Summary: Master's === 銘傳大學 === Executive Master Program, College of Management === 105

In recent years, information security incidents have shifted from displays of technical skill, mischief and pranks to targeted, organized, international, extortionist and other criminal acts. Information security is therefore not just a technical problem but a management problem, especially for the financial industry in the Bank 3.0 environment. This study examines how to establish information security metrics as a performance measurement for security, how to verify whether those metrics reflect the real situation and help reduce security weaknesses within the organization, and how to establish a security metrics program for securities firms.
This study draws on a literature review, expert interviews, case studies and comparative data analysis to reach its findings. First, the study found that the focus of information security for securities firms is ensuring that the company's key core business systems remain operational and correct; this is the primary determinant and should be taken into account when establishing security metrics. Secondly, through interviews with securities industry experts, we summarized the important factors affecting information security and then selected the nine most important control domains from the 14 control domains of the ISO 27001:2013 ISMS to build a securities firm's information security metrics.
This study suggests that securities firms should start from the "Establishing Information Security Inspection Mechanisms for Securities Firms" of the Taiwan Securities Exchange and the ISO 27001 ISMS control domains, and then establish strategic projects in those domains, so that security metrics can be developed quickly according to the company's own environment and business model. Security metrics provide a tool for measuring the effectiveness of organizational information security. Firms should also use security metrics as evidence for decision-making, to adjust resource allocation, achieve accountability and improve organizational security.