JP4857199B2 - Information asset management system, log analysis device, and log analysis program - Google Patents

Description

  The present invention relates to an information asset management reporting technique for visualizing and reporting the location of information assets under the management of an organization.

  In recent years, information such as personal information and trade secrets in organizations is increasingly digitized. Computerized information exists as files on the computer or data on the memory, but from the point of view of information leakage, it can be said that the damage when the file storing the information is large and the frequency of occurrence is not low. . Hereinafter, a file including confidential information such as personal information and trade secrets is referred to as an information asset. Since information assets are files, they can be easily copied, transferred, processed, etc., and it is difficult to know where they are located compared to physical fixed assets. For this reason, it is almost impossible to grasp the usage status of who uses information assets and how, for example, the information assets copied without the user's knowledge should be leaked, or deleted according to organizational rules. However, it is increasingly difficult to deal with leakage accidents such as leakage of information assets that have been forgotten to be erased.

  Also, outsourcing companies often carry out their operations after depositing information assets from a consignment source company. It is also necessary to delete the information asset after it has expired. Therefore, it can be easily predicted that an outsourcing company will be required to prove to the consignor that the information assets they have been handling are properly handled in the business, and to delete them completely after the contract expires. .

  According to Patent Document 1, an authorized user can easily take out information assets and copies thereof outside a managed network environment or file management system (hereinafter referred to as a network environment). In order to counter this threat, it has been disclosed that it is easier to detect unexpected behavior patterns by monitoring the usage status of information assets in a network environment and reporting it to the administrator. According to Patent Document 1, in order to grasp where an information asset is under the management of an organization, for example, it has been transmitted attached to an e-mail, uploaded to a common storage area on the Internet, USB (Universal Serial Bus) It is possible to know that data has been written to flash memory or CD-R (CD Recordable) / DVD-R (Digital Versatile Disk Recordable).

  According to Non-Patent Document 1, in order to find out where the information asset is in the organization's network environment, the information asset can be found at high speed by crawling the file and indexing its contents. Is open to the public. According to Non-Patent Document 1, a user who wants to find an information asset can quickly find out where the information asset is, simply by specifying a search keyword.

  Further, according to Patent Document 2, in order to prevent an encrypted file from being decrypted by an arbitrary personal computer (Personal Computer, PC), a dependency file for generating a decryption key is arranged in a predetermined PC. It is disclosed that a decryption key is generated on a PC only when the dependency file is on a predetermined PC. According to this patent document 2, even if the information assets are taken out to an arbitrary PC, it is possible to prevent leakage by not decrypting the information assets.

JP-T-2006-518893 JP-A-2005-109779 Google, “Enterprise Solutions,” [online], January 2007, Google, [January 18, 2007 search], Internet <URL: http: // www. Google. co. jp / enterprise />

  In order to grasp the location of information assets that can be easily copied, transferred, and processed, it is necessary to keep following the information assets. For example, take information assets under management of the network environment in an organization to USB flash memory, CD-R / DVD-R, paper, e-mail, etc. I need to keep chasing. In the prior art disclosed in Patent Document 1, when a pair of events occur such as when an information asset taken out (exported) from management is brought back (managed) again under management, It was not possible to distinguish whether it was an existing information asset or a new file.

  Further, for example, even when information assets continue to exist under the management of the network environment in the organization, it is necessary to keep following the information assets. For example, even when there is an event such as compression or encryption of file format conversion, it is necessary to distinguish that the converted file is an information asset. In the prior art disclosed in Non-Patent Document 1, when the file format is converted, it is difficult to index the contents of the file, and it cannot be distinguished that it is an information asset.

  Furthermore, it is necessary to continue to follow even if there are information assets in portable media such as USB flash memory and compact flash (registered trademark), and the portable media may be copied to a home PC that is not managed. It is also necessary to follow up the traces to be made. Furthermore, it is necessary to prevent unauthorized use such as copying on a home PC via a portable medium and to prevent leakage of information assets from a lost or stolen portable medium.

  The present invention provides an information asset management system, an information asset analysis server, and an information asset analysis program capable of managing and reporting information assets under management of a network environment even when various events occur. For the purpose.

  To achieve the above object, the present invention provides an information asset management system in a network environment in which a terminal operated by a user and a log analysis device are connected, the terminal monitoring the operation of the user, A monitoring unit that outputs terminal logs including characteristic values of information assets before and after the occurrence of a pair of events for the asset, and the log analyzer collects the integrated logs obtained by collecting the terminal logs collected via the network. And an information asset management system, a log analysis device, and a log analysis program for reporting an analysis result by the correlation analysis unit.

That is, according to the present invention, when a file is exported from a managed network environment to a USB flash memory, CD-R / DVD-R, paper, e-mail, etc., which is a pair of events, and when the file is imported to a network environment. Monitoring is performed including the feature values of the file, comparing the feature values before export and the feature values after import to determine whether they are the same information asset, and reporting a list of information assets in the organization.
In addition, the present invention performs monitoring including file characteristic values when performing file format conversion processing such as compression and encryption, which is a pair of events when there is a file in the network environment under management, Monitoring including the feature values of newly created files when performing reverse conversion processing of file formats such as decompression and decryption, and comparing feature values before conversion and feature values after reverse conversion Determine whether or not the information assets are the same, and report a list of information assets in the organization.

  In addition, the present invention is limited to writing only a file of a self-decoding format with a decoding condition (self-decoding format file) when writing to a portable medium such as a USB flash memory or a compact flash. Is provided with a condition for determining whether or not a predetermined portable medium is connected to a PC for decoding and a condition for determining whether or not a predetermined portable medium is connected to a predetermined PC. The main features are to leave a connection destination and a log of success or failure of decryption on the medium and to prevent leakage of information assets to other than a predetermined PC.

  The information asset management system of the present invention is advantageous in that it can keep track of files that are defined as information assets in the organization. For example, there is an advantage that an administrator can accurately and easily grasp information assets in a place with a high risk of leakage such as a portable medium. In addition, for an outsourcing company, there is an advantage that it is possible to accurately and easily know where the information assets that need to be deleted after the contract term has expired, including the case where the information assets are encrypted.

  Embodiments of the information asset management system will be described below with reference to the drawings as appropriate.

  FIG. 1 is a diagram showing the entire information asset management reporting system 100 according to the first embodiment. An information asset management reporting system 100 that forms a network environment includes one or more clients (terminals such as PCs) 10a and 10b, a log collection server 20 that functions as a log collection device, and a log analysis server 30 that functions as a log analysis device. The network 40 is connected to the network 40 by wire or wireless. Further, in the information asset management reporting system 100, an Internet server 41, a multi-function device 60, and an index server 70 are also connected to the network 40.

