JP4773298B2 - Information leakage prevention program and information processing apparatus - Google Patents

Description

The present invention relates to an information leakage prevention program and an information processing device that prevent leakage of confidential information, and in particular, an information leakage prevention program and information leakage that can prevent information leakage while suppressing the introduction cost without requiring a special device. The present invention relates to a prevention method and an information leakage prevention device.

  In recent years, information terminals excellent in portability and portability, such as small notebook computers and PDAs, have become widespread. Along with this, for example, companies have increased opportunities to carry confidential information such as personal information and confidential information using such information terminals when going out, and at the same time, confidential information leaked due to loss or theft of information terminals, etc. The situation to do is increasing.

  As a means for preventing such confidential information leakage, the computer is mounted on a computer, for example, the position of the computer is confirmed using GPS, and the distance between the reference position and the information terminal position is a predetermined distance. In the case of exceeding the limit, it is determined that the computer is stolen, and an apparatus for automatically deleting a preset file to be deleted has been devised (see, for example, Patent Document 1).

Japanese Patent Laid-Open No. 2003-280992

  However, in the above prior art, a device such as GPS for measuring position information, power for continuing to measure the position after the computer is shut down, and processing for deleting a file to be deleted There is a problem in that the installation cost is high because it is necessary to provide each computer with a special power supply for supplying power.

  In addition, if it is determined that the computer is stolen, the files to be deleted are automatically deleted. For example, if regular backup is not performed, important information cannot be recovered. There is also a problem that can be.

The present invention has been made in order to solve the above-described problems caused by the prior art, and provides an information leakage prevention program and an information processing apparatus that can suppress the introduction cost without requiring a special apparatus. Objective.

In order to solve the above-described problems and achieve the object, the present invention is an information leakage prevention program for preventing leakage of confidential information held in a computer, and confirms whether the computer is connected to a network. A connection confirmation procedure, and when it is confirmed by the connection confirmation procedure that the computer is not connected to the network, a disclosure corresponding to a secret key held in another computer connected to the computer via the network An information concealment procedure for encrypting the concealment information with a key is executed by the computer.

Also, the present invention is characterized in that, in the above invention, the secret key is divided into a plurality of pieces and distributed and held in the plurality of other computers connected to the network.

Further, in the present invention, in the above invention, when it is confirmed that the information concealment procedure is not connected to the network, the system date of the computer is compared with a first deadline, and the system date is If the first deadline has been exceeded, the computer is disabled, and if the system date has not exceeded the first deadline, a second deadline shorter than the first deadline. And the system date are compared, and if the system date exceeds the second time limit, the secret information is encrypted with the public key.

Further, the present invention is the above invention, wherein the computer further executes a take-out deadline acquisition procedure for obtaining a take-out deadline from the other computer while the computer is connected to the network, and the information concealment procedure includes: When it is confirmed that it is not connected to the network, the first period is calculated by adding a first period to the take-out deadline, and a second period shorter than the first period is taken out of the take-out deadline The second time limit is calculated by adding.

Further, according to the present invention, in the above invention, when it is confirmed that the information concealment procedure is not connected to the network, it is determined whether or not the take-out time limit has been acquired, and the information is not acquired. The computer is disabled after a predetermined time has elapsed. Further, according to the present invention, in the above invention, the information concealment procedure outputs a warning message to a display unit provided in the computer and outputs the warning message when the take-out time limit is not acquired. The computer is disabled after a predetermined time has elapsed. Further, the present invention is characterized in that, in the above-mentioned invention, the take-out time limit obtaining procedure transmits the list of confidential information to the other computer when the take-out time limit is acquired.

Further, the present invention provides the information concealment procedure according to the above invention, further causing the computer to execute a communication procedure for periodically communicating with the other computer while the computer is connected to the network. When it is confirmed that it is not connected to the network, it compares the latest communication time, which is the time when communication with the other computer was last performed by the communication procedure, with the system date. When the system date is before the latest communication time, the secret information is encrypted with the public key. Also, in the present invention according to the above-mentioned invention, the information concealment procedure destroys a startup file of a control system of the computer or controls the computer as a process for making the computer unusable. It is characterized by shutting down the system.

Further, the present invention provides an information processing apparatus for preventing leakage of confidential information held in its own device, comprising: a connection confirmation means for confirming whether the own apparatus is connected to a network; and the connection confirmation means. When it is confirmed that it is not connected to the network, the secret information is encrypted with a public key corresponding to a secret key held in another information processing apparatus connected to the own apparatus via the network. And an information concealment means for performing the operation.

Also, the present invention is characterized in that, in the above invention, the secret key is divided into a plurality of pieces and distributed and held in the plurality of other information processing apparatuses connected to the network.

Further, in the present invention, the information concealment unit compares the system date of its own device with the first time limit when it is confirmed that the information concealment unit is not connected to the network. If the first deadline has been exceeded, the device is disabled, and if the system date has not exceeded the first deadline, a second deadline shorter than the first deadline. And the system date are compared, and if the system date exceeds the second time limit, the secret information is encrypted with the public key.

In the above invention , the present invention further includes take-out time limit acquisition means for acquiring a take-out time limit from the other information processing apparatus while the own apparatus is connected to the network, and the information concealment means is connected to the network. When it is confirmed that the connection is not established, the first period is calculated by adding the first period to the take-out deadline, and the second period shorter than the first period is added to the take-out deadline. Thus, the second time limit is calculated. Further, according to the present invention, in the above invention, when it is confirmed that the information concealment unit is not connected to the network, the information concealment unit determines whether or not the take-out time limit has been acquired, and is not acquired. In this case, after a predetermined time elapses, the apparatus is made unusable. Also, in the present invention according to the above invention, the information concealment means outputs a warning message to a display unit provided in the device when the take-out time limit has not been acquired, and outputs the warning message. After a predetermined time elapses, the device is made unusable. Further, the present invention is characterized in that, in the above invention, the take-out time limit acquisition unit transmits the list of confidential information to the other information processing apparatus when the take-out time limit is acquired.

According to the present invention , whether or not the computer is connected to the network is confirmed, and when it is confirmed that the computer is not connected to the network, the first deadline is compared with the system date, and the system date is If the system deadline is exceeded, the computer is disabled, and if the system date does not exceed the first deadline, the system compares the second deadline shorter than the first deadline with the system date. However, when the system date has exceeded the second deadline, the computer user is warned, or the confidential information is encrypted, so that no special device such as GPS is required. In addition to being able to detect theft, if theft is detected, it is possible to make the confidential data unreadable by encryption or make the computer unusable. An effect that reliably confidential data can be prevented from leaking.

Further, according to the present invention , when it is confirmed that the system date is not connected to the network, the system date is compared with the first deadline including the first period in addition to the carry-out deadline, and the system date is the first deadline. If the system date does not exceed the first deadline, the take-out deadline includes a second period shorter than the first period. The second date and the system date are compared. If the system date exceeds the second date, the confidential information is encrypted. Therefore, the computer is not required to use a special device such as GPS. In addition to being able to detect theft, if theft is detected, it can be securely concealed by making it impossible to refer to confidential data by encryption or making the computer unbootable. An effect that it is possible to prevent over data leakage.

In addition, according to the present invention , when it is confirmed that the computer is not connected to the network, the first deadline is compared with the system date, and if the system date exceeds the first deadline, Shut down the control system, and if the system date does not exceed the first deadline, compare the system date with a second deadline that is shorter than the first deadline, and the system date has exceeded the second deadline In this case, since it is configured to warn the computer user, it is possible to detect theft of the computer without requiring a special device such as GPS, and when a theft is detected, a warning is given. Later, by shutting down the computer, it is possible to reliably prevent leakage of confidential data.

Further, according to the present invention , the first period and the second period are transmitted from the other computer by transmitting a take-out application to the other computer connected to the network based on an instruction from the user. The system date is over the first deadline by comparing the first deadline with the first period added to the carry-out deadline and the system date. In this case, the startup file of the control system is destroyed, and if the system date does not exceed the first deadline, the system date is compared with the second deadline that takes the second period into account for the take-out deadline, If the system date has exceeded the second deadline, it is configured to encrypt the confidential information, so users can remove the computer from their network before disconnecting it from the network. By making an application out, the second period and the first period is automatically paid out to the computer, an effect that it is possible to prevent the computer information leakage by an easy operating method.

Further, according to the present invention , the first deadline and the second deadline can be obtained from another computer by sending a take-out application to the other computer connected to the network based on an instruction from the user. If the system date is exceeded and the system date is exceeded, the computer control system is checked. If the system date does not exceed the first deadline, compare the acquired second deadline with the system date, and if the system date exceeds the second deadline, use the computer Since the system is configured to warn the user, the user must take out the application from his / her computer before disconnecting the computer from the network. Te, the first date and the second date is automatically set to the computer, an effect that it is possible to prevent the computer information leakage by an easy operating method.

Further, according to the present invention , a take-out extension period approved by another computer is obtained by transmitting a take-out extension request to another computer connected to the network based on an instruction from the user. When it is confirmed that the device is not connected to the network, the system date is compared with the system date and the first time limit that includes the first period in addition to the acquired extension time limit, and the system date exceeds the first time limit. In this case, if the control system startup file is destroyed and the system date does not exceed the first deadline, the second deadline with the second period added to the acquired carry-out extension deadline and the system date In comparison, when the system date has exceeded the second deadline, the confidential information is encrypted, so that, for example, an emergency occurs when the user goes out and the computer is held. Even if the period issue will extend, by extending the takeout deadline, an effect that it is possible to use the computer to continue.

Further, according to the present invention , a take-out extension period approved by another computer is obtained by transmitting a take-out extension request to another computer connected to the network based on an instruction from the user. When it is confirmed that it is not connected to the network, the system compares the first deadline with the acquired take-out extension deadline and the system date, and if the system date exceeds the first deadline, control When the system is shut down and the system date does not exceed the first deadline, the system date is compared with the second deadline taking into account the acquired extension extension date and the system date exceeds the second deadline. In such a case, a warning is given to the user, so that, for example, an emergency occurs when the user is away from home and the period for taking out the computer is extended. In case, there is an effect that by extending the takeout deadline, it is possible to use the computer to continue.

Further, according to the present invention , since the other computer is configured as a server device that manages the computers connected to the network, it becomes possible to centrally manage the setting information regarding each computer, and to manage the network. There is an effect that it can be easily performed.

Exemplary embodiments of an information leakage prevention program and an information processing apparatus according to the present invention will be explained below in detail with reference to the accompanying drawings. Note that the present invention is not limited to the embodiments.

First, the concept of the information leakage prevention apparatus according to the first embodiment will be described. FIG. 1 is an explanatory diagram for explaining the concept of the information leakage prevention apparatus according to the first embodiment. A network 10 shown in FIG. 1 shows an in-house LAN in a company, for example, and each of the computers 100 _{1 to} 100 ₃ connected to the network 10 is provided with the information leakage prevention apparatus according to the first embodiment. Yes.

This information leakage prevention device allows important data held in the computers 100 _{1 to} 100 ₃ to be transferred to a third party when the computers 100 _{1 to} 100 ₃ are stolen or taken away when the computers 100 _{1 to} 100 ₃ are lost. It is a device for preventing reference to the above. Therefore, the information leakage prevention apparatus periodically monitors whether or not the computer provided with the information leakage prevention apparatus is connected to the network 10.

A plurality of computers 100 _{1 to} 100 ₃ connected to the network 10 shown in FIG. 1 are grouped in advance by an administrator. The computers 100 _{1 to} 100 ₃ perform take-out applications and backup of confidential data to other computers belonging to the same group.

Taking out in such environments, for example, a computer 100 ₃ user, when disconnecting the computer 100 ₃ itself owned to bring when going out from the network 10 in advance from the computer 100 ₃ to the computer 100 ₁ and 100 ₂ The application is transmitted ((1) in FIG. 1). Then, the user of the computer 100 ₁ or 100 ₂ approves the received take-out application.

For example, it is assumed that the user of the computer 100 ₁ performs approval. Then, the information leakage prevention apparatus provided in the computer 100 ₁ transmits two periods (first processing time limit and second processing time limit) to the computer 100 ₃ ((2) in FIG. 1). A predetermined period is set for each of the two periods transmitted here, and a period longer than the first process deadline is set for the second process deadline. When receiving such two periods, the information leak-preventing device provided in the computer 100 _3, by adding to the filing date taking out each period, it determines the first deadline and a second deadline.

After thus taken out application was made, a provided security apparatus in a computer 100 ₃ confirms that the computer 100 ₃ is not connected to the network 10, the system date and first period of the computer 100 ₃ Date comparing, system date when exceeding the first deadline, it encrypts the confidential data stored in the computer 100 _3. Thereby, the secret data cannot be referred to.

Furthermore, the information leak-preventing device provided in the computer 100 ₃ compares the system date and the second date of the computer 100 ₃ time, if the system date of the computer 100 ₃ exceeds the second deadline, meaningless by overwriting a data, destroy computer 100 ₃ startup file (bOOT files). As a result, the computer 100 _3, after the shutdown, it is impossible start.

On the other hand, the information leak-preventing device provided in the computer 100 _3, while the computer 100 ₃ is connected to the network 10 sends periodically confidential data to belong computer 100 ₁ and 100 ₂ in the same group . Then, the information leakage prevention apparatus provided in the computers 100 ₁ and 100 ₂ backs up the received confidential data in a predetermined save area.

Thus, when the information leakage prevention apparatus, the computer 100 ₁ to 100 ₃ to confirm whether or not it is connected to the network, it was confirmed that the computer 100 ₁ to 100 ₃ is not connected to the network, the The two deadlines and the computer system date are compared. If the system date exceeds the second deadline, the system startup files of the computers 100 _{1 to} 100 ₃ are destroyed, and the system date is the second deadline. If it does not exceed a compares the system date of the first deadline and the computer 100 ₁ to 100 _3, system date If exceeds a first deadline, the computer 100 ₁ to 100 ₃ is held since encrypting confidential data, to detect the theft of the computer 100 ₁ to 100 ₃ without requiring special equipment such as a GPS It is possible, if it is detected theft, or impossible see confidential data by encryption, by disabling start the computer 100 ₁ to 100 _3, be prevented reliably confidential data leakage it can.

  The “first deadline date” in the first embodiment corresponds to the “second deadline” described in the claims, and the “second deadline date” corresponds to the “first deadline” described in the claims. ".

Next, the configuration of the information leakage prevention apparatus according to the first embodiment will be described. FIG. 2 is a functional block diagram illustrating the configuration of the information leakage prevention apparatus according to the first embodiment. As shown in the figure, the information leakage prevention apparatus 200 is mounted on the computer 100 and includes a management function control unit 210, a terminal function control unit 220, and a storage unit 230. The computer 100 shown here corresponds to the computers 100 _{1 to} 100 ₃ described above.

  An HDD (Hard Disk Drive) 130 provided in the computer 100 stores various programs executed by the computer 100 and various data necessary for executing the programs, and is particularly closely related to the present invention. As shown in the figure, confidential data 131 that is a target for leakage prevention and a startup file 132 that stores a program for calling an OS (Operating System) when the computer 100 is started up are stored. .

  The management function control unit 210 is a processing unit that controls the entire management function of the information leakage prevention apparatus 200, and includes a management side key management unit 211, a user management unit 212, a terminal management unit 213, and a management side synchronization process. Unit 214, take-out management unit 215, take-out extension management unit 216, management-side backup processing unit 217, and management-side recovery processing unit 218.

  Specifically, the management function control unit 210 is configured to transfer control between the function units or between the function units based on a request from another computer 100 connected to the network 10 or an instruction from the administrator. Such as data transfer.

