基於CMMI資訊安全管理系統之研究

A Study on CMMI-Based Information Security Management System

在現行組織中，資訊安全為組織一個重要的要素。若是組織內外部之資訊系統有良好的運作，則能強化整體組織之資訊安全，更能提升組織整體的營運效率與員工工作績效。目前已有許多組織成功導入資訊安全，並能系統化的運作，但因各組織單位性質之不同，在導入時仍會產生不同的問題。因此，本論文採用卡內基－美隆大學軟體工程學院發展之能力成熟度整合模式(Capability Maturity Model Integration, CMMI)其中的成熟度第二級及成熟度第三級實現流程導向的知識管理(Process-oriented Knowledge Management)。此外，本論文應用知識本體(Ontology)技術，建構資訊安全管理系統(Information Security Management System, ISMS)知識本體，並依據國立臺南大學流程改善小組(Engineering Process Group, EPG)所定義之重要標準流程來導入資訊安全管理系統，期許未來能作為其他行政單位進行流程知識蒐集、利用及分享，流程改善及資訊安全導入之參考。

Information security has gradually become one of the most important factors in the current organizations. If the internal and external information of the organizations could work both well and effectively, it can enhance the whole organizations' information security to increase the organizations' work efficiency and employees' work performance. Currently, many organizations have successfully introduced the information security and systematically operated with each other. However, owing to the differences in properties among the organizations, the introduction of the information security sometimes still encounters some difficulties. Because of this, this paper adopts the Capability Maturity Model Integration (CMMI), developed by the Software Engineering institute (SEI) of Carnegie Mellon University (CMU) of USA, as a process-improvement standard to carry out the process-oriented Knowledge Management (KM) in the information security. In addition, based on the technologies of the ontology, the Information Security Management System (ISMS) ontology is also constructed according to the ISMS-introduction standard processes defined by the Engineering Process Group (EPG) of computer center of National University of Tainan (NUTN). It is hoped that the paper's performance will make as a reference case for other administrative units to introduce the information security in the future.