Please use this identifier to cite or link to this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10270
Title: | 企業資訊安全營運管理之績效評估 IT Security Operations Management: Performance Evaluation |
Authors: | Chiung-Ying Huang 黃瓊瑩 |
Advisor: | 孫雅麗(Yeali S. SUN) |
Keyword: | Security Operations Center, Key Performance Indicator, Performance Evaluation Indexes, SMART Criteria |
Publication Year : | 2011 |
Degree: | Master's |
Abstract: | Business leaders all recognize the importance of information security to enterprise IT operations, but do the resources invested in information security protection yield a reasonable return, and how should the performance of information security operations management be evaluated? Because information security involves complex technical and management issues, and attack techniques change very quickly, every link in the chain can give rise to risk; an IT environment that had no problems in the past is no guarantee that it remains impregnable and secure now or in the future. Besides hiring employees with information security expertise to be responsible for the enterprise's own security, an enterprise can also choose to outsource to a professional information security service provider that delivers its information security services.
This thesis examines the technical architecture of information security operations management and designs "technical management" and "operational management" performance evaluation indexes to measure how well information security operations management performs. These indexes can serve as tools for day-to-day operations management, giving an up-to-date view of overall operational performance so that corrective or improvement measures can be taken promptly and information security risk kept under control. The thesis further applies the designed performance evaluation indexes to real cases, calculating the actual monetary losses to measure the return on investment. Each performance evaluation index is designed according to the S.M.A.R.T. criteria (Specific, Measurable, Attainable, Repeatable, Time-dependent), and all are expressed in quantified units such as hours, counts and percentages, avoiding differing judgments that arise from individual subjective assessment. Each index can be obtained effectively at a reasonable cost (time, money, manpower) and is therefore operable. With appropriate performance evaluation indexes in hand, the thesis uses real cases to try to answer the following questions of concern to managers:
● Does the information security cost invested yield a "reasonable return"?
● "How much" must be invested to reach an adequate level of security?
● Is the information security posture "better" than before?
Information Security is a pivotal component in modern business activities without question. Enterprises should exercise due care to perform the ongoing maintenance necessary to keep IT systems in proper working order, or to abide by what is commonly expected in a situation. The IT head is responsible for implementing countermeasures that provide protection from those threats. Developing and implementing security policies, procedures, and standards shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and its employees from possible threats. It is especially important if the due care situation exists because of a contract, regulation, or law. However, there has been a lack of well-defined performance evaluation indexes for understanding the return on investment in information security operations. The thesis designs "technical management" and "operational management" performance indexes to help enterprise top management evaluate the return on the money paid for security operations. Moreover, real security incident cases are discussed and the financial losses are calculated in order to respond to the concerns of top management: 1) Am I spending the right amount of money? 2) How much should I pay for information security? 3) Am I better off than I was this time last year? The indexes designed in the thesis are each evaluated as a number, a percentage or a time elapsed. They are contextually specific, measurable, attainable (cheap to gather), repeatable and time-dependent. In addition, all of the indexes are clear, unambiguous and can be consistently measured without subjective distortion. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10270 |
Fulltext Rights: | Authorized for release (open access worldwide) |
Appears in Collections: | Information Management Group |
Files in This Item:
File | Size | Format
---|---|---
ntu-100-1.pdf | 4.89 MB | Adobe PDF