dc.contributor.advisor | 陳恭 | zh_TW |
dc.contributor.advisor | Chen, Kung | en_US |
dc.contributor.author (Authors) | 鄭明璋 | zh_TW |
dc.contributor.author (Authors) | Cheng, Ming Chang | en_US |
dc.creator (Author) | 鄭明璋 | zh_TW |
dc.creator (Author) | Cheng, Ming Chang | en_US |
dc.date (Date) | 2012 | en_US |
dc.date.accessioned | 1-Oct-2013 13:46:54 (UTC+8) | - |
dc.date.available | 1-Oct-2013 13:46:54 (UTC+8) | - |
dc.date.issued (Upload time) | 1-Oct-2013 13:46:54 (UTC+8) | - |
dc.identifier (Other Identifiers) | G0095971007 | en_US |
dc.identifier.uri (URI) | http://nccur.lib.nccu.edu.tw/handle/140.119/61197 | - |
dc.description (Description) | Master's thesis | zh_TW |
dc.description (Description) | National Chengchi University | zh_TW |
dc.description (Description) | Department of Computer Science | zh_TW |
dc.description (Description) | 95971007 | zh_TW |
dc.description (Description) | 101 (ROC academic year) | zh_TW |
dc.description.abstract (Abstract) | The new Personal Data Protection Act was promulgated in May 2010 (ROC year 99) and formally took effect in October 2012 (ROC year 101). With its implementation, public-sector and private organizations alike have invested substantial resources to improve and ensure that their collection, processing and use of personal data comply with the Act. Because of the nature of their business, the collection, processing and use of personal data is an issue banks must face every day. Although the earlier statutes, the Computer-Processed Personal Data Protection Act and the Banking Act, already regulated the handling of personal data, difficulties in auditing and producing evidence, together with overly light penalties, meant that the industry never took data protection seriously or fully discharged its duty to protect personal data, so cases of personal data leakage at banks were reported from time to time. Once the new Act took effect, the burden of proof shifted from the data subject to the enterprise: when a suspected leak occurs, the enterprise must prove that its systems or mechanisms for controlling personal data already satisfy the Act's requirements and that it has fulfilled its duty of proper management. The industry has therefore had no choice but to invest heavily in strengthening its internal mechanisms for protecting and auditing personal data, bringing each requirement of the new Act into the scope of system functionality. Alongside the Act, the Ministry of Justice promulgated the "Specific Purposes and Categories of Personal Data under the Personal Data Protection Act", which defines the categories of personal data and the purposes for which personal data may be accessed. This study addresses that requirement: it analyses the current state of banking operations, takes possible future business needs into account, and designs a flexible personal-data access framework that manages data categories and access purposes so as to satisfy the Act's requirements. | zh_TW |
dc.description.abstract (Abstract) | With the latest version of the Personal Data Protection Act (PDPA) promulgated in May 2010 and in force since October 2012, all public- and private-sector organizations must commit significant resources to meet its strengthened requirements for the collection, processing and use of personal data. Banks are among the first to be affected, since collecting, using and handling personal data is essential to their daily operations. This thesis therefore investigates PDPA compliance from a banking perspective. A distinguishing feature of the new Act is that it regulates access to personal data in terms of purposes: an organization must obtain the customer's informed consent on how her personal data will be used, i.e. her privacy preferences. Employing a proper access control mechanism to protect customer data is already a well-accepted discipline in bank information system (BIS) development, but such mechanisms rarely support customers' preferences about the use of their personal data. It is therefore highly desirable to extend a BIS's access control to handle customers' privacy preferences. This thesis surveys common bank operations and presents a purpose-based access control framework for future BIS development. Specifically, we derive a classification of bank customers' personal data and a set of purpose categories for bank operations, so that the proposed access control framework can ensure that every access to a customer's personal data matches the access purposes she has granted. The framework thereby lays a foundation for a bank's PDPA compliance. | en_US |
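The abstract describes the check the framework must make on every access: the calling operation is entitled to act under the declared purpose, the customer has consented to that purpose, and each requested attribute belongs to a data category the purpose covers. The following is an added example written for this record, not code from the thesis; the attribute classification, purpose catalogue, operation-to-purpose table and customer consents are constructed and illustrative, and the thesis's own PII Configuration and API are not reproduced here. The check fails closed: an attribute missing from the classification is denied rather than assumed harmless.

```python
"""Purpose-based access check over customer PII (added, illustrative example).

Assumed model (constructed for this example, not the thesis's identifiers):
  - every PII attribute is assigned a data category;
  - every business operation declares the purposes it may run under;
  - every customer consents per purpose (her privacy preferences);
  - a policy maps each purpose to the data categories it may read.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed classification of customer attributes into data categories.
ATTRIBUTE_CATEGORY = {
    "name": "identity", "national_id": "identity",
    "phone": "contact", "email": "contact", "address": "contact",
    "account_balance": "financial", "loan_history": "financial",
}

# Constructed policy: which data categories a purpose is allowed to touch.
PURPOSE_ALLOWED_CATEGORIES = {
    "account_servicing": {"identity", "contact", "financial"},
    "marketing": {"identity", "contact"},
    "credit_assessment": {"identity", "financial"},
}

# Constructed table: which purposes each operation may legitimately declare.
OPERATION_PURPOSES = {
    "print_statement": {"account_servicing"},
    "send_promotion": {"marketing"},
    "evaluate_loan": {"credit_assessment", "account_servicing"},
}


@dataclass(frozen=True)
class Customer:
    customer_id: str
    consented_purposes: frozenset  # the customer's privacy preferences


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    denied_attributes: tuple = ()


def decide(operation: str, purpose: str, customer: Customer,
           attributes: Iterable[str]) -> Decision:
    """Return Permit only if operation, consent and data categories all match."""
    attrs = tuple(attributes)
    # 1. The operation must be entitled to act under the declared purpose.
    if purpose not in OPERATION_PURPOSES.get(operation, set()):
        return Decision(False, f"operation {operation!r} may not declare purpose {purpose!r}", attrs)
    # 2. The customer must have consented to this purpose.
    if purpose not in customer.consented_purposes:
        return Decision(False, f"customer {customer.customer_id} has not consented to {purpose!r}", attrs)
    # 3. Every attribute must be classified, and its category covered by the purpose.
    #    An unclassified attribute maps to None, which is never in the allowed set.
    allowed = PURPOSE_ALLOWED_CATEGORIES.get(purpose, set())
    denied = tuple(a for a in attrs if ATTRIBUTE_CATEGORY.get(a) not in allowed)
    if denied:
        return Decision(False, f"purpose {purpose!r} does not cover {denied}", denied)
    return Decision(True, "all requested attributes are permitted for this purpose")


AUDIT_LOG: list = []  # every decision is recorded, permitted or not


def access(record: dict, operation: str, purpose: str, customer: Customer,
           attributes: Iterable[str]) -> dict:
    """Enforce the decision on a customer record: return only the permitted
    projection of the record (empty on deny) and append an audit entry."""
    attrs = tuple(attributes)
    d = decide(operation, purpose, customer, attrs)
    AUDIT_LOG.append({"customer": customer.customer_id, "operation": operation,
                      "purpose": purpose, "attributes": attrs,
                      "permit": d.permit, "reason": d.reason})
    if not d.permit:
        return {}
    return {a: record[a] for a in attrs}


if __name__ == "__main__":
    alice = Customer("C001", frozenset({"account_servicing", "marketing"}))
    bob = Customer("C002", frozenset({"account_servicing"}))
    rec = {"name": "A. Customer", "email": "a@example.com", "account_balance": 1200}
    print(access(rec, "send_promotion", "marketing", alice, ["email"]))
    print(access(rec, "send_promotion", "marketing", bob, ["email"]))
    print(decide("send_promotion", "marketing", alice, ["email", "account_balance"]))
```

The audit entry is written for denials as well as permits, because under the Act the bank, not the data subject, has to show later that its controls were in place.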
dc.description.tableofcontents | Chapter 1 Introduction; 1.1 Research Background; 1.2 Research Motivation; 1.3 Research Objectives; 1.4 Thesis Contributions; 1.5 Thesis Organization; Chapter 2 Related Work and Technical Background; 2.1 Personal Data Protection Act; 2.2 XACML; 2.3 LINQ; 2.4 Privacy-Aware Access Control; Chapter 3 System Design and Architecture; 3.1 Design Philosophy; 3.2 Assumptions and Limitations; 3.3 System Architecture and Scope; 3.3.1 Data Relationships and Functional Modules; 3.3.2 Data Flow; 3.3.3 PII Configuration Data; 3.4 Management Module; 3.5 API Design; Chapter 4 System Implementation and Demonstration; 4.1 Management Module; 4.2 Test Module; Chapter 5 Conclusion; 5.1 Conclusion; 5.2 Future Work; Chapter 6 References | zh_TW |
dc.language.iso | en_US | - |
dc.source.uri (Source) | http://thesis.lib.nccu.edu.tw/record/#G0095971007 | en_US |
dc.subject (Keywords) | Personal Data Protection Act | zh_TW |
dc.subject (Keywords) | Privacy | zh_TW |
dc.subject (Keywords) | Purpose | zh_TW |
dc.subject (Keywords) | Personal Data Protection Act | en_US |
dc.subject (Keywords) | Privacy | en_US |
dc.subject (Keywords) | Purpose | en_US |
dc.title (Title) | Purpose-Based Personal Data Control Framework: A Banking Perspective | zh_TW |
dc.title (Title) | Purpose-Based PII Control Framework: A Banking Perspective | en_US |
dc.type (Type) | thesis | en |
dc.relation.reference (References) | [1] Ministry of Justice, Personal Data Protection Act, 2010, from: http://law.moj.gov.tw/LawClass/LawAll.aspx?PCode=I0050021 (accessed 2013/7) [2] Ministry of Justice, Enforcement Rules of the Personal Data Protection Act, 2012, from: http://law.moj.gov.tw/LawClass/LawAll.aspx?PCode=I0050022 (accessed 2013/7) [3] Ministry of Justice, Specific Purposes and Categories of Personal Data under the Personal Data Protection Act, 2012, from: http://mojlaw.moj.gov.tw/LawContentDetails.aspx?id=FL010631 (accessed 2013/7) [4] Sandhu R. et al., Role-based access control models, IEEE Computer, 29(2), 1996, pp. 38-47 [5] OASIS, A Brief Introduction to XACML, 2003, from: https://www.oasis-open.org/committees/download.php/2713/ (accessed 2013/7) [6] Marco Casassa Mont, Dealing with Privacy Obligations in Enterprises, HP Laboratories Bristol, HPL-2004-109, 2004 [7] OASIS, eXtensible Access Control Markup Language (XACML) V3.0, from: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (accessed 2013/7) [8] Microsoft, Introduction to LINQ, from: http://msdn.microsoft.com/zh-tw/library/bb397897(v=vs.90).aspx (accessed 2013/7) [9] Microsoft, C# 3.0 Features That Support LINQ, from: http://msdn.microsoft.com/zh-tw/library/bb397909(v=vs.90).aspx (accessed 2013/7) [10] F. Massacci, N. Zannone, Privacy is Linking Permission to Purpose, Lecture Notes in Computer Science Vol. 3957, Springer Berlin / Heidelberg, 2006 [11] Kung Chen and D. W. Wang, Supporting Patients' Privacy Preferences Using Aspects, Japan Journal of Medical Informatics, Vol. 29, No. 3, 2009, pp. 117-128 (ISSN 0289-8055) [12] Ni Q., Trombetta A., Bertino E., Lobo J., Privacy-Aware Role Based Access Control, IEEE Security & Privacy, Vol. 7, Issue 4, July-Aug. 2009, pp. 35-43 (ISSN 1540-7993) [13] OASIS, XACML v3.0 Privacy Policy Profile Version 1.0, 2010, from: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-privacy-v1-spec-cs-01-en.pdf [14] Ji-Won Byun, Ninghui Li, Purpose Based Access Control for Privacy Protection in Relational Database Systems, The VLDB Journal, Vol. 17, Issue 4, July 2008, pp. 603-619 [15] Kung Chen, From Application Access Control to Privacy Protection, 2012 [16] APEC, APEC Privacy Framework, 2005, from: http://publications.apec.org/publication-detail.php?pub_id=390 (accessed 2013/7) [17] ISO/IEC 29100, Privacy framework, first edition, 2011 [18] Marco Casassa Mont, Dealing with Privacy Obligations: Important Aspects and Technical Approach, HP Laboratories Bristol, HPL-2004-34, 2004 [19] Marco Casassa Mont, Robert Thyne, Privacy Policy Enforcement in Enterprises with Identity Management Solutions, HP Laboratories Bristol [20] Andrew S. Patrick, Steve Kenny, From Privacy Legislation to Interface Design: Implementing Information Privacy in Human-Computer Interactions, 2003 | zh_TW |