  The Internet server 41 relays transmission / reception of the electronic mail 43 exchanged in the network 40 or on the Internet 42, and stores an electronic mail server 43 that stores the transmitted / received electronic mail 43 or a Proxy server that relays Web communication with the Internet 42. It is. The multi-function device 60 is a device that prints out the paper 61 in response to a print request from the client 10 and stores the contents of the paper 61 as a read file by a scanner. Further, the index server 70 periodically crawls files stored in the client 10, files stored in the Internet server 41, and e-mails, and indexes the contents for search. It is a device that enables high-speed searching simply by specifying keywords.

  Further, in the information asset management reporting system 100, the client 10 can be connected to a portable medium 50 such as a CD-R / DVD-R, a USB flash memory, a floppy (registered trademark) disk, and the client 10 is portable. 50 and file exchange.

  Here, in principle, the client 10 is assigned to each user 1. Note that the client 10 may be assigned to two or more users. In this case, the client 10 can identify which user has used the client 10 by identifying and authenticating the user. You can do it. Hereinafter, in order to simplify the description, it is assumed that the user 1a uses the client 10a and the user 1b uses the client 10b to perform business in the organization. The log analysis server 30 is operated by the administrator 2.

  Further, a software configuration in the client (terminal) 10, the log collection server 20, and the log analysis server 30 will be described with reference to FIG. In the client 10, a monitoring program 11 for monitoring and recording in detail an event operated by the user 1 in the client 10 operates and stores a terminal log 12 that is a result of recording by the monitoring program 11. This monitoring program 11 constitutes a monitoring unit of the client 10 in this embodiment. In the log collection server 20, a terminal log collection program 21 that constitutes a log collection unit for collecting the terminal logs 12 a and 12 b operates and stores an integrated log 22 that is a result of collection by the terminal log collection program 21. In the log analysis server 30, the correlation analysis program 31 constituting the correlation analysis unit that analyzes the integrated log 22 and visualizes the location of the information asset in the organization operates, and the information asset that is the result of the analysis by the correlation analysis program 31 A list 32 is stored.

  Note that the client 10a and the client 10b do not need to be equipped with the same operating system (Operating System, OS), and different monitoring programs 11a and 11b may operate on different OSs. In the case of different types of OSs, a unified format may be used for the integrated log 22 that is a result of collecting the terminal log 12a and the terminal log 12b.

  Next, a block diagram of the client 10 will be described with reference to FIG. The client 10 temporarily stores data and programs in the processing unit (CPU) 201, which is a central processing process for controlling the client 10 and calculating / processing data, and the CPU 201 can directly read and write data. A memory 202 that is a storage device, a storage device 203 for storing data and programs so that they are not lost even if the client 10 is turned off, a communication unit 204 that communicates with the network 40 in a wired or wireless manner, and a user 1, a display unit 205 for displaying data calculation / processing results on a display, an operation unit 206 for receiving keyboard input, mouse input, and the like from the user 1, and a portable medium 50. A portable medium connection unit 207 for reading and writing data and the like is connected to each other via a bus 208. With the hardware configuration. The monitoring program 11 is loaded into the memory 202 and is processed by the CPU 201. The terminal log 12 is stored in the storage device 203.

  The log collection server 20 and the log analysis server 30 also have the same hardware configuration as that of the block diagram of the client 10 shown in FIG. However, the portable medium connection unit 207 is not necessarily required. Also, the storage device 203 stores the integrated log 22 and the information asset list 32, respectively, and the processing unit (CPU) 201 includes a terminal log collection program 21 that is a terminal log collection unit and a correlation analysis program that is a correlation analysis unit, respectively. 31 is executed. Needless to say, the log collection server 20 and the log analysis server 30 may be composed of a single server.

  Next, the data formats of the terminal log 12, the accumulation log 22, and the information asset list 32 will be described with reference to FIGS.

FIG. 3 explains the data format of the terminal log 12 and the integrated log 22. The terminal log 12 is recorded by the monitoring program 11 in the storage device 203 by monitoring events such as export and import and file format conversion in the client 10. In the terminal log 12, one entry includes a date and time 301 indicating the time when the event occurred, a path 1 (302) that is the state of the file before the occurrence of the event, a file name 1 (303), a feature value 1 (304), A table composed of zero or more entries, consisting of event 305 indicating the type of event, path 2 (306) which is the state of the file after the event, file name 2 (307), and feature value 2 (308) It is data. The path 1 (302) and the path 2 (306) are uniquely identifiable paths in the network environment of the information asset management reporting system 100. For example, the path 1 (302) and the path 2 (306) have one of the following formats or other paths. May be.
・ "Computer name" + "Drive letter" + "Path on hard disk"
・ "Computer name" + "Hard disk drive number" + "Hard disk path"
・ "IP address" + "drive letter" + "path on hard disk"
・ "IP address" + "Hard disk drive number" + "Hard disk path"
・ "MAC address" + "drive letter" + "path on hard disk"
・ "MAC address" + "hard disk drive number" + "path on hard disk"
Further, the feature value 1 (304) and the feature value 2 (308) output a fixed data length with respect to input data such as MD5 (Message Digest Algorithm 5) and SHA1 (Secure Hash Algorithm 1), for example, and are the same. The output result of the hash function is such that it is difficult to find different input data that will result in

  The terminal log 12 is recorded for each client as a terminal log 12 a and a terminal log 12 b, and these are collected by the terminal log collection program 21 and become an integrated log 22. The data format of the integrated log 22 is the same as that of the terminal log 12.

  FIG. 4 illustrates the data format of the information asset list 32 stored in the storage device corresponding to the storage device 203 of FIG. 2 of the log analysis server 30. The information asset list 32 is obtained by recording the result of analyzing the accumulated log 22 by the correlation analysis program 31 which is the correlation analysis unit of the log analysis server 30 in the storage device 203. The information asset list 32 includes sheets 410a, 410b, and 410c that differ by the number of different information assets. In each sheet, one entry includes one path 401, file name 402, and feature value 403. It includes table data composed of entries and a sheet name 404. The sheet 410 indicates where and how many of the same information assets exist in the information asset management reporting system 100.

  The block diagram and data format of the information asset management reporting system 100 have been described above. Next, an operation flowchart and an operation example will be described with reference to FIGS.

