
Research on Operation Risks in Confidential Information Management

C. Y. Ho and T. S. Huang

Department of Criminal Justice, Ming Chuan University


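In recent years, major incidents of public disclosure of confidential information have occurred internationally, such as the WikiLeaks Manning case (Bradley Manning), the Snowden case (Andrew Snowden), and the Panama Papers case. In each of them the leak channel was the organization's own internal personnel, and the incidents caused international panic, controversy, and reflection. Taiwan has likewise seen a series of major leak cases, in which public servants leaked information they were required to keep confidential in their official duties, or employees stole corporate trade secrets. These cases caused great damage to the organizations concerned and even endangered national security or overall industrial competitiveness.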

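With regard to the control of leakage offenses in Taiwan, confidentiality protection measures, handling procedures, and related penalties are all stipulated in the Classified National Security Information Protection Act, the Criminal Code, the Criminal Code of the Armed Forces, the National Security Act, and the Regulations for Protection of Confidential Business Operations by Government Mechanisms. However, risks readily arise during the handling process, and how to reduce them effectively has become an important issue. This study used operational risk management software (Operational Risk Management Integration Tools, ORMIT) to conduct a risk assessment questionnaire survey on the current confidential information control mechanisms, in order to make those controls effective and reduce the occurrence of failure risks. Based on an assessment of six confidential information handling procedures, "processing, distribution, delivery, custody, inventory, and destruction," it proposes the recommendations of "designating dedicated personnel for processing, effectively limiting the personnel with knowledge of the secrets, distinguishing confidentiality levels for delivery, improving storage protection capability, carrying out regular inventory and audit, and regularly destroying expired secrets," as a reference for government and corporate control.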



In recent major incidents involving the disclosure of confidential information, such as the Bradley Manning, Andrew Snowden, and Panama Papers incidents, the leakage channels were individual employees who were members of the internal staff. The incidents have resulted in international panic, disputes, and reflection. A series of leakage incidents has also taken place in Taiwan, including the leakage of confidential information by government officers and the theft of corporate secrets by company employees. These incidents have caused major damage to many organizations and pose a threat to national security and overall industrial competitiveness.

With regard to the management and control of leakage offenses in Taiwan, the confidentiality protection measures, management procedures, and related penalty provisions are stipulated in the Classified National Security Information Protection Act, Criminal Code, Criminal Code of the Armed Forces, National Security Act, and Regulations for Protection of Confidential Business Operations by Government Mechanisms. However, various risks are likely to occur in the management process, and the efficient reduction of these risks is an important issue. Operational Risk Management Integration Tools (ORMIT) were used to conduct a risk assessment questionnaire survey of current confidential information management mechanisms in order to make those mechanisms effective and reduce failure risks. The secrets disposal procedure was evaluated according to six components, namely "processing," "distribution," "delivery," "protection," "verification," and "destruction." Based on this evaluation, a model was proposed that includes processing by designated responsible personnel, effectively limiting the personnel with knowledge of the confidential information, distinguishing confidentiality levels for delivery, improving storage protection, regular inventory and inspection, and regular disposal of expired secrets. The proposed model provides a reference for governmental and corporate management.

Keywords: Official Secrets; Risk Assessment; Operation Risk Management (ORM)