A Study on the Certification of Information Security Management Systems

PhD === National Chiao Tung University === Institute of Information Management === 94 === Due to the continual occurrence of many information security problem incidents, there have been a lot of disasters in many organizations. Many countries are paying more attention to the problems and the Information Security Management System (ISMS) Standard was pa...


Bibliographic Details
Main Author: 方仁威
Other Authors: 黃景彰
Format: Others
Language: zh-TW
Published: 2004
Online Access: http://ndltd.ncl.edu.tw/handle/55548681266535249701
id ndltd-TW-094NCTU5396027
record_format oai_dc
spelling ndltd-TW-094NCTU5396027 2016-05-27T04:18:35Z http://ndltd.ncl.edu.tw/handle/55548681266535249701 A Study on the Certification of Information Security Management Systems 資訊安全管理系統驗證作業之研究 方仁威 PhD National Chiao Tung University Institute of Information Management 94 黃景彰 樊國楨 2004 Degree thesis ; thesis 111 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description PhD === National Chiao Tung University === Institute of Information Management === 94 === Due to the continual occurrence of many information security problem incidents, there have been a lot of disasters in many organizations. Many countries are paying more attention to the problems and the Information Security Management System (ISMS) Standard was passed in 2000. The aim of ISMS is to protect the confidentiality, integrity and availability in the organizations. By risk analysis, evaluation and management of the information assets, we can lower the frequencies of the information security problem incidents and impact so as to improve the organizational information security management capabilities. Taiwan has brought out “Challenge 2008 – Nation’s Major Focus Plan” in which “The accomplishment of 50% information security management system in any government branch” is an indicator for the set up of secure information. Setting up a complete information security system is helpful to upgrade the country’s overall information and communication environments. In view of that, our study is based on the integrated operation mechanism of ISMS. It’s known that there is no such thing as “Absolute information security”. Thus, it is practical to establish an integrated security solution. In this study, I am using the international standards, the related guides and similar studies as my research reference. Then this study also includes the security engineer, management and auditing and ISMS certification process. In the thesis, I also bring out the leveling process of ISMS for our country to meet the standard internationally. Through a “Plan, Do, Check and Action (PDCA) life cycle model” by making a systematic and rational information security and lowering the risk factors of accompanying security incidents, we can improve the process quality continuously and protect the systems. Hence, according to the “OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security” published by the OECD on July 25, 2002, the planning, evaluation and internal auditing of are studied. In this study, we try to integrate ISO/IEC 15408, ISO/IEC 17799, and ISO/IEC 21827 for National Information Assurance Certification and Accreditation (NIACAP), and formulate the information security auditing capability and its required education training for the future ISMS implementation guideline to ensure the organizational information systems security and long-term operation.