  FIG. 5 is a diagram showing an operation flowchart of the monitoring program 11 executed by the CPU 201 of the client 10. In addition, the figure shows a pair of events monitored by the monitoring program 11. When the user 1 turns on the client 10 (step 501), the monitoring program 11 is also activated in accordance with the activation of the OS (step 502). The activated monitoring program 502 monitors various events, such as network communication, use of portable media, printing, and file format conversion, which occur in the client 10 (step 503). These paired events include an export 510 in which a file is taken out of the management of the information asset management reporting system 100 that is a network environment, an import 511 in which the file is brought into management, and a conversion operation for converting the file format. 512 and an inverse transformation operation 513 can be broadly classified. The monitoring program 11 records the monitored event as the terminal log 12 (step 504). The monitoring program 11 continues to operate while the client 10 is powered on (step 505). If the user 1 tries to shut down the client 10, the monitoring program 506 stops (step 506) and turns off the power of the client 10 (step 507). Through the processing of the monitoring program 11 described above, all events that have occurred in the client 10 can be recorded as the terminal log 12.

  Note that the pair of events illustrated in FIG. 5 do not need to occur in the same client, and it goes without saying that, for example, export 510 and import 511 in network communication may be performed by different clients 10.

  FIG. 6 is an operation flowchart of the correlation analysis program 31 that is executed by the CPU of the log analysis server 30 and functions as a correlation analysis unit. The correlation analysis program 31 first reads the integrated log 22 in the log collection server 20 (step 601), and rearranges the entries in the order of date and time 301 (step 602). The correlation analysis program 31 starts processing from the old entry, extracts one entry from the accumulation log 22, and checks the type of the event 305 (step 603). If the type of the event 305 is the export 510 or the conversion operation 512 described in FIG. 5, the information asset that matches both the path 1 (302) and the file name 1 (303) indicating the state of the file before the event occurs. An entry in the list 32 is searched (step 604). The sheet 410 of the matched information asset list 32 is updated to path 2 (306), file name 2 (307), and feature value 2 (308) indicating the state of the file after the event has occurred (step 605). On the other hand, in step 603, if the type of the event 305 is the import 511 or the inverse conversion operation 513 described in FIG. It is searched whether there is any (step 606).

  If there is a matching entry (YES), the sheet 410 of the information asset list 32 is updated as in step 605. If there is no matching entry (NO), a new sheet 410 is added to the information asset list 32, and the path 2 (306), file name 2 (307), and feature value 2 are the file states after the event has occurred. (308) is regarded as a new information asset (step 607). When the processing of one entry extracted from the accumulation log 22 is completed as described above, the processing proceeds to the next entry until the processing of all the accumulation logs 22 is completed (step 608). Through the above-described processing of the correlation analysis program 31, it is possible to grasp the location of the information asset in the information asset management reporting system 100 and to grasp that it is exposed to a leakage risk due to the large number of information assets dispersed. Become.

  Here, in step 607, if the feature value does not match the information asset list 32, it is uniformly added to the information asset list 32, but it is uniformly stored in a database different from the information asset list 32 and managed. You may do it. Alternatively, the data may not be stored in the database at all.

  Next, specific events and specific processing of the monitoring program 11 and the correlation analysis program 31 will be described with reference to FIGS.

  FIG. 7 shows an example of attachment to an e-mail and storage of an attached file as an example of network communication. A plurality of files can be attached to one e-mail. Here, it is assumed that the user 1 a attaches the file 701 and the file 702 to the e-mail 43. At this time, the monitoring program 11a calculates the feature value 1 of the file 701, and the entry 711 indicating that the file 701 having the feature value 1 is attached to the mail as the terminal log 12a, and the file 702 having the feature value 2 in the same manner. Two entries 712 indicating that the message is attached to the mail are recorded.

  When the user 1b saves the attached file of the e-mail on the side receiving the e-mail 43, two files 703 having a path 3 and a file name 3 and a file 704 having a path 4 and a file name 4 are generated. At this time, the monitoring program 11b calculates the feature value 3 of the file 703, and saves the file having the feature value 4 in the same manner as the entry 713 indicating that the file having the feature value 3 is saved as the terminal log 12b. Two entries 714 indicating the above are recorded. The terminal log collection program 21 collects these terminal logs 12 a and terminal logs 12 b and aggregates them as an integrated log 22.

  The correlation analysis program 31 reads the integrated log 22 and analyzes the location of information assets. As a precondition before analysis, it is assumed that a sheet 721 indicating the location of the file 701 and a sheet 722 indicating the location of the file 702 are already stored as the information asset list 32. When reading the entry 711, the correlation analysis program 31 finds an entry in the sheet 721 that matches the state of the file (path 1, file name 1) before the occurrence of the event because the type of the event 305 is export mail attachment. Next, the correlation analysis program 31 adds the state of the file after the occurrence of the event to the sheet 721 and updates the information asset having the characteristic value 1 as shown in the sheet 723 to indicate that the information is also present in the e-mail. Similarly, when the correlation analysis program 31 reads the entry 712, as shown in the sheet 724, the information asset having the characteristic value 2 is updated so as to indicate that it is also present in the e-mail.

  Further, when the entry 713 is read, the correlation analysis program 31 finds a sheet 723 that matches the state of the file after the event occurrence (feature value 3) because the type of the event 305 is an import of saving attachment. Further, the file status (path 3, file name 3) after saving the file attached to the mail is added to the sheet 723, and updated so that the same information asset is stored in the same sheet as shown in the sheet 725. . Similarly, when the correlation analysis program 31 reads the entry 714, as shown in the sheet 726, the same information asset is updated so as to be stored in the same sheet.

  As described above, the information assets on the information asset management reporting system 100 can be obtained by monitoring and recording events by the monitoring program 11 and analyzing the correlation analysis program 31 with respect to attachments to e-mails and storage of attached files. However, you can easily understand where and how many are there, including attachments to e-mails. FIG. 7 shows an example of attaching to an e-mail and storing the attached file, but in addition to this, saving the file attached to and attached to the instant messenger (IM), uploading the Web, and Web Information assets can be followed for download by FTP, FTP file transmission and FTP file reception.

  FIG. 8 shows an example of writing to the USB flash memory and copying from the USB flash memory as an example of using the portable medium. In writing to the USB flash memory, one or more files can be simultaneously written. Here, the user 1a writes the file 801 with path 1 and file name 1 and the file 802 with path 2 and file name 2 to the USB flash memory. 50 is written. At this time, the monitoring program 11a calculates the feature value 1 of the file 801 and is similar to the entry 811 indicating that the file 801 having the feature value 1 is written in the USB flash memory 50 having a unique device ID as the terminal log 12a. Thus, two entries 812 indicating that the file 802 having the feature value 2 is written in the USB flash memory 50 having the unique device ID are recorded.

