Research on Personal Information Privacy Protection Regulations and Information Security Risk Management

Research on Personal Information Privacy Protection and Information Safety Risk Management

吳嘉龍1、胡明強2
C. L. Wu1 and M. C. Hu2

1 Department of Information Management, Cheng Shiu University
2 Department of Information Management, Shu-Zen Junior College of Medicine and Management


Abstract

Information security matters greatly to an organization. Information is an asset that, like other important corporate assets, has value to the organization and therefore needs appropriate protection. Information security consists in safeguarding corporate information assets from unacceptable risk. The Personal Data Protection Act regulates the collection, processing and use of personal data in order to prevent infringement of personality rights and to promote the reasonable use of personal data. Information security has three properties: confidentiality, integrity and availability. Confidentiality ensures that only authorized persons may access information; integrity ensures that information content and information processing methods are correct and complete; availability ensures that authorized users can access information and use related assets when they need to. On December 1, 2000, ISO/IEC 17799:2000(E), the standard for information security management system controls, was published; on December 5, 2002, our national CNS standard was formally promulgated to establish ISMS, and certification was promoted on a broader scale as a key item of information security work. The International Organization for Standardization has carried out standardization of management system standards since 2000, and ISO/IEC 27001 has incorporated the topic of personal data/privacy management system security requirements. This paper approaches the subject from the perspectives of national information and communication security development, information security standards and techniques, and risk management theory, and investigates the protection of personal privacy and information security risk.

Keywords: Information and Communication Security; Risk Management; Personal Data Protection; Information Security Management System; General Data Protection Regulation.

ABSTRACT

From an information security perspective, information is an asset that, like other important corporate assets, is of value to the organization and therefore needs to be properly protected. Information security lies in protecting corporate information assets from unacceptable risks. Information security has three characteristics: confidentiality, integrity, and availability. Confidentiality ensures that only authorized persons can access information. On December 1, 2000, ISO/IEC 17799:2000(E), the standard for information security management system control measures, was promulgated. On December 5, 2002, the Chinese National Standards version was officially promulgated, establishing ISMS and expanding certification to become a focus of information security work. The International Organization for Standardization has been standardizing management system standards since 2000, and ISO/IEC 27001 has incorporated the topic of personal data/privacy management system security specifications. This paper draws on research into national security, information security technology and risk management theory to study the protection of individual privacy and information security risk.

Keywords: Information Security; Crisis Management; Personal Protection; ISMS; General Data Protection Specification.