standard Institute, BS)7799。
3. 國際商業機器股份有限公司(International Business Machines, IBM)的資訊安全計劃。
4. 惠普股份有限公司(HP)及Information Security System公司的資訊安全稽核機制。
5. 微軟股份有限公司(Microsoft)。
二是提供一些真實的成功案例以提供給其他有興趣的組織作為參考。從結論發現,我們可藉由改善核心業務流程,去建造新的資訊安全系統,去運營一個可長治久安的實體與虛擬的環境,並強化公司的知識管理及傳承 / In the twenty-first century, information system and computing assets are more critical to organization’s success, and as a result, must be protected from loss, modification or destruction. Information security is the process of protecting data / information from accidental or intentional misuse by person inside or outside of an organization, including employee, consultants, and hackers. Information security is a strategic part of an organization, not just the issue of Management Information System, MIS, or Information Technology, IT, department.
According to “Datamonitor”, US$ 15 billion, at least, cost of information security breaches to United States businesses in one year. From the survey of Computer Security Institute, CSI, and Federal Bureau of Intelligence, FBI, in 2004, 49% of companies experienced notebook Personal Computer theft. According to IronPort, there are 55 billion spam e-mail per year right now, compared with 30 billion spam e-mail yearly. Today, the largest threat to information security is not the typical hacker, virus or worm, but the corporate insider. Whether insiders violate data security policies in advertently or with maliciously, the result can expose the company to public embarrassment, lost business, costly lawsuit, and regulatory fines.
Taiwanese high-technology companies have 70% market share of worldwide semiconductor foundry business, 40% share of semiconductor package segment, 50% share of semiconductor testing, 80% of computer motherboard, 72% share of notebook PC, 68% of LCD monitor --- New York Times, 2006. How can we keep maintaining the leading positions around the globe? To invest in R&D, manufacturing, and global logistics is key. However, how to implement a secure, global and reliable IT network and infrastructure to server customers better is a must under current global economy.
To every Chief Information Officer, CIO, or Chief Security Officer, CSO, Information security is always one of the top 3 to-do list. Information security is easy to talk about. But, implementations and executions are where talk must turn into action. Purchasing security device is easy. Knowing how and what to protect ad what controls to put in place is a bit more difficult. In the real commercial world, no one or company would like to share or release its weakness to the public. The objective of this thesis is to study most updated information security industry standard and information security suppliers’ view, like:
1. International Standard Organization, ISO, 17799.
2. British Standard Institute’s BS 7799.
3. IBM’s Information Security Program, ISP.
4. HP & Information Security Systems’ Information Security Audit Mechanism, ISAM.
5. Microsoft
Also to provide a real successful case / framework for other companies to ensure a consistent, enterprise-wide information security focus is maintained across organization boundaries. In conclusion, this information security study proposes to transfer core business process, to build information security new applications, to run a scalable, available, secure environment, and to leverage firms’ knowledge and information.
Identifer | oai:union.ndltd.org:CHENGCHI/G0091932601 |
Creators | 金慶柏, Chin,Robert CP |
Publisher | 國立政治大學 |
Source Sets | National Chengchi University Libraries |
Language | 英文 |
Detected Language | English |
Type | text |
Rights | Copyright © nccu library on behalf of the copyright holders |
Page generated in 0.0031 seconds