  When the user 1b copies from the USB flash memory 50 to the client 10b again, the monitoring program 11b calculates the feature value 3 of the file 803 and confirms that the file 803 having the feature value 3 as the terminal log 12 has been copied to the client 10. Two entries 813 indicating that the file 804 having the feature value 4 is copied to the client 10b are recorded. The terminal log collection program 21 collects these terminal logs 12 a and terminal logs 12 b and aggregates them as an integrated log 22.

  The correlation analysis program 31 reads the integrated log 22 and analyzes the location of information assets. As a precondition before analysis, it is assumed that a sheet 821 indicating the location of the file 801 and a sheet 822 indicating the location of the file 802 are already stored as the information asset list 32. When the correlation analysis program 31 reads the entry 811, the event 305 type is an export of writing to the USB flash memory, so the sheet 821 that matches the state of the file before the event occurrence (path 1, file name 1) Find an entry. Next, the correlation analysis program 31 adds the state of the file after the occurrence of the event to the sheet 821, and the information asset having the characteristic value 1 is also included in the USB flash memory having the unique device ID as shown in the sheet 823. Update to show that Similarly, when the correlation analysis program 31 reads the entry 812, as shown in the sheet 824, the information asset having the feature value 2 is updated to indicate that it is also included in the USB flash memory having the unique device ID. .

  Further, when reading the entry 813, the correlation analysis program 31 finds a sheet 823 that matches the state of the file after occurrence of the event (feature value 3) because the type of the event 305 is import of copying from the USB flash memory. Further, the state of the newly created file (path 3, file name 3) as a result of copying to the client 10b is added to the sheet 823, and the same information asset is stored in the same sheet as shown in the sheet 825. To do. Note that the contents of the file written to the USB flash memory 50 may be changed. In such a case, since the feature value is also changed, a new sheet 410 is added and information assets are managed on the added sheet 410 as described in step 607 of FIG. Similarly, when the correlation analysis program 31 reads the entry 814, the same information asset is updated so as to be stored in the same sheet as shown in the sheet 826.

  As described above, information on the information asset management reporting system 100 can be obtained by monitoring and recording events by the monitoring program 11 and analyzing by the correlation analysis program 31 for writing to the USB flash memory and copying from the USB flash memory. It becomes possible to easily grasp where and how many assets exist, including the USB flash memory. Although the USB flash memory is targeted in FIG. 8, information assets can also be followed when a portable medium such as a floppy disk, CD-R / DVD-R, or DVD-RAM is used.

  FIG. 9 shows an example of printing on paper and scanner reading as an example of printing. Here, it is assumed that the user 1a prints the file 901 with the path 1 and file name 1 on the paper 61, and the user 1b saves the result of reading the paper 61 with the scanner in the file 902 with the path 2 and file name 2. To do. At this time, the monitoring program 11a calculates the feature value 1 of the file 901, and records an entry 911 including the number of copies, indicating that the file having the feature value 1 is printed as the terminal log 12a. Furthermore, the monitoring program 11a embeds the feature value 1 with a digital watermark when printing on paper as disclosed in, for example, Japanese Patent Application Laid-Open Publication No. 2006-279640 “Information Embedding Device, Printing Medium, and Information Reading Device”. Do. When the user 1b reads it with the scanner, the embedded digital watermark is detected as shown in the patent document, and the monitoring program 11b records an entry 912 including the feature value 2 detected when the file 902 is saved. The terminal log collection program 21 collects these terminal logs 12 a and terminal logs 12 b and aggregates them as an integrated log 22.

  The correlation analysis program 31 reads the integrated log 22 and analyzes the location of information assets. As a precondition before the analysis, it is assumed that a sheet 921 indicating the location of the file 901 is already stored as the information asset list 32. When reading the entry 911, the correlation analysis program 31 finds an entry in the sheet 921 that matches the state of the file (path 1, file name 1) before the occurrence of the event because the type of the event 305 is export printing. Next, the correlation analysis program 31 adds the state of the file after the event occurrence to the sheet 921 and updates the information asset having the feature value 1 as shown in the sheet 922 to be included in the paper including the number of copies. To do. Furthermore, when the entry 912 is read, the correlation analysis program 31 finds a sheet 922 that matches the state of the file after the event occurrence (feature value 2) because the type of event 305 is an import called scanner reading. Further, the state (path 2, file name 2) of the file 902 in which the scanner reading result is stored is newly added to the sheet 922, and the update is performed so that the same information asset is stored in the same sheet as indicated by the sheet 923.

  As described above, with respect to printing and scanner reading, by monitoring and recording events by the monitoring program 11 and analysis by the correlation analysis program 31, where and how many information assets are on the information asset management reporting system 100. It will be possible to easily grasp including printing on paper. As a result, information assets can be followed for printing and scanning.

  The operation of the information asset management reporting system 100 has been described above including a specific example. FIG. 10 is an example of a screen interface when the information asset list 32 is displayed on the administrator 2 by the log analysis server 30.

  The screen interface 1001 for displaying the information asset list 32 displays the sheets 410a, 410b, 410c and the like shown in FIG. 4 in a tree format in the left area, and uses the sheet name 404 shown in FIG. 4 as the name of each sheet. indicate. Note that the administrator 2 can edit the sheet name 404 on the screen interface 1001. Further, when the administrator 2 selects one sheet in the tree format in the left area with a mouse click or the like, a list of information assets included in the sheet 410 is displayed in the list format in the right area.

  Alternatively, the screen interface for displaying the information asset list 32 may be as shown in FIG. The screen interface 1100 illustrated in FIG. 11 is realized by the log server 30 and the index server 70 in cooperation. The index server 70 can be used not only by the administrator 2 but also by the user 1 by providing an interface by a Web browser, for example.

  The screen interface 1100 is configured to input a search condition in the left area and display the search result in the right area. As a search condition, a keyword 1101, an information creation date 1102, or a path 1103 can be specified. When the search button 1104 is pressed, the log server 70 searches the indexed contents, displays a path 1105 and a file name 1106 as a search result in the right area, and further displays a button 1107 for viewing the same file. indicate. The search condition may be other, for example, a file hash value or a device ID of the USB flash memory can be specified.

  When a button for viewing the same file 1107 is pressed, the log server 30 searches the information asset list 32 for the same file as the file identified by the path 1105 and the file name 1106 and displays it in the information asset list dialog 1110. The dialog 1110 also displays a “Close” button for closing the dialog.

