JP2007058257A - Management system and management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To manage states of personal information and confidential information to prevent surely the personal information and the confidential information from carelessly flowing out, leaking and being used illegally, without obtaining a human cooperation and imposing a special burden, even when the personal information and the confidential information are stored in a distributed manner, in a plurality of PCs or servers in an enterprise. <P>SOLUTION: A user terminal 10 is provided with a survey means for searching a file to be managed out of a data in a storage part, and a transmitting means for transmitting a search result therein to a management server 20, and the management server 20 is provided with a log collection means for collecting and recording an access log to the file to be managed from the user terminal 10, based on the search result from the user terminal 10, and a management means for managing the user terminal 10, based on the search result and the access log collected by the log collection means. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technique for managing files containing personal information, confidential information, and the like held in an information processing apparatus (user terminal, server, etc.) such as a personal computer.

  In recent years, with an increase in awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. In particular, with the enforcement of the Personal Information Protection Law, there is a need for businesses that handle personal information to more reliably prevent the leakage or leakage of personal information and unauthorized use. Here, personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address, etc.). . Customer information, business partner information, etc. stored and handled in various companies often correspond to personal information.

  Naturally, such personal information corresponds to confidential information with high confidentiality for companies, but as confidential information for companies, in addition to personal information, new products before publication, technology before patent application, Information related to management strategies, etc. According to the Institute of Systems Audits, confidential information is defined as information that may impair the value of management resources when disclosed to anyone other than the authorized person or used for other purposes. Has been.

  In order to reliably prevent the outflow / leakage and unauthorized use of personal information and confidential information as described above, it is desirable to introduce a centralized management system and centrally manage such personal information and confidential information. However, in reality, personal information such as customer information and business partner information in a company includes a plurality of user terminals [personal computers (hereinafter sometimes abbreviated as PCs)] used by individual employees, In many cases, they are distributed and stored in department servers. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various places on the PC.

  For this reason, when constructing the above centralized management system, the administrator first identifies personal information and confidential information that are scattered in the company, and what kind of personal information and confidential information is located in the company. It is necessary to grasp whether it exists, but personal information and confidential information are identified by the manager instructing each employee and with the cooperation of the entire company and all departments in person-to-person relations. .

  For example, in Patent Document 1 below, in accordance with the enforcement of the Personal Information Protection Law, the technology “Personal Information Protection Service Business Processing Method for Providing Personal Information Protection Service to Prevent Personal Information Outflow / Leakage and Unauthorized Use” And device "have been proposed and disclosed. In this patent document 1, it is possible to identify and warn a company that has acquired personal information inappropriately, and to prevent illegal leakage of personal information from a company that has acquired it appropriately. However, it does not disclose how to deal with the case where personal information is distributed in the company as described above.

  Further, for example, Patent Document 2 below discloses a file copy management technique for preventing unauthorized copying of a file in a computer system or other data processing device or system, and in particular, a special copy prohibition measure is taken for a file. Technology for preventing unauthorized copying of source code files written in a specific language or multimedia data files of a specific file format has been disclosed. There is no disclosure of what to do if they exist in a distributed manner.

Further, for example, in Patent Document 3 below, an integrated internal information leakage prevention system is disclosed, and in particular, offline information leakage through an output device and a movable storage device and online information leakage due to a communication program are fundamentally prevented. And the technology to prevent important information from leaking from the internal system by monitoring is disclosed, but again, as mentioned above, coping with the case where personal information is distributed in the company Is not disclosed.
JP 2002-183367 A JP 2001-350671 A Special table 2003-535398 gazette

  As mentioned above, identifying personal information and confidential information with human cooperation such as reporting from each employee is not only time-consuming, but it is also difficult to ensure that all personal information and confidential information are identified without omissions. become. In particular, when personal information and confidential information are being distributed, it is extremely difficult to identify personal information and confidential information. In addition, if there is a leak in identifying personal information or confidential information, the state of the personal information or confidential information cannot be managed, and there is a risk of inadvertent outflow / leakage or unauthorized use.

