我國2012年有344萬次的駭客攻擊，有251次成為資安事件，鑑於2013年美國史諾登（Edward Snowden）洩密案，對國家安全的影響，從資安的角度來探討其原因，資安治理工作執行的落差也可能是主要的肇因之一，所以本文以我國相關部門為例，探討治理現況與執行上的落差與問題。 本研究採用個案研究法，對象為國安機關某業務單位，爰引我國資通安全政策等相關文獻，以問卷調查及深入訪談來瞭解個案現況，找出不同部門及階層之間對資安治理工作推展現存落差與問題，並提出建議。研究結果發現在風險管理及組織與人員方面，因不同部門與階層確實存有顯著性落差，根究其原因在於人員對政策指導認知、教育訓練及作業權責區分等都有所不足，建議治理高層與資訊部門應加強整體人員對政策與規範的認知，同時可藉由導入ISO27001(CNS27001)、ISO27005(CNS27005)等國際標準最佳實務，來提升組織內人員對風險管理的認識與能力，結合適當的資安人力配置、提供必要的專業訓練、合理明確的授權等措施，以增進國家資安防處之嚴謹可靠。 We were attacked by hackers 3,340,000 times in 2012, and almost caused 251 information crisis. That Edward Snowden revealing confidential state secret in 2013 had great influence on the relationship between information security and national security. One of the reasons that cause the case might be lake of information security management. In this study, we discuss the status quo of information security management and investigate the real challenge it faces in our country. In this study, we take one of the departments of Ministry of state security as our case study. With relative references about information security policies of our country and that of the government, we use survey to know the status quo of the case and investigate the real challenge it faces, trying to find out if the information security works well, and if there is any obstacle existed in information security between different departments and different positions. The results of this study indicates some gaps among risk management, organizations and personnel does exist, and that’s because lack of policy acknowledgement, training and distinction between responsibility and accountability. The governing body and the information department should help their personnel to fully understand the policy, and help them know more about risk management through ISO27001(CNS27001) and ISO27005(CNS27005). With adequate information security manpower disposition, training, reasonable and definite authorization, the information security of our national system would be much stronger.