  By using the screen interface 1001 shown in FIG. 10, the administrator 2 can easily and accurately grasp the location of information assets in the organization. Further, the manager 2 or the user 1 can use the screen interface 1100 shown in FIG. 11 to search for a specific information asset and easily and accurately grasp the location of the same file as the searched information asset. it can.

  In the second embodiment, the same configuration as that of the information asset management reporting system 100 described in the first embodiment is taken, and the information asset can be tracked even if the file format is converted, such as file decompression or file encryption. A possible information asset management reporting system is described.

FIG. 12 shows an example of file compression and file decompression as one example of file format conversion. In the file compression, one or more files can be compressed and archived as one file. Here, the user 1a has two files, a normal file 1201 with path 1 and file name 1 and a normal file 1202 with path 2 and file name 2. Is compressed into a compressed file 1203 with path 3 and file name 3. At this time, the monitoring program 11a calculates the feature value 1 of the normal file 1201, and the normal file having the feature value 2 in the same manner as the entry 1211 indicating that the normal file having the feature value 1 is compressed as the terminal log 12a. Two entries 1212 indicating that the file has been compressed are recorded.
When the user 1b decompresses the compressed file 1203, two files, a normal file 1204 with path 4 and file name 4 and a normal file 1205 with path 5 and file name 5, are generated. At this time, the monitoring program 11b calculates the feature value 4 of the normal file 1204, and an entry 1213 indicating that the normal file having the feature value 4 has been decompressed as the terminal log 12b, and the normal file having the feature value 5 in the same manner. Two entries 1214 indicating the decompression are recorded. The terminal log collection program 21 collects these terminal logs 12 a and terminal logs 12 b and aggregates them as an integrated log 22.

  The correlation analysis program 31 reads the integrated log 22 and analyzes the location of information assets. As a precondition before analysis, it is assumed that a sheet 1221 indicating the location of the normal file 1201 and a sheet 1222 indicating the location of the normal file 1202 are already stored as the information asset list 32. When the correlation analysis program 31 reads the entry 1211, since the event 305 type is a conversion operation called file compression, it finds an entry in the sheet 1221 that matches the state of the file before the event (path 1, file name 1). . Next, the correlation analysis program 31 adds the state of the file after the event occurrence to the sheet 1221 and updates the information file having the feature value 1 as shown in the sheet 1223 to be included in the compressed file. To do. Similarly, when the correlation analysis program 31 reads the entry 1212, the information is updated so as to indicate that the information asset having the feature value 2 is also included in the compressed file as shown in the sheet 1224.

Further, the correlation analysis program 31 reads the entry 1213. At this time, since the type of the event 305 is an inverse conversion operation called file decompression, a sheet 1223 that matches the state of the file after the event occurrence (feature value 4) is found. Further, the state (path 2, file name 2) of the file newly generated as a result of the file decompression is added to the sheet 1223, and updating is performed so that the same information asset is stored in the same sheet as indicated by the sheet 1225. Similarly, when the correlation analysis program 31 reads the entry 1214, as shown in the sheet 1226, the same information asset is updated so as to be stored in the same sheet.
As described above, for file compression and file decompression, where and how many information assets are on the information asset management reporting system 100 by monitoring and recording events by the monitoring program 11 and analysis by the correlation analysis program 31. Can be easily grasped including compressed files. Although FIG. 12 shows an example of file compression and file decompression, event monitoring and log analysis can be similarly performed for file encryption and file decryption.

  In the third embodiment, it is assumed that the portable medium is connected to a private PC and the file is illegally copied, or the portable medium is lost or stolen and the file is illegally referred to. An information asset management reporting system capable of preventing unauthorized use of a file and protecting a lost / stolen file even when a medium is connected to an unmanaged PC will be described.

  FIG. 13 shows an overall view of an information asset management reporting system 1300 in the third embodiment. The information asset management reporting system 1300 includes a client 10 and a WF server 1320. Note that WF is an abbreviation for workflow. On the WF server 1320, the WF manager 1321 operates and holds a take-out management DB 1322, a portable medium list 1323, and a client list 1324 as databases. On the client 10, a monitoring program 1311 and a WF agent 1312 operate and hold a terminal log 1313. Other components such as the log collection server 20 and the log analysis server 30 are the same as those in the information asset management reporting system described in the first embodiment. The network 40 is not limited to an in-house network and may be the Internet. It goes without saying that the internal configuration of the client 10 has the configuration shown in FIG. 2, the terminal log 1313 is stored in the storage device 203 that constitutes the storage unit, and the WF agent 1312 is a processing unit like the monitoring program 1311. It operates on the CPU 201. The WF server 1320 also has the same hardware configuration as that of the client 10 shown in FIG.

  Next, a block diagram of the portable medium 50 will be described with reference to FIG. Specifically, the portable medium 50 is a readable / writable portable storage device such as a USB flash memory, a compact flash, or a memory stick. In this portable medium 50, an area allocated for the user to read and write files from the OS, that is, a normally accessible area 1440 recognized as a partition, and an invisible area 1450 that is not allocated as a partition and is not visible to the OS. Exists. The invisible area 1450 is used as an area for writing a log. For example, as a writing method, there is a method of directly writing a log in sector units. The log includes a date and time 1431, a message 1432, and a checksum 1433. The checksum 1433 is used to check that the date 1431 and the message 1432 have not been tampered with. As a result, even when the portable medium 50 is referred to by the explorer or the like from the client, the invisible area 1450 cannot be referred to, and it is difficult to tamper and delete the log by a normal method. In order to make the size of the invisible area 1450 equal to or larger than a predetermined size, the administrator collectively sets the size of the normal accessible area 1440 smaller than the original size when the portable medium 50 is purchased by the organization. It may be distributed to users.

  Alternatively, the invisible area 1450 may be a tamper resistant area of the portable medium 50. In the tamper-resistant area, all of the date / time 1431, the message 1432, and the checksum 1433 may be placed, or only the checksum 1433 may be placed, and may be determined according to the size of the tamper-resistant area. Further, the access condition to the tamper resistant area includes collation with secret information such as PIN (Personal Identification Number), or access to the tamper resistant area only from a dedicated driver.

  Further, the date / time 1431, the message 1432, and the checksum 1433 may be written in the normal accessible area 1440 as a file that can be encrypted / decrypted only by the log recording program 1410. When the log recording program 1410 opens a log file, the file handle is opened by exclusive control, so that while the log recording program 1410 is running, it is possible to prevent other programs from falsifying and deleting the log.

