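According to statistics from the Executive Yuan's Information and Communication Security Taskforce, among 600 enterprises surveyed in 2006, about 108 had experienced six or more information security incidents that caused actual damage. Information security has in the past often been treated as a technical issue, with less attention paid to its management aspects. This study therefore seeks to understand whether the high frequency of security incidents is due to insufficient board involvement or to the absence of regulations that impose constraints, and explores whether information security governance can help organizations improve their handling of security issues and reduce the occurrence of incidents. The author recently took part in the research project on information security governance mechanisms and the continued development of information security infrastructure run by the Science and Technology Advisory Group of the Executive Yuan, which examined information security governance in the public and private sectors. This study examines the information security governance maturity of domestic enterprises, using private companies as actual cases. It adopts the multiple-case form of the case study method to examine the information security governance maturity of domestic private enterprises, and uses in-depth interviews to investigate the difficulties that may be encountered when introducing information security governance. The results show that introducing information security governance may run into the following problems: the organization and its managers do not accept that information security governance is necessary; the relevant personnel do not understand it well enough; external incentives or pressures, such as regulations, are lacking; and consultation and assistance with implementation in practice are lacking.

According to ICST statistics from 2006, about 108 of the 600 companies surveyed had been attacked more than 6 times. Information security was regarded as a technical issue and not as a management one. This study therefore tries to find out why information security breaches occur so frequently, whether because of insufficient participation by the Board of Directors or a shortage of relevant legislation, and to find answers that can help organizations prevent or reduce such breaches. The author of the study has participated in a research plan on information security governance (ISG) in the public and private sectors. The study focuses on the ISG maturity of domestic enterprises. Through case studies, we try to understand the state of information security governance in the private sector. The research method of the study is the multi-case study. We discuss the ISG maturity of the private sector and use in-depth interviews to understand the problems of conducting ISG. The results of the study are as follows. First, boards and senior executives do not think ISG is necessary. Second, the employees who are responsible for ISG don't fully understand what they are supposed to do. Third, external incentives and pressures such as regulations are lacking. Finally, consultation and assistance with the practice of conducting ISG are lacking.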