專題論文
Thesis

專題論文
Thesis

  1. 標題
  2. 中文關鍵字
  3. 中文摘要
  4. 英文關鍵字
  5. 英文摘要
  6. 目次
  7. 參考文獻

資訊安全長之設置與責任初探
The Establishment and Responsibilities of Chief Information Security Officer
全文下載 點閱率:559下載次數:34

編著譯者
余啟民
出版日期
刊登出處
74
授權者
ISSN
1561-6312
地址
台北市士林區華岡路55號大賢館
電話
02-2861-0511
關鍵字
數位經濟;資訊安全;資訊安全風險;資訊安全長;聯邦資訊安全管理法;資通安全法;金融資安行動方案
中文摘要
數位經濟已成為各國經濟發展重心,COVID-19疫情更促使各行各業競相投入數位轉型,但資通訊科技日新月異與資料多元應用也使得資訊安全問題日趨嚴峻。資訊安全風險已是當前企業營運之重大挑戰,然而資訊安全風險管理涉及眾多層面與考量因素。面對資訊安全風險對企業帶來的威脅,建立充分對應相關風險的管理機制,成為資訊安全風險問題對應上的重要工作。對此,企業如何藉由設置「資訊安全長」,將資訊安全風險與企業經營加以連結,甫能充分判斷資訊安全事件對企業營運所產生的實際影響範圍與影響程度。美國「聯邦資訊安全管理法」強調「資訊安全長」的重要,帶動主要國家制定相近規範,而我國「資通安全法」亦首見於法律層級明訂「資通安全長」之設置要求。在非公務機關層面,金管會於「金融資安行動方案」及「金融資安行動方案2.0」中提出及擴大資訊安全長之設置要求,並採取分階段及分級方式加以推動。在個人資料保護議題受到重視並衍生應否設置隱私長/個人資料保護官之討論時,我國亦可參酌資訊安全長的設置要求,以分層分級方式逐步推動此一機制,協助企業在全力發展之餘,可得有效兼顧發展過程中所出現的資訊安全風險之管理需求。
英文關鍵字
Digital Economy, Information Security Risk, Chief Information Security Officer, FISMA, Cyber Security Management Act, Financial Security Action Plan
英文摘要
The digital economy has become the focus of economic development in various countries. The COVID-19 epidemic has prompted all industries to invest in digital transformation. However, the rapid changes in information and communication technology, together with the multiple applications of data have also aggravated information security issues. Information security risk has become a major challenge for current business operations, but its management involves many levels and considerations. Facing the threats brought by information security risks to enterprises, establishing a management mechanism that adequately responds to relevant risks has become an important task in dealing with information security risk issues. In particular, whether and how an enterprise can link information security risks with business operations by setting up a “Chief Information Security Officer” to fully judge the actual scope and degree of impact of information security incidents on business operations. The Federal Information Security Management Act of the United States emphasizes the importance of the “Information Security Officer”, while leading major countries also formulate similar regulations. Taiwan’s Cyber Security Management Act is the first to clearly stipulate the establishment requirements of the “Chief Information Security Officer” at the legal level. At the level of non-government agencies, the Financial Supervisory Commission proposed and expanded the requirements for setting up chief information security officers in the “Financial Security Action Plan” and “Financial Security Action Plan 2.0”, as well as adopted a phased and hierarchical approach to promote it. When the issue of personal data protection is taken seriously and leads to discussions on whether to set up a privacy officer/personal data protection officer, our country can also refer to the requirements for the establishment of an information security officer, and gradually promote this mechanism in a hierarchical manner. The establishment of an information security officer will gradually become an indispensable item in the operation of each enterprise, assisting enterprises to fully develop while effectively accommdating the management needs of information security risks that arise during the development process.
目次
壹、前言 貳、資訊安全長之重要性與設置規範分析 一、資訊安全風險頻生突顯「資訊安全長」之價值 二、「資訊安全長」之概念、職責與設置必要性 三、我國資通安全法首見法律層級「資訊安全長」概念 四、源自美國FISMA之「資訊安全長」機制設計 五、非公務機關層面之「資訊安全長」設置規範分析 六、小結 參、隱私長(個人資料保護官)機制之對照觀察 一、個人資料外洩事件頻傳帶動保護需求 二、各國個人資料保護立法普遍受歐盟GDPR影響 三、應否設置隱私長/個人資料保護官機制受到重視 四、我國個人資料保護法相關規定之觀察 五、現時主要國家立法中之有關規範分析 六、國內後續思考議題 肆、結語