  The management-side key management unit 211 is a processing unit that generates and holds a secret key and a public key for encrypting data exchanged in the network 10. Specifically, when the management-side key management unit 211 is instructed by the administrator to execute the management initial setting process, the management-side key management unit 211 uses an arbitrary master password input by the administrator at that time and the date and time at that time. Generate a master key. Then, a secret key A and a public key A are generated from the generated master key using a known encryption technique such as a public key cryptosystem.

  When receiving the terminal initial setting request data from the other computer 100 via the network 10, the management-side key management unit 211 holds the public key C included in the received terminal initial setting request data. A secret key B and a public key B are generated from a terminal ID included in the terminal initial setting request data using a known encryption technique such as a public key cryptosystem. Then, the management-side key management unit 211 generates a key pair B obtained by encrypting the generated secret key B and public key B with the secret key A, and transmits the terminal initial setting request data together with the public key A to the computer 100 is transmitted. The process procedure of the terminal initial setting process will be described later with reference to FIG.

  In the first embodiment, the management-side key management unit 211 holds the secret key A. For example, the secret key A is divided into the same number as the number of computers 100 connected to the network 10, and It may be divided and held. As a result, the data encrypted with the private key A cannot be decrypted unless all the computers registered in the network 10 are connected together, that is, all users who use the network 10 are all together. Unless you meet, you can't decrypt the data, so you can build stronger security.

  The user management unit 212 authenticates an administrator and a user, an administrator registration process for registering an administrator of the computer 100 connected to the network 10, a user registration process for registering a user of each computer 100, and the administrator. It is a processing unit that performs user authentication processing.

  Specifically, the user management unit 212 generates an administrator ID for identifying the administrator when the administrator instructs execution of the administrator registration process, and the generated administrator ID and the administrator The administrator name input from, and the authority ID assigned to the administrator are registered in the user management table 231 described later. Furthermore, the user management unit 212 generates a terminal ID from the hardware information (for example, MAC address) of the computer 100, the generated terminal ID, the terminal name input by the administrator, and the terminal manager (owned) The emergency contact address and e-mail address are registered in the terminal management table 233 described later.

  In addition, when the administrator instructs the execution of user registration processing, the user management unit 212 generates a user ID for each user input by the administrator at that time, and is input by the administrator. The user name and the authority ID assigned to each user are also registered in the user management table 231. Thereby, users of a plurality of computers 100 are grouped. The authority ID used here is defined in a user authority management table 232 described later.

  Based on the administrator information and the user information registered in the user management table 231 in this way, when the user management unit 212 receives a user authentication request from the administrator or the user, the authentication process for each is performed. I do. Specifically, the user management unit 212 confirms whether or not the combination of the user ID and password input at the time of user authentication request is registered in the user management table 231. A warning message prompting confirmation of the user ID and password is displayed on an output device such as a display provided in the computer 100.

  The terminal management unit 213 is a processing unit that performs terminal initial setting processing for managing attribute information of each terminal and a take-out situation. Specifically, when the terminal management unit 213 receives the terminal initial setting request data from the other computer 100 via the network 10, the terminal ID, the terminal name, the terminal name included in the received terminal initial setting request data are received. The administrator, emergency contact address, and e-mail address are registered in the terminal management table 233. By registering in the terminal management table 233, a plurality of computers 100 are grouped.

  Furthermore, the terminal management unit 213 generates a take-out management ID that is unique in a take-out management table 234 described later, and stores the generated take-out management ID, the above-described terminal ID, and the situation in the take-out management table 234. At this time, “unapplied” is set as the situation. The details of the terminal initial setting process will be described later in detail with reference to FIG.

  The management-side synchronization processing unit 214 is a processing unit that periodically synchronizes data in the management table, time information, and backup data with the computer 100 connected to the network 10.

  Specifically, the management-side synchronization processing unit 214 sends the terminal-side synchronization time and each management table data (a user management table 231 and a user authority management table 232 described later) from another computer 100 connected to the network 10. When the terminal management table 233, take-out management table 234, take-out application management table 235, take-out extension application management table 236, and secret area management table 237) are received, the data of the computer 100 stored in the terminal management table 233 is received. The received terminal-side synchronization time is set as the terminal-side synchronization time.

  Also, the management-side synchronization processing unit 214 compares each management table data described above with each management table held by itself together with the terminal-side synchronization time, and the time stamp of the management table held by itself is determined. If it is older than the time stamp of the received management table, the received management table data is overwritten on each management table data held by itself.

  Then, the management-side synchronization processing unit 214 transmits the synchronization result and the management-side synchronization time (system date) to the computer 100 that has transmitted the terminal-side synchronization time and each management table. In this synchronization result, “success” is set when the terminal management table 233 and each management table are successfully updated, and “failure” is set when the table update fails due to, for example, an access error. The process procedure of the terminal synchronization process will be described later with reference to FIG.

  The take-out management unit 215 is a processing unit that receives and approves a take-out application from each user. Specifically, when the take-out management unit 215 receives take-out application data from another computer 100 via the network 10, it is unique in the take-out application management table 235 after the authentication process by the user management unit 212. A take-out application ID is generated, and the generated take-out application ID, the applicant included in the received take-out application data, application date and time, application reason and take-out time limit, and approval status are registered in the take-out application management table 235. At this time, “unapproved” is set as the approval status.

  In addition, the take-out management unit 215 refers to the take-out management table 234, changes the status from “unapplied” to “applied” for the terminal ID data included in the received take-out application data, and sets the take-out deadline. Set.

  After the above processing, the takeout management unit 215 outputs a message for selecting whether to approve the takeout application to an output device such as a display provided in the computer 100. When approval information is input by an administrator or the like, the take-out management unit 215 generates a take-out approval ID that is unique in the take-out application management table 235, and uses the generated take-out approval ID as an approver, an approval date and time, It sets with respect to the data of the said terminal ID of the taking-out application management table 235 with approval status. At this time, the approval status is changed from “unapproved” to “approved”.

  The take-out management unit 215 sets a take-out approval ID for the data of the terminal ID in the take-out management table 234.

  Further, the take-out management unit 215 encrypts the first processing time limit and the second processing time limit that specify a predetermined period (for example, the number of hours or days) with the private key B held in the management-side key management unit 211. The information and take-out approval ID are transmitted to the computer 100 that has transmitted the take-out application data. The processing procedure of the take-out application process will be described later with reference to FIG.

  The first processing time limit set here is a value representing a time period such as “+ 24H (hours)”, for example, and is added to the take-out time limit or an extension time limit to be described later, thereby encrypting the confidential data. It is used to determine the deadline until conversion. Similarly, for the second processing deadline, a value representing a period such as “+ 48H (hour)” is set, and the computer 100 is started by being added to the take-out deadline or an extended deadline to be described later. Used to determine the deadline for destroying startup files required for A period longer than the first process deadline is set as the second process deadline.

  The take-out extension management unit 216 is a processing unit that receives and approves a take-out extension application from each user. Specifically, when the take-out extension management unit 216 receives take-out extension application data from, for example, a mobile phone via a WWW server in an intranet, the take-out extension is performed after the user authentication process by the user management unit 212. A unique take-out extension ID is generated in the application management table 236, and the generated take-out extension ID, take-out approval ID, extension application date / time, extension applicant, extension application reason, and extension deadline included in the received take-out extension application data (The take-out extension application information is input to the mobile phone by the user), and the approval status is registered in the take-out extension application management table 236. At this time, “unapproved” is set as the approval status.

  After the above processing, the take-out extension management unit 216 outputs a message for selecting whether to approve the take-out extension application to an output device such as a display provided in the computer 100. When the approval information is input by the administrator or the like, the take-out extension management unit 216 changes the approval status from “unapproved” to “approved” for the data of the take-out approval ID in the take-out extension application management table 236. And set the approver and approval date and time.

  Further, the take-out extension management unit 216 refers to the take-out management table 234 and sets the above-described extension deadline and take-out extension ID for the take-out approval ID data included in the received take-out extension application data.

  Further, the take-out extension management unit 216 transmits take-out extension approval data including the take-out approval ID, the take-out extension ID, and the extension deadline to the mobile phone or the like that has transmitted the take-out extension application data. The details of the take-out extension application process will be described later in detail with reference to FIG.

  The management-side backup processing unit 217 is a processing unit that performs backup processing that receives backup data transmitted from each computer 100 connected to the network 10 and stores it in a predetermined save location. Specifically, when the management-side backup processing unit 217 receives backup data obtained by encrypting confidential data from another computer 100 connected to the network 10, the management-side backup processing unit 217 decrypts the received backup data with the public key A. Above, it stores in a predetermined save area.

  Here, when the management-side backup processing unit 217 backs up the confidential data received from another computer 100, the system date exceeds the first expiration date due to carelessness or the like, and the confidential data is encrypted. Even when the startup file is destroyed when the system date exceeds the second deadline date and the operating system needs to be reinstalled, the computer 100 can obtain resources for restoring the confidential data.

  Further, the management-side backup processing unit 217 generates a secret area ID that is unique in the secret area management table 237, and stores the generated secret area ID, the received terminal ID (set to the evacuated terminal ID), and the secret data. Location (set to save terminal path), own terminal ID (set to save destination terminal ID), save area location (set to save destination terminal path), own system date (set to latest synchronization time) Are registered in the secret area management table 237.

  Further, the management-side backup processing unit 217 transmits the backup result (success or failure) and the secret area ID to the computer 100 that transmitted the backup data. Note that the processing procedure of such backup processing will be described later with reference to FIG. 13 as part of the terminal synchronization processing.

  The management-side recovery processing unit 218 is a processing unit that transmits backup data to each computer 100 connected to the network 10. Specifically, when the management-side recovery processing unit 218 receives recovery request data from another computer 100 connected to the network 10, first, the management-side recovery processing unit 218 refers to the secret area management table 237 and receives the received recovery request data. The backup data save location (save destination terminal path) corresponding to the secret area ID included in the ID is acquired. Then, the backup data stored in the acquired save location is encrypted with the public key C and transmitted to the computer 100 that transmitted the recovery request data.

  Here, the management-side recovery processing unit 218 transmits the backup data stored in a predetermined save area to the computer 100, so that the secret date is inadvertently encrypted with the system date exceeding the first deadline date and time. Even when the system date exceeds the second deadline date and the startup file is destroyed and the operating system needs to be reinstalled, the secret data can be restored to the computer 100.

  The terminal function control unit 220 is a processing unit that controls the entire terminal function of the information leakage prevention apparatus 200, and includes a terminal side key management unit 221, a terminal side synchronization processing unit 222, a take-out application unit 223, and a take-out extension application unit. 224, a terminal side backup processing unit 225, a terminal side recovery processing unit 226, and an information concealment processing unit 227.

  The terminal function control unit 220 transfers control between the function units and transfers data between the function units based on a request from another computer 100 connected to the network 10 or an instruction from a user. Etc.

  The terminal-side key management unit 221 generates a secret key C and a public key C held for each computer 100 and transmits terminal information of the computer 100 to another computer 100 registered in the terminal management table 233. Part. Specifically, when the terminal-side key management unit 221 is instructed by the user to execute the terminal initial setting process, the terminal-side key management unit 221 generates a terminal ID from hardware information (for example, a MAC address) of the computer 100, and A secret key C and a public key C are generated from the generated terminal ID using a known encryption technique such as a public key cryptosystem.

  Then, after performing user authentication of the user, the terminal-side key management unit 221 includes other initial registration request data including the generated public key C and terminal ID registered in the terminal management table 233. It transmits to the computer 100.

  Thereafter, when receiving the public key A and the key pair B, the terminal-side key management unit 221 extracts the public key B by decrypting the received key pair B with the public key A, and holds the public key A and the public key B. The process procedure of the terminal initial setting process will be described later with reference to FIG.

  The terminal-side synchronization processing unit 222 is a processing unit that synchronizes time information and data in the management table with other computers 100 belonging to the same group. Specifically, the terminal-side synchronization processing unit 222 starts to operate periodically, and first generates a synchronization management ID that is unique in a synchronization management table 238 to be described later. The system date (set to the latest synchronization time) of the computer 100 provided is registered in the synchronization management table 238.

  Then, the terminal-side synchronization processing unit 222 extracts the management table data that has been updated since the previous synchronization, and manages each of the management table data together with the terminal-side synchronization time (system date of the computer 100). The data is transmitted to all other computers 100 registered in the table 233.

  When the terminal-side synchronization processing unit 222 receives the synchronization result and the management-side synchronization time from the other computer 100, the terminal-side synchronization processing unit 222 adds the synchronization result of the data of the synchronization management ID stored in the synchronization management table 238 to the synchronization result. If all received synchronization results are “success”, set “success”, if there is any “failure”, set “failure”. The latest management side synchronization time is set to the management mechanism side synchronization time.

  Here, the terminal side synchronization processing unit 222 synchronizes the data in the management table with other computers 100 belonging to the same group, so that the setting information is shared between the computers 100 connected to the network 10 and important. Risk due to concentration of data in one place can be avoided.

  After performing the above processing, the terminal-side synchronization processing unit 222 instructs the terminal-side backup processing unit, and subsequently performs backup processing. The processing procedure of the setting information synchronization processing will be described later with reference to FIG. 13 as part of the terminal synchronization processing.

  The take-out application unit 223 is a processing unit that makes a take-out application for the computer 100. Specifically, when the take-out application unit 223 is instructed by the user of the computer 100 to execute the take-out application process, the user and the application input by the user after the user authentication of the user is performed. The take-out application data including the date and time, reason for application, and take-out time limit is transmitted to all other computers 100 registered in the terminal management table 233.

  When the deadline information and the carry-out approval ID are received from the computer 100 that has approved the taken-out take-out application data, the take-out application unit 223 discloses the deadline information held in the terminal-side key management unit 221. By decrypting with the key B, the first processing time limit and the second processing time limit are taken out.

  Then, the take-out application unit 223 generates a take-out deadline ID that is unique in the take-out deadline table 239 described later, and the received take-out deadline ID, the received take-out approval ID, and the take-out deadline input by the user are received. The first processing time limit and the second processing time limit extracted from the time limit information are registered in the take-out time limit table 239. The processing procedure of the take-out application process will be described later with reference to FIG.

  The take-out extension application unit 224 is a processing unit that extends the take-out time limit based on the approval result when the take-out extension of the computer 100 is approved. Specifically, when the take-out extension application unit 224 receives take-out extension approval data acquired by a user using, for example, a mobile phone, the taken-out extension approval data is held in the terminal-side key management unit 221. The public key A is combined, and the take-out approval ID, take-out extension ID, and extension deadline included in the take-out extension approval data are extracted.

  Then, the take-out extension application unit 224 refers to the take-out time limit table 239 and, for the data corresponding to the take-out approval ID extracted from the take-out extension approval data, similarly applies the take-out approval ID and the extension time limit extracted from the take-out extension approval data. Set. The processing procedure of the take-out extension application process will be described later with reference to FIG.

  The terminal-side backup processing unit 225 is a processing unit that backs up the confidential data of the computer 100 provided therein to the computers 100 belonging to the same group. Specifically, the terminal-side backup processing unit 225 starts the operation in response to an instruction from the terminal-side synchronization processing unit 222, first refers to the synchronization management table 238, and stores the last data whose save status is “success” The latest synchronization time is acquired, and the acquired latest synchronization time is compared with the time stamp of the confidential data.

  Here, when the time stamp of the secret data is after the latest synchronization time, it is determined that the secret data has been changed since the previous backup, and the terminal side backup processing unit 225 determines the terminal side key management. It is confirmed whether or not the public key A is held in the unit 221. If the public key A is held, the secret data is encrypted with the public key A as backup data, and the backup data and the terminal ID And the storage location of the confidential data are transmitted to all the other computers 100 registered in the terminal management table 233.

