
A Study on Information Security Management for Wireless Local Area Networks-A Case Study on Some University in Middle Ta 鄭宗恆、曹偉駿


Academic year: 2022


A Study on Information Security Management for Wireless Local Area Networks-A Case Study on Some University in Middle Ta

鄭宗恆、曹偉駿

E-mail: 9707378@mail.dyu.edu.tw

ABSTRACT

This thesis develops an information security management approach for IEEE 802.11x wireless local area networks (WLANs) so that organizational security can be ensured. A campus is one kind of organization, so the WLAN security issues facing campuses and businesses, such as privacy and confidentiality, are the same. It is therefore urgent to protect organizational security through information security management. The thesis bases its information security management on ISO 27001 and CMMI: ISO 27001 can provide standardization for information security management, and CMMI can evaluate and improve the information security management process. A case study of a university in central Taiwan is discussed. We affirm that the derived results can not only strengthen the security of campus WLANs but also provide enterprises and governments with useful information security management strategies.

Keywords: Wireless Local Area Networks; Information Security Management; ISO 27001; CMMI

Table of Contents

Chinese Abstract
English Abstract
Acknowledgments
Table of Contents
List of Tables
List of Figures
Chapter 1  Introduction
  Section 1  Research Background
  Section 2  Research Motivation
  Section 3  Research Objectives
  Section 4  Research Process
Chapter 2  Literature Review
  Section 1  Wireless Local Area Network Security
  Section 2  Information Security Management
  Section 3  Discussion of ISO 27001 and CMMI
Chapter 3  Research Method
  Section 1  Selection of Research Method
  Section 2  Research Process
  Section 3  Research Subject
  Section 4  Research Scope and Limitations
  Section 5  Data Analysis
Chapter 4  Case Study
  Section 1  Research Subject
  Section 2  Proposition Derivation
  Section 3  Research Results
Chapter 5  Conclusions and Recommendations
  Section 1  Conclusions
  Section 2  Recommendations
References
