✅ Permission Management
Adopt the principle of least privilege: employees can access only the systems and data their work requires.
Review and adjust permissions regularly to remove redundant or outdated access rights.
Ensure that the access rights of personnel who leave or change roles are removed or updated appropriately.
✅ Account Management
Each employee should have an individual account; shared accounts are to be avoided.
Enforce a strong password policy (for example, at least 8 characters, a mix of upper- and lowercase letters and digits, and special characters).
Enable multi-factor authentication (MFA) to strengthen security.
✅ Personnel Management
When personnel are hired, brief them immediately on information security practices and the matters they must know, and have them sign documents such as a confidentiality agreement.
When any employee of the organization resigns or is transferred, revoke their system access immediately; if they held administrative control of a privileged account, take the necessary action on that account, such as changing its password.
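The permission-management and personnel-management items above describe one recurring procedure: compare what people are entitled to with what they currently hold, revoke the difference, and rotate any privileged credential a departing or transferred person held. The following script is an added example, not part of the original checklist; the roster, role matrix, entitlement names and grant snapshot are all constructed for the illustration.

```python
"""Access-review helper added as an illustration; it is not part of the original checklist.

All input data below is constructed for the example: an HR roster, a role-to-entitlement
matrix, and the access grants currently present in the systems. The review flags grants
held by departed or unknown users, grants that exceed the holder's current role (least
privilege), and grants left over from a previous role, and it lists privileged entitlements
whose credentials must be rotated because a flagged holder had them.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    role: str                          # current role, or "LEFT" for departed staff
    previous_role: Optional[str] = None


# Constructed role matrix: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:read", "erp:post-journal"},
    "developer": {"git:write", "ci:run"},
    "sysadmin": {"git:write", "ci:run", "prod:ssh", "erp:admin"},
}

# Entitlements treated as privileged: when a flagged holder had one, the
# credential behind it (shared root password, admin account) must be rotated.
PRIVILEGED = {"prod:ssh", "erp:admin"}

# Constructed HR roster: bob moved from sysadmin to developer, carol has left.
ROSTER = [
    Person("alice", "accountant"),
    Person("bob", "developer", previous_role="sysadmin"),
    Person("carol", "LEFT"),
]

# Constructed snapshot of the grants currently present in the systems.
GRANTS = {
    "alice": {"erp:read", "erp:post-journal", "git:write"},
    "bob": {"git:write", "ci:run", "prod:ssh"},
    "carol": {"erp:admin"},
    "dave": {"ci:run"},   # no roster entry at all
}


def review_access(roster, grants, role_entitlements, privileged):
    """Return (findings, rotate): findings are (user, entitlement, reason) tuples
    for grants that should be removed; rotate is the set of privileged
    entitlements whose credentials need rotation."""
    people = {p.user: p for p in roster}
    findings = []
    for user, ents in sorted(grants.items()):
        person = people.get(user)
        if person is None or person.role == "LEFT":
            for ent in sorted(ents):
                findings.append((user, ent, "holder departed or not on roster: revoke"))
            continue
        allowed = role_entitlements.get(person.role, set())
        old = role_entitlements.get(person.previous_role, set()) if person.previous_role else set()
        for ent in sorted(ents - allowed):
            reason = "exceeds current role"
            if ent in old:
                reason = f"left over from previous role {person.previous_role}"
            findings.append((user, ent, reason))
    rotate = {ent for _, ent, _ in findings if ent in privileged}
    return findings, rotate


if __name__ == "__main__":
    findings, rotate = review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS, PRIVILEGED)
    for user, ent, reason in findings:
        print(f"REVOKE {user:6} {ent:18} {reason}")
    print("rotate credentials for:", sorted(rotate))
```

Running it lists alice's stray git:write, bob's prod:ssh carried over from his old sysadmin role, and the grants still held by carol (departed) and dave (not on the roster); because prod:ssh and erp:admin are privileged, both land in the rotation set, matching the "change the password" step in the personnel item.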
✅ Information Security Awareness Training
Hold information security training regularly to raise employees' awareness, for example of social engineering attacks (phishing emails, telephone scams and so on).
Run simulated exercises, such as sending phishing test emails at regular intervals, to test employee vigilance.
✅ Internal Supervision and Audit
Set up a log monitoring mechanism that records and analyzes employees' operations on key systems.
Log system logins, access to important data, configuration changes and similar events, and review the logs regularly.
Monitor for abnormal behavior with a SIEM (Security Information and Event Management) system.
Conduct internal information security audits regularly to ensure compliance with standards, policies and regulations.
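What "monitoring abnormal behavior" looks like in practice is two or three detection rules run over the login and change logs the item asks you to keep. The script below is an added example, not part of the original checklist or of any SIEM product: the log format, host names, addresses, timestamps and the business-hours window are all constructed assumptions. It flags a burst of failed logins followed by a success from the same source, and successful logins to critical hosts outside working hours.

```python
"""Login-log review added as an illustration; not from the original checklist.

The log lines, the key=value format, the critical-host list and the business-hours
window are constructed assumptions for the example. Two detections are shown:
  * brute-force-then-success: >= 5 failed logins for the same user/source within
    10 minutes, followed by a successful login from that source;
  * off-hours-login: a successful login to a critical host outside 08:00-18:59.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (a line that does not match the format is ignored).
LOG_LINES = """\
2024-05-02T09:01:10 host=erp user=alice src=10.0.0.5 action=login result=OK
2024-05-02T09:05:42 host=erp user=alice src=10.0.0.5 action=change-setting result=OK
2024-05-02T22:30:00 host=fileserver user=carol src=10.0.0.7 action=login result=OK
2024-05-02T23:40:01 host=erp user=bob src=203.0.113.9 action=login result=FAIL
2024-05-02T23:40:20 host=erp user=bob src=203.0.113.9 action=login result=FAIL
2024-05-02T23:40:41 host=erp user=bob src=203.0.113.9 action=login result=FAIL
2024-05-02T23:41:02 host=erp user=bob src=203.0.113.9 action=login result=FAIL
2024-05-02T23:41:25 host=erp user=bob src=203.0.113.9 action=login result=FAIL
2024-05-02T23:41:50 host=erp user=bob src=203.0.113.9 action=login result=OK
this line is not a login record and is ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

CRITICAL_HOSTS = {"erp", "fileserver"}   # constructed: systems the audit item calls "key"
BUSINESS_HOURS = range(8, 19)            # constructed: 08:00 to 18:59 counts as working hours


def parse(text):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alert tuples in the order they are raised while replaying the events."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    for ev in events:
        if ev["action"] != "login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            continue
        # Successful login: check whether it was preceded by a burst of failures.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("brute-force-then-success", ev["user"], ev["src"], ev["ts"]))
        failures[key].clear()
        if ev["host"] in CRITICAL_HOSTS and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-login", ev["user"], ev["host"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(alert)
```

On the sample, carol's 22:30 login to the file server raises an off-hours alert, and bob's five failures followed by a success at 23:41 raise both a brute-force alert and an off-hours alert; alice's daytime activity is silent. A real deployment would feed the same rules with the SIEM's normalized events rather than a regex over raw lines.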
✅ Contingency Planning and Response Mechanism
Establish an Incident Response Plan (IRP).
Set up a reporting channel so employees can quickly report suspicious activity.
Conduct security drills regularly, such as simulated hacker attacks or data breach response exercises.
✅ Password and Identity Security
Use strong passwords and avoid strings related to personal information.
Do not share accounts or passwords with others; use a password manager where necessary.
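The account-management item gives the concrete password thresholds (8 or more characters, mixed case, digits, special characters) and the item above adds the rule against personal information. The checker below is an added example that turns both into code; it is not from the original checklist, and its small deny-list of common passwords and its sample inputs are constructed for the illustration.

```python
"""Password-policy check added as an illustration; not from the original checklist.

Thresholds follow the checklist (at least 8 characters, upper- and lowercase letters,
digits, special characters) plus the "no personal information" rule. The small
deny-list of common passwords is constructed for the example; a real deployment
would screen against a breached-password list instead.
"""
import re
from typing import Iterable, List

MIN_LENGTH = 8
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}

CHARACTER_RULES = [
    (re.compile(r"[A-Z]"), "no uppercase letter"),
    (re.compile(r"[a-z]"), "no lowercase letter"),
    (re.compile(r"[0-9]"), "no digit"),
    (re.compile(r"[^A-Za-z0-9]"), "no special character"),
]


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CHARACTER_RULES:
        if not pattern.search(password):
            problems.append(message)
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("matches a common password")
    # Reject passwords that embed the user's name, birth year, phone number and so on.
    for item in personal_info:
        fragment = str(item).lower()
        if len(fragment) >= 3 and fragment in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against a constructed profile (name, birth year).
    for candidate in ["Tr0ub4dor&3", "alice1990", "Pass1!"]:
        result = check_password(candidate, personal_info=["Alice", "1990"])
        print(candidate, "->", result or "OK")
```

The check reports every violation rather than stopping at the first, which is what a self-service password change screen needs to show the user; the personal-information list would come from the directory entry (name, employee id, birth date) rather than being typed in.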
✅ Protecting Against Social Engineering Attacks
Do not casually click links or open attachments in emails of unknown origin.
When a suspicious phone call or email asks for sensitive information, verify the other party's identity first.
✅ Equipment and Data Security
Lock computers and mobile phones when they are not in use to prevent unauthorized access.
Do not access sensitive information on public computers or over insecure networks.
Ensure important data is stored encrypted to prevent unauthorized access or leakage.
✅ System and Software Updates
Update operating systems and applications regularly to patch known vulnerabilities.
Remove software and services that are no longer used to reduce the attack surface.
Use only company-licensed and approved software; do not install applications of unknown origin.
✅ Behavior Monitoring and Reporting
If abnormal behavior is found, such as unauthorized access or equipment behaving abnormally, report it immediately to the IT department or the security team.
A DLP (Data Loss Prevention) system can be configured to monitor abnormal data flows.
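Two of the simplest DLP rules for "abnormal data flows" are a destination allow-list and a per-user volume baseline. The script below is an added example, not part of the original checklist or of any DLP product; the transfer records, the approved destinations and the spike factor are constructed assumptions.

```python
"""Outbound-transfer review added as an illustration; not from the original checklist.

Records, approved destinations and the spike factor are constructed for the example.
Two rules are applied to a day's outbound transfers:
  * unapproved-destination: data sent to a destination outside the sanctioned list
    (for example a personal cloud drive);
  * volume-spike: a user's daily outbound volume exceeds `factor` times the median
    of that user's earlier days.
"""
from collections import defaultdict
from statistics import median

# Constructed list of destinations approved for company data.
SANCTIONED = {"sharepoint.example.com", "git.example.com"}

# Constructed transfer records: (day, user, destination, bytes).
TRANSFERS = [
    ("2024-05-01", "alice", "sharepoint.example.com", 12_000_000),
    ("2024-05-02", "alice", "sharepoint.example.com", 15_000_000),
    ("2024-05-03", "alice", "sharepoint.example.com", 9_000_000),
    ("2024-05-06", "alice", "sharepoint.example.com", 14_000_000),
    ("2024-05-07", "alice", "sharepoint.example.com", 120_000_000),  # about 10x her usual
    ("2024-05-01", "bob", "git.example.com", 3_000_000),
    ("2024-05-02", "bob", "git.example.com", 2_500_000),
    ("2024-05-03", "bob", "git.example.com", 3_200_000),
    ("2024-05-03", "bob", "drive.google.com", 800_000),               # unapproved destination
]


def daily_volume(transfers):
    """Sum bytes per (user, day)."""
    volume = defaultdict(int)
    for day, user, _dest, nbytes in transfers:
        volume[(user, day)] += nbytes
    return volume


def detect_dlp(transfers, sanctioned, review_day, factor=5):
    """Return alert tuples: destination violations first, then volume spikes on review_day."""
    alerts = []
    for day, user, dest, _nbytes in transfers:
        if dest not in sanctioned:
            alerts.append(("unapproved-destination", user, dest, day))
    volume = daily_volume(transfers)
    users = {user for _day, user, _dest, _nbytes in transfers}
    for user in sorted(users):
        # Baseline is the user's own history before the review day (ISO dates sort as strings).
        history = [v for (u, d), v in volume.items() if u == user and d < review_day]
        today = volume.get((user, review_day), 0)
        if history and today > factor * median(history):
            alerts.append(("volume-spike", user, today, review_day))
    return alerts


if __name__ == "__main__":
    for alert in detect_dlp(TRANSFERS, SANCTIONED, review_day="2024-05-07"):
        print(alert)
```

On the sample, bob's upload to a personal drive is reported as an unapproved destination, and alice's 120 MB day is reported as a spike against her roughly 13 MB median. A median baseline is deliberately chosen over a mean so that one earlier large day does not hide a later one.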
✅ Equipment and Environment Management
Ensure that work computers, servers, storage devices and similar equipment are locked to prevent unauthorized access.
The use of personal USB flash drives and unauthorized cloud storage is strictly prohibited (for example, a personal Google Drive should not remain connected or be used to store official data).
✅ Secure Communications
Do not transmit confidential company data through personal email or instant messaging apps (such as Line or WhatsApp).
Use the company-authorized VPN for remote access, and avoid performing sensitive work on public Wi-Fi.
✅ Anomaly Reporting Mechanism
If you find suspicious emails, abnormal system behavior or possible security threats, report them immediately to the IT unit or security staff.
Set up an emergency response plan (Incident Response Plan) to ensure a rapid response when a security incident occurs.
💡 Conclusion
Information security is everyone's responsibility, not just the IT department's job!