§ Browse Thesis Bibliographic Record
  
System ID U0002-0507201012140400
DOI 10.6846/TKU.2010.00121
Thesis title (Chinese) 政府機關資安治理之研究-以臺北市政府為例
Thesis title (English) Government agencies Study of Information Security Governance - A Case Study of Taipei City Government
Thesis title (third language)
Institution Tamkang University
Department (Chinese) 資訊管理學系碩士在職專班
Department (English) On-the-Job Graduate Program in Advanced Information Management
Foreign degree school name
Foreign degree college name
Foreign degree institute name
Academic year 98
Semester 2
Publication year 99
Author (Chinese) 柯炫旭
Author (English) Shiung-Shuei Ke
Student ID 797630125
Degree Master's
Language Traditional Chinese
Second language
Oral defense date 2010-05-29
Number of pages 73
Committee Advisor - 黃明達 (mdhwang@mail.tku.edu.tw)
Member - 詹前隆
Member - 侯永昌
Member - 陳穆臻
Keywords (Chinese) 政府機關
資通安全治理
資通安全治理成熟度
Keywords (English) Government Agencies
Information Security Governance
Information Security Governance Maturity
Keywords (third language)
Subject classification
Abstract (Chinese)
In the "National Information and Communication Security Development Program (2009-2012)", the Science and Technology Advisory Group of the Executive Yuan's Research, Development and Evaluation Commission lists the promotion of information security governance as one of its action plans and provides an information security governance maturity assessment tool suited to government agencies, with the aim of putting an information security governance system in place across our government agencies.
The purpose of this thesis is to use that assessment tool to evaluate the information security governance maturity of the Taipei City Government and, combined with in-depth interviews, to gain a thorough understanding of how far its information security work has been implemented and of its current state, and further to explore the difficulties that may be encountered in implementing information security governance in the future. The research method is the single-case type of case study: an information security governance maturity assessment is conducted on the Taipei City Government to understand the agency's governance maturity and actual situation, which are then analyzed and compared. The results of this thesis are a statement of the Taipei City Government's degree of implementation of information security governance, the problems it may encounter, and recommended improvement items and timelines. The subject agency's business IT-dependence score falls mainly in the "very high" range, and the assessment found that both the overall rating and the overall weighted average of the agency's information security governance maturity fall at the "continuous improvement" level, which indicates that the Taipei City Government's main goal in information security governance should be to strengthen the implementation of risk management assessment. The in-depth interviews and research discussion found that, among the problems that may be encountered when introducing information security governance, the agency has concepts and ideas about risk management operations but still needs to strengthen their implementation, and it lacks an established process for remedying the deficiencies it faces in information security policies, procedures and implementation. It should therefore establish an information security plan, plan the organization that will drive it and the information security governance processes, so as to support unit operations and the implementation of information security management, have dedicated personnel regularly check whether the relevant procedures remain appropriate, and continuously improve information security governance in order to achieve good results.
Abstract (English)
According to the Science and Technology Advisory Group of the RDEC (Research, Development and Evaluation Commission, Executive Yuan), the "National Information and Communications Security Development Programme (2009-2012)" includes the promotion of information and communication security governance as one of its action plans and provides an information and communication security governance maturity assessment tool for government departments, with the expectation that implementing this programme will put our government agencies' information and communication security governance system into practice.
The purpose of this study is to use that assessment tool to assess the information security governance maturity of the Taipei City Government and, together with in-depth interviews, to understand in depth the extent to which information security work has been implemented and its current status, and then to discuss further the difficulties that may be encountered in implementing information and communication security governance. The study adopts the single-case type of case study as its research method: an information and communication security governance maturity assessment is conducted on the Taipei City Government to understand the agency's governance maturity and actual situation, which are then analyzed and compared. The results of this thesis are a statement of the Taipei City Government's level of implementation of information and communication security governance, the problems it may encounter, and recommended improvement items and timelines. The subject agency's business IT-dependence score falls mainly in the "very high" range, while the assessment found that both the overall rating and the overall weighted average of the agency's information and communication security governance maturity fall at the "continuous improvement" level, which means that the Taipei City Government's main objective in information and communication security governance should be to strengthen the implementation of risk management assessment.
The interviews and research discussion show that, among the problems information and communication security governance may encounter, the agency has concepts and ideas about risk management practices but still needs to strengthen their implementation, and it lacks an established process for remedying the deficiencies it faces in information and communication security policies, procedures and implementation. It should therefore establish an information and communication security plan, plan the organization that will drive it and the information security governance processes, so as to support unit operations and the implementation of information security management, have dedicated personnel regularly check the suitability of the relevant procedures, and continuously improve information and communication security governance in order to achieve good results.
Abstract (third language)
Table of contents
Contents
Chinese Abstract	I
English Abstract	II
Contents	IV
List of Tables	VI
List of Figures	VII
Chapter 1	Introduction	1
Section 1	Research Background and Motivation	1
Section 2	Research Purpose	1
Section 3	Research Scope and Limitations	2
Section 4	Thesis Structure	2
Chapter 2	Literature Review	3
Section 1	Definition of Governance	3
Section 2	Definition of IT Governance	3
Section 3	Definition of Information Security Governance	4
Section 4	Content of Information Security Governance Maturity	7
Section 5	Related Domestic and Foreign Literature	9
Chapter 3	Research Design	13
Section 1	Research Method	13
Section 2	Research Subject	13
Section 3	Research Process	13
Section 4	Design of the Information Security Governance Maturity Assessment Questionnaire	14
Chapter 4	Case Study and Analysis of Results	16
Section 1	Case Description	16
Section 2	Assessment of the Agency's Information Security Governance Maturity	17
Section 3	Analysis of Assessment Results	20
Section 4	Improvement Items and Recommended Timeline	40
Section 5	Possible Problems	41
Chapter 5	Conclusions and Recommendations	42
Section 1	Conclusions	42
Section 2	Recommendations	42
References	44
Appendix 1	Contents of the Agency Information Security Governance and Maturity Assessment Questionnaire	47
Appendix 2	Information Security Governance and Maturity Assessment Questionnaire	57
Appendix 3	Pilot Test of the Information Security Governance Maturity Assessment	72

List of Tables
Table 1	Related domestic literature	9
Table 2	Related foreign literature	10
Table 3	Agency information security governance maturity scoring results	18
Table 4	Agency business IT-dependence results	18
Table 5	Weighted average of information security governance maturity	19
Table 6	Overall rating of agency information security governance maturity	19
Table 7	Summary of agency interview results	39
Table 8	Recommended improvement timeline	40

List of Figures
Figure 1 Relationship between corporate governance, IT governance and information security governance	4
Figure 2 Conceptual model of information security governance	5
Figure 3 Components of information security governance	7
Figure 4 Information security governance maturity model	8
Figure 5 Research process flowchart	14
Figure 6 Organization chart	16
Full-text access rights
On campus
Printed thesis released on campus immediately
Agreed to authorize release of the electronic full text on campus
Electronic thesis released on campus immediately
Off campus
Authorization agreed
Electronic thesis released off campus immediately