Publications-Theses

Article View/Open

Publication Export

Google ScholarTM

NCCU Library

Citation Infomation

Related Publications in TAIR

題名 The process-wide methodology for investigating the information security of a business process
作者 洪妙如
Hung, Miao-Ju
貢獻者 蔡瑞煌<br>江永裕
Tsaih, Ray<br>Chiang, Yung-Yu
洪妙如
Hung, Miao-Ju
關鍵詞 資訊安全
風險分析管理
企業流程
information security
risk analysis and management
business process
日期 2004
上傳時間 14-Sep-2009 09:18:17 (UTC+8)
摘要 為落實現行企業的資訊安全評估,研究一創新的方法論,從企業流程的角度做分析評估,將企業要面臨的風險降低到可接受的等級。我們提出的發法論主要分為: (1) 發展企業流程表,找出此流程中要完成的所有功能(2) 指出各功能中對應需運作的接觸點/資訊管道/資訊資源,並評估可能面臨的風險 (3) 將這些面臨的風險,依據風險的可能性、風險的影響性,決定出各風險的風險等級 (4)提出在需建議的風險等級以上的接觸點/資訊管道/資訊資源的控制措施 (5) 確認現行企業是否有落實建議之控制措施。並實際訪談個案公司,完成此方法論的案例雛型。
We are interested in evaluating the information security of a critical business process and its relevant issues. We try to provide a new security investigation method which is concerned with ensuring the continuity of business essential processes even the whole organization. This study will provide a methodology for analyzing the risk of each component of a process to replace the original information security method which was too widespread or too tiny. Base on such investigation, we can realize the security implements in the process and discover what component is needed to changed such as reduce risk or enhance security of that process to an acceptable level within the limited budget.
     In our methodology for each decisive business process., the following steps are proposed: (1) to develop the business process table, (2) to figure out all practices of CP/IC/IR corresponding to each function and the related risks, (3) to classify the risk likelihood, risk impact, and security level for each CP/IC/IR of the critical process, (4) to propose the corresponding controls for each CP/IC/IR, and (5) to check the installed controls: The last column, installed check, is took down if the proposed controls are installed or not. A case study of the loan process in a financial institution will be conducted here to illustrate the proposed methodology.
     We find that here are a number of benefits offered by the PWIO security investigation approach. It is designed from the higher level view point. It involves more members. It is easier to be supported by managers. It makes systematic analysis and check for the security controls in the business process. It costs less than the conventional risk analysis which is adopted for the whole enterprise. The PWIO security investigation methodology can be used in one of the processes and be modified to fit the unique enterprise, and then it can be followed out by the other processes. It can save time and money via try-and-modify steps.
參考文獻 1. Carr, N.G., “IT Doesn’t Matter,” Harvard Business Review, May, pp. 41- 49, 2003
2. Curtis, B., Keller, M.I. and Over, J., “Process Modeling”, Communication of the ACM, Vol.35, No.9, pp. 75 -90, 1992
3. Davenport, T.H. and Short, J.E., “The new industrial engineering: information technology and business process redesign”, Sloan Management Review, Vol. 31, No. 4, pp. 11-27, 1990
4. Denna, E.L., Perry, L.T. and Jasperson, J., “Reengineering and REAL business process modeling”, in Grover, V. and Kettinger, W.J. (Eds), Business Process Change: Reengineering Concepts, Methods, and Technologies, Idea Group Publishing, London, pp.350-375, 1995
5. ISO/IEC 17799, Information technology — Code of practice for information security management, First edition, 2000
6. Luo, W., and Tung, Y. A., “A framework for selecting business process modeling methods”, Industry Management and Data Systems, Vol. 99, No.7, pp.312-319, 1999
7. McAdams, A. C., “Security and risk management: a fundamental business issue”, Information Management Journal, Vol. 38, No. 4, ABI/INFORM Global pp.36 - 44, Jul/Aug 2004
8. Peltier, T. R., Information Security Risk analysis, CRC Press LLC, Florida, 2001
9. Peltier, T. R., “Developing an Enterprisewide Policy Structure”, Information Systems Security, New York, Vol.13, Iss. 1, pp. 44 -50, Mar/Apr 2004a
