    https://nccur.lib.nccu.edu.tw/handle/140.119/124900

    Title: A Study of Taiwan's Information Security Management Law: Focusing on Critical Information Infrastructure Protection
    The study on Taiwan's Cybersecurity Management Act: Focus on Critical Information Infrastructure Protection
    Authors: 萬幼筠
    Wan, Youyen
    Contributors: 陳起行
    Wan, Youyen
    Keywords: Cybersecurity
    Cybersecurity Law
    Critical Information Infrastructure Protection
    Risk management
    Digital governance
    Date: 2019
    Issue Date: 2019-08-07 16:41:08 (UTC+8)
    Abstract: The development of network and information technology has brought a paradigm shift to the development of nations, societies and communities, and to the relationship between the individual and the collective. In recent years, as the convenience and efficiency of information, communication and network technology have gradually permeated every public and private domain, they have become indispensable operational tools and capabilities, and have in turn affected economic development, everyday life, and even geopolitical and international rivalries.

    The network and communications revolution of the past two decades has made society, the state and information networks closely interdependent, changing the face of individual and collective life. This trend has given rise to the concept of a virtual society (Cyberspace), and has made networks, information and communication technology, and their diverse applications one of the cornerstones of competitiveness and economic development for modern states. Protecting this cornerstone has become an important part of a nation's future competitiveness; Taiwan's President Tsai Ing-wen has also put forward the strategy that "cybersecurity is national security," in the hope of prompting cooperation between government and the private sector so as to build an advanced digital nation that brings well-being to its people. Without a well-planned legal environment and social understanding, however, a stable cyberspace cannot be formed; in addition, only by cultivating sufficient cybersecurity talent, and by thoroughly planning cyberspace and information law (Cyberlaw) through public-private cooperation, can we define how the online world is to be secured and protected. This is why Taiwan, following the lead of advanced countries worldwide, has enacted an information or network security law (Cybersecurity Law) to protect the development of the national information and communication environment.

    The design and construction of the European Union's Cybersecurity Act can be regarded as a relatively leading law-making process, complete with policy guidelines, regulations and implementing rules, and is therefore well suited as a reference. The EU takes Critical Information Infrastructure Protection as its legislative rationale, departing from past information security legislation, from the approach of protecting government or national security and intelligence, and from the myths of traditional information security regulation, namely national security or intelligence surveillance and reliance on technical protection specifications that are not technology-neutral. All of these are relatively insightful legislative choices; through public-private cooperation, the EU cybersecurity law implements intelligence exchange, talent cultivation and collaboration with dedicated agencies, prompting the United States, Japan and Asian countries to follow suit. This study therefore compares and analyzes Taiwan's newly passed cybersecurity law (Cybersecurity Law) against those of the EU and the United States, both of which have implemented cybersecurity laws for more than three years, and, using a framework with demonstrated effectiveness, compares regulatory structure and content, operational status and possible operational problems, in order to propose possible directions for the future adjustment or improvement of Taiwan's information and communication security law.

    The study finds that Taiwan's current information and communication security management mechanism lacks a clear policy framework and focuses only on protective measures; it lacks a policy basis such as the EU's "Digital Single Market" to guide the development of information and communication law. In addition, Taiwan's current cybersecurity law lacks an integrated, cross-industry information security governance approach for CII (critical information infrastructure) (the EU uses digital governance as its guiding principle), and lacks linkages to other data protection laws, so that information security protection lacks clear connections. Beyond the public enterprises and government agencies covered by the Act, Taiwan's privately operated but government-licensed financial, telecommunications and parts of the healthcare industries, private-sector industries that form the foundation of everyday life and the economy, have not yet been fully and properly brought under governance; and in the practical and implementation aspects of law in action, developed by type of talent, industry and market need, Taiwan's cybersecurity law still has considerable room for future adjustment.

    [Keywords]: Cybersecurity, Information Security, Critical Information Infrastructure Protection, Risk Management, Information Security Law, Cybersecurity Law, Cyberspace, Interdependency, Resilience, Cyberethics

    This study examines and analyzes the information security laws (Cybersecurity Law) adopted by the European Union, the United States and Taiwan from the perspective of the implementation effectiveness of the regulations, comparing their legal frameworks, the contents of the regulations and their implementation status, discussing relevant regulatory issues and challenges, and proposing approaches for the future modification or improvement of Taiwan's cybersecurity regulations.

    The European Union's information security regulations were selected as the main subject of study because the characteristics of their design framework and implementation requirements are relatively effective. The European Union takes the protection of Critical Information Infrastructure (CII) as the core issue of its information security regulations, which requires public-private partnerships in information exchange and personnel training, and demands the cooperation of the responsible organizations and competent authorities. The design of information security laws and regulations in the United States and Japan has also adopted such approaches.

    Network and information technology have shifted the paradigm of development for nations, societies and communities, as well as the relationship between the group and the individual. Over the past two decades, with the convenience and efficiency of access to information and network technology, it has gradually permeated every facet of everyday life and become an indispensable tool and function underlying almost all public and private sectors, which in turn has an impact on economic development, people's livelihood, and even geopolitical and international relations.

    Such a trend and the ubiquity of the Internet have led to the emergence of the virtual community, "Cyberspace", making Internet and communication technology one of the cornerstones of national competitiveness and economic development in modern countries. The protection of such cornerstones is critical for a country to stay competitive in the future, and it is important that the government work with the private sector to secure network services and information technology infrastructure.
    In addition to the current protection measures for information infrastructure and services, it is critical to take into account the trends that are defining the future of our societies and governance systems when planning a national information and communication protection program. For example, the education of information security professionals should consider not only the status quo but also the needs of the future society, and a Cybersecurity Law should be enacted under Network and Information Law (Cyberlaw) to protect the development of the information society.

    The results of this study show that Taiwan's current control and management mechanism for information and communication security lacks a clear policy framework and adopts only protection operations as control measures. The European Union, however, has established the policy framework "Digital Single Market" as the guideline for the development of information and communication regulations and the basis for policy formulation. In addition, Taiwan's current information security regulations lack an integrated information security regulatory regime, such as a cross-industry CII information security governance system, whereas the European Union adopts Digital Governance as its integrating system; there is also a lack of connection with other data protection regulations, which leaves information security protection measures without a clear connection to their protection objectives.

    Taiwan's public institutions and government agencies are subject to information security regulations by law; however, with respect to privately operated franchised financial institutions, telecommunications and medical industries, since these private-sector industries also serve as cornerstones of people's livelihood and economic development, the current regulation of information security management for the private sector shall be reviewed and enhanced. In response to the revision and development of Taiwan's Cybersecurity Law and Cyberlaw, it is suggested that a complete review and revision be conducted from the perspective of human resources and professional training, industries and sectors, market needs, law in action, and the implementation and practice of information security regulations.

    [Keywords]: Cybersecurity, Cybersecurity Law, Critical Information Infrastructure Protection, Digital Governance, Cyberethics, Interdependency, Risk Management
    Reference: References
    Description: Master's thesis
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0101961009
    Data Type: thesis
    DOI: 10.6814/NCCU201900557
    Appears in Collections: [College of Law, Executive Master's Program] Degree theses