Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97328
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 楊岳平 | zh_TW
dc.contributor.advisor | Yueh-Ping Yang | en
dc.contributor.author | 白哲綸 | zh_TW
dc.contributor.author | Che-Lun Pai | en
dc.date.accessioned | 2025-04-24T16:10:09Z | -
dc.date.available | 2025-04-25 | -
dc.date.copyright | 2025-04-24 | -
dc.date.issued | 2025 | -
dc.date.submitted | 2025-03-24 | -
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/97328 | -
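dc.description.abstract | Since the outbreak of the pandemic in 2020, remote work and the wave of digital transformation have risen, and information security has become increasingly important. Cybersecurity incidents have been frequent in recent years; if the various cybersecurity risks and system vulnerabilities are not properly controlled, consumers' trust in network security may be weakened. From the standpoint of cybersecurity supervision, however, competent authorities must expend enormous supervisory resources to respond to the many cybersecurity vulnerabilities and threats, so how to allocate supervisory resources effectively has become an issue in urgent need of attention. Having cybersecurity certification bodies oversee the regulated entities, so that the government can focus its supervision on the certification bodies themselves, may be one way to effectively reduce the supervisory burden. If this model of cybersecurity supervision is adopted, how to effectively supervise cybersecurity certification bodies will become a key issue for future cybersecurity supervision.
Legal-economic analysis shows that the cybersecurity market suffers from information asymmetry, which makes a certification system necessary. If the government intervenes directly, however, resources may not be put to their most efficient use, so the more appropriate approach is a "private certification system". In addition, private standards are mature and have been in use in industry for years; cybersecurity supervision should carefully evaluate how they operate and appropriately incorporate private certification standards to strengthen supervisory effectiveness. Furthermore, under gatekeeper theory, cybersecurity certification bodies are one kind of gatekeeper, and "gatekeeper failure" may occur in their operation. "Market competitiveness" is one type of gatekeeper failure: whether the market is oligopolistic or excessively competitive, supervisory problems can arise. The choice of "payment model" is another important gatekeeper-failure issue; this thesis argues for the "evaluated-party-pays model" rather than the "information-user-pays model", supplemented by appropriate "measures to prevent conflicts of interest". On "prevention of conflicts of interest", specific rules should be added to ensure the impartiality and independence of cybersecurity certification bodies.
In the comparative-law study, this thesis focuses mainly on the "EU Cybersecurity Act" and the "EU Cyber Resilience Act". Although the EU's cybersecurity certification legislation has not been in force for long, its specific rules on "prevention of conflicts of interest" are already worth taking as a reference for building Taiwan's cybersecurity accreditation and certification legal framework. Comparing and analysing international regulatory models for cybersecurity accreditation and certification also allows reflection on which regulatory model Taiwan should adopt.
Finally, this thesis proposes responses to the choice of regulatory model for Taiwan's cybersecurity accreditation and certification and to the related gatekeeper-failure problems, including market competitiveness, the payment model, and prevention of conflicts of interest. In addition, this thesis reviews the existing regulations governing certification bodies and proposes amendments; for industries that have not yet enacted such regulations, it also proposes legislative guidelines for legislators and competent authorities to consult in future legislation.
| zh_TW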
dc.description.abstract | In 2020, COVID-19 broke out and caused a surge in remote work. Since then, cybersecurity has become an issue that cannot be ignored. Inadequate control of cybersecurity risk has recently caused numerous noteworthy incidents, eroding consumer trust in companies. Regarding cybersecurity supervision, competent authorities must consume significant resources to address millions of cybersecurity incidents. Thus, how to allocate regulatory resources effectively becomes a critical issue that requires attention. Laws can ask certification bodies to supervise the entities. In this way, governments can focus only on certification bodies without wasting numerous resources. This should be the way to efficiently reduce the overall regulatory burden. If this cybersecurity supervision method is adopted, how to effectively supervise cybersecurity certification bodies becomes the next significant cybersecurity supervision challenge.
By examining the management regulations of cybersecurity certification in Taiwan, this thesis discovers several problems. Although there are some sporadic regulations, Taiwan lacks regulations for assessors and certification bodies. Furthermore, regulations of certification bodies in certain industries are either insufficient or absent. It is necessary for lawmakers or cybersecurity competent authorities to legislate proactively to deal with the risks mentioned above. Which cybersecurity certification regulatory model to adopt is an issue of allocating regulatory resources effectively.
Through economic analysis of law, this thesis advocates that private certification systems and standards are necessary. If the government intervenes in the market directly, resources will not be used most effectively. Additionally, a certification body is one of the gatekeepers, whose failure may occur under gatekeeper theory. "Market competitiveness" is a potential factor of gatekeeper failure, including oligopoly and excessive competition. The payment model is another gatekeeper failure. Therefore, this thesis suggests adopting the "regulated entity pay" model rather than the "information user pay" model. Based on the above, this thesis argues that Taiwan should take measures to prevent conflicts of interest of certification bodies.
In the comparative legal research, this thesis primarily focuses on the "EU Cybersecurity Act" and the "EU Cyber Resilience Act". Although EU cybersecurity certification regulations do not have a long history, they might be a worthwhile reference for cybersecurity certification regulations in Taiwan. Taiwan can also reflect on what kinds of regulatory models to adopt via the study of international cybersecurity certification regulatory models.
Finally, this thesis proposes corresponding solutions to the choice of cybersecurity accreditation and certification regulatory model in Taiwan. It specifically attempts to figure out the solution to gatekeeper failures, including market competition issues, fee structures, and prevention of conflicts of interest. For industries without regulations of certification bodies, this thesis also suggests legislative directions for legislators and competent authorities to introduce them in the future.
| en
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-04-24T16:10:09Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2025-04-24T16:10:09Z (GMT). No. of bitstreams: 0 | en
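dc.description.tableofcontents |
Oral Examination Committee Certification
Abstract (Chinese)
ABSTRACT
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  Section 1 Research Motivation
  Section 2 Research Subject and Scope
  Section 4 Research Structure
Chapter 2 Current State of Taiwan's Cybersecurity Accreditation and Certification System
  Section 1 Overview of Taiwan's Cybersecurity Accreditation and Certification System
    Item 1 Accreditation
    Item 2 Certification
    Item 3 Taiwan's Accreditation and Certification Process
    Item 4 Categories of Cybersecurity Certification Rules
    Item 5 Application of International Standards in Taiwan's Accreditation and Certification System
    Item 6 Framework of Cybersecurity Supervision
  Section 2 General Framework of Taiwan's Accreditation and Certification System
    Item 1 Standards Act
    Item 2 Republic of China Accreditation Implementation Regulations
  Section 3 Taiwan's Accreditation and Certification System for ICT Services and Processes
    Item 1 Cyber Security Management Act
    Item 2 Regulations Governing Certification Bodies for Public Telecommunications Networks
    Item 3 Cloud Service Certification
  Section 4 Taiwan's Accreditation and Certification System for ICT Products
    Item 1 Overview of the ICT Product Accreditation and Certification System
    Item 2 IoT Cybersecurity Mark
    Item 3 Regulations Governing Testing Bodies and Certification Bodies for ICT Equipment of Critical Telecommunications Infrastructure
  Section 5 Regulatory Models for Taiwan's Cybersecurity Accreditation and Certification
    Item 1 Direct Supervision and Indirect Supervision
    Item 2 Overview of Regulatory Models
    Item 3 Review of the Regulatory Models of Taiwan's Cybersecurity Certification Rules
  Section 6 Summary: Deficiencies in Taiwan's Cybersecurity Certification Legal Framework
Chapter 3 Legal-Economic Analysis of Accreditation and Certification Systems
  Section 1 Analysis of the Necessity of Private Certification Systems and Private Standards
    Item 1 Necessity of Private Certification Systems
    Item 2 Private Certification Systems and Private Standards
  Section 2 Failure of Private Certification Systems
    Item 1 Meaning of Gatekeeper
    Item 2 Gatekeeper Failure
  Section 3 Solutions to Gatekeeper Failure
    Item 1 Solutions for Competitiveness
    Item 2 Solutions for Conflicts of Interest
  Section 4 Summary
Chapter 4 Comparative-Law Study of Cybersecurity Accreditation and Certification Systems
  Section 1 European Union
    Item 1 EU Cybersecurity Act
    Item 2 EUCC Scheme
    Item 3 EU Cyber Resilience Act
  Section 2 Regulatory Models of National Cybersecurity Accreditation and Certification Systems
    Item 1 Model No. 2
    Item 2 Model No. 3
    Item 3 Model No. 4
    Item 4 Model No. 3 or Model No. 5
    Item 5 Model No. 5
  Section 3 Summary
Chapter 5 Recommendations for Adjusting Taiwan's Cybersecurity Accreditation and Certification Legal Framework
  Section 1 Choice of Regulatory Model for Taiwan's Cybersecurity Accreditation and Certification
    Item 1 Choice of Regulatory Model
    Item 2 Taiwan's Cybersecurity Accreditation and Certification Regulatory Model Should Be Model No. 5
  Section 2 Competitiveness
  Section 3 Payment Model and Conflicts of Interest
Chapter 6 Conclusion
References
| -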
dc.language.iso | zh_TW | -
dc.subject | Certification body | zh_TW
dc.subject | EU Cyber Resilience Act | zh_TW
dc.subject | EU Cybersecurity Act | zh_TW
dc.subject | Conflict of interests | zh_TW
dc.subject | Gatekeeper theory | zh_TW
dc.subject | Information security | zh_TW
dc.subject | Conflict of Interests | en
dc.subject | Gatekeeper Theory | en
dc.subject | Certification body | en
dc.subject | Cybersecurity | en
dc.subject | EU Cyber Resilience Act | en
dc.subject | EU Cybersecurity Act | en
dc.title | On Taiwan's Information Security Legal Framework and the Supervision of Certification Bodies: Centering on the Prevention of Conflicts of Interest | zh_TW
dc.title | Taiwan's Cybersecurity Laws and Certification Body Regulations: Focusing on Prevention of Conflict of Interests | en
dc.type | Thesis | -
dc.date.schoolyear | 113-2 | -
dc.description.degree | Master's | -
dc.contributor.oralexamcommittee | 黃種甲;洪令家 | zh_TW
dc.contributor.oralexamcommittee | Chung-Chia Huang;Leng-Chia Hung | en
dc.subject.keyword | Information security, Certification body, Gatekeeper theory, Conflict of interests, EU Cybersecurity Act, EU Cyber Resilience Act | zh_TW
dc.subject.keyword | Cybersecurity, Certification body, Gatekeeper Theory, Conflict of Interests, EU Cybersecurity Act, EU Cyber Resilience Act | en
dc.relation.page | 140 | -
dc.identifier.doi | 10.6342/NTU202500777 | -
dc.rights.note | Not authorized | -
dc.date.accepted | 2025-03-24 | -
dc.contributor.author-college | College of Law | -
dc.contributor.author-dept | Department of Law | -
dc.date.embargo-lift | N/A | -
Appears in collections: Department of Law

Files in this item:
File | Size | Format
ntu-113-2.pdf (not authorized for public access) | 2.56 MB | Adobe PDF