NCCU Institutional Repository - National Chengchi University Institutional Repository (NCCUR): Item 140.119/31050
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/31050


    Title: 應用錯誤樹分析方法獲取組織資訊安全需求之研究 (A Study of Applying Fault Tree Analysis to Acquire an Organization's Information Security Requirements)
    A Study of Applying Fault Tree Analysis to Acquire the Security Requirements of an Information System
    Authors: 顏小娟 (Hsiao Chuan Yen)
    Contributors: 周宣光 (Shrane Koung Chou); 朱惠中 (Huei-Chung Chu); 顏小娟 (Hsiao Chuan Yen)
    Keywords: Information Security (資訊安全); Fault Tree Analysis (錯誤樹分析)
    Date: 2002
    Issue Date: 2009-09-14 09:09:32 (UTC+8)
    Abstract: Survey reports have found that even organizations that have deployed security mechanisms still cannot completely prevent incidents that harm their information security. This is because an organization's information security management is a continuous improvement process; deploying protective measures does not mean one can rest easy. Beyond building protective mechanisms, an organization also needs to analyze whether the confidentiality, integrity and availability of its information are truly protected, whether the security mechanisms in use actually solve the organization's information security problems, and whether the level of security provided is acceptable.

    To address these problems, this study approaches the subject from a management perspective and applies fault tree analysis to the field of information security management. The aim is to help managers learn the organization's information security requirements and then, through the continuous improvement process of information security management, remedy the organization's information security weaknesses and raise the reliability of its security.

    Following the research framework, the study combines the BS7799 information security management standard with fault tree analysis to convert an information security policy into an information security model, on which further qualitative and quantitative analysis is performed. Using the six steps of fault tree analysis, the study simulates the process by which an organization acquires its information security requirements; the analysis results help the organization derive those requirements and identify its information security weaknesses, serving as a reference and basis for improving organizational information security.
    As the survey reports indicate, the degree of security of an information system does not depend only on the security mechanisms the organization has installed; security management is a continuous and recursive procedure. Most current research is technique-oriented. To correct this bias, this research proposes a new approach from the management perspective.

    BS7799 is used as the reference for the information security policy. FTA is used to build the information security model, acquire the security requirements of an information system, and verify their effectiveness. The result can improve the reliability of the information system and reduce its vulnerability.
    Description: Master's thesis; National Chengchi University; Graduate Institute of Information Management; 90356003; 91
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0090356003
    Data Type: thesis
    Appears in Collections:[Department of MIS] Theses

    Files in This Item:

    File SizeFormat
    index.html0KbHTML2271View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback