| Field | Value |
|---|---|
| Author | 許志偉 Hsu, Chi-Wei |
| Thesis title | 證券業資通訊委外供應商資訊安全成熟度之研究-以某綜合券商為例 (Research on the Information Security Maturity of Outsourced Information and Communication Suppliers in the Securities Industry: A Comprehensive Securities Company as an Example) |
| Advisor | 張佳榮 Chang, Chia-Jung |
| Committee members | 張佳榮 Chang, Chia-Jung; 劉素娟 Liu, Su-Juan; 鄒蘊欣 Chou, Yun-Hsin |
| Oral defense date | 2024/05/28 |
| Degree | Master |
| Department | Executive Master of Business Administration (EMBA) program |
| Year of publication | 2024 |
| Graduation academic year | 112 (ROC calendar, i.e. 2023/24) |
| Language | Chinese |
| Pages | 120 |
| Keywords | information security, maturity, risk management, verification, identification, inference, penetration, crypto-ransomware, supply chain |
| Research methods | comparative research, in-depth interviews, semi-structured interviews, empirical research |
| DOI URL | http://doi.org/10.6345/NTNU202400638 |
| Thesis type | academic thesis |
| Usage | 96 views, 9 downloads |
Cybersecurity maturity (White, 2011) refers to how mature an organization's information security management is. Maturity models are now commonly used to assess and measure an organization's security posture and to confirm that it can cope with an increasingly complex and fast-changing threat environment. This study draws on the common maturity models and related concepts below to build an information security maturity assessment model tailored to the company's operations:

1. FFIEC CAT (Cybersecurity Assessment Tool): published by the US Federal Financial Institutions Examination Council (FFIEC) in June 2015. It first profiles an institution's inherent risk and then rates maturity across five management domains, and it is currently the most widely used assessment tool in the financial industry.
2. CMMC (Cybersecurity Maturity Model Certification): the US Department of Defense's tiered certification of contractors' cybersecurity practices. It gives a company a framework for rating the maturity of its security management and for choosing the measures needed to reach the next level.
3. ISO/IEC 27001: the information security management system (ISMS) standard issued jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An organization uses it to keep its information assets appropriately protected while continuously managing risk and improving; the certification audit of the management system provides evidence of operational maturity.
4. NIST Cybersecurity Framework: developed by the US National Institute of Standards and Technology (NIST), the framework treats information security as risk management organized around the functions Identify, Protect, Detect, Respond and Recover.
5. Zero trust architecture: no device or user on the network is trusted by default, and identity and authorization are verified continuously. It rests on the principle "never trust, always verify" and is introduced in three stages, in order: identity authentication, device authentication and trust inference.

In a maturity assessment, a company uses dedicated tools and methods to gauge the depth and breadth of its security management and to derive improvement recommendations. Such an assessment typically spans strategy and governance, risk management, operational security and security monitoring. Maturity is not determined by technology and process alone: staff training and security awareness are a decisive factor in raising it. Assessment is also a continuous process; the organization must keep monitoring and improving its ISMS through periodic risk assessments, vulnerability scanning, event monitoring and similar activities.

The financial industry is a licensed sector under close regulatory supervision and has an established level of security management, so attackers instead exploit the latent security weaknesses of suppliers: stealing data, gaining a foothold, escalating privileges and ultimately deploying ransomware in one chained campaign. Supply chain security has accordingly become a regulatory priority in recent years. This study aims to strengthen the company's security governance and raise the maturity of its security management.
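The zero-trust item in the abstract names three stages that every request must pass through in order. The Python below is an added example written for this page, not code from the thesis or from any vendor's product: it applies the three stages to one request and shows why the order matters (a valid identity on an unregistered device is still denied, and a registered device with an expired token never reaches the device check). The token format, the device registry, the posture fields, the risk weights, the thresholds and the sample users, devices and contexts are all hypothetical constructions for illustration.

```python
"""Per-request zero-trust check: identity authentication, device authentication, trust inference.
Added example; all names, weights and sample data are hypothetical."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: a shared HMAC key stands in for the identity provider's signing key.
SIGNING_KEY = b"demo-signing-key"

# Assumption: device registry as an MDM/EDR platform would hold it (constructed sample data).
DEVICE_REGISTRY = {
    "dev-001": {"owner": "alice", "cert_fingerprint": "a1b2c3"},
    "dev-042": {"owner": "vendor-ops", "cert_fingerprint": "d4e5f6"},
}
# Assumption: per-user baseline; outsourced supplier accounts are flagged third_party.
USER_BASELINE = {
    "alice": {"country": "TW", "third_party": False},
    "vendor-ops": {"country": "TW", "third_party": True},
}

@dataclass
class Decision:
    outcome: str   # "allow", "step_up" or "deny"
    stage: str     # stage that produced the decision: "identity", "device" or "trust"
    reason: str
    risk: int = 0

def issue_token(claims: dict) -> str:
    """Mint a demo token: urlsafe-base64(JSON claims) '.' hex(HMAC-SHA256 over that body)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def authenticate_identity(token: str, now: int) -> Optional[dict]:
    """Stage 1: signature, expiry and MFA claim must all hold; return claims or None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if not claims.get("sub") or claims.get("exp", 0) <= now or not claims.get("mfa"):
        return None
    return claims

def authenticate_device(device: dict, subject: str) -> Optional[str]:
    """Stage 2: device is registered to this subject, proves its cert, and passes posture checks."""
    reg = DEVICE_REGISTRY.get(device.get("id", ""))
    if reg is None or reg["owner"] != subject:
        return "device not registered to subject"
    if not hmac.compare_digest(reg["cert_fingerprint"], device.get("cert_fingerprint", "")):
        return "device certificate mismatch"
    posture = device.get("posture", {})
    if not posture.get("disk_encrypted") or not posture.get("edr_running"):
        return "posture: encryption or EDR missing"
    if posture.get("patch_age_days", 999) > 30:
        return "posture: unpatched"
    return None

def infer_trust(subject: str, context: dict) -> int:
    """Stage 3: additive risk score from request context; higher means less trust."""
    base = USER_BASELINE.get(subject, {"country": None, "third_party": True})
    risk = 0
    if context.get("country") != base["country"]:
        risk += 40          # unusual geography for this user
    if base["third_party"]:
        risk += 20          # supplier accounts start with less trust than staff
    if context.get("resource_sensitivity") == "high":
        risk += 30
    if not 8 <= context.get("hour", 12) < 20:
        risk += 10          # off-hours access
    return risk

def evaluate_request(token: str, device: dict, context: dict, now: int) -> Decision:
    """Run all three stages on every request; nothing carried over from an earlier request is trusted."""
    claims = authenticate_identity(token, now)
    if claims is None:
        return Decision("deny", "identity", "token invalid, expired or without MFA")
    problem = authenticate_device(device, claims["sub"])
    if problem:
        return Decision("deny", "device", problem)
    risk = infer_trust(claims["sub"], context)
    if risk >= 70:
        return Decision("deny", "trust", "risk score above deny threshold", risk)
    if risk >= 40:
        return Decision("step_up", "trust", "re-authenticate before access", risk)
    return Decision("allow", "trust", "within tolerance", risk)

# Constructed sample inputs.
NOW = 1_700_000_000
ALICE_DEVICE = {"id": "dev-001", "cert_fingerprint": "a1b2c3",
                "posture": {"disk_encrypted": True, "edr_running": True, "patch_age_days": 5}}
VENDOR_DEVICE = {"id": "dev-042", "cert_fingerprint": "d4e5f6",
                 "posture": {"disk_encrypted": True, "edr_running": True, "patch_age_days": 12}}
ALICE_TOKEN = issue_token({"sub": "alice", "exp": NOW + 600, "mfa": True})
VENDOR_TOKEN = issue_token({"sub": "vendor-ops", "exp": NOW + 600, "mfa": True})

if __name__ == "__main__":
    print(evaluate_request(ALICE_TOKEN, ALICE_DEVICE,
                           {"country": "TW", "resource_sensitivity": "low", "hour": 10}, NOW))
    print(evaluate_request(VENDOR_TOKEN, VENDOR_DEVICE,
                           {"country": "XX", "resource_sensitivity": "high", "hour": 2}, NOW))
```

The point for an outsourcing programme is in stage 3: a supplier account carries a baseline risk on top of the contextual signals, so the same high-sensitivity request that an employee gets through silently sends the supplier to step-up authentication, and any unusual geography or off-hours access from that account tips it to deny. Continuous verification means `evaluate_request` is run per request, not once per session.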
1. White, G. B. (2011, November). The community cyber security maturity model. In 2011 IEEE International Conference on Technologies for Homeland Security (HST) (pp. 173-178). IEEE.
2. Vitunskaite, M., He, Y., Brandstetter, T., & Janicke, H. (2019). Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership. Computers & Security, 83, 313-331.
3. Aliyu, A., Maglaras, L., He, Y., Yevseyeva, I., Boiten, E., Cook, A., & Janicke, H. (2020). A holistic cybersecurity maturity assessment framework for higher education institutions in the United Kingdom. Applied Sciences, 10(10), 3660.
4. Neumann, A. J., Statland, N., & Webb, R. D. (1977). Post-processing audit tools and techniques (PDF). US Department of Commerce, National Bureau of Standards, pp. 11-3 to 11-4. Retrieved 2021-03-16; archived (PDF) 2021-04-27.
5. Beckers, K. (2015). Pattern and Security Requirements: Engineering-Based Establishment of Security Standards. Springer, p. 100. ISBN 9783319166643. Retrieved 2021-03-16; archived 2021-04-27.
6. Bird, K. New version of ISO/IEC 27001 to better tackle IT security risks. iso.org, ISO. Retrieved 21 August 2020; archived 2019-09-20.
7. Stechyshyn, A. (2015). Security vulnerabilities in financial institutions (Doctoral dissertation, Utica College).
8. Almuhammadi, S., & Alsaleh, M. (2017). Information security maturity model for NIST cyber security framework. Computer Science & Information Technology (CS & IT), 7(3), 51-62.
9. Gökalp, E., & Martinez, V. (2021). Digital transformation capability maturity model enabling the assessment of industrial manufacturers. Computers in Industry, 132, 103522.
10. Godfrey, L. D., Horton, M., Johnson, E. A., Mooney, J. A., & Zimmermann, M. C. (2020). Recent developments in cybersecurity and data privacy. Tort Trial & Insurance Practice Law Journal, 55(2), 217-240.
11. EBA, Guidelines on ICT and security risk management, https://www.eba.europa.eu/guidelines-ict-and-security-risk-management
12. MAS, Guidelines on Risk Management Practices: Technology Risk, https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines
13. FED, Enhanced Cyber Risk Management Standards, https://www.federalregister.gov/documents/2016/10/26/2016-25871/enhanced-cyber-risk-management-standards
14. BOE, PS6/21 | CP29/19 | DP1/18 Operational Resilience: Impact tolerances for important business services, https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
15. CFTC, National Futures Association Cybersecurity Guidance, https://www.cftc.gov/About/CFTCOrganization/NFACybersecurityGuidance083118
16. IOSCO, Principles on Outsourcing: Final Report, https://www.iosco.org/library/pubdocs/pdf/IOSCOPD687.pdf
17. 林金定, 嚴嘉楓, & 陳美花 (2005). Qualitative research methods: interview models and analysis of implementation steps [in Chinese].
18. Berg (1998), cited in 潘淑滿 (2003). Qualitative research: theory and application [in Chinese].
19. Girth, A. M. (2017). Incentives in third‐party governance: management practices and accountability implications. Public Administration Review, 77(3), 433-444.
20. Keskin, O. F., Caramancion, K. M., Tatar, I., Raza, O., & Tatar, U. (2021). Cyber third-party risk management: A comparison of non-intrusive risk scoring reports. Electronics, 10(10), 1168.
21. Mitre ATT&CK Matrix for Enterprise, https://attack.mitre.org/
22. Taiwan Depository & Clearing Corporation (臺灣集中保管結算所股份有限公司). Checklist of information security points to note for IT outsourcing [in Chinese].
23. National Institute of Cyber Security, Talent Cultivation Center (國家資通安全研究院人才培力中心), https://ctts.nics.nat.gov.tw/
24. Preimesberger, C. (2014-05-28). DDoS attack volume escalates as new methods emerge. eWeek. Retrieved 2015-05-09; archived 2019-07-13.
25. 葉琨煒 (2021). A brief analysis of credential-stuffing incidents in the securities and futures industry [in Chinese]. Taiwan Stock Exchange. https://www.twse.com.tw/rwd/staticFiles/product/publication/0001069413.pdf
26. Chen, P., Desmet, L., & Huygens, C. (2014). A study on advanced persistent threats. In Communications and Multimedia Security: 15th IFIP TC 6/TC 11 International Conference, CMS 2014, Aveiro, Portugal, September 25-26, 2014. Proceedings 15 (pp. 63-72). Springer Berlin Heidelberg.
27. Bilge, L., & Dumitraş, T. (2012, October). Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 833-844).
28. Yarygina, T., & Bagge, A. H. (2018, March). Overcoming security challenges in microservice architectures. In 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE) (pp. 11-20). IEEE.
29. Hong, J., Dreibholz, T., Schenkel, J. A., & Hu, J. A. (2019). An overview of multi-cloud computing. In Web, Artificial Intelligence and Network Applications: Proceedings of the Workshops of the 33rd International Conference on Advanced Information Networking and Applications (WAINA-2019) 33 (pp. 1055-1068). Springer International Publishing.
30. Zhang, Z., Nan, G., & Tan, Y. (2020). Cloud services vs. on-premises software: Competition under security risk and product customization. Information Systems Research, 31(3), 848-864.
31. Bertino, E., Kantarcioglu, M., Akcora, C. G., Samtani, S., Mittal, S., & Gupta, M. (2021, April). AI for Security and Security for AI. In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy (pp. 333-334).
32. Skene, J., Lamanna, D. D., & Emmerich, W. (2004, May). Precise service level agreements. In Proceedings. 26th International Conference on Software Engineering (pp. 179-188). IEEE.
33. Rajput, V. U. (2013). Research on know your customer (KYC). International Journal of Scientific and Research Publications, 3(7), 541-546.
34. Kinyua, J., & Awuah, L. (2021). AI/ML in Security Orchestration, Automation and Response: Future Research Directions. Intelligent Automation & Soft Computing, 28(2).
35. Hofmann, T. (2020). How organisations can ethically negotiate ransomware payments. Network Security, 2020(10), 13-17.
36. Silvius, A. J., & Schipper, R. P. (2014). Sustainability in project management: A literature review and impact analysis. Social business, 4(1), 63-96.
37. Bajgoric, N. (2014). Business continuity management: a systemic framework for implementation. Kybernetes, 43(2), 156-177.
38. Hass, A. M. J. (2003). Configuration management principles and practice. Addison-Wesley Professional.
39. Horawalavithana, S., Bhattacharjee, A., Liu, R., Choudhury, N., Hall, L. O., & Iamnitchi, A. (2019, October). Mentions of security vulnerabilities on Reddit, Twitter and GitHub. In IEEE/WIC/ACM International Conference on Web Intelligence (pp. 200-207).
40. Shashanka, M., Shen, M. Y., & Wang, J. (2016, December). User and entity behavior analytics for enterprise security. In 2016 IEEE International Conference on Big Data (Big Data) (pp. 1867-1874). IEEE.
41. Ye, Y., Li, T., Adjeroh, D., & Iyengar, S. S. (2017). A survey on malware detection using data mining techniques. ACM Computing Surveys (CSUR), 50(3), 1-40.
42. Verma, R., & Hossain, N. (2017). Semantic feature selection for text with application to phishing email detection. In Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security.