  The present invention was devised in view of such a situation, and even if personal information and confidential information are distributed and stored in a plurality of PCs and servers in a company, they are not in charge without human cooperation. The purpose is to make it possible to manage the status of personal information and confidential information without imposing a special burden on the user, and to prevent inadvertent leakage, leakage or unauthorized use of personal information or confidential information. .

  In order to achieve the above object, the management system of the present invention (Claim 1) can communicate with a user terminal having a storage unit for storing data including an electronic file, and the user terminal via a network. A management server that manages a management target file that satisfies a predetermined condition in the user terminal, and the user terminal specifies a management target file that satisfies the predetermined condition from data in the storage unit And a transmission means for transmitting the result of the search by the search means to the management server via the network, and the management server is transmitted from the user terminal. Based on the result of the search, the management target file in the user terminal is grasped, and the access log for the management target file is stored in the user terminal. Log collecting means for collecting and recording; management means for managing the user terminal based on the result of the search, and the access log for the management target file collected and recorded by the log collecting means; It is characterized by being configured.

  In the management system, the management means, based on the search result transmitted from the user terminal, and the access log for the management target file collected and recorded by the log collection means, It is also possible to create public information relating to the access status to the management target file, and disclose the created public information (claim 2). The public information includes the file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. It may be included, and may include a totaling result of the number of the management target files and a totaling result of the number of accesses to the management target file.

  Further, in the management system, the management server is further configured to include a survey unit that investigates whether or not a driver for an external storage medium is installed in the user terminal, and the management unit includes the user The user terminal is managed based on the access log for the management target file collected and recorded by the log collection unit as a result of the search transmitted from the terminal, and the result of the survey by the survey unit. (Claim 3). At this time, as a result of the search transmitted from the user terminal, the management means collects and records the access log for the management target file collected by the log collection means, and the investigation by the investigation means. Based on the result, public information regarding the user terminal in which the driver for the external storage medium is installed may be created, and the created public information may be disclosed (claim 4). Information that can identify the user terminal that has the management target file and that has installed the driver for the external storage medium, information that can identify the owner of the user terminal, and possession in the user terminal And the file name of the managed file that has been executed, and the management target file written to the external storage medium executed on the user terminal It may contain a number.

  Further, in the management system, the management means is based on the result of the search transmitted from the user terminal and the access log for the management target file collected and recorded by the log collection means. Changing or setting the security level in the user terminal for preventing the management target file from flowing out from the user terminal, and restricting access to the file in the user terminal according to the security level. You may comprise so that it may change (Claim 5). At this time, for the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on access to the file, while relating to the management target file. For user terminals that have not executed processing / operation for a predetermined period, the security level may be set low to release or relax access restrictions on files (claim 6). More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. For a user terminal that does not have the management target file, the security level may be set low to release or relax access restrictions on the file (claim 7), or the management means may For user terminals that do not have an encryption function that automatically encrypts files sent to the network, the security level is set high to tighten access restrictions on the file, while the encryption function is set. For user terminals that have been set, the security level is set low to remove or relax restrictions on file access. Which may (claim 8).

  The management server further includes an installation unit that installs a program that causes a computer to function as the search unit in the user terminal, and the function as the search unit in the user terminal is the installation unit. It may be configured to be realized by executing the program installed in the user terminal by means, and in this case, the installation means of the management server may be configured such that a user terminal not installed with the program When the connection to the network is detected, the program may be installed in the user terminal, and the user terminal may be caused to execute the program to search for a management target file.