  Here, when the terminal-side backup processing unit 225 periodically backs up the secret data to the computers 100 belonging to the same group, the secret date is inadvertently encrypted with the system date exceeding the first deadline date and time. Even if the system date exceeds the second deadline date and the startup file is destroyed and the operating system needs to be reinstalled, the computer 100 can obtain resources for recovering the confidential data.

  Thereafter, upon receiving the backup result and the secret area ID that are returned from the other computer 100 for the transmitted backup data, the terminal-side backup processing unit 225 receives the synchronization management ID stored in the synchronization management table 238. The received secret area ID is set as the secret area ID of the data, and if the received save processing result is “success” in the save status of the data, “success” is displayed. If it is “failure”, set “failure”.

  On the other hand, when the public key A is not held in the terminal-side key management unit 221, the terminal-side backup processing unit 225 warns the output device such as a display provided in the computer 100 to perform the terminal initial setting process. After displaying the message, wait for a predetermined time. If the public key A cannot be obtained even after a predetermined time, the terminal-side backup processing unit 225 determines that the computer 100 is stolen, and the startup file stored in the HDD 130 contains nothing. Overwrite meaningful data. As a result, the startup file necessary for starting up the computer 100 is destroyed, and the computer 100 does not start up after the shutdown. Note that the processing procedure of such backup processing will be described later with reference to FIG. 13 as part of the terminal synchronization processing.

  Here, when the public key A cannot be obtained despite the warning message being displayed, the terminal-side backup processing unit 225 determines that the computer 100 is stolen and destroys the startup file. Even when the computer 100 is intentionally taken out, leakage of confidential data can be prevented.

  The terminal-side recovery processing unit 226 is a processing unit that acquires backup data from another computer 100 belonging to the same group and recovers confidential data of the computer 100 provided with the terminal-side recovery processing unit 226. Specifically, the terminal-side recovery processing unit 226 conceals the computer 100 designated by the user when the user instructs the execution of the recovery process with the computer 100 connected to the network 10. Recovery request data including the area ID is transmitted.

  When the backup data transmitted from the other computer 100 is received according to the transmitted recovery request data, the terminal side recovery processing unit 226 stores the received backup data in the secret stored in the terminal side key management unit 221. While decrypting with the key C, the storage area of the secret data is overwritten.

  Here, the terminal-side recovery processing unit 226 obtains backup data from another computer 100 belonging to the same group, and recovers the confidential data of the computer 100 provided with the terminal-side recovery processing unit 226, so that the system date is inadvertently set to the first date. Even if the secret data is encrypted beyond the deadline date or when the system date exceeds the second deadline date and the startup file is destroyed and the operating system needs to be reinstalled, the computer 100 keeps it secret. Data can be recovered.

  The information concealment processing unit 227 is a processing unit that performs information concealment processing for concealing the concealment data of the computer 100 based on two processing deadlines acquired in a take-out application process described later. Specifically, the information concealment processing unit 227 periodically monitors whether or not the computer 100 is connected to the network 10 to which the computer 100 belongs, and confirms that the computer 100 is not connected first. The date is acquired, and the acquired system date is compared with the latest synchronization time of the final data stored in the synchronization management table 238. If the system date is before the latest synchronization time, the information concealment processing unit 227 encrypts the concealed data with the public key A.

  Here, the information concealment processing unit 227 compares the system date of the computer 100 with the latest synchronization time, and if the system date is earlier than the latest synchronization time, by encrypting the confidential data of the computer 100, Even when the system date of the computer 100 is artificially returned, leakage of confidential data can be prevented.

On the other hand, when the system date is after the latest synchronization time, the information concealment processing unit 227 refers to the take-out time limit table 239 and takes out the take-out time limit information (take-out time limit, extension time limit, first process time limit, second process time limit, etc. ) Is registered.

  If the carry-out time limit information is not registered, the information concealment processing unit 227 determines that the computer 100 is disconnected from the network without carrying out the take-out application process, and displays a warning message for prompting the implementation of the take-out application process. After outputting to an output device such as a display provided in 100, the apparatus waits for a predetermined time.

  During this time, the information concealment processing unit 227 repeatedly checks the take-out time limit information, but determines that the computer 100 is stolen if it cannot be confirmed that the take-out time limit information is registered even after a predetermined time. Then, the startup file stored in the HDD 130 is overwritten with meaningless data. As a result, the startup file required at startup is destroyed, and the computer 100 cannot be started up after being shut down.

  On the other hand, when the carry-out deadline information is registered in the take-out deadline table 239, the information concealment processing unit 227 sets the extended deadline when the extended deadline is set, and sets the carry-out deadline when the extended deadline is not registered. The first deadline date and the second deadline date are calculated by adding the first deadline and the second deadline.

  Here, the information concealment processing unit 227 sets the first deadline date and the second deadline date by adding the first processing deadline and the second processing deadline period to the takeout deadline, respectively. Information concealment processing can be performed based on the take-out deadline.

  In addition, when the extension deadline is set, the information concealment processing unit 227 calculates the first deadline date and the second deadline date by adding the periods of the first processing deadline and the second processing deadline to the extended deadline, respectively. Thus, the information concealment process can be performed on the basis of the take-out extension deadline set by the take-out extension application process.

  Then, the information concealment processing unit 227 compares the second deadline date and time with the system date, and if the system date is after the second deadline date and time, it overwrites meaningless data in the startup file stored in the HDD 130. To do. When the system date is after the first deadline date and time, the information concealment processing unit 227 encrypts the concealed data with the public key A. Note that the processing procedure of the information concealment processing will be described later with reference to FIG.

  Here, if the system date of the computer 100 exceeds the first deadline date and time, the information concealment processing unit 227 encrypts the confidential data held by the computer 100, and the system date of the computer 100 is the second date. When the expiration date has been exceeded, the startup file of the computer 100 is destroyed, so that the theft of the computer 100 can be detected without requiring a special device such as GPS, and the theft is detected. By making the confidential data inaccessible by encryption or making the computer incapable of starting up, it is possible to reliably prevent leakage of the confidential data.

  The storage unit 230 is a storage unit that stores data necessary for various processes performed by the management function control unit 210 and the terminal function control unit 220. The user management table 231, the user authority management table 232, the terminal management table 233, A take-out management table 234, a take-out application management table 235, a take-out extension application management table 236, a secret area management table 237, a synchronization management table 238, and a take-out time limit table 239 are stored.

  3 to 11 show an example of each table. 3 is a diagram illustrating an example of the user management table 231, FIG. 4 is a diagram illustrating an example of the user authority management table 232, and FIG. 5 is a diagram illustrating an example of the terminal management table 233. 6 is a diagram showing an example of the take-out management table 234, FIG. 7 is a diagram showing an example of the take-out application management table 235, and FIG. 8 is a diagram showing an example of the take-out extension application management table 236. 9 is a diagram illustrating an example of the secret area management table 237, FIG. 10 is a diagram illustrating an example of the synchronization management table 238, and FIG. 11 is a diagram illustrating an example of the take-out time limit table 239.

  The user management table 231 is a table that stores attribute information of users who use the computer 100. Specifically, as shown in FIG. 3, this user management table 231 is assigned to each user with a “user ID” that uniquely identifies the user, a “user name” that represents each user, and the like. “Authority ID” indicating authority is stored in association with each user ID. The authority ID here is an identifier indicating the authority determined by the rating of the user and the business scope, and is defined by a user authority management table 232 described later.

  The user authority management table 232 is a table that stores authorities assigned to users who use the computer 100. Specifically, as shown in FIG. 4, the user authority management table 232 associates “authority ID” for identifying each authority and “authority level” indicating the contents of each authority for each authority ID. And remember. For example, “administrator” and “user” are defined in this authority level. In the user management table 231, by assigning an authority ID for each user, each process can be performed so that only a user whose authority level is “administrator” can perform the user registration process. It is possible to limit the users who can perform each process.

  The terminal management table 233 is a table that stores attributes of each computer 100. Specifically, as shown in FIG. 5, the terminal management table 233 includes a “terminal ID” that uniquely identifies each computer 100, a “terminal name” that represents each computer 100, and an owner of each computer 100. “Administrator” indicating the phone number, “Emergency contact” indicating the telephone number of each administrator (the owner of the computer 100), “Mail address” serving as the contact information for each administrator, and setting information are finally synchronized. The “latest synchronization time” indicating the time of the other computer 100 at the time of the setting and the “terminal-side synchronization time” indicating the time of each computer when the setting information was last synchronized are stored.

  The take-out management table 234 is a table for managing the take-out status of each computer 100. Specifically, as shown in FIG. 6, the take-out management table 234 includes a “take-out management ID”, a “terminal ID”, a “take-out status”, and a “take-out time limit” for identifying the take-out status for each computer 100. ”,“ Take-out approval ID ”given when the take-out application is approved,“ extension deadline ”for take-out extension, and“ take-out extension ID ”given when the take-out extension application is approved, Each take-out management ID is stored in association with each other. Here, for example, “0” is set for “unapplied” and “1” is set for “applied”, for example.

  The take-out application management table 235 is a table for managing the take-out application of each computer 100. Specifically, as shown in FIG. 7, this take-out application management table 235 includes a “take-out application ID” given when a take-out application is made, an “applicant” of the take-out application, and “application date and time”. ”,“ Reason for application ”,“ Deadline for taking out ”,“ Approval status ”of the takeout application,“ Approver ”who approved the takeout application,“ Approval date ”, and“ Approval for takeout ” Each application ID is stored in association with each other. Here, for example, “0” is set in the case of “unapproved”, and “1” is set in the case of “approved”.

  The take-out extension application management table 236 is a table for managing the take-out extension application of each computer 100. Specifically, as shown in FIG. 8, the take-out extension application management table 236 includes a “take-out extension ID”, a “take-out approval ID”, and a take-out extension application that are given when a take-out extension application is made. "Applicant", "Application date", "Reason for application", "Extension due date" after extension, "Approval status", "Approver" who approved the take-out extension application, and "Approval date" Are stored in association with each take-out extension ID. Here, for example, “0” is set in the case of “unapproved”, and “1” is set in the case of “approved”.

  The secret area management table 237 is a table that stores setting information related to secret data of each computer 100. Specifically, as shown in FIG. 9, the secret area management table 237 includes a “secret area ID” that identifies secret data for each computer 100 and a “evacuated terminal” that indicates the computer 100 from which backup data is transmitted. ID ”,“ evacuated terminal path ”indicating the storage location of the confidential data,“ evacuation destination terminal ID ”indicating the backup data destination computer 100, and“ evacuation ”indicating the storage location of the backup data in the backup destination computer 100 The “destination terminal path” and the “latest synchronization time” indicating the time of the last backup process are stored in association with each secret area ID.

  The synchronization management table 238 is a table that stores the execution result of the terminal synchronization processing of the computer 100. Specifically, this synchronization management table 238 is held for each computer 100 and, as shown in FIG. 10, “synchronization management ID” given when synchronization is performed, and “ “Synchronization status”, “latest synchronization time” indicating the system date (including time) of the computer 100 when the synchronization processing is performed, and system dates (time of other computers 100 acquired when the synchronization processing is performed) “Management mechanism side synchronization time” indicating “included”, “evacuation status” indicating the processing result of the backup process, and “secret area ID” are stored in association with each synchronization management ID. Here, for example, “0” is set in the case of “failure”, and “1” is set in the case of “success”.

  The take-out time limit table 239 is a table that stores information related to the take-out time limit of the computer 100. Specifically, as shown in FIG. 11, the take-out time limit table 239 includes a “take-out time limit ID”, a “take-out approval ID”, a “take-out time limit”, which are given when a take-out application is made. The “carry out extension ID”, “extension deadline”, “first processing deadline”, and “second processing deadline” that are given when an extension application is made are stored in association with each takeout deadline ID. . In the first processing deadline and the second processing deadline set here, for example, values representing periods such as “+ 24H (hours)” and “+ 48H (hours)” are set. A period longer than the processing deadline is set.

  Next, a processing procedure of main processes performed by the information leakage prevention apparatus according to the first embodiment will be described with reference to FIGS.

  First, the processing procedure of information concealment processing will be described. FIG. 12 is a flowchart of the information concealment process according to the first embodiment. As shown in the figure, in this information concealment process, the terminal function control unit 220 periodically monitors whether or not the computer 100 is connected to the network (network to which the computer 100 should originally be connected) 10. When it is confirmed that the computer 100 is not connected to the network (step S101, No), after the information concealment processing unit 227 acquires the system date (current date) (step S102), The latest synchronization time of the final data stored in the synchronization management table 238 is compared (step S103).

  Here, when the system date is before the latest synchronization time (step S103, No), the information confidentiality processing unit 227 encrypts the confidential data with the public key A (step S104).

  On the other hand, when the system date is after the latest synchronization time (step S103, Yes), the information concealment processing unit 227 refers to the take-out time limit table 239 and confirms whether the take-out time limit information is registered.

  Here, when the carry-out deadline information is not registered in the carry-out deadline table 239 (step S105, No), the information concealment processing unit 227 displays a warning message prompting the implementation of the carry-out application process on the computer 100 or the like. After outputting to the output device, the apparatus waits for a predetermined time (step S106). If it is not possible to confirm that the carry-out time limit information has been registered even after a predetermined time has passed (step S107, No), the activation file stored in the HDD 130 is destroyed (step S108).

  On the other hand, when the carry-out deadline information is registered in the carry-out deadline table 239 (step S105, Yes), the information concealment processing unit 227 calculates the first deadline date and the second deadline date and time, The system date is compared, and if the system date is after the second deadline date (step S109, No), the startup file stored in the HDD 130 is destroyed (step S108). If the system date is after the first deadline date (step S110, No), the secret data is encrypted with the public key A (step S104).

  Here, when the system date is before the second deadline date (step S109, Yes) or when the system date is before the first deadline date (step S110, Yes), the information concealment processing unit In step S227, the information concealment process ends.

  As described above, the information concealment processing unit 227 calculates the first deadline date and the second deadline date based on the carryout deadline information stored in the carryout deadline table 239, and the system date is after the second deadline date and time. If the system date is after the first deadline date and time, the confidential data is encrypted, and theft can be detected by the deadline set based on the take-out deadline. It is possible to detect theft of the computer 100 without the need for a special device.

  Subsequently, a processing procedure of terminal synchronization processing (setting information synchronization processing and backup processing) will be described. FIG. 13 is a flowchart of the process procedure of the terminal synchronization process according to the first embodiment. As shown in the figure, in this terminal synchronization processing, the terminal-side synchronization processing unit 222 of the computer 100 starts to operate periodically, and first generates and generates a unique synchronization management ID in the synchronization management table 238. The synchronization management ID and the system date of the computer 100 (set to the latest synchronization time) are registered in the synchronization management table 238 (step S201).

  Then, the terminal side synchronization processing unit 222 extracts management table data that has been updated since the previous synchronization (step S202), and stores the management table data in the terminal management table 233 together with the terminal side synchronization time. It transmits to all the other registered computers 100 (step S203).

  The other computer 100 that has received the terminal side synchronization time and each management table data is the terminal side that the management side synchronization processing unit 214 has received at the terminal side synchronization time of the data of the computer 100 stored in the terminal management table 233. A synchronization time is set, and each management table data of itself is updated based on each received management table (step S204).

  Then, the management-side synchronization processing unit 214 transmits the synchronization result and the management-side synchronization time (system date) to the computer 100 that has transmitted the terminal-side synchronization time and each management table (step S205).