  In general, the portable medium 50 is often given a serial number assigned by a manufacturer. These exist as manufacturer ID 1460 and serial ID 1461 that cannot be changed. It is assumed that the portable medium 50 is uniquely identified using the manufacturer ID 1460 and the serial number 1461, and the portable medium list 1323 centrally manages the list of portable media 50 owned in the organization.

  Alternatively, when the portable medium 50 does not have the manufacturer ID 1460 and the serial ID 1461, or when the portable medium 50 has the manufacturer ID 1460 and the serial ID 1461, it cannot be referred to from the PC, the identification number is displayed in the invisible area 1450. 1421 and the digital signature 1422 may be written to uniquely identify the portable medium 50. Such an identification number 1421 and digital signature 1422 are used together with the portable medium 50 lent by the organization when the administrator collectively gives the portable medium 50 before the purchase and distribution to the user. It can be distinguished from portable media purchased by a person.

  In the normal accessible area 1440, a log recording program 1410 is stored. The log recording program 1410 is a program for writing a log in the invisible area 1450, and may be copied to the portable medium 50 when it is registered in the portable medium list 1323 of the WF server 1320. Alternatively, the log recording program 1410 may be written in a non-overwriteable area having a property similar to that of a CD-ROM on the portable medium.

A conditional self-decryptable file (self-decoding format file) 1400 stored in the normal accessible area 1440 will be described with reference to FIG. The conditional self-decoding format file 1400 is a file format when written to the portable medium 50. The conditional self-decoding file 1400 includes the following information.
Password 1401: Secret information that allows only user 1 to decrypt.
Take-out destination PC identifier 1402: Information registered in the client list 1324 for uniquely identifying the client 10. For example, machine name, MAC address, HDD serial number, OS license number, OS owner information, mail address, login user name, IP address, motherboard hardware number, CPU type, BIOS type, TPM ( (Trusted Platform Module) is a certificate held by the chip.
-Portable medium identifier 1403: Information registered in the portable medium list 1323 for uniquely identifying the portable medium 50.
Take-out period 1404: information on the time limit for which take-out is permitted.
Log recording program identifier 1405: Information for uniquely identifying the log recording program 1410. For example, the program name, the hash value of the program file, and the like.
Action 1406: Information indicating an action to be performed when a condition for decoding is not satisfied. For example, decryption is prohibited and forced deletion is performed.
Encryption date / time 1407: Information indicating the date and time when the conditional self-decryption file 1400 was created.

  The data diagram of the take-out management DB 1322 used in the information asset management reporting system 1300 and the relationship between related data will be described with reference to FIG. A take-out management DB 1322 accumulated on the WF server 1320 manages a take-out file table 1801 for managing files stored in the portable medium 50 and how the portable medium 50 is used at the take-out destination. And a take-out destination use history table 1802 for doing so. The take-out file table 1801 and the take-out destination use history table 1802 are composed of one sheet for each portable medium managed by the portable medium list 1323.

  The take-out file table 1801 is for the information asset list 32 of the information asset management reporting system 100 described in the first embodiment, and the device ID of the portable media managed by the portable media list 1323 is used. Stores the results of searching for files stored on a portable medium.

  The take-out destination use history table 1802 is a collection of log contents in the invisible area 1450 of the portable medium 50. When the portable medium 50 is connected to the client 10, the monitoring program 1311 operating on the client 10 reads the invisible area 1450, collects log contents, and accumulates them in the terminal log 1313. After that, as shown in FIG. 18, various programs are sequentially collected up to the take-out destination use history table 1802.

  Next, using FIG. 15 to FIG. 17, an operation flowchart and screen examples of the information asset management reporting system 1300 of the third embodiment shown in FIG. 13 will be described.

  FIG. 15 illustrates an operation flowchart when the user 1 takes a file to the portable medium 50. In step 1501, the user 1 logs in to the WF agent 1312 of the client 10 and sets a take-out application and decryption conditions.

  An example of the application screen displayed on the display unit of the client 10 in step 1501 will be described with reference to FIG. The application screen 1600 includes an applicant field 1601 for displaying a logged-in user name, a reference button 1603 for designating a take-out file, a take-out file field 1602 for displaying designated contents, and a reference button 1605 for designating a client to be taken out. A take-out destination field 1604 for displaying the designated contents, a take-out reason field 1606 for inputting the reason for take-out in text, a reference button 1608 for designating a portable medium used for taking-out, and a usable portable medium field 1607 for displaying the designated contents. , A period field 1609 for selecting a usage period from a pull-down menu, a password field 1610 for specifying a password, and an application button 1611.

  After logging in to the WF agent 1312, the user 1 presses a reference button 1603 to select a file to be taken out from the client 10 to the portable medium 50. Next, a reference button 1605 is pressed to select where to take out the clients managed in the client list 1324. By default, the client 10 of the writing source is set as standard, and the user 1 designates another take-out destination. Next, a reference button 1608 is pressed to select which of the portable media managed in the portable media list 1323 is to be taken out. Further, the reason is input in the take-out reason column 1606, the take-out period is selected in the period column 1609, and the password is input in the password column 1610. After completing the above input, the application button 1611 is pressed.

  Returning again to FIG. 15, in step 1502, the administrator 2 logs in to the WF manager 1321 of the WF server 1320 to check application contents.

  An example of the approval screen in step 1502 will be described with reference to FIG. An approval screen 1620 on the display unit of the WF server 1320 includes an applicant field 1621 for displaying an applicant name, a take-out file field 1622 for displaying a specified content of a take-out file, a display button 1623 for displaying the file content of the take-out file, A take-out destination field 1624 for displaying the specified contents of the take-out destination, a correction button 1625 for correcting the specified contents of the take-out destination, a take-out reason field 1626 for displaying the reason for take-out, and the specified contents of the portable medium used for take-out are displayed. A usable portable medium column 1627, a connection history button 1628 for viewing a connection history of portable media so far, a period column 1629 for displaying a take-out period, a password column 1630 for confirming that a password is set, Decryption-inhibited radio button for specifying actions when violated 631 and forced deletion radio button 1632, approval button 1633, and a reject button 1634 Metropolitan.

  After logging in to the WF manager 1321, the administrator 2 presses the display button 1623 to confirm that information that should not be taken out is not included in the take-out file, the take-out destination column 1624, the take-out reason column 1626, the period column 1629, etc. Confirm that there is no problem. Further, the user presses the connection history button 1628 to confirm that the portable medium 50 used for taking-out has not been connected to an unauthorized client in the past and that there is no evidence that the taken-out file has been illegally decrypted. After confirming the above, the action at the time of violation is designated by the decryption prohibition radio button 1631 or the forced deletion radio button 1632, and then the approval button 1633 or the reject button 1634 is pressed. Alternatively, when the connection history button 1628 is pressed, a log connected to an unmanaged PC may be highlighted by collating with the client list 1324.

