The findings show that an organization that has already adopted an Information Security Management System (ISMS) can integrate information asset risk assessment with personal data file risk assessment, using a consistent assessment approach to avoid carrying out risk assessments twice. If the risk assessment framework of the "Personal Data Protection Reference Guide" is adopted, a detailed risk assessment method can be added to fit the enterprise's existing ISMS practice. From 68 information asset threat and vulnerability items, this study compiled 38 primary threat and vulnerability assessment items for personal data files and 12 secondary assessment items, giving enterprises a basis for detailed risk assessment of personal data files while saving time and cost. This study explores the integration of risk assessment for information security and personal data files, and then examines the threat and vulnerability items used in the risk assessment of personal data files. The threat and vulnerability items for information asset risk assessment were collected through literature analysis.
Through expert interviews and the collection of opinions on integrating information security and personal data file risk assessment, and on the suggested threat and vulnerability items for personal data file risk assessment, the results show that enterprises should integrate information security risk assessment with personal data file risk assessment to reduce effort. If a company adopts the "Personal Data Protection Reference Guide", the findings recommend applying a detailed risk assessment method. This study also organized 38 threat and vulnerability items to reduce the workload of personal data file risk assessment and to support the integration of risk assessment for information security and personal data files.