| Graduate student: | 李怡昌 Yi-Chang Lee |
|---|---|
| Thesis title: | 全功能網路銀行系統之安全目標-依照「共同準則」的方法 (Security Objectives of A Full Functional Internet Banking-According to The Common Criteria Methodology) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Oral examination committee: | |
| Degree: | Master |
| Department: | College of Management - Executive Master of Information Management |
| Graduation academic year: | 94 (ROC calendar) |
| Language: | Chinese |
| Pages: | 104 |
| Chinese keywords: | Common Criteria, security objectives, security environment, Internet banking, accounting process mechanism (共同準則、安全目標、安全環境、網路銀行、帳務處理機制) |
| Foreign keywords: | security objective, Common Criteria, security environments, accounting process, Internet banking |
| Access statistics: | Views: 4, Downloads: 0 |
Abstract (Chinese, translated)
A "Full Functional Internet Banking System" (abbreviated "FFIBS") means that a bank delivers every customer-facing service directly to its customers over the network. But how can a customer trust that the FFIBS is secure, especially when threats come from every direction in the Internet environment? Security is by nature an abstract property that is hard to measure concretely; in the information security domain, security is the result of many engineering efforts operating in continuous coordination across time and space, which makes it even harder to measure. Fortunately, an international standard for evaluating the security of information products and systems already exists, the "Common Criteria", whose purpose is to make information security something that can be expressed and evaluated concretely in a common language.
This thesis establishes the security objectives of the FFIBS following the Common Criteria methodology. Their main features are:
1. Providing customers with highly available, secure and uninterrupted service in the extremely hostile Internet environment. In particular, to maintain high availability, the resources the FFIBS needs to deliver service, including the communication architecture and capacity and the processing capacity of the servers, should all retain adequate flexibility and redundancy, and the needs for capacity expansion and adjustment, backup, disaster response and continuity of operation should be considered as a whole when the system is built.
2. Establishing a trustworthy accounting process mechanism. Starting from the separation-of-duties and mutual-check spirit of a traditional bank's internal control system, this thesis formulates related security objectives such as virtual roles and virtual transaction vouchers.
3. Supporting the technology with which customers establish a secure computing environment, or directly providing customers with a secure computing environment, on the consideration that the many threats on the Internet are still growing and ordinary customers are by no means able to cope with them securely on a continuing basis.
Finally, the thesis presents a cross-reference table of the FFIBS security environment and security objectives. This table satisfies the Common Criteria requirement that every security objective can be traced back to the aspect of the security environment it addresses, and it concretely presents the interrelation between security environment and security objectives. The security objectives established in this study can serve as a reference for general users in judging whether a bank's FFIBS is secure; a bank that intends to build an FFIBS complying with the Common Criteria can follow them to develop the subsequent security requirements documents; and the competent authorities can use them to assess whether a bank's security considerations for its FFIBS are thorough.
Abstract
The Full Functional Internet Banking System (FFIBS for short) provides all services to customers via the Internet, but how can it be trusted, especially in an Internet environment where threats come from every direction? Security is abstract by nature and hard to describe in concrete measures. In the information technology (IT for short) domain, security is the effect of sustained cooperative operations, and it is even more difficult to measure. The Common Criteria is an international criterion for evaluating the security of an IT product or system; its purpose is to make it possible to describe and evaluate IT security in a common language.
This thesis proposes security objectives for the FFIBS according to the Common Criteria methodology. The proposed security objectives have the following features:
1. To provide customers with smooth, secure and uninterrupted services in the Internet environment, especially keeping extremely high availability. The resources the FFIBS needs to provide service, such as data communication capacity and server processing capacity, should keep appropriate flexibility and redundancy. The requirements for extending and adjusting system capacity, backup, and disaster and contingency planning should be considered while the system is constructed.
2. To create a reliable accounting process, we propose security objectives of virtual roles and virtual transaction evidence, based on the traditional duty-segregation approach of internal control.
3. To continually educate customers, supporting customers in setting up a secure operating environment or directly providing them with one.
Finally, to comply with the Common Criteria requirement that each security objective must be traceable to the corresponding security environment, we present a cross-reference table of FFIBS security environments and security objectives. This table gives the relationships between security environment and security objectives. The security objectives created here can be used as a reference by general customers to determine whether a bank's FFIBS is secure; banks can use them to develop the security requirements for constructing an FFIBS that complies with the Common Criteria, and the authorities can use them to evaluate the soundness of an FFIBS.