10. Peltier, T. R., “Risk analysis and risk management”, EDPACS, Vol. 32, No. 3; ABI/INFORM Global, pp. 1-17; Sep 2004b
11. Porter, M. E., The value chain and competitive advantage. In: Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, New York., 1985
12. Halliday, S., Badenhorst, K., and Von Solms, R., “A business approach to effective information technology risk analysis and management”, Information Management & Computer Security, Bradford: Vol.4, Iss. 1, pp. 19-31, 1996
13. Tsaih, R., Lin, W., Hung, M. J., and Cheng, Y. L., “The business process investigation in the perspective of customer value”, The Fourth International Conference
on Electronic Business, Beijing, China, pp.596-603 , 2004
描述 碩士
國立政治大學
資訊管理研究所
92356027
93
資料來源 http://thesis.lib.nccu.edu.tw/record/#G0923560272
資料類型 thesis
dc.contributor.advisor 蔡瑞煌<br>江永裕zh_TW
dc.contributor.advisor Tsaih, Ray<br>Chiang, Yung-Yuen_US
dc.contributor.author (Authors) 洪妙如zh_TW
dc.contributor.author (Authors) Hung, Miao-Juen_US
dc.creator (作者) 洪妙如zh_TW
dc.creator (作者) Hung, Miao-Juen_US
dc.date (日期) 2004en_US
dc.date.accessioned 14-Sep-2009 09:18:17 (UTC+8)-
dc.date.available 14-Sep-2009 09:18:17 (UTC+8)-
dc.date.issued (上傳時間) 14-Sep-2009 09:18:17 (UTC+8)-
dc.identifier (Other Identifiers) G0923560272en_US
dc.identifier.uri (URI) https://nccur.lib.nccu.edu.tw/handle/140.119/31126-
dc.description (描述) 碩士zh_TW
dc.description (描述) 國立政治大學zh_TW
dc.description (描述) 資訊管理研究所zh_TW
dc.description (描述) 92356027zh_TW
dc.description (描述) 93zh_TW
dc.description.abstract (摘要) 為落實現行企業的資訊安全評估,研究一創新的方法論,從企業流程的角度做分析評估,將企業要面臨的風險降低到可接受的等級。我們提出的發法論主要分為: (1) 發展企業流程表,找出此流程中要完成的所有功能(2) 指出各功能中對應需運作的接觸點/資訊管道/資訊資源,並評估可能面臨的風險 (3) 將這些面臨的風險,依據風險的可能性、風險的影響性,決定出各風險的風險等級 (4)提出在需建議的風險等級以上的接觸點/資訊管道/資訊資源的控制措施 (5) 確認現行企業是否有落實建議之控制措施。並實際訪談個案公司,完成此方法論的案例雛型。zh_TW
dc.description.abstract (摘要) We are interested in evaluating the information security of a critical business process and its relevant issues. We try to provide a new security investigation method which is concerned with ensuring the continuity of business essential processes even the whole organization. This study will provide a methodology for analyzing the risk of each component of a process to replace the original information security method which was too widespread or too tiny. Base on such investigation, we can realize the security implements in the process and discover what component is needed to changed such as reduce risk or enhance security of that process to an acceptable level within the limited budget.
     In our methodology for each decisive business process., the following steps are proposed: (1) to develop the business process table, (2) to figure out all practices of CP/IC/IR corresponding to each function and the related risks, (3) to classify the risk likelihood, risk impact, and security level for each CP/IC/IR of the critical process, (4) to propose the corresponding controls for each CP/IC/IR, and (5) to check the installed controls: The last column, installed check, is took down if the proposed controls are installed or not. A case study of the loan process in a financial institution will be conducted here to illustrate the proposed methodology.
     We find that here are a number of benefits offered by the PWIO security investigation approach. It is designed from the higher level view point. It involves more members. It is easier to be supported by managers. It makes systematic analysis and check for the security controls in the business process. It costs less than the conventional risk analysis which is adopted for the whole enterprise. The PWIO security investigation methodology can be used in one of the processes and be modified to fit the unique enterprise, and then it can be followed out by the other processes. It can save time and money via try-and-modify steps.
en_US
dc.description.tableofcontents Chapter I Introduction 1
     1.1 Motivation and Objective 1
     1.2 Research methodology 2
     