  In addition, the predetermined condition is that a predetermined number or more of personal information elements that can identify a specific individual are held, and the search unit manages a file that satisfies the predetermined condition from the data in the storage unit In other words, the personal information file may be specified and searched (claim 9). At that time, the searching means extracts the text data included in the determination target file, and the extracting means Cutout means for cutting out character sections delimited by delimiters from the extracted text data, and character strings in the character sections cut out by the cutout means are preset telephone number determination conditions, e-mail address determination By determining whether or not any one of the conditions and address determination conditions is satisfied, a telephone number, electronic mail, which is a personal information element other than the name, is used. A first determination means for determining whether the address corresponds to any one of an email address and an address, and a character determined by the first determination means as not corresponding to any of a telephone number, an e-mail address, and an address A character determining means for determining whether the number of characters in the section is within a predetermined range and whether the character in the character section is a kanji, and the character determining means determines that the number is within the predetermined range and is a kanji. By comparing a character or character string included in the character section with an inappropriate character or inappropriate character string preset as a kanji or character string that cannot appear in the name, A collating means for judging whether or not the above-mentioned inappropriate character or inappropriate character string is included, and a telephone number, an e-mail address and the like by the first judging means. And the number of character sections determined to correspond to any one of the addresses and the number of character sections determined not to include the inappropriate character or inappropriate character string by the matching means, respectively. The second determination means for determining whether or not the determination target file is a personal information file based on the counting result may be included (claim 10).

  On the other hand, the management server of the present invention (claim 11) is connected to a user terminal via a network so that they can communicate with each other, and manages files to be managed that satisfy a predetermined condition in the user terminal. , Grasping the management target file in the user terminal based on the search result of the management target file that satisfies the predetermined condition, searched by the searching means from the data in the storage unit of the user terminal, Log collection means for collecting and recording the access log for the management target file from the user terminal, the result of the search by the search means, and the access to the management target file collected and recorded by the log collection means It is characterized by comprising management means for managing the user terminal based on the log.

  In the management server, based on the result of the search and the access log for the management target file collected and recorded by the log collection unit, the management unit discloses public information regarding the access status to the management target file. And the created public information may be disclosed (claim 12). The public information includes the file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. It may be included, and may include a totaling result of the number of the management target files and a totaling result of the number of accesses to the management target file.

  Further, the management server further includes an investigation unit that investigates whether or not a driver for an external storage medium is installed in the user terminal, and the management unit collects the log collection unit as a result of the search. -You may comprise so that this user terminal may be managed based on the recorded access log with respect to this management object file, and the result of the investigation by the investigation means. At this time, based on the access log for the management target file collected and recorded by the log collection unit as a result of the search, and the result of the investigation by the investigation unit, the management unit The public information regarding the user terminal in which the driver for the device is installed may be created, and the created public information may be disclosed. The public information includes the management target file and the external storage medium Including information that can identify the user terminal in which the driver is installed, information that can identify the owner of the user terminal, and the file name of the managed file that is held in the user terminal It may also include the number of times the management target file has been written to the external storage medium executed by the user terminal.

  Further, in the management server, the management means performs the management from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection means. The security level in the user terminal for preventing the target file from leaking may be changed and set, and the access restriction on the file in the user terminal may be changed according to the security level. ). At this time, for the user terminal that has executed the processing / operation related to the management target file, the security means sets the security level high to tighten the restriction on access to the file, while relating to the management target file. For a user terminal that has not executed processing / operation for a predetermined period, the security level may be set low to release or relax access restrictions on the file. More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. For user terminals that do not have the management target file, the security level may be set low to release or relax access restrictions on the file, or the management means may send the file to the outside. For user terminals that do not have an encryption function that automatically encrypts files, the security level is set high to tighten restrictions on access to files, while users with the encryption function set For terminals, the security level may be set low to remove or relax access restrictions on files.

  In addition, an installation unit that installs a program that causes a computer to function as the exploration unit may be further installed in the user terminal. When the connection is detected, the program may be installed in the user terminal, and the program may be executed by the user terminal to determine whether there is a management target file.

  Also, the file management program of the present invention (claims 15 to 18) is a management server that manages a management target file that satisfies a predetermined condition in user terminals connected to each other via a network. The computer functions, and the functions as the management server described above (claims 11 to 14) are realized.

