A Study on the Information Security Maturity of Outsourced Information and Communication Suppliers in the Securities Industry: The Case of a Comprehensive Securities Firm

dc.contributor: 張佳榮 [zh_TW]
dc.contributor: Chang, Chia-Jung [en_US]
dc.contributor.author: 許志偉 [zh_TW]
dc.contributor.author: Hsu, Chi-Wei [en_US]
dc.date.accessioned: 2024-12-17T03:20:41Z
dc.date.available: 2024-06-18
dc.date.issued: 2024
dc.description.abstract [zh_TW]: Cybersecurity maturity (White, G. B., 2011, November) refers to how mature an organization is in its information security management. In recent years, maturity models have commonly been used to assess and measure an organization's information security level and to ensure that it can respond effectively to an increasingly complex and changing threat environment. Drawing on common information security maturity models and related concepts, this study establishes a maturity assessment model best suited to the company's operations. Common assessment models include the following: 1. FFIEC CAT (Cybersecurity Assessment Tool): published by the U.S. Federal Financial Institutions Examination Council (FFIEC) in June 2015, CAT assesses inherent risk together with five management domains and is currently the most widely used tool in the financial industry. 2. CMMC (Cybersecurity Maturity Model Certification): a maturity certification method focused on information security management systems; it provides a framework with which a company can assess the maturity of its information security management and take appropriate measures to raise it. 3. ISO/IEC 27001: the information security management system (ISMS) standard formulated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Organizations use ISO/IEC 27001 to ensure that their information assets are appropriately protected while continuously performing risk management and improvement, and certification audits of the management system confirm the maturity of information operations. 4. NIST Cybersecurity Framework: developed by the U.S. National Institute of Standards and Technology (NIST), this framework emphasizes risk management of information security across the key functions of identify, protect, detect, respond and recover. 5. Zero trust security architecture: no device or user on the network is trusted, and identity and authorization must be verified continuously. This approach is built on the principle of "never trust, continuously verify" and is introduced in sequence through a three-stage architecture of identity authentication, device authentication and trust inference, each with its own considerations. Within the topic of information security maturity assessment, a company can use specialized tools and methods to evaluate the depth and breadth of its information security management and obtain improvement recommendations. Such an assessment usually covers several dimensions, including strategy and governance, risk management, operational security and security monitoring. Information security maturity depends not only on technology and processes; personnel training and the building of security awareness are especially important and are a key driver of maturity improvement. Maturity assessment is also a dynamic process: the organization must continuously monitor and improve its information security management system, which it can do through regular risk assessments, vulnerability scanning, event monitoring and similar activities. The financial industry is a licensed sector under close regulatory supervision and maintains a certain level of information security management; nevertheless, attackers exploit the latent information security risks of suppliers to carry out a chain of malicious activities, from data theft and malicious intrusion to privilege acquisition and even encryption-based extortion. Supply chain information security management has therefore become a regulatory focus in recent years. This study aims to strengthen the company's information security governance and raise its information security management maturity.
dc.description.abstract [en_US]: Cybersecurity maturity (White, G. B., 2011, November) refers to the maturity level of an organization in information security management. In recent years, maturity models have often been used to assess and measure an organization's information security level and to ensure that it can respond effectively to an increasingly complex and changing threat environment. Through common information security maturity models and related concepts, an information security maturity assessment model best suited to the company's operations is established. Common assessment models include the following: 1. FFIEC CAT (Cybersecurity Assessment Tool): CAT is the "Cybersecurity Assessment Tool" announced by the Federal Financial Institutions Examination Council (FFIEC) in June 2015. It assesses inherent risk and five major management areas and is currently the most widely applied tool in the financial industry. 2. CMMC (Cybersecurity Maturity Model Certification): CMMC is a maturity certification method focusing on information security management systems. It provides a framework that allows companies to assess the maturity of their information security management and take appropriate steps to improve it. 3. ISO/IEC 27001: the Information Security Management System (ISMS) standard formulated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Organizations can use ISO/IEC 27001 to ensure that their information assets are appropriately protected while continuously managing risk and improving, with certification audits of the management system confirming the maturity of information operations. 4. NIST Cybersecurity Framework: developed by the National Institute of Standards and Technology (NIST), this framework emphasizes risk management of information security, including the key areas of identification, protection, detection, response and recovery. 5. Zero trust security architecture: emphasizes that no device or user in the network is trusted and requires continuous verification of identity and authorization. This method is based on the principle of "never trust, continuously verify" and is introduced in sequence through the three-stage architecture of "identity authentication", "device authentication" and "trust inference", with the considerations each stage requires. On the topic of information security maturity assessment, companies can use specialized tools and methods to assess the depth and breadth of their information security management and to obtain improvement suggestions. This assessment usually covers multiple levels such as strategy and governance, risk management, operational security, and security monitoring. Information security maturity depends not only on technology and processes; personnel education and training and the establishment of information security awareness are particularly important and are a key factor in improving maturity. Maturity assessment is a dynamic process that requires organizations to continuously monitor and improve their information security management system, which can be achieved through regular risk assessment, vulnerability scanning, event monitoring and other activities. The financial industry is highly supervised and has a certain level of information security management. Hackers exploit the potential information security risks of suppliers to carry out a series of malicious activities such as data theft, malicious penetration, permission acquisition and even encryption-based extortion. Supply chain information security management has also been a focus of regulatory requirements in recent years. This research aims to strengthen the company's information security governance and improve the maturity of its information security management.
dc.description.sponsorship: Executive Master of Business Administration (EMBA) Program [zh_TW]
dc.identifier: 111590139-45136
dc.identifier.uri: https://etds.lib.ntnu.edu.tw/thesis/detail/e2e5bd2b3d165bf6eb97dd9ad338c744/
dc.identifier.uri: http://rportal.lib.ntnu.edu.tw/handle/20.500.12235/122824
dc.language: Chinese
dc.subject: information security [zh_TW]
dc.subject: maturity [zh_TW]
dc.subject: risk management [zh_TW]
dc.subject: verification [zh_TW]
dc.subject: authentication [zh_TW]
dc.subject: inference [zh_TW]
dc.subject: penetration [zh_TW]
dc.subject: crypto-ransomware [zh_TW]
dc.subject: supply chain [zh_TW]
dc.subject: information security [en_US]
dc.subject: maturity [en_US]
dc.subject: risk management [en_US]
dc.subject: verification [en_US]
dc.subject: identification [en_US]
dc.subject: inference [en_US]
dc.subject: penetration [en_US]
dc.subject: crypto-ransomware [en_US]
dc.subject: supply chain [en_US]
dc.title: A Study on the Information Security Maturity of Outsourced Information and Communication Suppliers in the Securities Industry: The Case of a Comprehensive Securities Firm [zh_TW]
dc.title: Research on the Information Security Maturity of Outsourced Information and Communication Suppliers in the Securities Industry - Taking a Comprehensive Securities Company as an Example [en_US]
dc.type: Academic thesis

Files

Original bundle

Name: 202400045136-107464.pdf
Size: 4.99 MB
Format: Adobe Portable Document Format
Description: Academic thesis