  Returning to FIG. 15 again, in step 1503, if the administrator 2 presses the approval button 1633 in step 1502, the process proceeds to step 1504. If the reject button 1634 is pressed, the process proceeds to step 1505. move on. In step 1505, a rejection notification is made and the take-out process is terminated.

  In step 1504, the WF manager 1321 writes out the decryption conditions approved on the approval screen 1602 as a file, and adds a signature together with the approved take-out file.

  In step 1506, the user 1 receives an approval notification from the WF agent 1312, and the user 1 performs a file writing operation from the client 10 to the portable medium 50. When the portable medium 50 is connected to the client 10, it is determined whether or not the portable medium 50 is in the portable medium list 1323. If the portable medium 50 is not in the portable medium list 1323, the portable medium 50 is forcibly disconnected. It may be a thing.

  In step 1507, the monitoring program 1311 monitoring the writing to the portable medium 50 in the client 10 verifies the file to be written and the signature attached to the decryption condition. If the verification is successful, the process proceeds to step 1508. If the verification fails or no signature is attached, the process proceeds to step 1509. In step 1509, the monitoring program 1311 prohibits writing to the portable medium 50 and the process ends.

  In step 1508 after successful verification, the monitoring program 1311 encrypts the file to be written into a conditional self-decryption file 1400 in which the decryption conditions are embedded, based on the decryption conditions approved in step 1504.

  In step 1510, the monitoring program 1311 of the client 10 writes out to the normal accessible area 1440 of the portable medium 50. In step 1511, after the portable medium 50 stores the conditional self-decoding format file 1400, the process ends.

  When the portable medium 50 is connected to the client 10 (step 1521), the monitoring program 1311 detects that the portable medium is connected (step 1522) and reads the log information in the invisible area 1450. And recorded in the terminal log 1313 (step 1523). The terminal log 1313 is stored in the take-out management DB 1322 as described with reference to FIG.

  Next, an operation flowchart when the portable medium 50 is taken out will be described with reference to FIG.

  When the user 1 connects the portable medium 50 to the take-out destination PC (step 1701), the log recording program 1410 in the portable medium 50 is automatically started (step 1702). Note that the log recording program 1410 is not limited to being automatically activated, but may be manually activated by the user 1. The log recording program 1410 collects information of the connected PC (step 1703), generates and accesses a handle for opening the invisible area 1450 by exclusive control, and logs the information of the connected PC. To record. By opening the handle with exclusive control, while the log recording program 1410 is running, reading and writing of information in the invisible area 1450 using, for example, a computer forensic tool is prevented.

  Next, when the user 1 performs a decoding operation by clicking the conditional self-decoding format file 1400 in the portable medium 50 (step 1711), the log recording program 1410 is executing the conditional self-decoding format file 1400. Is checked (step 1712). Next, it is checked using the log recording program identifier 1405 that the program being executed has not been tampered with (step 1713). If it is determined in step 1712 that the log recording program 1410 is not being executed or in step 1713 that the log recording program 1410 has been tampered with, decoding is stopped (step 1714).

  Further, the self-decoding format file 1400 transmits the decoding conditions to the log recording program 1410 (step 1715). The log recording program 1410 uses the take-out destination PC identifier 1402 to check whether it is the designated connection destination PC (step 1716). Next, the portable medium identifier 1403 is used to check whether the designated portable medium is used (step 1717). Next, the consistency between the time of the connection destination PC and the date and time 1431 in the log in the invisible area 1450 is confirmed. For example, the current PC time is later than the date and time when the portable medium 50 was last disconnected, or the current time is more than the date and time when the conditional self-decoding file 1400 succeeded or failed in decoding. It is slower. Alternatively, the encryption date / time 1407 may be used to check that the current PC time is later than the encryption date / time. Next, using the take-out period 1404, it is checked whether it is within a certain period from the approved date (step 1719). Finally, the user 1 is requested to input a password, and it is checked whether or not it matches the password 1401 (step 1720).

  If any one of frauds is found from step 1716 to step 1720, the action designated by action 1406 is executed, and a message indicating that decoding has failed is logged in the invisible area 1450 (step 1722). When the above processing is completed, the user 1 is prompted to specify the decryption destination (step 1721), decrypts to the designated decryption destination, and logs the successfully decrypted message in the invisible area 1450 (step 1722). ).

  When the user 1 disconnects the portable medium 50 from the PC, the log recording program 1410 logs the message disconnected at the end of the program in the invisible area 1450 (step 1732).

  In the operation flowchart shown in FIG. 17, as another embodiment, as a program in which the conditional self-decoding file 1400 and the log recording program 1410 are integrated in order to determine whether or not the decoding conditions are met, Steps 1711 to 1722 may be executed.

  The information asset management reporting system 1300 of the present embodiment described above has been described for the case where the information asset of the portable medium 50 is written. However, the information asset management reporting system 1300 is not limited to the portable medium 50 and can be attached to an e-mail or The same information asset management can be performed for file storage in a portable notebook PC or PDA, and these can also be called portable media in a broad sense. The WF server 1320 centrally manages the destinations attached to e-mails and portable notebook PCs, and appropriately changes the decoding conditions of conditional self-decoding files even in the case of e-mails, portable notebook PCs and PDAs Thus, the same information asset management as when writing to the portable medium 50 described above is possible.

  With the information asset management reporting system of the third embodiment described above, even if a file is copied to a portable medium and taken out, it is left in the portable medium and audited after the fact. It is possible to check for unauthorized use such as copying to a home PC. Furthermore, even when a file is copied to an unmanaged PC, it is possible to prevent the file from leaking on an arbitrary PC by checking that the conditional self-decoding file satisfies the decryption condition. Furthermore, if a lost or stolen portable medium is found, it can be checked whether there was suspicious access during a period when it was not at hand.