  The computer 100 that has received the synchronization result and the management-side synchronization time confirms the synchronization result, and if successful (step S206, Yes), the terminal-side synchronization processing unit 222 enters the synchronization management table 238. The synchronization result of the data of the stored synchronization management ID and the management mechanism side synchronization time are updated (step S207).

  Subsequently, in the computer 100, the terminal-side backup processing unit 225 compares the latest synchronization time in the synchronization management table 238 with the last update time of the confidential data. If the time stamp of the secret data is after the latest synchronization time, it is determined that the secret data has been changed since the previous backup (step S208, Yes), and the public key is sent to the terminal-side key management unit 221. Check whether A is held.

  Here, if the public key A is not held in the terminal-side key management unit 221 (No in step S209), the terminal-side backup processing unit 225 sets the terminal initial setting in an output device such as a display provided in the computer 100. After displaying a warning message prompting the execution of the process (step S210), the process waits for a predetermined time. If the public key A cannot be acquired even after a predetermined time (step S211, No), the terminal-side backup processing unit 225 destroys the startup file stored in the HDD 130.

  On the other hand, when the public key A is held (step S209, Yes), the secret data is encrypted with the public key A (step S213), and this is used as backup data and another computer 100 belonging to the same group. (Step S214).

  In the other computer 100 that has received the backup data, the management-side backup processing unit 217 decrypts the received backup data with the public key A and stores it in a predetermined save area (step S215).

  Further, the management-side backup processing unit 217 stores the secret area ID, the storage location of the received terminal ID and secret data, its own terminal ID, the location of the save area, and its own system date. It registers in 237 (step S216).

  Further, the management-side backup processing unit 217 registers the received backup information and the like in the secret area management table 237, and then stores the backup data save processing result (success or failure) to the computer 100 that transmitted the backup data. The secret area ID is transmitted (step S217).

  When the backup processing unit 225 receives the backup data backup processing result, the terminal-side backup processing unit 225 sets the saving status in the synchronization management table 238 when the received backup processing result is “success” (Yes in step S218). “Success” is set (step S219), and if the received save processing result is “failure” (step S218, No), “failure” is set as the save status in the synchronization management table 238 (step S220). .

  As described above, the management-side synchronization processing unit 214 of the other computer 100 belonging to the same group and the terminal-side synchronization processing unit 222 of the computer 100 perform management table data, time information, and backup data between the computers. Further, the terminal side backup processing unit 225 of the computer 100 transmits backup data obtained by encrypting the confidential data to the other computer 100, and the management side backup processing unit 217 of the other computer 100 The received backup data is stored in a predetermined save location. By performing this series of processing periodically, the risk of theft and data loss can be distributed.

  Subsequently, a processing procedure of the terminal initial setting process will be described. FIG. 14 is a flowchart of the process procedure of the terminal initial setting process according to the first embodiment. As shown in the figure, in this terminal initial setting process, when a user instructs the execution of the terminal initial setting process, the computer 100 causes the terminal-side key management unit 221 to execute hardware information (for example, the computer 100). (MAC address, etc.) is acquired (step S301), a terminal ID is generated from the acquired hardware information, and a secret key C and a public key C are generated from the generated terminal ID (step S302). Further, based on an instruction from the user, the computer 100 stores the confidential data in a predetermined storage location (step S303).

  Then, the terminal-side key management unit 221 transmits the user ID and password input by the user to other computers 100 belonging to the same group as a user authentication request (steps S304 and S305).

  In the other computer 100 that has received the user authentication request, the user management unit 212 refers to the user management table 231 and confirms whether or not the received combination of user ID and password is registered (step S306). The authentication result is transmitted to the computer 100 that has transmitted the user authentication request (step S307).

  When the authentication result is an error (No in step S308), the computer 100 that has received the authentication result causes the terminal-side key management unit 221 to check the user ID and password on an output device such as a display device, for example. A warning message for prompting is output (step S309).

  On the other hand, when the authentication result is not an error (step S308, Yes), the terminal-side key management unit 221 sends terminal initial setting request data including the generated public key C and terminal ID to the other computer 100. Transmit (step S310).

  In the other computer 100 that has received the terminal initial setting request data, the terminal management unit 213 stores the received terminal ID and the like in the terminal management table 233 and the take-out management table 234 (step S311). Further, after the management-side key management unit 211 generates the secret key B and the public key B from the received terminal ID (step S312), the generated secret key B and the public key B are encrypted with the secret key A. A key pair B is generated (step S313), and the key pair B is transmitted together with the public key A to the computer 100 that has transmitted the terminal initial setting request data (step S314).

  Subsequently, the processing procedure of the take-out application process will be described. FIG. 15 is a flowchart illustrating the processing procedure of the take-out application process according to the first embodiment. As shown in the figure, in this take-out application process, when the computer 100 is instructed by the user of the computer 100 to execute the take-out application process, the take-out application unit 223 takes out the take-out application information input from the user. (Step S401), the user ID and password input by the user are transmitted to another computer 100 as a user authentication request (step S402, step S403).

  In the other computer 100 that has received the user authentication request, the user management unit 212 refers to the user management table 231 to check whether or not the received combination of user ID and password is registered (step S404). The authentication result is transmitted to the computer 100 that has transmitted the user authentication request (step S405).

  When the authentication result is an error (No in step S406), the computer 100 that has received the authentication result warns the take-out application unit 223 to confirm the user ID and password to an output device such as a display device, for example. A message is output (step S407).

  On the other hand, if the authentication result is not an error (step S406, Yes), the terminal side key management unit 221 transmits take-out application data including the terminal ID to the other computer 100 (step S408).

  In the other computer 100 that has received the take-out application data, the take-out management unit 215 generates a unique take-out application ID in the take-out application management table 235, and the generated take-out application ID and the take-out application data included in the received take-out application data The application information is stored in the take-out application management table 235 and the take-out management table 234 (step S409).

  Then, the takeout management unit 215 outputs a message for selecting whether to approve the takeout application to an output device such as a display (step S410). If the administrator approves the take-out application in response to this message (step S411, Yes), the take-out management unit 215 stores the input approval information in the take-out application management table 235 and the take-out management table 234. Store (step S415).

  Further, the take-out management unit 215 has time limit information obtained by encrypting the first process time limit and the second process time limit specifying a predetermined period with the secret key B, and take-out approval data obtained by encrypting the approval information with the secret key A, Is transmitted to the computer 100 that has transmitted the take-out application data (step S416).

  When the take-out application is denied by the administrator or the like (No at Step S411), the take-out management unit 215 transmits an approval error to the computer 100 that has transmitted the take-out application data (Step S412).

  On the other hand, when the computer 100 receives the time limit information and take-out approval data (step S413, Yes), the take-out application unit 223 receives the first process time limit and the second process time limit from the received time limit information. The take-out approval ID is extracted from the data, and the extracted information is stored in the take-out time limit table 239 (step S417).

  When the computer 100 receives an approval error (No in step S413), the take-out application unit 223 outputs a message indicating that the take-out application has not been approved to an output device such as a display device (step S413). S414).

  In this way, the terminal-side key management unit 221 of the computer 100 transmits take-out application data to all other computers 100 belonging to the same group, and the take-out management unit 215 of the other computer 100 responds accordingly. The first processing deadline and the second processing deadline are transmitted to the computer 100, and the take-out application unit 223 of the computer 100 stores the received first processing deadline and second processing deadline in the take-out deadline table 239. Thus, when the user makes an application for taking out the computer 100 from the computer 100 before disconnecting the computer 100 from the network 10, the first deadline and the second deadline are automatically paid to the computer. There is an effect that information leakage of the computer can be prevented.

  Next, a processing procedure for taking out extension application processing will be described. FIG. 16 is a flowchart illustrating the processing procedure of the take-out extension application process according to the first embodiment. As shown in the figure, in this take-out extension application process, for example, when a user performs a take-out extension application process using a mobile phone, after the mobile phone acquires the extension application information input by the user ( In step S501), the user ID and password input by the user are transmitted as a user authentication request to another computer 100 belonging to the same group (step S502, step S503).

  In the other computer 100 that has received the user authentication request, the user management unit 212 refers to the user management table 231 and confirms whether or not the received combination of user ID and password is registered (step S504). The authentication result is transmitted to the computer 100 that transmitted the user authentication request (step S505).

  If the authentication result is an error (No in step S506), the mobile phone that has received the authentication result outputs a warning message for prompting confirmation of the user ID and password to an output device such as a display device (step S506). S507).

  On the other hand, if the authentication result is not an error (step S506, Yes), the mobile phone is taken out including the take-out approval ID, extension application date / time, extension applicant, reason for extension application, and extension deadline input by the user. The extension application data is transmitted to the other computer 100 (step S508).

  In the other computer 100 that has received the take-out extension application data, the take-out extension management unit 216 stores the take-out application information included in the received take-out extension application data in the take-out extension application management table 236 and the take-out management table 234 (step S509).

  Then, the take-out extension management unit 216 outputs a message for selecting whether to approve the take-out extension application to an output device such as a display provided in another computer 100 (step S510). If the administrator approves the take-out extension application in response to this message (step S511, Yes), the take-out extension management unit 216 takes the input approval information into the take-out extension application management table 236 and the take-out management. The data is stored in the table 234 (step S515).

  Further, the take-out extension management unit 216 transmits take-out extension approval data including the take-out approval ID, the take-out extension ID, and the extension deadline to the mobile phone that has transmitted the take-out extension application data (step S516).

  Here, when the take-out extension application is denied by the administrator or the like (No in step S511), the take-out extension management unit 216 transmits an approval error to the computer 100 that has transmitted the take-out extension application data (step S511). S512).

  On the other hand, if the mobile phone has received take-out extension approval data (step S513, Yes), the user can use the received take-out extension approval data by using, for example, a wireless communication device or a connection cable provided in the mobile phone. Is transmitted to the computer 100 owned by (step S517). Thereafter, in the computer 100 that has received the take-out extension approval data, the take-out extension application unit 224 registers the take-out extension ID and the extension time limit included in the received take-out extension approval data in the take-out time limit table 239.

  When the mobile phone receives an approval error (No at Step S513), the mobile phone outputs a message indicating that the take-out extension application has not been approved, for example, to an output device such as a display device (Step S514).

  In this way, a take-out extension application is made using a mobile phone or the like, take-out extension approval data received from another computer 100 is transmitted to the computer 100, and the take-out extension application unit 224 is included in the received take-out extension approval data. When the extension deadline is registered in the take-out deadline table 239 and the information concealment processing unit 227 performs the information concealment process based on the extension deadline, for example, an emergency occurs in the place of going out, and the period for taking out the computer 100 is extended. Even in this case, the computer 100 can be continuously used by extending the take-out time limit.

  As described above, in the first embodiment, when the information concealment processing unit 227 confirms whether the computer 100 is connected to the network 10 and confirms that the computer 100 is not connected to the network. The second deadline date and time including the second processing deadline in addition to the carry-out deadline is compared with the system date of the computer 100. If the system date exceeds the second deadline date and time, the system startup file 132 of the computer 100 is stored. If the system date does not exceed the second deadline date and time, the first deadline date and time that includes the first processing deadline shorter than the second processing deadline in the take-out deadline and the system date of the computer 100 are compared. If the date exceeds the first deadline date, the confidential data 131 held by the computer 100 is encrypted. Thus, the theft of the computer 100 can be detected without requiring a special device such as GPS. If the theft is detected, the confidential data cannot be referred to by encryption or the computer 100 cannot be started. By making it possible, leakage of confidential data can be surely prevented.

  Although the information leakage prevention apparatus has been described in the first embodiment, an information leakage prevention program having the same function can be obtained by realizing the configuration of the information leakage prevention apparatus with software. A computer that executes this information leakage prevention program will be described.

  FIG. 17 is a functional block diagram of the configuration of the computer that executes the information leakage prevention program according to the first embodiment. As shown in the figure, the computer 100 includes a RAM 110, a CPU 120, an HDD 130, a LAN interface 140, an input / output interface 150, and a DVD drive 160.

  The RAM 110 is a memory that stores a program, a program execution result, and the like. The CPU 120 is a central processing unit that reads a program from the RAM 110 and executes the program.

  The HDD 130 is a disk device that stores programs and data, and the LAN interface 140 is an interface for connecting the computer 100 to another computer via the LAN.

  The input / output interface 150 is an interface for connecting an input device such as a mouse or a keyboard and a display device, and the DVD drive 160 is a device for reading / writing a DVD.

  The information leakage prevention program 111 executed in the computer 100 is stored in the DVD, read from the DVD by the DVD drive 160, and installed in the computer 100.

  Alternatively, the information leakage prevention program 111 is stored in a database or the like of another computer system connected via the LAN interface 140, read from these databases, and installed in the computer 100.

  The installed information leakage prevention program 111 is stored in the HDD 130, read into the RAM 110, and executed by the CPU 120 as the information leakage prevention process 121.

  By the way, in the first embodiment, the take-out application and the take-out extension application are managed to be managed between computers belonging to the same group. However, using the management server device that manages the computers connected to the network, You may be allowed to centrally manage take-out extension applications. In other words, when a take-out application or take-out extension application is made, each computer notifies the management server of the application based on the user's instruction, and the management server that has accepted the application notice sends the first notification to the computer. Respond to the deadline and the second deadline.

  In the first embodiment, the information leakage prevention apparatus periodically compares the second deadline date and time with the computer system date. If the system date exceeds the second deadline date and time, the computer system activation is performed. Although the configuration is such that the file is destroyed, the OS of the computer may be shut down instead of destroying the startup file. In this case, a check based on the time limit is performed even when the computer is started.

  In the first embodiment, when the system date does not exceed the second deadline date and time, the first deadline date and time shorter than the second deadline date and the system date of the computer are compared, and the system date exceeds the first deadline date and time. In such a case, the confidential data stored in the computer is encrypted. However, when the data is stored in the HDD, the confidential data is encrypted in advance so that the system date exceeds the first deadline date and time. In such a case, instead of encrypting the confidential data, a warning message may be displayed to the user.

  Therefore, in the following, the management server centrally manages various applications, and each computer shuts down the OS when checking with the first deadline, and warns when checking with the second deadline shorter than the first deadline. A case where a message is configured to be displayed will be described as a second embodiment. In the second embodiment, the confidential data backup performed in the first embodiment is not performed, and each computer transmits a confidential data file list to the management server at the time of the take-out application. A case of centralized management will be described.

First, the concept of the information leakage prevention apparatus according to the second embodiment will be described. FIG. 18 is an explanatory diagram for explaining the concept of the information leakage preventing apparatus according to the second embodiment. A network 20 shown in FIG. 1 represents, for example, an in-house LAN in a company. Via this network 20, client terminal devices (computers) 300 ₁ and 300 ₂ and a management server device (each managing a client terminal device) Computer) 400 is connected.

Each of the client terminal devices 300 ₁ and 300 ₂ includes a terminal-side information leakage prevention device, and the management server device 400 includes a server-side information leakage prevention device.

The terminal-side information leakage prevention device is an important information held in the client terminal devices 300 ₁ and 300 ₂ when the client terminal devices 300 ₁ and 300 ₂ are stolen or taken out and lost when going out. This is a device for preventing data from being referred to by a third party.

On the other hand, the server-side information leakage prevention device is a device that manages various setting information related to the client terminal devices 300 ₁ and 300 ₂ and various applications notified from each client terminal device. When the take-out application is notified from the client terminal devices 300 ₁ and 300 ₂ , the server-side information leakage prevention device responds to the client terminal device that has notified the application of the first use time limit and the second use time limit. To do.

Here, the first expiration date, when the client terminal apparatus 300 ₁ from being performed is taken out application was brought, a time limit of up warning to the user is performed, the second redemption period, taking out the applicant when is taken out by the client terminal apparatus 300 ₁ from taking place, a time limit to the OS of the client terminal apparatus 300 ₁ is shut down, the second expiration date, is longer than the first usage period Is set.

