System ID | U0002-1307201423260400 |
---|---|
DOI | 10.6846/TKU.2014.00379 |
Thesis Title (Chinese) | 系統開發生命週期結合資訊安全機制之研究 |
Thesis Title (English) | The Study of Information Security Management Mechanism in System Development Life Cycle |
Thesis Title (Third Language) | |
University | Tamkang University (淡江大學) |
Department (Chinese) | 資訊管理學系碩士班 |
Department (English) | Department of Information Management |
Foreign Degree University | |
Foreign Degree College | |
Foreign Degree Institute | |
Academic Year (ROC calendar) | 102 |
Semester | 2 |
Year of Publication (ROC calendar) | 103 |
Graduate Student (Chinese) | 呂品慧 |
Graduate Student (English) | Pin-Hui Lu |
Student ID | 601630493 |
Degree | Master's |
Language | Traditional Chinese |
Second Language | |
Oral Defense Date | 2014-06-21 |
Page Count | 52 pages |
Examination Committee | Advisor: 游佳萍; Committee members: 施盛寶, 林至中 |
Keywords (Chinese) | 資訊安全; 系統開發生命週期; 紮根理論 |
Keywords (English) | Information security; System development life cycle; Grounded theory |
Keywords (Third Language) | |
Subject Classification | |
Abstract (Chinese, translated) | This study applies qualitative research and the three coding methods of grounded theory to explore the information security issues that deserve attention during the information system development process. The findings are as follows. First, an organization places different degrees of emphasis on different information security issues. Second, the various information security issues also influence one another. Third, a single information security issue may receive attention in several different system development phases; when developing information systems, organizations should pay attention to those issues that provoke discussion across different development phases. Based on these results, first, we recommend that managers of information system development place greater emphasis on information security issues throughout the development phases, so as to establish a more complete information security management mechanism. Second, the individual information security issues may influence each other, so organizations carrying out system development should be aware that many information security issues are interrelated. Finally, the information security issues an organization emphasizes differ across system development phases; this also makes organizations more aware of the information security issues that draw attention in multiple system development phases. |
Abstract (English) | This research used qualitative research and grounded theory to explore information security issues in the information system development process. This study has several findings. First, organizations identify various information security issues when implementing information security mechanisms. Second, there are strong connections between security issues. Third, several critical security issues are addressed in the system development process. Based on our findings, first, we suggest that information system managers must establish robust information security mechanisms to deliver high-quality services. Second, organizations should focus on different information security issues in different system development phases, because there are significant mutual interactions between several critical security mechanisms. Finally, managers must focus on key information security mechanisms from the start to the end of the system development phases. |
Abstract (Third Language) | |
Table of Contents |
- Abstract (Chinese), p. I
- Abstract (English), p. II
- Chapter 1: Introduction, p. 1
- Chapter 2: Literature Review, p. 5
  - 2.1 Information Security, p. 5
  - 2.2 Information Security Management Standards, p. 9
  - 2.3 System Development and Information Security, p. 13
- Chapter 3: Research Methodology, p. 18
  - 3.1 Research Cases, p. 18
  - 3.2 Interview Procedure, p. 20
  - 3.3 Data Analysis, p. 22
- Chapter 4: Data Analysis and Results, p. 24
  - 4.1 Open Coding and Results, p. 24
    - 4.1.1 Coding statistics for "Norms" (規範), p. 26
    - 4.1.2 Coding statistics for "Organizational Security Plan", p. 28
    - 4.1.3 Coding statistics for "Resources", p. 30
  - 4.2 Axial Coding and Results, p. 31
    - 4.2.1 Cross-coding statistics for "Norms", p. 31
    - 4.2.2 Cross-coding statistics for "Organizational Security Plan", p. 31
    - 4.2.3 Cross-coding statistics for "Resources", p. 34
  - 4.3 Selective Coding and Results, p. 37
- Chapter 5: Conclusion, p. 43
  - 5.1 Research Results, p. 43
  - 5.2 Research Contributions, p. 45
  - 5.3 Research Limitations, p. 46
- References, p. 47
- Appendix, p. 50

List of Tables:
- Table 2-1: Definitions of information security, p. 7
- Table 2-2: Comparison of the ISO 27001 and COBIT standards, p. 11
- Table 2-3: TCSEC security levels, p. 12
- Table 3-1: Classification of interviewees, p. 20
- Table 4-1: Coding statistics, p. 24
- Table 4-2: Coding statistics for "Norms", p. 27
- Table 4-3: Coding statistics for "Organizational Security Plan", p. 29
- Table 4-4: Coding statistics for "Resources", p. 30
- Table 4-5: Coding cross-relationships, p. 36
- Table 4-6: Selective coding statistics, p. 40
- Table 4-7: Items emphasized in each phase, p. 42
Full-Text Access Permission | |