Establishing Trustworthy Information Security Management System for Educational System

Bibliographic Details
Main Authors: Yu-hsiu Chuang, 莊育秀
Other Authors: Tzong-chen Wu
Format: Others
Language: zh-TW
Published: 2014
Online Access: http://ndltd.ncl.edu.tw/handle/53174006636855225581
id ndltd-TW-102NTUS5399061
collection NDLTD
description Doctoral === National Taiwan University of Science and Technology === Graduate Institute of Management === 102 === In our country, the Taiwan Academic Network (TANet) is built by the education system, and its primary purpose is to provide students at all levels of schooling with the Internet environment they need. TANet's services range from research and teaching to nurturing information literacy in network applications. The debut of the World Wide Web (WWW) in 1990 tied the Internet closely to people's everyday lives, so the information flowing across the Internet has become increasingly valuable or private. Information and communication security issues arose along with it. Their influence is much greater than before: beyond the earlier effects on operating systems and the file viruses that interfered with or damaged computers, there is now a wide variety of methods for attacking computers. Because campuses differ in network resource allocation and application services, network and system management mechanisms should adopt different management measures and plan different information security management policies, taking into account objective conditions, practical implementation needs and the information security criteria to be met, so that an information security environment suited to the characteristics of the education system can be established. The present study therefore investigates how to plan a credible information security management system for the education system.

With the growing popularity of cloud applications, the Internet, the Internet of Things and other technologies offer better technical support for us as well as for enterprise development. They reduce costs and improve efficiency, but they are accompanied by information security management issues. From information security development trends we can grasp the trend of information security attacks, and from the types of information security events we can learn how to classify and handle those events. Then, from an understanding of current information security protection technology, we can deploy technically feasible defense and detection mechanisms in the information security environment. We can also review the current information security problems of the major countries in the world so that we can plan an information security policy that meets our needs.

Establishing an information security system or mechanism is expected to prevent security incidents from occurring and, when an incident does occur, to control the risk effectively. The question is therefore how to plan a trustworthy information security model whose effectiveness can be measured and analyzed. By defining the elements of an information security trust model, we can understand and control the characteristics of the realm or system in which it is to be implemented. We can also evaluate the service-level agreement (SLA) while achieving its setting. Meanwhile, we should measure the information security protection resources that we can invest ourselves and the risk we can accept for the organization or the system, so that we can determine the primary factors that affect information security operations. We can then plan our information security model around each of those factors and, on the basis of these models, plan and establish a reliable information security mechanism.

After planning and constructing the overall information security protection mechanism and establishing defensive measures in the education system, we can expect information security protection to be effectively enhanced. The key success factors are therefore the four categories of basic information security indexes, followed by three dimensions (the management dimension, the environment dimension and the education dimension) used to verify the credibility of these indexes and models. To verify whether the education system as a whole achieves credibility, we test it empirically along quantitative and qualitative dimensions to measure and evaluate its degree of credibility.

The information security planning strategy therefore proposes the "3R" elements: Resource, Risk and Requirement. Then, from the information technology perspective, assessment factors are constructed according to the importance of each campus's information-related facilities (including hardware, software systems and databases) and compiled into a trust model for assessing the elements of the education system, namely the information security "4A" assessment factors: the value of assets (Assets), application service range (Application), risk value (Assume) and degree of regulatory management (Administration). The verification process and analysis are reviewed against the collected information security events, including pre-treatment discovery and the responses during and after treatment. The resulting statistical analysis can be viewed as the integrated performance of what has been achieved, and these verification results can serve as a further basis for future modifications to information security policy or measures.

This study referred to the network operating infrastructure and related resources of the education system in our country and modified the PDCA model (Plan, Do, Check, and Act). It proposed a "P2D(CA)2 recursive model" to evaluate the information management system of the education system continuously. The first phase of the cycle uses the "Plan, Do, Check, and Act" model, and the second phase uses the "Plan, Do, Correct, and Advise" model. We looked forward to reviewing information security implementation strategies routinely through the modified recursive process and raising information security protection capabilities and skills. At the same time, implementation cost and human resources could be reduced and their scale minimized, so that a robust information security capability could be built.

The Taiwan Academic Network is built on an open network infrastructure and provides campuses at all levels with a secured network. The education system therefore produces various ancillary measures across its information-related operations in three dimensions: policy management, environmental technology and staff education. By continuously improving and correcting these mechanisms, and through the three-stage protection programs of "prevention", "coping" and "treatment", supported by periodic analysis and index review in quantitative and qualitative performance evaluation, we believe this research can help the education system establish reliable information security mechanisms.
spelling ndltd-TW-102NTUS5399061 2016-03-09T04:30:58Z http://ndltd.ncl.edu.tw/handle/53174006636855225581 Establishing Trustworthy Information Security Management System for Educational System 建立可信賴之教育體系資通安全管理系統 Yu-hsiu Chuang 莊育秀 Doctoral National Taiwan University of Science and Technology Graduate Institute of Management 102 Tzong-chen Wu 吳宗成 2014 Degree thesis ; thesis 164 zh-TW