     Chapter II Literature Review 2
     2.1 Business process analysis 2
     2.1.1 Classification of process modeling 3
     2.1.2 The Process-wide Information Organism (PWIO) approach 6
     2.2 Risk Analysis 10
     2.2.1 Three classification of information requirement 13
     2.2.2 Facilitated risk analysis process (FRAP) risk analysis 14
     2.2.3 Information security lifecycle 15
     2.2.4 Business-oriented risk analysis 16
     2.3 Information security control 23
     2.3.1 Four layers of controls 23
     2.3.2 FRAP Control list 24
     2.3.3 Business-oriented risk management 27
     2.3.4 BS ISO/IEC 17799:2000 Information technology – Code of practice for information security management 30
     
     Chapter III The PWIO security investigation 36
     3.1 The methodology for the information security investigation of the critical business process 36
     
     Chapter IV Case study 44
     4.1 The background of bank A 44
     4.2 The managerial implications obtained from the proposed methodology 46
     4.3 The discovery of the case study 53
     
     Chapter V Conclusion and future work 55
     
     Reference 56
     
     Appendix 57
zh_TW
dc.language.iso en_US-
dc.source.uri (資料來源) http://thesis.lib.nccu.edu.tw/record/#G0923560272en_US
dc.subject (關鍵詞) 資訊安全zh_TW
dc.subject (關鍵詞) 風險分析管理zh_TW
dc.subject (關鍵詞) 企業流程zh_TW
dc.subject (關鍵詞) information securityen_US
dc.subject (關鍵詞) risk analysis and managementen_US
dc.subject (關鍵詞) business processen_US
dc.title (題名) The process-wide methodology for investigating the information security of a business processzh_TW
dc.type (資料類型) thesisen
dc.relation.reference (參考文獻) 1. Carr, N.G., “IT Doesn’t Matter,” Harvard Business Review, May, pp. 41- 49, 2003zh_TW
dc.relation.reference (參考文獻) 2. Curtis, B., Keller, M.I. and Over, J., “Process Modeling”, Communication of the ACM, Vol.35, No.9, pp. 75 -90, 1992zh_TW
dc.relation.reference (參考文獻) 3. Davenport, T.H. and Short, J.E., “The new industrial engineering: information technology and business process redesign”, Sloan Management Review, Vol. 31, No. 4, pp. 11-27, 1990zh_TW
dc.relation.reference (參考文獻) 4. Denna, E.L., Perry, L.T. and Jasperson, J., “Reengineering and REAL business process modeling”, in Grover, V. and Kettinger, W.J. (Eds), Business Process Change: Reengineering Concepts, Methods, and Technologies, Idea Group Publishing, London, pp.350-375, 1995zh_TW
dc.relation.reference (參考文獻) 5. ISO/IEC 17799, Information technology — Code of practice for information security management, First edition, 2000zh_TW
dc.relation.reference (參考文獻) 6. Luo, W., and Tung, Y. A., “A framework for selecting business process modeling methods”, Industry Management and Data Systems, Vol. 99, No.7, pp.312-319, 1999zh_TW
dc.relation.reference (參考文獻) 7. McAdams, A. C., “Security and risk management: a fundamental business issue”, Information Management Journal, Vol. 38, No. 4, ABI/INFORM Global pp.36 - 44, Jul/Aug 2004zh_TW
dc.relation.reference (參考文獻) 8. Peltier, T. R., Information Security Risk analysis, CRC Press LLC, Florida, 2001zh_TW
dc.relation.reference (參考文獻) 9. Peltier, T. R., “Developing an Enterprisewide Policy Structure”, Information Systems Security, New York, Vol.13, Iss. 1, pp. 44 -50, Mar/Apr 2004azh_TW
dc.relation.reference (參考文獻) 10. Peltier, T. R., “Risk analysis and risk management”, EDPACS, Vol. 32, No. 3; ABI/INFORM Global, pp. 1-17; Sep 2004bzh_TW
dc.relation.reference (參考文獻) 11. Porter, M. E., The value chain and competitive advantage. In: Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, New York., 1985zh_TW
dc.relation.reference (參考文獻) 12. Halliday, S., Badenhorst, K., and Von Solms, R., “A business approach to effective information technology risk analysis and management”, Information Management & Computer Security, Bradford: Vol.4, Iss. 1, pp. 19-31, 1996zh_TW
dc.relation.reference (參考文獻) 13. Tsaih, R., Lin, W., Hung, M. J., and Cheng, Y. L., “The business process investigation in the perspective of customer value”, The Fourth International Conferencezh_TW
dc.relation.reference (參考文獻) on Electronic Business, Beijing, China, pp.596-603 , 2004zh_TW