  As described above, the information asset management reporting system of the present invention can be applied to a network environment of an information system in a call center that handles personal information, a sales department that handles trade secrets, and a design and development department that handles intellectual property information. . It can also be applied to an information system network environment in an outsourcing company that conducts business by entrusting sales information from a consignment company.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is an explanatory diagram showing an overall image of an information asset management reporting system according to a first embodiment. FIG. 3 is an explanatory diagram illustrating a block diagram of a client according to the first embodiment. Explanatory drawing which showed the data figure of the terminal log of Example 1, and an accumulation | storage log. Explanatory drawing which showed the data figure of the information asset list of Example 1. FIG. Explanatory drawing which showed the operation | movement flowchart of the monitoring program of Example 1. FIG. Explanatory drawing which showed the operation | movement flowchart of the correlation analysis program of Example 1. FIG. FIG. 3 is an explanatory diagram illustrating an example of log analysis related to network communication according to the first embodiment. FIG. 3 is an explanatory diagram illustrating an example of log analysis regarding use of a portable medium according to the first embodiment. FIG. 3 is an explanatory diagram illustrating an example of log analysis regarding printing according to the first exemplary embodiment. Explanatory drawing which showed an example of the screen interface which displays the information asset list of Example 1. FIG. Explanatory drawing which showed an example of the screen interface which displays the information asset list of Example 1. FIG. Explanatory drawing which showed an example of the log analysis regarding the file format conversion of Example 2. FIG. Explanatory drawing which showed the whole figure of the information asset management reporting system in Example 3. FIG. Explanatory drawing which showed the block diagram of the portable medium in Example 3. FIG. Explanatory drawing which showed the operation | movement flowchart at the time of taking out to the portable medium in Example 3. FIG. Explanatory drawing which showed an example of the WF screen at the time of taking out to the portable medium in Example 3. FIG. Explanatory drawing which showed the operation | movement flowchart in the take-out destination to the portable medium in Example 3. FIG. Explanatory drawing which showed the data figure of taking-out management DB in Example 3. FIG.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... User, 2 ... Administrator, 10 ... Client, 11 ... Monitoring program, 12 ... Terminal log, 20 ... Log collection server, 21 ... Terminal log collection program, 22 ... Integrated log, 30 ... Log analysis server, 31 ... Correlation analysis program, 32 ... Information asset list, 40 ... Network, 41 ... Internet server, 42 ... Internet, 43 ... E-mail, 50 ... Portable media, 60 ... Multifunction machine, 61 ... Paper, 70 ... Index server, 100 ... Information asset management reporting system, 201 ... CPU, 202 ... memory, 203 ... storage device, 204 ... communication unit, 205 ... display unit, 206 ... operation unit, 207 ... portable medium connection unit, 1300 ... information asset management reporting system, 1311 ... Monitoring program, 1312 ... WF agent, 1313 ... Terminal log, 132 ... WF server, 1321 ... WF manager, 1322 ... taking out management DB, 1323 ... portable medium list, 1324 ... client list.

Claims (8)

An information asset management system including a terminal operated by a user, a log collection device, and a log analysis device,
The log collection device includes:
Monitoring the event occurrence pertaining to information assets by the user's operation via the terminal, in the event occurrence before and after with respect to the information assets, status information of the information assets outputs including terminal log,
The log analyzer is
An information asset list that manages a sheet for each information asset, and the terminal log output by the log collection device,
If the event is an export process from the information asset management system or a conversion process of the information asset, the information asset list is searched using the state information before the event occurrence of each entry of the terminal log as a key, and the same If there is a sheet indicating the information asset, the information on the sheet is updated with the information after the event of the matching entry,
If the event is an import process from the information asset management system or an inverse conversion process of the information asset, the information asset list is searched using the state information after the event occurrence of each entry of the terminal log as a key, If there is a sheet indicating the same information asset, the information asset management system updates information on the sheet with information after the event of the matching entry . An information asset management system according to claim 1,
The log collection device includes:
If the event is the export process or the conversion process, the terminal log including the file name and path name of the information asset before the event occurrence for the information asset is output,
Outputting the terminal log including a file name and a path name of the information asset after the occurrence of the event for the information asset;
If the event is the import process or the reverse conversion process, the terminal log including the characteristic value of the information asset after the event occurrence for the information asset is output,
The log analyzer is
If the event is the export process or the conversion process, the information asset list is searched using the file name and path name before the event occurrence of each entry of the terminal log as the key,
When the event is the import process or the inverse conversion process, the information asset list is searched using the feature value after the event occurrence of each entry of the terminal log as a key . An information asset management system according to claim 2,
The log analyzer is
If the same information asset is not found by the search when the event is the import process or the reverse conversion process, create a new sheet recording the information asset described in the log entry. An information asset management system registered in the information asset list . An information asset management system according to claim 1,
The event that is the export process or the conversion process is the writing of the information asset to a portable medium, the printing output of the information asset, the network transmission of the information asset, the file compression, or the file encryption. Yes,
The event that is the import process or the reverse conversion process is reading of the information asset from a portable medium, reading by a scanner, network reception, file decompression, or file decoding. Information asset management system. A log analysis device for analyzing a terminal log related to information asset management output by a log collection device,
It has an information asset list that manages sheets for each information asset,
About the terminal log output by the log collection device,
If the event is an export process from the information asset management system or a conversion process of the information asset, the information asset list is searched using the state information before the event occurrence of each entry of the terminal log as a key,
If there is a sheet indicating the same information asset, the information on the sheet is updated with the information after the event of the matching entry,
If the event is an import process from the information asset management system or an inverse conversion process of the information asset, the information asset list is searched using the state information after the event occurrence of each entry of the terminal log as a key,
If there is a sheet indicating the same information asset, the information on the sheet is updated with the information after the event of the matching entry.
Log analyzer . The log analyzer according to claim 5 ,
When the event is the export process or the conversion process, the information asset list is searched using the file name and path name before the event occurrence of each entry of the terminal log as the key,
When the event is the import process or the inverse conversion process, the information asset list is searched using the feature value after the event occurrence of each entry of the terminal log as a key.
Log analyzer . A log analysis program for information asset management executed by the processing unit in a log analysis device having at least a processing unit ,
It has an information asset list that manages sheets for each information asset,
Based on the status information of the integrated log that monitors the event occurrence related to the information asset by the user's operation through the terminal, and accumulates the terminal log including the status information of the information asset before and after the event occurrence for the information asset,
If the event is an export process from the information asset management system or the conversion process of the information asset, the information asset list is searched using the state information before the event occurrence of each entry of the terminal log as a key,
If there is a sheet indicating the same information asset, the information on the sheet is updated with the information after the event of the matching entry,
If the event is an import process from the information asset management system or an inverse conversion process of the information asset, the information asset list is searched using the state information after the event occurrence of each entry of the terminal log as a key,
If there is a sheet indicating the same information asset, the information on the sheet is updated with the information after the event of the matching entry.
Log analysis program . The log analysis program according to claim 7,
The processing unit is further operated to search the information asset list based on a search condition input to the log analysis device and output a search result.
Log analysis program .

Images