Journal of Information Management (資訊管理學報)

Authors: 楊欣哲; 林裕倫
Pages: 107-137
Date: 2014/04
Abstract: The development and widespread adoption of World Wide Web technology have driven the rise of enterprise information portal platforms. Providing a secure enterprise information portal (EIP) is one of the key service-quality factors for Internet applications. Accordingly, this paper addresses the various risk facets in EIP design. Drawing on the ISO 27001 literature and on the web-site risks published by the international organisations OWASP and SANS, we use the ISMS model to identify each risk facet and its risk factors, confirm them through expert focus-group discussion, and have five experts or scholars in information security or Web system construction complete a questionnaire on the factors of each facet. The Analytic Hierarchy Process (AHP) is then applied to compute the weight and ranking of each risk item, from which an information-security assessment model and metric tool for EIP are established. Finally, we apply the proposed model and tool to an existing enterprise portal to compute its risk value, define risk-level indicators from that value to verify the portal's security, and propose related improvement strategies. In sum, the proposed assessment model and metric tool can serve as security evaluation criteria and a reference model for building secure Web systems.
Keywords: enterprise information portal; assessment model; information security; metric tool

An Approach to Assessment Model and Metric Tool of Information Security in Designing EIP


Abstract: The growth of WWW technology has driven the rise of the Enterprise Information Portal (EIP). Providing a secure EIP is one of the essential quality-of-service (QoS) requirements of Internet applications. Focusing on the security of EIP design, this paper first identifies the risk facets, based on the ISO 27001 standard and the ISMS process, and uses the AHP model together with expert focus-group discussion to validate the factors of each risk facet. The required factors are then refined and validated through a questionnaire completed by five experts or scholars specialised in implementing secure EIP systems. On this basis we establish an information-security assessment model for EIP and design its algorithm. Finally, we develop a Metric Tool and perform experiments to verify and validate the risk management of a selected EIP in practice: from the computed risk values it derives a risk level, with which the security of the EIP is verified and related improvement strategies are proposed. The experimental results show that the proposed assessment model and Metric Tool can serve as security measurement guidelines for implementing secure Web applications.
Keywords: EIP; Assessment Model; AHP; Information Security; Metric Tool
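The abstracts describe a three-step pipeline: derive facet weights with AHP from expert pairwise judgements, compute a portal's risk value from those weights and questionnaire scores, and map the value to a risk level. The Python below is an added illustration of that pipeline written for this page; it is not the paper's Metric Tool and does not reproduce its facets or weights. The facet names, the pairwise judgements, the questionnaire scores and the level thresholds are all assumed sample input, and the consistency-ratio check is the standard AHP step (not mentioned in the abstract) for rejecting contradictory expert judgements before any weight is used.

```python
"""AHP-weighted risk scoring for a web portal.

Added example in the spirit of the assessment model the abstract outlines.
It is NOT the paper's Metric Tool; facet names, judgements, scores and the
risk-level thresholds are assumed sample values.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CR_LIMIT = 0.10  # Saaty's usual acceptance bound for the consistency ratio


def ahp_weights(matrix: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (weights, consistency_ratio) for a positive reciprocal
    pairwise-comparison matrix. Weights are the normalised row geometric
    means (the usual approximation of the principal eigenvector); the
    consistency ratio is CI / RI with CI = (lambda_max - n) / (n - 1)."""
    n = len(matrix)
    if n not in RANDOM_INDEX:
        raise ValueError("random index only tabulated for 1..9 facets")
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("matrix must be square")
        for j in range(n):
            a = matrix[i][j]
            if a <= 0 or abs(a * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entry ({i},{j}) is not a positive reciprocal judgement")
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    w = [g / total for g in geo]
    # lambda_max estimated as the mean of (A w)_i / w_i over all rows.
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0
    return w, cr


def risk_value(weights: Sequence[float], scores: Sequence[int]) -> float:
    """Weighted risk value: sum over facets of weight * score.
    Scores are assumed to be questionnaire results on 1 (best) .. 5 (worst)."""
    if len(weights) != len(scores):
        raise ValueError("one score per facet required")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("scores must lie in 1..5")
    return sum(w * s for w, s in zip(weights, scores))


def risk_level(value: float) -> str:
    """Map a risk value in [1, 5] to a level. Thresholds are assumed, not the paper's."""
    if value < 2.0:
        return "low"
    if value < 3.5:
        return "medium"
    return "high"


def assess(facets: Sequence[str], matrix: Sequence[Sequence[float]],
           scores: Sequence[int]) -> Dict:
    """Full pipeline: weights -> consistency gate -> ranking -> risk value -> level."""
    w, cr = ahp_weights(matrix)
    if cr > CR_LIMIT:
        raise ValueError(f"expert judgements inconsistent (CR={cr:.3f} > {CR_LIMIT})")
    ranked = sorted(zip(facets, w), key=lambda fw: fw[1], reverse=True)
    value = risk_value(w, scores)
    return {"weights": dict(zip(facets, w)), "ranking": [f for f, _ in ranked],
            "consistency_ratio": cr, "risk_value": value, "risk_level": risk_level(value)}


# Constructed sample input (assumed facets and judgements, not from the paper).
FACETS = ["access control", "transport security", "input validation", "logging"]
# Saaty-scale judgements: entry (i, j) = how much more important facet i is than facet j.
JUDGEMENTS = [
    [1,   3,   2,   5],
    [1/3, 1,   1/2, 3],
    [1/2, 2,   1,   4],
    [1/5, 1/3, 1/4, 1],
]
SCORES = [4, 2, 3, 1]  # questionnaire scores for the assessed portal (1 best .. 5 worst)

# Circular judgements (A over B over C over A) that the consistency gate must reject.
INCONSISTENT = [
    [1,   3,   1/3],
    [1/3, 1,   3],
    [3,   1/3, 1],
]

if __name__ == "__main__":
    result = assess(FACETS, JUDGEMENTS, SCORES)
    for name, weight in result["weights"].items():
        print(f"{name:20s} weight={weight:.3f}")
    print(f"CR={result['consistency_ratio']:.3f} "
          f"risk_value={result['risk_value']:.2f} level={result['risk_level']}")
```

Running the file prints the four facet weights (access control ranks first, logging last for the sample judgements), a consistency ratio of about 0.02, and a medium risk level for the sample portal. Feeding `INCONSISTENT` to `assess` raises instead, because a consistency ratio above 0.10 means the experts' judgements contradict each other and any weights derived from them would be arbitrary; that gate is the check a practitioner should insist on before trusting an AHP-based ranking.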
