資訊安全長之設置與責任初探

The Establishment and Responsibilities of Chief Information Security Officer

數位經濟已成為各國經濟發展重心，COVID-19 疫情更促使各行各業競相投入數位轉型，但資通訊科技日新月異與資料多元應用也使得資訊安全問題日趨嚴峻。資訊安全風險已是當前企業營運之重大挑戰，然而資訊安全風險管理涉及眾多層面與考量因素。面對資訊安全風險對企業帶來的威脅，建立充分對應相關風險的管理機制，成為資訊安全風險問題對應上的重要工作。對此，企業如何藉由設置「資訊安全長」，將資訊安全風險與企業經營加以連結，甫能充分判斷資訊安全事件對企業營運所產生的實際影響範圍與影響程度。美國「聯邦資訊安全管理法」強調「資訊安全長」的重要，帶動主要國家制定相近規範，而我國「資通安全法」亦首見於法律層級明訂「資通安全長」之設置要求。在非公務機關層面，金管會於「金融資安行動方案」及「金融資安行動方案2.0」中提出及擴大資訊安全長之設置要求，並採取分階段及分級方式加以推動。在個人資料保護議題受到重視並衍生應否設置隱私長／個人資料保護官之討論時，我國亦可參酌資訊安全長的設置要求，以分層分級方式逐步推動此一機制，協助企業在全力發展之餘，可得有效兼顧發展過程中所出現的資訊安全風險之管理需求。

The digital economy has become the focus of economic development in various countries. The COVID-19 epidemic has prompted all industries to invest in digital transformation. However, the rapid changes in information and communication technology, together with the multiple applications of data have also aggravated information security issues. Information security risk has become a major challenge for current business operations, but its management involves many levels and considerations.
Facing the threats brought by information security risks to enterprises, establishing a management mechanism that adequately responds to relevant risks has become an important task in dealing with information security risk issues. In particular, whether and how an enterprise can link information security risks with business operations by setting up a “Chief Information Security Officer” to fully judge the actual scope and degree of impact of information security incidents on business operations.
The Federal Information Security Management Act of the United States emphasizes the importance of the “Information Security Officer”, while leading major countries also formulate similar regulations. Taiwan’s Cyber Security Management Act is the first to clearly stipulate the establishment requirements of the “Chief Information Security Officer” at the legal level. At the level of non-government agencies, the Financial Supervisory Commission proposed and expanded the requirements for setting up chief information security officers in the “Financial Security Action Plan” and “Financial Security Action Plan 2.0”, as well as adopted a phased and hierarchical approach to promote it.
When the issue of personal data protection is taken seriously and leads to discussions on whether to set up a privacy officer/personal data protection officer, our country can also refer to the requirements for the establishment of an information security officer, and gradually promote this mechanism in a hierarchical manner. The establishment of an information security officer will gradually become an indispensable item in the operation of each enterprise, assisting enterprises to fully develop while effectively accommdating the management needs of information security risks that arise during the development process.