Tamkang University Institutional Repository (淡江大學機構典藏): Item 987654321/102410
    Please use this identifier to cite or link to this item: https://tkuir.lib.tku.edu.tw/dspace/handle/987654321/102410


    Title: 資訊安全健診之研究：以政府機關為例 (A study of information security health checks: government agencies as case examples)
    Other Titles: A study of information security diagnostic : three cases of government organizations
    Authors: 高敏書;Kao, Min-Shu
    Contributors: In-Service Master's Program, Department of Information Management, Tamkang University (淡江大學資訊管理學系碩士在職專班)
    Hwang, Ming-Dar (黃明達)
    Keywords: Information Security Diagnostic (資安健診); Web Security (網站安全); Patch Management (更新管理); ISO27001
    Date: 2014
    Issue Date: 2015-05-04 09:55:04 (UTC+8)
    Abstract (translated from the Chinese): Domestic case studies on information security have mostly examined the management side of a single organization. This study instead cross-analyzes the results that Company A obtained while carrying out technical information security health check projects at three government agencies. By comparing the outcomes of the three cases, it aims to identify problems common to the agencies; from the problems found and an assessment of the associated risks, it then proposes ways to reduce those risks.

    After comparing the results of the three cases, the study found similar problems in five areas: website security; network architecture; internal network protection mechanisms; malware protection and update (patch) management for personal computers and servers; and security settings for systems, databases and networks. For example, the websites of all three agencies exhibited OWASP Top 10 (2013) issues; two agencies were infected with the same malware; and update controls for user PCs and servers, as well as internal network access controls, were weak across the board. Two agencies had no controls for encrypting and auditing important data in their databases, and at all three agencies the protocols used by externally facing services were unencrypted, with the attendant risk of leaking sensitive information. The National Information and Communication Security Taskforce of the Executive Yuan has issued regulations covering these five areas and audits agencies from time to time, but because the scope and thoroughness of implementation differ from agency to agency, the audits do not reflect the true state of protection. For example, Agency X's ISO 27001 certification covered a broader scope than the other agencies', so its overall security strength in the health check results was higher. The study closes with several recommendations for improvement, in the hope that they can raise the overall state of government information security.
    Abstract (author's English version): Most regional case studies on information security focus on the management of a single organization. This study instead cross-analyzes the information security diagnostic results (technical in scope) that "Company A" obtained from three government agencies. Through this comparison, mistakes common to the organizations can be identified, their risks evaluated, and approaches to reduce those risks proposed.
    The study found similar problems in web security, network architecture, internal network protection mechanisms, update management and database security in all three cases. Although the National Information and Communication Security Taskforce sets information security regulations and guidelines for all government divisions and audits are carried out from time to time, the extent to which each division implements them varies significantly, so the audits do not fully reflect their true security level. For instance, "Organization A" scored best on overall information security only because its ISO 27001 certification covered a wider scope. Several recommendations are proposed for future improvement, with the expectation that they will raise the information security level of the government.
    Appears in Collections:[Graduate Institute & Department of Information Management] Thesis

    Files in This Item: index.html (0 KB, HTML)