While the client terminal device 300 ₁ or 300 ₂ is activated, the terminal-side information leakage prevention device provided in each client terminal device periodically synchronizes various setting information with the server-side information leakage prevention device. Processing is performed ((1) in FIG. 18). In this synchronization process, the terminal-side information leakage prevention apparatus acquires the first warning deadline and the second warning deadline from the server-side information leakage prevention apparatus in addition to synchronizing various setting information.

Here, the first warning limit, when the taking-out request has been taken out by the client terminal apparatus 300 ₁ is not performed, a period until the last warning to the user after the synchronization process is performed is performed, the second alert time limit, when the taking-out request has been taken out by the client terminal apparatus 300 ₁ is not performed, a period since the last time synchronization process is performed until the OS of the client terminal apparatus 300 ₁ is shut down, In the second warning deadline, a deadline longer than the first warning deadline is set.

For example, consider a case where the client terminal apparatus 300 ₁ of the user, the client terminal apparatus 300 ₁ is taken out is disconnected from the network 20.

First, when the operation of taking out the applicant is performed by the client terminal apparatus 300 ₁ of the user, taking out request are sent from the client terminal apparatus 300 ₁ to the management server apparatus 400 in advance (in FIG. 18 (2)). When the take-out application is received by the management server device 400, the administrator of the network 20 approves the take-out application.

When the approval is made by a provided server side security apparatus to the management server apparatus 400, to the client terminal apparatus 300 _1, a first usage period and a second usage period as described above is transmitted (FIG. 18 (3)). When receiving these two use-expiration date, the terminal side security apparatus provided in the client terminal apparatus 300 ₁ stores each expiration date.

When the client terminal device 300 ₁ is activated by the user at the take-out destination after the take-out application is made in this way, the terminal-side information leakage prevention device provided in the client terminal device 300 ₁ is first described above. Perform synchronous processing. Here, if the synchronization process is unsuccessful, the terminal side security apparatus determines that the client terminal apparatus 300 ₁ is disconnected from the network.

In this case, the terminal-side information leakage prevention device compares the first usage time limit acquired at the time of take-out application with the system date, and if the system date exceeds the first use time limit, it is further acquired at the time of take-out application. Compare the second expiration date with the system date. If the system date has not exceeded the second usage deadline, the terminal-side information leakage prevention device displays a warning message on the display device or the like, and if the system date has exceeded the second usage deadline. , after a predetermined grace period has elapsed, to shut down the OS of the client terminal apparatus 300 _1.

Thus, the user, although to a second usage maturing can use the client terminal apparatus 300 _1, when past the second expiration date is extended by the network administrator to connect to the network 20 again to get a new expiration date or has, unless extended usage period by performing a predetermined extension procedures, again, will not be able to use the client terminal apparatus 300 _1. Therefore, even if the client terminal device 300 ₁ is stolen at the take-out destination, a third party who is not an authorized user cannot use the client terminal device 300 ₁ if the second usage time limit has passed.

Further, when the client terminal device 300 ₁ is disconnected from the network 20 without being applied for take-out, the terminal-side information leakage prevention device causes the client terminal device 300 _{1 to} be connected to the network through periodic synchronization processing. If it is confirmed whether or not it has been disconnected, and if it is confirmed that it has been disconnected, the availability determination is performed using the warning deadline acquired when the synchronization process was last performed with the management server device 400. Do.

First, the terminal side security apparatus calculates the system date of the client terminal apparatus 300 _1, the time of the last sync processing with the management server device 400 (hereinafter, last synchronization time) the difference between, When the calculation result exceeds the first warning deadline, the calculation result is compared with the second warning deadline. The terminal-side information leakage prevention device displays a warning message on the display device or the like when the calculation result does not exceed the second warning deadline, and when the calculation result further exceeds the second warning deadline. , after a predetermined grace period has elapsed, to shut down the OS of the client terminal apparatus 300 _1.

As a result, even when a third party other than a regular user takes out the client terminal device 300 ₁ without making a take-out application, the client terminal device 300 ₁ Unusable.

Thus, the terminal side security apparatus is, checks whether the client terminal apparatus 300 ₁ is connected to the network, when it is confirmed that it is not connected to the network, the second acquired during taking out application comparing the system date expiration date and the computer, when the system date exceeds the second usage period, shut down the OS of the client terminal apparatus 300 _1, when the system date is not greater than the second usage period the, if comparing the first expiration date and the system date of the client terminal apparatus 300 ₁ acquired during carryout application, system date had exceeded a first expiration date, to the user of the client terminal apparatus 300 ₁ The warning message is sent to the client terminal device 300 ₁ without requiring a special device such as GPS. Detecting theft, by shutting down the OS of the client terminal apparatus 300 _1, it is possible to prevent leakage of confidential data.

In addition, even if no take-out application has been made, if the terminal-side information leakage prevention device confirms that it is not connected to the network, the second warning deadline acquired at the time of synchronization processing, and finally comparing the elapsed time after performing the synchronization process, if the elapsed time exceeds the second warning limit, shut down the OS of the client terminal apparatus 300 _1, the elapsed time has exceeded the second alert time limit If not, compare the first warning deadline obtained when the synchronization process was performed and the elapsed time since the last synchronization process. If the elapsed time exceeds the first warning deadline, since it notifies a warning message to the client terminal apparatus 300 ₁ of the user, as well as to detect the theft of the client terminal apparatus 300 ₁ without requiring special equipment such as GPS, the client end By shutting down the apparatus 300 ₁ of the OS, it is possible to prevent leakage of confidential data.

  The “first use deadline” and the “first warning deadline” in the second embodiment correspond to the “second deadline” described in the claims, and the “second use deadline” and the “second warning deadline”. "Corresponds to the" first deadline "recited in the claims.

  Next, configurations of the terminal-side information leakage prevention apparatus and the server-side information leakage prevention apparatus according to the second embodiment will be described. FIG. 19 is a functional block diagram illustrating configurations of the terminal-side information leakage prevention apparatus and the server-side information leakage prevention apparatus according to the second embodiment. As shown in the figure, the terminal-side information leakage prevention device 500 is mounted on the client terminal device 300, and the server-side information leakage prevention device 600 is mounted on the management server device 400. Connected through.

Here, for convenience of explanation, only one client terminal device 300 is illustrated, but it is assumed that a plurality of client terminal devices 300 are connected to the network 20. That is, the client terminal device 300 shown in the figure corresponds to the client terminal devices 300 ₁ and 300 ₂ shown in FIG.

  The client terminal device 300 includes an HDD (Hard Disk Drive) 330. This HDD is a storage device for storing various programs executed by the client terminal device 300 and various data necessary for the execution of the programs. Particularly, the HDD is closely related to the present invention. As shown, secret data 331 that is a target for leakage prevention is stored.

  The terminal-side information leakage prevention device 500 provided in the client terminal device 300 is a device for preventing confidential data held in the client terminal device 300 from being referred to by a third party, and includes interface control. Unit 510, storage unit 520, and control unit 530. Below, each function part is demonstrated concretely.

  The interface control unit 510 is a processing unit that controls transmission / reception of various data exchanged with the management server device 400. For example, the interface control unit 510 transmits a take-out application to the management server device 400 and receives a first usage time limit and a second usage time limit from the management server device 400.

  The storage unit 520 is a storage device that stores data and programs necessary for various processes performed by the control unit 530. As shown in FIG. 19, the storage unit 520 stores a terminal setting table 521 particularly closely related to the present invention. To do.

  The terminal setting table 521 stores terminal setting information regarding the client terminal device 300. FIG. 20 is a diagram illustrating an example of terminal setting information stored in the terminal setting table 521. As shown in the figure, the terminal setting table 521 includes “client ID”, “master code”, “secret information storage location”, “last synchronization time”, “first warning deadline”, “ The “second warning deadline”, “use permission flag”, “grace period”, “approval flag”, “first use deadline”, and “second use deadline” are stored.

  Here, the client ID is an identifier for uniquely identifying the client terminal device 300, and the master code is a code set in common to all client terminal devices and management servers connected to the network 20. . The confidential information storage location is path information indicating the location where the confidential data 331 is stored in the HDD 330, and the final synchronization time is the time at which synchronization was last performed with the management server by a synchronization process described later. .

  The first warning deadline is a period from when the client terminal device 300 is taken out without a take-out application to when a warning is given to the user after the last synchronization processing is performed. Is a period from when the client terminal device 300 is taken out without a take-out application to when the OS of the client terminal device 300 is shut down after the last synchronization process is performed. A period longer than the first warning deadline is set as the second warning deadline. For example, a period represented by time (H) is set for the first warning deadline and the second warning deadline, as shown in FIG. The period set for the first warning deadline and the second warning deadline may be a week (W), a day (D), a minute (M), or a combination of these.

  The use permission flag is a flag indicating whether or not the use of the client terminal device 300 is permitted by a network administrator or the like, and the approval flag is a flag indicating whether or not the client terminal device 300 is permitted to be taken out. is there. For example, “1” is set in the use permission flag and the approval flag as shown in FIG. Here, when “1” is set, it indicates that the flag is on, and when nothing is set, it indicates that the flag is off.

  The grace period is a period during which the client terminal device 300 can be temporarily used even when it is not connected to the network 20, and the client device 300 is activated by monitoring means not shown in FIG. The interval is reduced at any time, and the value stored in the table is rewritten as needed. For example, in the grace period, as shown in the figure, a period represented by time (H) is set. The period set as the grace period may be days (D), minutes (M), seconds (S), or a combination of these. This grace period is not recovered until the client terminal device 300 is connected to the network 20 and the synchronization processing unit 533 performs the synchronization processing normally.

  The first use time limit is a time limit for warning the user when the take-out application is made and the client terminal device 300 is taken out, and the second use time limit is the client terminal device after the take-out application is made. This is the time limit for shutting down the OS of the client terminal device 300 when the 300 is taken out. In the second usage time limit, a period longer than the first usage time limit is set. For example, as shown in the figure, time limits expressed in year, month, day, hour, and minute are set in the first use time limit and the second use time limit.

  Referring back to FIG. 19, the control unit 530 has a control program such as an OS, a program that defines various processing procedures, and an internal memory for storing required data, and a processing unit that executes various processes using these. As closely related to the present invention, the initial setting processing unit 531, the encryption processing unit 532, the synchronization processing unit 533, the take-out application processing unit 534, the usage time limit confirmation unit 535, the warning time limit, A confirmation unit 536, a time limit extension processing unit 537, and a recovery processing unit 538 are included.

  The initial setting processing unit 531 is a processing unit that stores terminal setting information input from a user in the terminal setting table 521. Specifically, the initial setting processing unit 531 stores these information in the terminal setting table 521 when a master code and a secret information storage location are input by the user at the time of initial setting. At the same time, the initial setting processing unit 531 generates a client ID unique to the client terminal device 300 and stores it in the terminal setting table 521. For example, the initial setting processing unit 531 generates a client ID based on the device number of the client terminal device 300 and the like.

  When the user stores the confidential data in the storage location indicated by the confidential information storage location stored in the terminal setting table 521, the encryption processing unit 532 encrypts the confidential data using a predetermined encryption key. It is a processing part to convert.

  The synchronization processing unit 533 is a processing unit that synchronizes various setting information with the management server device 400. Specifically, the synchronization processing unit 533 requests the management server device 400 for terminal setting information including the client ID when the client terminal device 300 is started up and periodically, and the management server device The first warning deadline, the second warning deadline, the use permission flag, the grace period, the approval flag, and the last synchronization time returned from 400 are acquired and stored in the terminal setting table 521, respectively.

  The take-out application processing unit 534 is a processing unit that performs processing related to a take-out application based on an operation from the user. Specifically, the take-out application processing unit 534 transmits a take-out application including the client ID to the management server apparatus 400 based on an operation from the user, and is returned from the management server apparatus 400 in response thereto. By storing the first usage time limit and the second usage time limit in the terminal setting table 521, the first usage time limit and the second usage time limit are set in the client terminal device 300.

  At the same time, the take-out application processing unit 534 generates a file list of confidential data stored in the location indicated by the confidential information storage location stored in the terminal setting table 521, and transmits the file list to the management server device 400. To do. The processing procedure of the take-out application process will be described later in detail with reference to FIG.

  Here, when the take-out application processing unit 534 acquires the first usage time limit and the second usage time limit from the management server device 400, all of them are transmitted to the management server device 400 by transmitting the confidential data file list. The secret data stored in the client terminal device 300 can be centrally managed by the management server device 400. Even if the client terminal device 300 is stolen at the take-out destination, it is retained in the client terminal device. It is possible to confirm the confidential data that has been used and to use it for studying countermeasures against theft.

  The usage time limit checking unit 535 is a processing unit that checks whether or not the client terminal device 300 can be used based on the first usage time limit and the second usage time limit when the client terminal device 300 is activated. Specifically, when the client terminal device 300 is activated by the user, the usage time limit confirming unit 535 performs the synchronization processing by the synchronization processing unit 533, and as a result, the synchronization processing is not performed normally. The client terminal device 300 is determined to be disconnected from the network, and the first usage time limit stored in the terminal setting table 521 is compared with the system date.

  Then, when the system date exceeds the first usage time limit, the usage time limit checking unit 535 further compares the second usage time limit stored in the terminal setting table 521 with the system date to determine the system date. If the second usage period has not been exceeded, a warning message is displayed on the display device or the like. On the other hand, if the system date has exceeded the second usage period, the usage period confirmation unit 535 displays a message prompting the input of the recovery key on the display device after a predetermined grace period has elapsed.

  Here, when the recovery key is not input from the user, the usage time limit checking unit 535 shuts down the OS of the client terminal device 300. Note that the processing procedure of the expiration date confirmation process will be described later in detail with reference to FIG.

  The warning deadline confirmation unit 536 is a processing unit that checks whether or not the client terminal device 300 can be used based on the first warning deadline and the second warning deadline when the client terminal device 300 is taken out without a take-out application. is there. Specifically, the warning time limit confirmation unit 536 confirms whether or not the synchronization processing has been normally performed when the periodic synchronization processing by the synchronization processing unit 533 is performed, and has not been performed normally. In this case, it is determined that the client terminal device 300 is disconnected from the network.

  Then, the warning deadline confirmation unit 536 first determines whether or not it can be used based on the first usage deadline and the second usage deadline as described above, and if the system date exceeds the second usage deadline, the client terminal device When the difference between the system date of 300 and the time when the synchronization process was last performed between the management server device 400 (hereinafter, the last synchronization time) is calculated, and the calculation result exceeds the first warning deadline Further, the calculation result is compared with the second warning deadline.

  The warning deadline confirmation unit 536 displays a warning message on the display device or the like when the calculation result does not exceed the second warning deadline, and when the calculation result exceeds the second warning deadline, After the predetermined grace period elapses, the OS of the client terminal device 300 is shut down. Note that the processing procedure of the warning time limit confirmation processing will be described later in detail with reference to FIG.

  The time limit extension processing unit 537 is a processing unit that extends the first use time limit and the second use time limit based on the extension time limit determined by the management server device 400. Specifically, the time limit extension processing unit 537 displays an input screen requesting input of the extension key on the display device in response to an instruction from the user. Then, when the extension key is input by the user, the period extension processing unit 537 acquires the client ID, the first usage period, the second usage period, and the extension period from the extension key.

  Then, the time limit extension processing unit 537 confirms whether or not the acquired client ID, the first usage time limit, and the second usage time limit are the same as those stored in the terminal setting table 521. In this case, the first use time limit and the second use time limit stored in the terminal setting table 521 are extended by adding the acquired extension time limit. Note that the processing procedure of the time limit extension processing will be described later in detail with reference to FIG.

