National Digital Library of Theses and Dissertations in Taiwan

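Graduate student: 游蕙宇
Graduate student (English name): YU, HUI-YU
Thesis title (original Chinese): 國民中學雲端學務系統之資訊安全管理研究-以新竹市某國中為例
Thesis title (English): Information Security Management for Cloud School Affairs Information Systems of a Junior High School - A Case Study on Some Junior High School in Hsinchu City
Advisor: 曹偉駿
Advisor (English name): TSAUR, WOEI-JIUNN
Oral defense committee: 楊豐兆, 梁晉嘉
Oral defense committee (English names): YANG, FENG-CHAO; LIANG, CHIN-CHIA
Oral defense date: 2016-06-02
Degree: Master's
Institution: Da-Yeh University (大葉大學)
Department: Master's Program, Department of Information Management
Discipline: Computer Science
Sub-discipline: General Computer Science
Thesis type: Academic thesis
Year of publication: 2016
Graduation academic year: 104
Language: Chinese
Number of pages: 146
Chinese keywords: Information Security Management System; Cloud Computing; ISO 27001; School Affairs System
English keywords: Information Security Management System; PDCA mode; ISO 27001; School Affairs Information Systems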
Usage statistics:
  • Times cited: 1
  • Views: 162
  • Downloads: 8
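Junior high school teachers often use cloud-based school affairs systems to record student data conveniently. Because these data bear on the ranking criteria for junior high school students' admission to senior high schools, it is important to avoid the information security risks that accompany the use of cloud resource services. Ensuring the security of junior high school cloud school affairs systems under the existing Information Security Management System (ISMS) framework has become an urgent task.
Based on the controls of ISO 27001:2013, this study uses an in-depth case study and derives propositions along the dimensions P (Plan), D (Do), C (Check) and A (Act) to understand the current state of cloud information security management for student affairs at a junior high school in Hsinchu City. The results show that the school affairs system of the case school has the following problems: an information security organization that is not robust enough because of a manpower shortage, insufficient education and training and insufficient account password strength, backups that are not performed reliably, poor control of the physical environment, and no historical record in the handling process for information security problems. Accordingly, for the problems found in the information security management system of the junior high school cloud environment, this study further proposes solutions for five issues: human error, physical security vulnerabilities, network security vulnerabilities, system damage, and the handling process for information security incidents, as a reference for the information security management of junior high school cloud school affairs systems.
Keywords: Information Security Management System, Cloud Computing, ISO 27001, School Affairs System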

Recently, junior high school teachers have often recorded students' performance through cloud school affairs information systems. These records are crucial because they affect students' enrollment order for high schools. While teachers enjoy the convenience of cloud systems, it is imperative to address the security risks that accompany them. It is therefore urgent to consider how to ensure the information security of junior high school affairs information systems in the cloud under the existing Information Security Management System architecture.
This research takes the ISO 27001:2013 control objectives as its basis. Using a case study of one junior high school in Hsinchu City, it derives several propositions along four dimensions, P (Plan), D (Do), C (Check) and A (Act), to review the status of the existing cloud information security management for the school affairs information system. The case study reveals several issues: an inadequate information security organization due to manpower shortage, insufficient training and account password strength, insufficient backup, poor physical environment control, and no historical record in the security incident response procedure. Based on further study of these issues, suggestions are provided for the management strategy of cloud information security in junior high schools. This thesis also gives five suggestions, covering human errors, physical security vulnerabilities, network security vulnerabilities, system damage, and the security incident response procedure.
Key Words: Information Security Management System, PDCA mode, ISO 27001, School Affairs Information Systems.

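Chapter 1 Introduction
Section 1 Research Background and Motivation
Section 2 Research Objectives
Section 3 Research Scope and Limitations
Section 4 Research Process
Chapter 2 Literature Review
Section 1 ISO 27001:2013 International Standard for Information Security Management
Section 2 The PDCA Quality Management Cycle
Section 3 Information Security Management Systems
Section 4 Junior High School School Affairs Systems
Section 5 Cloud Computing
Chapter 3 Research Design and Methods
Section 1 Research Design
Section 2 Research Methods
Chapter 4 Research Process and Analysis of Results
Section 1 Case Study
Section 2 Derivation of Propositions
Section 3 Research Results
Chapter 5 Conclusions and Future Directions
Section 1 Conclusions
Section 2 Future Directions
References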







