本研究以某財團法人機構為例,並以原有之資訊安全稽核清單表為基本條件,依循傳統稽核流程與計畫模式,設計與建立一套系統化與行動化的稽核評量輔助系統;並利用可擴充性模版功能,替換產生不同性質稽核過程所需要的資訊,更透過手持裝置的操作,消除空間與時間的限制,達到有效的稽核紀錄存放管理;並可預先載入企業組織過往稽核報告資訊,重新依據新式計分模式進行稽核活動,經過後端資料庫統計及進行新舊模式稽核結果之對照分析,更可顯現實際客觀的資訊安全稽核結果。 In the face of increasing information security threats, it is now a trend among business organizations to promote and implement security audits based on the ISO/IEC 27001:2005 information security standards. However conventional manual audit has a number of shortcomings, including high error rate, time consuming, lack of efficiency, inability to preserve paper records indefinitely which is also environmentally unfriendly, and inability to effectively pass on the audit experience.
This study uses a legal entity as an example and its existing information security audit checklist as basic conditions and follows the traditional audit process and planning model to design and establish a systematic and action-oriented audit and assessment aid system; scalable template features are also included for replacement of information of different natures needed during the auditing process while the use of handheld devices can eliminate the time and space constraints for effective audit log management; past audit report information of the business organization can be pre-loaded for conducting audit activities based on the new scoring model. The results of objective information security audit can be obtained through back-end database and comparative analysis on the audit results based on the old and new models.