  The recovery processing unit 538 is a processing unit that extends the first use time limit and the second use time limit based on the temporary use time limit determined by the management server device 400. Specifically, the recovery processing unit 538 displays an input screen for requesting the user to input a recovery key when instructed to perform recovery processing from the usage time limit confirmation unit 535 or the warning time limit confirmation unit 536. Display on the device.

  Then, when the recovery key is input by the user, the recovery processing unit 538 acquires the master code and the temporary use expiration date included in the recovery key, and the acquired master code is stored in the terminal setting table 521. The first use time limit and the second use time limit stored in the terminal setting table 521 are added by adding the acquired temporary use time limit. Respectively. Note that the processing procedure of the recovery processing will be described later in detail with reference to FIG.

  As described above, the recovery processing unit 538 acquires the recovery key generated based on the master code and the temporary use deadline in the management server device 400 and extends the first use deadline and the second use deadline. Even if the client terminal device 300 cannot be connected to the network 20 due to the occurrence of a problem, the user can temporarily extend the expiration date of the client terminal device 300 by acquiring the recovery key by telephone or e-mail. Can do.

On the other hand, the server-side information leakage prevention device 600 provided in the management server device 400 is a device that manages various setting information related to the client terminal devices 300 ₁ and 300 ₂ and various applications notified from each client terminal device. The interface control unit 610, the storage unit 620, and the control unit 630 are included. Below, each function part is demonstrated concretely.

  The interface control unit 610 is a processing unit that controls transmission / reception of various data exchanged with the client terminal device 300. For example, the interface control unit 610 receives a take-out application from the client terminal device 300 and transmits a first usage time limit and a second usage time limit to the client terminal device 300.

  The storage unit 620 is a storage device that stores data and programs necessary for various types of processing by the control unit 630. As particularly related to the present invention, as shown in FIG. 19, a management server setting table 621 and The terminal management table 622 is stored.

  The management server setting table 621 stores management server setting information regarding the management server device 400. FIG. 21 is a diagram illustrating an example of management server setting information stored in the management server setting table 621. As shown in the figure, the management server setting table 621 stores “master code” and “server warning deadline”. For example, in the server warning deadline, a period represented by time (H) is set as shown in FIG. The period set as the server warning deadline may be a week (W), a day (D), a minute (M), or a combination of these.

  The master code is a code that is set in common to all client terminal devices and management servers connected to the network 20. The server warning time limit is a time limit for giving a warning to the network administrator when the client terminal device 300 is not connected to the network 20 for a long period of time. The period until it is set.

  The terminal management table 622 stores terminal management information of all client terminals connected to the network 20. FIG. 22 is a diagram illustrating an example of terminal management information stored in the terminal management table 622. As shown in the figure, the terminal management table 622 includes “client ID”, “last synchronization time”, “first warning deadline”, “second warning deadline”, “use permission flag”, Terminal management information in which “grace period”, “approval flag”, “first usage time limit”, and “second usage time limit” are associated with each other is stored for each client terminal device.

  This terminal management table 622 stores terminal management information for each client terminal device, so that the network administrator can change the first warning deadline, the second warning deadline, etc. for each client terminal device. Terminal devices can be managed flexibly.

  Referring back to FIG. 19, the control unit 630 has a control program such as an OS (Operating System), a program that defines various processing procedures, and an internal memory for storing required data. The processing unit to be executed and closely related to the present invention includes an initial setting processing unit 631, a synchronization processing unit 632, a take-out application processing unit 633, a warning deadline confirmation unit 634, and a deadline extension processing unit 635. And a recovery processing unit 636. Below, each function part is demonstrated concretely.

  The initial setting processing unit 631 is a processing unit that stores management server setting information input from a network administrator or the like in the management server setting table 621. Specifically, the initial setting processing unit 631 stores the information in the management server setting table 621 when a master code and a server warning deadline are input by a network administrator or the like at the time of initial setting. The initial setting processing unit 631 receives the client ID, the first warning deadline, the second warning deadline, the use permission flag, the grace period, and the approval flag for each client terminal device by the network administrator or the like. Information is associated and stored in the terminal management table 622.

  The synchronization processing unit 632 is a processing unit that responds with terminal setting information in response to a request from the client terminal device 300. Specifically, when the terminal setting information is requested from the client terminal device 300, the synchronization processing unit 632, the first warning deadline, the second warning deadline, and the use permission corresponding to the client ID included in the terminal setting information. The flag, the grace period, and the approval flag are acquired from the terminal management table 622, and a response is made to the client terminal device 300 together with the final synchronization time in which the system date is set. Thereafter, the synchronization processing unit 632 updates the last synchronization time in the terminal management table 622 corresponding to the client ID with the system date.

  The take-out application processing unit 633 is a processing unit that responds to the first use time limit and the second use time limit in accordance with the take-out application transmitted from the client terminal device 300. Specifically, when the take-out application processing unit 633 receives a take-out application transmitted from the client terminal device 300, the first use deadline and the second use deadline corresponding to the client ID included in the take-out application are managed in the terminal. Obtained from the table 622 and transmitted to the client terminal device 300.

  In addition, when the take-out application processing unit 633 receives the secret data file list from the client terminal device 300, the take-out application processing unit 633 stores the file list for each client terminal device in a predetermined storage area. The processing procedure of the take-out application process will be described later in detail with reference to FIG.

  The warning deadline confirmation unit 634 is a processing unit that warns the network administrator when the client terminal device 300 is not connected to the network 20 for a long period of time. Specifically, the warning deadline confirmation unit 634 periodically refers to the terminal management table 622, and the difference between the last synchronization time and the system date indicates the server warning deadline stored in the management server setting table 621. If there is a client terminal device that exceeds the limit, a warning message specifying the client terminal device is displayed on the display device. Note that the processing procedure of the warning time limit confirmation processing will be described later in detail with reference to FIG.

  The term extension processing unit 635 is a processing unit that generates an extension key including an extension term based on an instruction from a network administrator or the like when an extension application is requested by a user of the client terminal device 300. Specifically, the time limit extension processing unit 635 is a client that is input by the network administrator or the like when the network administrator or the like receives an extension application from the user of the client terminal device 300 by telephone or email. Based on the ID, the first usage time limit and the second usage time limit are acquired from the terminal management table 622.

  Then, the period extension processing unit 635 generates an extension key based on the client ID, the acquired first usage period and second usage period, and the extension period determined by the network administrator or the like. Further, the time limit extension processing unit 635 updates the first use time limit and the second use time limit stored in the terminal management table 622 by adding the extension time limit. The extension key generated here is sent by the network administrator or the like to the user of the client terminal device 300 by telephone or mail. Note that the processing procedure of the time limit extension processing will be described later in detail with reference to FIG.

  The recovery processing unit 636 is a processing unit that generates a recovery key based on an instruction from a network administrator or the like when a recovery application is requested by a user of the client terminal device 300. Specifically, the recovery processing unit 636 responds to an instruction from the network administrator or the like when the network administrator or the like receives a recovery application from the user of the client terminal device 300 by telephone or email. The master code is acquired from the management server setting table 621.

  Then, the recovery processing unit 636 creates a recovery key based on the acquired master code and the temporary use expiration date determined by the network administrator or the like. Further, the recovery processing unit 636 updates the first use time limit and the second use time limit stored in the terminal management table 622 by adding the temporary use time limit. The recovery key generated here is sent to the user of the client terminal device 300 by a network administrator or the like using a telephone or mail. Note that the processing procedure of the recovery processing will be described later in detail with reference to FIG.

  Next, a processing procedure of main processes performed by the information leakage prevention apparatus (terminal-side information leakage prevention apparatus 500 and server-side information leakage prevention apparatus 600) according to the second embodiment will be described with reference to FIGS. .

  First, the overall flow of information leakage prevention by the information leakage prevention apparatus according to the second embodiment will be described. FIG. 23 is a sequence diagram illustrating an overall flow of information leakage prevention by the information leakage prevention apparatus according to the second embodiment.

  As shown in the figure, first, in the client terminal device 300, when a master code is input by the user, the initial setting processing unit 531 of the terminal side information leakage prevention device 500 stores the master code in the terminal setting table 521. Registration is performed (step S601). On the other hand, also in the management server apparatus 400, when a master code is input by a network administrator or the like, the initial setting processing unit 631 of the server side information leakage prevention apparatus 600 sets the master code in the management server setting table 621 ( Step S602).

  Thereafter, when the client terminal device 300 and the management server device 400 are connected via the network 20, when the synchronization processing unit 533 of the terminal side information leakage prevention device 500 performs the synchronization processing (step S603), the client terminal device The client ID of 300 is transmitted to the management server device 400, and the synchronization processing unit 632 of the server side information leakage prevention device 600 that has received the client ID updates the terminal management information in the terminal management table 622 with the client ID (client ID is changed). Register) (step S604).

  In the management server device 400, when the server warning deadline is input by the network administrator or the like, the initial setting processing unit 631 of the server-side information leakage prevention device 600 sets the server warning deadline to the management server setting table 621. (Step S605). When the network administrator inputs the first warning deadline, the second warning deadline, the use permission flag, and the grace period of the client terminal device 300 to the management server device 400 (steps S606, S608, and S610), the terminal side information The initial setting processing unit 531 of the leakage prevention apparatus 500 stores these pieces of information in the terminal setting table 521, and the synchronization processing unit 533 uses the first warning deadline, the second warning deadline, and the use permission in the next synchronization processing. A flag and a grace period are acquired (steps S607, S609, and S611).

  Thereafter, when the user makes a take-out application at the client terminal device 300, the take-out application processing unit 534 of the terminal-side information leakage prevention device 500 and the take-out application processing unit 633 of the server-side information leakage prevention device 600 are taken out. Application processing is performed (steps S612 and S613). This take-out application process will be described later with reference to FIG.

  Thereafter, when the client terminal device 300 is disconnected from the network 20 and taken out, the usage time limit checking unit 535 of the terminal-side information leakage prevention device 500 performs a usage time limit checking process when the client terminal device 300 is activated (step S614). Also, the warning deadline confirmation unit 536 periodically performs warning deadline confirmation processing (step S615). On the other hand, also in the management server device 400, the warning deadline confirmation unit 634 of the server device side information leakage prevention device 600 periodically performs warning deadline confirmation processing (step S616). These usage time limit confirmation processing and warning time limit confirmation processing will be described later with reference to FIGS. 25 and 26.

  Thereafter, when the client terminal device 300 is taken home and connected to the network 20 (step S617), the synchronization processing unit 533 of the terminal side information leakage prevention device 500 periodically performs synchronization processing (step S618), and the management server The server side information leakage prevention apparatus 600 of the apparatus 400 updates the terminal management information in the terminal management table 622 (step S619).

  Subsequently, a processing procedure of the terminal take-out application process according to the second embodiment will be described. FIG. 24 is a flowchart of the process procedure of the terminal take-out application process according to the second embodiment.

  As shown in the figure, first, in the management server device 400, when the approval flag is input by the user and the first usage time limit and the second usage time limit are set or extended, the server side information leakage prevention device 600 is displayed. The initial setting processing unit 631 registers these pieces of information in the terminal management table 622 (steps S701 and S702).

  Thereafter, when a take-out application is made by the user in the client terminal device 300, the take-out application processing unit 534 of the terminal-side information leakage prevention device 500 transmits a take-out application notification to the management server device 400 (step S703). .

  When the management server device 400 receives the take-out application notification, the take-out application processing unit 633 of the server-side information leakage prevention device 600 refers to the terminal management table 622 and approves the client terminal device 300 that has transmitted the take-out application. It is determined whether or not the flag is on.

  Here, when the approval flag is on (Yes in step S704), the take-out application processing unit 633 displays an approval result indicating that approval is possible, a first use time limit, and a second use time limit. If the approval flag is not on (step S704, No), an approval result indicating that the approval is not possible is sent to the client terminal device 300 (step S705). Transmit (step S706).

  Thereafter, when the client terminal device 300 receives the approval result, the first usage time limit and the second usage time limit, the take-out application processing unit 534 of the terminal-side information leakage prevention device 500 turns on the approval flag stored in the terminal setting table 521. If it is not on (step S707, No), the terminal take-out application process is terminated, and if it is on (step S707, Yes), the received first usage The first usage time limit and the second usage time limit are set or extended by updating the terminal setting table 521 with the time limit and the second usage time limit (step S708), and the file list of the confidential data stored in the confidential area is managed. It transmits with respect to the server apparatus 400 (step S709).

  When the management server device 400 receives the file list, the server-side information leakage prevention device 600 stores the file list in a predetermined storage area for each client terminal device (step S710). Thus, the take-out process of the client terminal device 300 ends (step S711).

  Subsequently, the processing procedure of the expiration date confirmation process according to the second embodiment will be described. FIG. 25 is a flowchart of a process procedure of a usage time limit confirmation process according to the second embodiment. This usage time limit confirmation process is a process performed in the terminal-side information leakage prevention apparatus 500 of the client terminal apparatus 300.

  As shown in the figure, when it is confirmed that the OS of the client terminal device 300 has been started (step S801), the synchronization processing unit 533 performs synchronization processing with the management server device 400 (step S802).

  Here, when the synchronization process can be performed (step S803, Yes), the use time limit confirming unit 535 confirms the use permission flag stored in the terminal setting table 521, and the use permission flag is ON. If there is (Yes in Step S804), the usage time confirmation process is terminated, and if the usage permission flag is not on (No in Step S804), the OS of the client terminal device 300 is shut down (Step S805). ).

  On the other hand, if the synchronization process could not be performed (step S803, No), the usage time limit confirming unit 535 refers to the terminal setting table 521 and sets the first usage time limit, the second usage time limit, and the grace period. Read (step S806). Then, when the system date (current date) is within the first usage time limit (Yes in step S807), the usage date confirmation unit 535 ends the usage date confirmation processing, and the system date is within the first usage time limit. When it has exceeded (step S807, No), the system date is compared with the second usage time limit.

  Here, if the system date is within the second usage period (step S808, Yes), the usage period confirmation unit 535 displays the warning message on the display device and notifies the user of the warning, and then the usage period. The confirmation process ends.

  On the other hand, when the system date has exceeded the second usage period (step S808, No), the usage period confirmation unit 535 determines that the system date is within the grace period (when the grace period is not 0) (step S810, Yes). ) After displaying the warning message on the display device and notifying the user of the warning (step S811), the expiration date checking process is terminated.

  Here, when it is not within the grace period (when the grace period is 0) (No in step S810), the usage time limit confirming unit 535 instructs the recovery processing unit 538 to perform the recovery process ( Step S812). When the first use time limit and the second use time limit are extended by the recovery process (step S813, Yes), the use time limit confirming unit 535 ends the use time limit check process, and when it is not extended ( In step S813, the OS of the client terminal device 300 is shut down (step S814).

  Subsequently, a processing procedure of warning time limit confirmation processing according to the second embodiment will be described. FIG. 26 is a flowchart illustrating a processing procedure of warning time limit confirmation processing according to the second embodiment.

  As shown in the figure, in the client terminal device 300, when synchronization with the management server device 400 is performed as a result of periodic synchronization processing by the synchronization processing unit 533 (step S901, Yes), the next synchronization is performed. If the process waits and synchronization is not performed (step S901, No), the warning deadline confirmation unit 536 of the terminal-side information leakage prevention apparatus 500 uses the first usage deadline and system stored in the terminal setting table 521. Compare the date.

  Here, when the system date is within the first usage time limit (Yes in step S902), the warning time limit confirmation unit 536 returns control to step S901, and when the system date is over the first usage time limit (step S902). (S902, No), the first use time limit stored in the terminal setting table 521 is compared with the system date.

