Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/35869
Title: | A Study of Information Security Misgivings About the BS 7799 Standard (original title: BS 7799 的資訊安全虞慮之探討) |
Author: | Wen-Long Shu (徐文龍) |
Advisor: | 湯耀中 |
Keywords: | information security, BS 7799 |
Year of publication: | 2005 |
Degree: | Master's |
Abstract: | Advances in information technology and its widespread adoption have made our lives more convenient, but they have also brought many information security problems. As the impact of information security incidents has grown, these problems have become one of the public's chief concerns, and some enterprises and organizations have sought to protect their information systems through certification. However, a growing number of incidents show that information security problems arise not from the systems themselves but from the intentional or unintentional actions of people.
This thesis takes "people" as its main subject of consideration. It examines the impact on information security from the perspective of ethics and carries out a security analysis of the BS 7799 standard, the information security certification that the government is actively promoting. We put forward four main arguments: 1. BS 7799 does not readily resist new methods of network crime. 2. BS 7799 cannot easily regulate an organization's internal culture or the ethical conduct of its personnel. 3. BS 7799's defenses against social engineering remain weak. 4. The cost of security certification is high and some of its requirements are so cumbersome that most enterprises are unwilling to invest in it. Through discussion of related case studies, we also show that the BS 7799 security controls neither cover the entire scope of information security nor easily impose effective norms on personnel ethics. Even an organization that has been awarded BS 7799 certification for its information security management system has no guarantee that its information systems are secure or that it will henceforth avoid information security threats. Doing information security well requires not only security measures for system hardware and software, but also sound management of personnel within the enterprise or organization and stronger ethics education for the people concerned; only then can an enterprise or organization truly implement and effectively improve its overall information security. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/35869 |
Full-text license: | Licensed for a fee |
Appears in collections: | Department of Computer Science and Information Engineering |
Files in this item:
File | Size | Format |
---|---|---|
ntu-94-1.pdf (not currently authorized for public access) | 882.28 kB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated.