國際資訊安全標準ISO 27001之網路架構設計－以國網中心為例探討風險管理

Abstract

ISO 27001:2005是資訊安全的國際標準。該標準協助組織降低資訊脆弱點所造成的損失及預防潛在風險的衝擊。傳統建構資訊安全的元素不外乎由防火牆、IDS、IDP等等所組成，缺乏一套系統性的分析工具，ISO27001標準的作業程序是將資訊資產列表，依據這些資產本身所存在的弱點，預測會面臨的威脅，進而評估該風險是否為組織可承受。國家高速網路與計算中心致力於建置高品質學術研究之平台，透過高速網路提供高效能計算主機、高容量儲存設施與主機代管服務。本文將以ISO27001的標準規範為基礎，介紹本中心在取得ISO27001認證的過程中，如何作風險評鑑，針對高風險資產規劃控制措施作風險處理，以設計出符合本中心風險期望之網路架構。

ISO 27001 is a new standard demonstrates a systematic approach to establish a system (ISMS) to guarantee the information security. The ISMS is established based on clever risk assessment to figure out high risk vulnerable assets and risk treatment to reduce the risk level below an acceptable level. National Center for High-Performance Computing recently applied this standard for the high performance storage system, and network is within the scope. In this paper, we introduce this standard briefly, describe the definitions in risk assessment, and contribute our experience establishing ISMS. Finally, we conclude a secure network architecture design to fit our organization’s risk expectation.