  If the system date is within the second usage time limit (step S903, Yes), the warning time limit confirmation unit 536 displays the warning message on the display device (step S904), and then returns control to step S901. If the system date has exceeded the second usage time limit (step S903, No), the following warning notification process is started (step S905).

  In this warning notification process, the warning deadline confirmation unit 536 first calculates the difference between the system date of the client terminal device 300 and the last synchronization time stored in the terminal setting table 521. Then, when the calculation result does not exceed the first warning time limit (No at Step S906), the warning time limit confirmation unit 536 returns control to Step S901, and when the calculation result exceeds the first warning time limit. (Step S906, Yes), and further, the calculation result is compared with the second warning deadline.

  If the calculation result does not exceed the second warning time limit (No at Step S907), the warning time limit confirmation unit 536 displays a warning message on the display device or the like (Step S908), and then goes to Step S901. When the control result is returned and the calculation result exceeds the second warning time limit (step S907, Yes), the grace period stored in the terminal setting table 521 is referred to, and if it is within the grace period (the grace period is 0). If not (step S909, Yes), a warning message is displayed on the display device (step S910), control is returned to step S901, and the grace period is exceeded (when the grace period is 0). (Step S909, No), the recovery processing unit 538 is instructed to perform recovery processing (Step S911).

  When the first usage time limit and the second usage time limit are extended by the recovery process (step S912, Yes), the warning time limit confirmation unit 536 returns control to step S901, and when the time limit is not extended (step S912, No), the OS of the client terminal device 300 is shut down (step S913).

  On the other hand, in the management server device 400, the warning time limit confirmation unit 634 of the server-side information leakage prevention device 600 periodically starts warning notification processing (step S1001). In this warning notification process, the warning deadline confirmation unit 634 refers to the terminal management table 622, and the difference between the last synchronization time and the system date exceeds the server warning deadline stored in the management server setting table 621. If the client terminal device exists (step S1002, Yes), a warning message specifying the client terminal device is displayed on the display device (step S1003).

  Here, if there is no client terminal device in which the difference between the last synchronization time and the system date exceeds the server warning deadline (No in step S1002), the warning deadline confirmation unit 634 sends a warning notification. The process ends.

  Subsequently, a processing procedure of a time limit extension process according to the second embodiment will be described. FIG. 27 is a flowchart of the process procedure of the time limit extension process according to the second embodiment.

  As shown in the figure, when a network administrator or the like receives an extension application from a user of the client terminal device 300 by telephone or email, the management server device 400 creates an extension key by the network administrator or the like. When the instruction is given (step S1101), the time limit extension processing unit 635 of the server side information leakage prevention apparatus 600 acquires the client ID of the client terminal apparatus 300 that is input simultaneously with the creation instruction, and from the terminal management table 622, The first usage time limit and the second usage time limit corresponding to the client ID are acquired. Then, the period extension processing unit 635 generates an extension key based on the client ID, the acquired first usage period and second usage period, and the extension period determined by the network administrator or the like (step S1102). .

  Further, the time limit extension processing unit 635 updates the first usage time limit and the second usage time limit stored in the terminal management table 622 by adding the extension time limit (step S1103). The extension key generated here is sent by the network administrator or the like to the user of the client terminal device 300 by telephone or mail.

  Then, when the extension key sent from the network administrator or the like is input to the client terminal device 300 by the user of the client terminal device 300, the time limit extension processing unit 537 of the terminal-side information leakage prevention device 500 performs the extension. The key input is accepted (step S1104).

  Then, when the extension key is input by the user, the period extension processing unit 537 acquires the client ID, the first usage period, and the second usage period from the extension key. Then, the time limit extension processing unit 537 confirms whether or not the acquired client ID, the first usage time limit, and the second usage time limit are the same as those stored in the terminal setting table 521. (Step S1105, Yes), an extension time limit is acquired from the extension key (Step S1106), and the first use time limit and second use time stored in the terminal setting table 521 are added by adding the extension time limit. Each time limit is extended (step S1107).

  Here, when the acquired client ID, the first usage time limit, and the second usage time limit are not the same as those stored in the terminal setting table 521 (step S1105, No), the time limit extension processing unit 537 Returning to step S1104, the input of the extension key is accepted again.

  Subsequently, a processing procedure of recovery processing according to the second embodiment will be described. FIG. 28 is a flowchart of the recovery process according to the second embodiment.

  As shown in the figure, when a network administrator or the like receives a recovery application from a user of the client terminal device 300 by telephone or mail, the management server device 400 creates a recovery key by the network administrator or the like. When the instruction is given (step S1201), the recovery processing unit 636 of the server-side information leakage prevention apparatus 600 acquires the master code from the management server setting table 621, and the acquired master code and the temporary information determined by the network administrator or the like. A recovery key is generated based on the expiration date (step S1202). The extension key generated here is sent by the network administrator or the like to the user of the client terminal device 300 by telephone or mail.

  When the recovery key sent from the network administrator or the like is input to the client terminal device 300 by the user of the client terminal device 300, the recovery processing unit 538 of the terminal-side information leakage prevention device 500 performs the recovery. A key input is accepted (step S1203).

  Then, when the recovery key is input by the user, the recovery processing unit 538 acquires the master code from the recovery key, and the master code is the same as that stored in the terminal setting table 521. If it is the same, it is determined that the master code is correct (step S1204, Yes), the temporary use deadline is obtained from the recovery key (step S1205), and the temporary use deadline is set. By adding, the first usage time limit and the second usage time limit stored in the terminal setting table 521 are respectively extended (step S1206).

  If the acquired master code is not the same as the one stored in the terminal setting table 521, it is determined that the master code is not correct (No in step S1204), and the recovery processing unit 538 determines in step S1203. Returning to, the input of the recovery key is accepted again.

  As described above, in the second embodiment, in the terminal-side information leakage prevention apparatus 500, the synchronization processing unit 533 confirms whether or not the client terminal device 300 is connected to the network, and the usage time limit confirmation unit 535 When it is confirmed that it is not connected to the network, the second usage period obtained at the time of taking out application is compared with the computer system date. If the system date exceeds the second usage period, the client terminal When the OS of the device 300 is shut down and the system date does not exceed the second usage date, the first usage date acquired at the time of the take-out application is compared with the system date of the client terminal device 300, and the system date is the first. If the expiration date has been exceeded, a warning message is sent to the user of the client terminal device 300 Runode detects theft of the client terminal apparatus 300 without the need for special equipment such as a GPS, by shutting down the OS of the client terminal apparatus 300, it is possible to prevent leakage of confidential data.

  In the second embodiment, even when no take-out application has been made, when the warning deadline confirmation unit 536 confirms that the terminal-side information leakage prevention apparatus 500 is not connected to the network, the synchronization process is performed. The second warning deadline acquired at the time of execution is compared with the elapsed time since the last synchronization processing. If the elapsed time exceeds the second warning deadline, the OS of the client terminal device 300 is changed. If the elapsed time does not exceed the second warning deadline after the shutdown, the first warning deadline acquired when the synchronization processing was performed is compared with the elapsed time since the last synchronization processing, and the elapsed time When the time exceeds the first warning deadline, a warning message is notified to the user of the client terminal device 300. Similarly, the client is not required to use a special device such as GPS. Detecting theft bets terminal device 300, by shutting down the OS of the client terminal apparatus 300, it is possible to prevent leakage of confidential data.

  In the second embodiment, in the terminal-side information leakage prevention apparatus 500, the take-out application processing unit 534 transmits a take-out application to the management server apparatus 400 connected to the network based on an instruction from the user. Thus, when the first use time limit and the second use time limit are acquired from the management server device 400, and the warning time limit confirmation unit 536 confirms that it is not connected to the network, the acquired second use time limit and system When the system date exceeds the second usage deadline, the OS of the client terminal device 300 is shut down. When the system date does not exceed the second usage deadline, the acquired first When the usage date is compared with the system date and the system date exceeds the first usage date, the user of the client terminal device 300 is notified. The first deadline and the second deadline are automatically set in the computer when the user makes an application for taking out the client terminal device 300 from the client terminal device 300 before disconnecting the client terminal device 300 from the network. Thus, information leakage of the client terminal device 300 can be prevented with an easy operation method.

  In the second embodiment, in the terminal-side information leakage prevention apparatus 500, the time limit extension processing unit 537 transmits a take-out extension application to the management server apparatus 400 connected to the network based on an instruction from the user. By doing so, the approved take-out extension deadline is acquired from the management server device 400, and when it is confirmed that it is not connected to the network, the second use deadline taking into account the acquired take-out extension deadline is compared with the system date. If the system date exceeds the second usage deadline, the control system is shut down. The system date is compared, and if the system date exceeds the first usage date, a warning is issued to the user. Since the, for example, the go even when urgent business will extend the period during which bring the computer generated, by extending the takeout deadline, it is possible to use the client terminal device 300 continues.

  In the second embodiment, since the server device that manages the client terminal devices connected to the network manages the take-out application and the extension application, it becomes possible to centrally manage the setting information regarding each client terminal device. The network can be easily managed.

  In the second embodiment, the terminal-side information leakage prevention device and the server-side information leakage prevention device have been described. However, by realizing the configuration of the information leakage prevention device with software, the terminal-side information leakage having the same function is provided. Prevention program and server side information leakage prevention program can be obtained. Therefore, the client terminal device (computer) 300 that executes the terminal side information leakage prevention program and the management server device (computer) 400 that executes the server side information leakage prevention program will be described.

  FIG. 29 is a functional block diagram illustrating the configuration of the client terminal device 300 that executes the terminal-side information leakage prevention program according to the second embodiment. As shown in the figure, the client terminal device 300 includes a RAM 310, a CPU 320, an HDD 330, a LAN interface 340, an input / output interface 350, and a DVD drive 360.

  The RAM 310 is a memory that stores a program, a program execution result, and the like. The CPU 320 is a central processing unit that reads a program from the RAM 310 and executes the program.

  The HDD 330 is a disk device that stores programs and data, and the LAN interface 340 is an interface for connecting the client terminal device 300 to another computer via the LAN.

  The input / output interface 350 is an interface for connecting an input device such as a mouse or a keyboard and a display device, and the DVD drive 360 is a device for reading / writing a DVD.

  The terminal-side information leakage prevention program 311 executed in the client terminal device 300 is stored in the DVD, read from the DVD by the DVD drive 360, and installed in the client terminal device 300.

  Alternatively, the terminal-side information leakage prevention program 311 is stored in a database or the like of another computer system connected via the LAN interface 340, read from these databases, and installed in the client terminal device 300.

  The installed terminal side information leakage prevention program 311 is stored in the HDD 330, read out to the RAM 310, and executed by the CPU 320 as the terminal side information leakage prevention process 321.

  FIG. 30 is a functional block diagram illustrating the configuration of the management server device 400 that executes the server-side information leakage prevention program according to the second embodiment. As shown in the figure, the management server device 400 includes a RAM 410, a CPU 420, an HDD 430, a LAN interface 440, an input / output interface 450, and a DVD drive 460.

  The RAM 410 is a memory that stores a program and a program execution result, and the CPU 420 is a central processing unit that reads the program from the RAM 410 and executes the program.

  The HDD 430 is a disk device that stores programs and data, and the LAN interface 440 is an interface for connecting the management server device 400 to another computer via the LAN.

  The input / output interface 450 is an interface for connecting an input device such as a mouse or a keyboard and a display device, and the DVD drive 460 is a device for reading / writing a DVD.

  The server-side information leakage prevention program 411 executed in the management server device 400 is stored in the DVD, read from the DVD by the DVD drive 460, and installed in the management server device 400.

  Alternatively, the server-side information leakage prevention program 411 is stored in a database or the like of another computer system connected via the LAN interface 440, read from these databases, and installed in the management server device 400.

  The installed server-side information leakage prevention program 411 is stored in the HDD 430, read into the RAM 410, and executed by the CPU 420 as the server-side information leakage prevention process 421.

  Now, the embodiments of the present invention have been described so far. Of the processes described in this embodiment, all or a part of the processes described as being automatically performed can be manually performed, or All or part of the processing described as being manually performed can be automatically performed by a known method.

  In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  Furthermore, all or a part of each processing function performed in each device may be realized by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(Appendix 1) An information leakage prevention program for preventing leakage of confidential information held in a computer,
A connection confirmation procedure for confirming whether the computer is connected to a network;
When it is confirmed by the connection confirmation procedure that the computer is not connected to the network, a first deadline is compared with a system date, and if the system date exceeds the first deadline, the computer Is disabled and the system date does not exceed the first deadline, a second deadline shorter than the first deadline is compared with the system date, and the system date is If the second time limit has been exceeded, a warning to the user of the computer, or an information concealment procedure for encrypting the concealment information;
An information leakage prevention program for causing a computer to execute

(Supplementary note 2) When it is confirmed that the information concealment procedure is not connected to the network by the connection confirmation procedure, the system compares the first deadline with the first period added to the carry-out deadline and the system date. If the system date exceeds the first time limit, the startup file of the control system of the computer is destroyed, and if the system date does not exceed the first time limit, the take-out time limit Comparing the second deadline with a second period shorter than the first period to the system date, and encrypting the confidential information if the system date exceeds the second deadline The information leakage prevention program according to appendix 1, wherein:

(Supplementary note 3) When it is confirmed that the information concealment procedure is not connected to the network by the connection confirmation procedure, the first date and the system date are compared, and the system date is the first date The computer control system is shut down, and if the system date does not exceed the first deadline, a second deadline shorter than the first deadline and the system date The information leakage prevention program according to appendix 1, wherein a warning is given to a user of the computer when the system date exceeds the second time limit.

(Supplementary Note 4) Based on an instruction from a user, by sending a take-out application to another computer connected to the network, the other computer can send the first period and the second period. The computer to further execute the take-out application procedure to acquire
The information concealment procedure, when it is confirmed that the connection confirmation procedure is not connected to the network, the first deadline that takes into account the first period acquired by the take-out application procedure to the take-out deadline, The system date is compared, and if the system date exceeds the first deadline, the control system startup file is destroyed, and if the system date does not exceed the first deadline, , Comparing the system date with a second deadline that takes into account the second period acquired by the take-out application procedure in the take-out deadline, and if the system date exceeds the second deadline, The information leakage prevention program according to appendix 2, wherein the secret information is encrypted.

(Additional remark 5) Based on the instruction | indication from a user, by sending out taking-out application with respect to the other computer connected to the said network, said 1st time limit and said 2nd time limit are sent from this other computer The computer to further execute the take-out application procedure to acquire
The information concealment procedure, when it is confirmed that the connection confirmation procedure is not connected to the network, compares the first deadline acquired by the take-out application procedure with the system date, and the system date is If the first deadline has been exceeded, the control system is shut down, and if the system date has not exceeded the first deadline, the second deadline obtained by the take-out application procedure and The information leakage prevention program according to appendix 3, wherein the system date is compared, and if the system date exceeds the second time limit, a warning is given to the user.

(Appendix 6) Based on an instruction from a user, a take-out extension for obtaining a take-out extension time limit approved by the other computer by transmitting a take-out extension request to the other computer connected to the network Let the computer execute the application procedure further,
The information concealment procedure is a first method in which the first period is added to the takeout extension deadline obtained by the takeout extension application procedure when it is confirmed that the connection confirmation procedure is not connected to the network. If the system date is compared with the system date, and the system date exceeds the first date, the startup file of the control system is destroyed, and the system date does not exceed the first date In this case, the system date is compared with a second deadline obtained by adding the second period to the takeout extension deadline obtained by the takeout extension application procedure, and the system date exceeds the second deadline. The information leakage prevention program according to appendix 2 or 4, wherein the secret information is encrypted when the secret information is encrypted.

