Abstract: Owing to the lifting of financial regulatory restrictions and market-opening policies in recent years, domestic banks face intensified competition from foreign banks entering Taiwan and must expand their scale of operations to absorb the resulting business impact. Since Taiwan joined the World Trade Organization (WTO) in 2002, domestic banks have, on the principle of reciprocity, been able to set up branches abroad on equal terms, so going international has become one of the feasible options for most domestic banks seeking to grow. As the operating footprint and headcount expand, the security of cross-border information processing and transmission, and compliance with each country's information security regulations, become issues that must be taken seriously. According to statistics, as of November 2011, 13 domestic banks had obtained ISO/IEC 27001:2005 information security management certification, using conformance to the international standard to secure customers' trust in the bank's handling and custody of information. Whereas domestic banks plan their security management procedures with the ISO standard as a blueprint, many large foreign banks operating in Taiwan have developed their own information security management systems (ISMS). To our knowledge, prior literature on information security management in banking has mostly studied regional or domestic banks, and no study has addressed the security management framework of a large foreign bank. We therefore set out to examine whether the security management practice of a large international bank differs from, or goes beyond, the ISO/IEC 27001:2005 standard. Through questionnaires and in-depth interviews, this study found that the ISMS of foreign bank A Bank places the greatest emphasis on security hardening across the application life cycle: the security requirements, design, development, testing and operation of application systems. On the implementation side it has four distinguishing features: active internal and external risk control, deepened information system security assessment, simplified classification of information assets, and a strengthened information security organization with greater breadth. These can serve as a reference for domestic banks' security management practice as they internationalize.
Due to the lifting of financial regulations and market-opening policies in recent years, domestic banks face intensifying competition from foreign banks and have expanded their scale of operations to cope with the resulting business impact. Since Taiwan joined the World Trade Organization (WTO) in 2002, domestic banks have been permitted, on the basis of reciprocity, to set up branches in WTO member countries. For the first time, expanding their business worldwide became a feasible option for most domestic banks. As they internationalize, their operations and headcount grow substantially, which raises the security issues of cross-border information processing and transmission as well as compliance with the security regulations of each country. In order to gain their customers' trust in the protection of their information, 13 Taiwanese banks had earned ISO/IEC 27001:2005 ISMS certification as of November 2011. Major foreign banks, by contrast, have not pursued certification but have instead developed their own information security management systems (ISMS), customized to their business requirements. As far as we know, most previous studies of information security in the financial sector concern regional or domestic banks and focus on implementing the ISO/IEC 27001 standard; the ISMS frameworks of major international banks have not been studied. We therefore explore the ISMS framework of a major foreign bank and compare the bank's practice with the ISO/IEC 27001:2005 standard to identify the gaps between them. Through questionnaires and in-depth analysis of interviews, we found that A Bank's security measures focus largely on the secure system development life cycle (SSDLC): system security requirements, design, development, testing and maintenance.
In its ISMS implementation, the bank emphasizes active internal and external risk management, deepened IT system security assessment, simplified asset classification, and a strengthened, independent and broader information security organization.