(Supplementary note 7) Based on an instruction from the user, a take-out extension for obtaining a take-out extension period approved by the other computer by transmitting a take-out extension request to the other computer connected to the network Let the computer execute the application procedure further,
The information concealment procedure, when it is confirmed that the connection confirmation procedure is not connected to the network, the first date and the system date taking into account the take-out extension date acquired by the take-out extension application procedure If the system date exceeds the first deadline, the control system is shut down, and if the system date does not exceed the first deadline, the take-out extension application procedure Comparing the second deadline taking into account the extension deadline for taking out and the system date, and warning the user if the system date exceeds the second deadline. The information leakage prevention program according to appendix 3 or 5.

(Appendix 8) A time synchronization procedure for periodically synchronizing time between a plurality of computers connected to the network;
When it is confirmed by the connection confirmation procedure that it is not connected to the network, the last synchronization time synchronized by the time synchronization procedure is compared with the system date, and the system date is compared with the last synchronization time. If not, the information leakage prevention program according to any one of appendices 1 to 7, further causing a computer to execute a system date check procedure for encrypting the confidential data.

(Supplementary note 9) The secret information backup procedure for periodically backing up the secret information to another computer connected to the network is further caused to be executed by the computer. Information leakage prevention program.

(Additional remark 10) The secret information recovery procedure which acquires the secret information backed up by the other computer connected to the network by the secret information backup procedure and restores the held secret data is further executed by the computer. The information leakage prevention program according to appendix 8.

(Supplementary Note 11) When the take-out application procedure acquires the first time limit and the second time limit from the other computer, the take-out application procedure transmits a list of the confidential information to the other computer. The information leakage prevention program according to appendix 7, which is a feature.

(Additional remark 12) The said other computer is a server apparatus which manages the computer connected to the said network, The information leakage prevention program as described in any one of additional remarks 1-11 characterized by the above-mentioned.

(Supplementary note 13) An information leakage prevention method for preventing leakage of confidential information held in a computer,
A connection confirmation step for confirming whether or not the computer is connected to a network;
When it is confirmed by the connection confirmation step that the computer is not connected to the network, a first deadline is compared with the system date. If the system date exceeds the first deadline, the computer Is disabled and the system date does not exceed the first deadline, a second deadline shorter than the first deadline is compared with the system date, and the system date is If the second time limit has been exceeded, a warning to the computer user, or an information concealment step for encrypting the concealment information;
The information leakage prevention method characterized by including.

(Supplementary note 14) When it is confirmed that the information concealment step is not connected to the network by the connection confirmation step, the first deadline including the first period is added to the take-out deadline and the system date is compared. If the system date exceeds the first time limit, the startup file of the control system of the computer is destroyed, and if the system date does not exceed the first time limit, the take-out time limit Comparing the second deadline with a second period shorter than the first period to the system date, and encrypting the confidential information if the system date exceeds the second deadline The information leakage prevention method according to supplementary note 13, wherein the information leakage prevention method is performed.

(Supplementary Note 15) When it is confirmed that the information concealment step is not connected to the network by the connection confirmation step, the first date and the system date are compared, and the system date is the first date The computer control system is shut down, and if the system date does not exceed the first deadline, a second deadline shorter than the first deadline and the system date 14. The information leakage prevention method according to appendix 13, wherein a warning is given to a user of the computer when the system date exceeds the second time limit.

(Supplementary Note 16) Based on an instruction from a user, by sending a take-out application to another computer connected to the network, the other computer can send the first period and the second period. Further including a take-out application process for obtaining
The information concealment step, when it is confirmed that the connection confirmation step is not connected to the network, the first deadline that takes into account the first period acquired by the take-out application step to the take-out deadline, The system date is compared, and if the system date exceeds the first deadline, the control system startup file is destroyed, and if the system date does not exceed the first deadline, , Comparing the system date with a second deadline that takes into account the second period acquired by the take-out application process in the take-out deadline, and if the system date exceeds the second deadline, 15. The information leakage prevention method according to appendix 14, wherein the secret information is encrypted.

(Supplementary Note 17) Based on an instruction from a user, by sending out a take-out application to another computer connected to the network, the other computer has the first deadline and the second deadline. Further including a take-out application process for obtaining
The information concealment step compares the first date acquired in the take-out application step with the system date when the connection confirmation step confirms that the system date is not connected, and the system date is If the first deadline has been exceeded, the control system is shut down, and if the system date has not exceeded the first deadline, the second deadline obtained by the take-out application process and 16. The information leakage prevention method according to appendix 15, wherein the system date is compared, and if the system date exceeds the second time limit, a warning is given to the user.

(Supplementary Note 18) Based on an instruction from a user, a take-out extension time limit approved by the other computer is obtained by transmitting a take-out extension request to the other computer connected to the network. Further includes an application process,
The information concealment step is a first that takes the first period into consideration in the take-out extension deadline acquired in the take-out extension application step when it is confirmed that the connection confirmation step is not connected to the network. If the system date is compared with the system date, and the system date exceeds the first date, the startup file of the control system is destroyed, and the system date does not exceed the first date In this case, the system date is compared with a second deadline obtained by adding the second period to the take-out extension deadline acquired in the take-out extension application process, and the system date exceeds the second deadline. The information leakage prevention method according to appendix 14 or 16, wherein the secret information is encrypted.

(Supplementary note 19) Based on an instruction from a user, a take-out extension time limit that is approved by the other computer is obtained by transmitting a take-out extension request to the other computer connected to the network. Further includes an application process,
In the information concealment step, when it is confirmed that the connection confirmation step is not connected to the network, the first date and the system date including the take-out extension date acquired in the take-out extension application step If the system date exceeds the first time limit, the control system is shut down. If the system date does not exceed the first time limit, the take-out extension application step Comparing the second deadline taking into account the extension deadline for taking out and the system date, and warning the user if the system date exceeds the second deadline. The information leakage prevention method according to Supplementary Note 15 or 17.

(Supplementary note 20) An information leakage prevention apparatus for preventing leakage of confidential information held in a computer,
Connection confirmation means for confirming whether the computer is connected to a network;
When it is confirmed by the connection confirmation means that it is not connected to the network, the first deadline is compared with the system date, and if the system date exceeds the first deadline, the computer Is disabled and the system date does not exceed the first deadline, a second deadline shorter than the first deadline is compared with the system date, and the system date is If the second time limit has been exceeded, a warning to the user of the computer, or information concealment means for encrypting the confidential information;
An information leakage prevention device characterized by comprising:

As described above, the information leakage prevention program and the information processing apparatus according to the present invention are useful for preventing leakage of confidential information, and in particular, prevent information leakage while suppressing the introduction cost without requiring a special apparatus. Suitable when required.

It is a figure for demonstrating the concept of the information leakage prevention apparatus which concerns on the present Example 1. FIG. 1 is a functional block diagram illustrating a configuration of an information leakage prevention apparatus according to a first embodiment. It is a figure which shows an example of a user management table. It is a figure which shows an example of a user authority management table. It is a figure which shows an example of a terminal management table. It is a figure which shows an example of a take-out management table. It is a figure which shows an example of a take-out application management table. It is a figure which shows an example of a take-out extension application management table. It is a figure which shows an example of a confidential area management table. It is a figure which shows an example of a synchronous management table. It is a figure which shows an example of a take-out time limit table. 5 is a flowchart illustrating a processing procedure of information concealment processing according to the first embodiment. 4 is a flowchart illustrating a processing procedure of terminal synchronization processing according to the first embodiment. 4 is a flowchart illustrating a processing procedure of terminal initial setting processing according to the first embodiment. It is a flowchart which shows the process sequence of the take-out application process which concerns on the present Example 1. FIG. It is a flowchart which shows the process sequence of the take-out extension application process which concerns on the present Example 1. FIG. FIG. 2 is a functional block diagram illustrating a configuration of a computer that executes an information leakage prevention program according to the first embodiment. It is explanatory drawing for demonstrating the concept of the information leakage prevention apparatus which concerns on the present Example 2. FIG. It is a functional block diagram which shows the structure of the terminal side information leakage prevention apparatus which concerns on the present Example 2, and a server side information leakage prevention apparatus. It is a figure which shows an example of the terminal setting information memorize | stored in a terminal setting table. It is a figure which shows an example of the management server setting information memorize | stored in a management server setting table. It is a figure which shows an example of the terminal management information memorize | stored in a terminal management table. It is a sequence diagram which shows the whole flow of the information leakage prevention by the information leakage prevention apparatus which concerns on the present Example 2. FIG. It is a flowchart which shows the process sequence of the terminal taking-out application process which concerns on the present Example 2. FIG. It is a flowchart which shows the process sequence of the use time limit confirmation process which concerns on the present Example 2. FIG. It is a flowchart which shows the process sequence of the warning time limit confirmation process which concerns on the present Example 2. FIG. It is a flowchart which shows the process sequence of the time limit extension process which concerns on the present Example 2. FIG. 10 is a flowchart illustrating a processing procedure of recovery processing according to the second embodiment. It is a functional block diagram which shows the structure of the client terminal device which performs the terminal side information leakage prevention program which concerns on the present Example 2. FIG. It is a functional block diagram which shows the structure of the management server apparatus which performs the server side information leakage prevention program which concerns on the present Example 2. FIG.

Explanation of symbols

10 Network 100, 100 _{1 to} 100 ₃ Computer 110 RAM
111 Information leakage prevention program 120 CPU
121 Information leakage prevention process 130 HDD
131 Secret Data 132 Startup File 140 LAN Interface 150 Input / Output Interface 160 DVD Drive 200 Information Leakage Prevention Device 210 Management Function Control Unit 211 Management Side Key Management Unit 212 User Management Unit 213 Terminal Management Unit 214 Management Side Synchronization Processing Unit 215 Take-out Management Unit 216 take-out extension management unit 217 management-side backup processing unit 218 management-side recovery processing unit 220 terminal function control unit 221 terminal-side key management unit 222 terminal-side synchronization processing unit 223 take-out application unit 224 take-out extension application unit 225 terminal-side backup processing unit 226 Terminal side recovery processing unit 227 Information concealment processing unit 230 Storage unit 231 User management table 232 User authority management table 233 Terminal management table 234 Take-out management table 235 Chi out application management table 236 takeout extended application management table 237 hidden area management table 238 synchronization management table 239 taking out date table 300, 300 _1, 300 ₂ client terminal apparatus 310 RAM
311 Terminal side information leakage prevention program 320 CPU
321 Terminal side information leakage prevention process 330 HDD
331 Secret data 340 LAN interface 350 Input / output interface 360 DVD drive 400 Management server device 410 RAM
411 Server side information leakage prevention program 420 CPU
421 Server side information leakage prevention process 430 HDD
440 LAN interface 450 I / O interface 460 DVD drive 500 terminal side information leakage prevention device 510 interface control unit 520 storage unit 521 terminal setting table 530 control unit 531 initial setting processing unit 532 encryption processing unit 533 synchronization processing unit 534 take-out application processing unit 535 Usage period confirmation unit 536 Warning period confirmation unit 537 Term extension processing unit 538 Recovery processing unit 600 Server side information leakage prevention device 610 Interface control unit 620 Storage unit 621 Management server setting table 622 Terminal management table 630 Control unit 631 Initial setting processing unit 632 Synchronization processing unit 633 Take-out application processing unit 634 Warning deadline confirmation unit 635 Time limit extension processing unit 636 Recovery processing unit

Claims (14)

An information leakage prevention program for preventing leakage of confidential information held in a computer,
While the computer is connected to the network, the public key paired with the private key held by the other computer is acquired from another computer connected via the network, and held in the key management unit Public key acquisition procedure;
A connection confirmation procedure for confirming whether the computer is connected to the network,
An information concealment procedure for encrypting the concealment information with a public key held in the key management unit when it is confirmed by the connection confirmation procedure that the computer is not connected to the network;
An information leakage prevention program for causing a computer to execute When it is confirmed that the information concealment procedure is not connected to the network, the system date of the computer is compared with a first deadline, and when the system date exceeds the first deadline. Makes the computer unusable and, if the system date does not exceed the first deadline, compares a second deadline shorter than the first deadline with the system date, If the system date is exceeded the said second time limit, information leakage prevention program as claimed in claim 1, characterized in that for encrypting the confidential information with the public key. Causing the computer to further execute a take-out time limit obtaining procedure for obtaining a take-out time limit from the other computer while the computer is connected to the network;
When it is confirmed that the information concealment procedure is not connected to the network, the first time limit is calculated by adding the first time period to the take-out time limit, and the first time period is set to the take-out time limit. The information leakage prevention program according to claim 2 , wherein the second time limit is calculated by adding a shorter second period. When it is confirmed that the information concealment procedure is not connected to the network, it is determined whether or not the take-out time limit has been acquired, and if it has not been acquired, a predetermined time has elapsed. 4. The information leakage prevention program according to claim 3 , wherein the computer is made unusable afterwards. The information concealment procedure outputs a warning message to a display unit provided in the computer when the take-out deadline has not been acquired, and after a predetermined time has passed since the warning message was output, 5. The information leakage prevention program according to claim 4 , wherein the computer is disabled. 6. The information leakage prevention program according to claim 3 , wherein the take-out time limit acquisition procedure transmits the list of the confidential information to the other computer when the take-out time limit is acquired. . A communication procedure for periodically communicating with the other computer while the computer is connected to the network;
When it is confirmed that the information concealment procedure is not connected to the network, the latest communication time and the system date which are the last communication time with the other computer by the communication procedure. comparing the door, if the system date is earlier than the latest communication time, according to any one of claims 1 to 6, characterized in that the encryption of the secret information in the public key Information leakage prevention program. The information concealment procedure, as a process for making the computer unusable, destroys a startup file of the control system of the computer or shuts down the control system of the computer. Item 3. The information leakage prevention program according to item 2 . An information processing apparatus for preventing leakage of confidential information held in the own apparatus,
Key management means for acquiring and holding a public key that is paired with a private key held by another computer while the computer is connected to the network from another computer connected via the network; ,
A connection confirming means for confirming whether or not the own device is connected to the network,
An information concealment unit that encrypts the confidential information with the public key held by the key management unit when the connection confirmation unit confirms that the device is not connected to the network;
An information processing apparatus comprising: When it is confirmed that the information concealment unit is not connected to the network, the information concealment unit compares the system date of the device with the first deadline, and when the system date exceeds the first deadline. Makes the device unusable, and if the system date does not exceed the first deadline, compares the system date with a second deadline shorter than the first deadline, The information processing apparatus according to claim 9 , wherein the secret information is encrypted with the public key when a system date exceeds the second time limit. Further comprising take-out time limit acquisition means for acquiring a take-out time limit from the other information processing device while the own device is connected to the network;
When it is confirmed that the information concealment unit is not connected to the network, the first period is calculated by adding the first period to the take-out deadline, and the first period is added to the take-out deadline. The information processing apparatus according to claim 10 , wherein the second time limit is calculated by adding a shorter second period. When it is confirmed that the information concealment unit is not connected to the network, the information concealment unit determines whether or not the take-out time limit has been acquired, and if it has not been acquired, a predetermined time has elapsed. The information processing apparatus according to claim 11 , wherein the information processing apparatus is made unusable afterwards. The information concealment means outputs a warning message to a display unit provided in its own device when the take-out deadline has not been acquired, and automatically outputs a predetermined time after the warning message is output. The information processing apparatus according to claim 12 , wherein the apparatus is disabled. 14. The information processing according to claim 11 , wherein the take-out time limit acquisition unit transmits the list of confidential information to the other information processing apparatus when the take-out time limit is acquired. apparatus.

Images