  According to the present invention described above, a management target file (a file containing personal information, confidential information, etc.) satisfying a predetermined condition is searched for at each user terminal, and the search result and management target file are managed by a management server (management means). The user terminal is managed based on the access log. As a result, even if personal information and confidential information are distributed and stored in a plurality of user terminals, the status of the management target file can be changed without obtaining human cooperation and applying a special load to the person in charge. It can be managed, and personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used.

  At this time, the access status to the management target file (for example, the file name of the management target file, information that can identify the user terminal, information that can specify the owner of the user terminal, the result of counting the number of management target files, management (Such as the aggregated results of the number of accesses to the target file) will provide an environment in which the user will not voluntarily access the managed file. Personal information and confidential information Inadvertent outflow / leakage and unauthorized use can be prevented more reliably.

  Also, information about the user terminal installed with the external storage medium driver (for example, information that can identify the user terminal, information that can identify the owner of the user terminal, file name of the management target file, The number of times the managed file is written, etc.), and the user will not voluntarily install the external storage medium driver, or the managed file using that driver even if it is installed This will provide an environment in which the writing of information is not performed, and personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used.

  In addition, a user terminal that is likely to cause an inadvertent leak / leakage or unauthorized use of a managed file (for example, a terminal that has executed a process / operation related to a managed file, or has a managed file in a storage unit) For devices that do not have the encryption function set), set a high security level to tighten access restrictions, while setting a low security level for user terminals that are unlikely to By canceling or relaxing access restrictions, an environment where the terminal can be used efficiently in the case where the above possibility is low is provided, so that the user voluntarily attaches his / her terminal to the above possibility. As a result, the personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used.

  When a user terminal that does not have a function as a search means for searching for a management target file is connected to the network, a program for realizing the function as the search means is installed by the management server. When the function as the exploration means is automatically introduced into the user terminal, and the existence of the management target file in the user terminal is further determined by the exploration means, so that a new user terminal is connected to the network However, it becomes possible to reliably search and identify the files to be managed on the user terminal and put them in a manageable state. Inadvertent leakage or leakage of personal information or confidential information, or personal information or confidential information Unauthorized use can be reliably prevented.

  When a personal information file having a predetermined number or more of personal information elements that can identify a specific individual is used as a management target file, the search means of the present invention can use any of a telephone number, an e-mail address, and an address. Character sections that are not applicable and contain inappropriate characters / inappropriate character strings are considered not related to personal information, but do not correspond to any of phone numbers, e-mail addresses, and addresses, and inappropriate characters / Character sections that do not contain an appropriate string are considered to be related to names.

  Therefore, for the character section determined to correspond to any one of the telephone number, e-mail address, and address, the determination process is terminated when the determination is made, and any of the telephone number, e-mail address, or address is terminated. Is also checked for inappropriate characters / unsuitable character strings only for character sections determined to be not applicable, and it is determined that even one inappropriate character / unsuitable character string is included in the character section. At that point, the collation process can be terminated, so that the name collation process can be performed at a higher speed than the method that collates with all the name strings included in the name list, that is, the personal information file search process Can be performed at high speed.

  In addition, since all character sections that do not contain inappropriate characters / inappropriate character strings are considered to correspond to names, there is a possibility of including files that do not contain inappropriate characters / inappropriate character strings for names, ie, name information. Therefore, it is possible to surely search for a file having a high possibility of being a personal information file. That is, the number of files that are determined to be personal information files by the search means of the present invention increases, and files that are highly likely to be personal information files (suspicious files) can be reliably identified.

  Furthermore, since it is determined whether or not the number of characters in the character section is within a predetermined range and all the characters in the character section are kanji, and only character sections that satisfy this character determination condition are targeted for verification, The character section is narrowed down to the character section having a higher possibility of the name, so that the name collation accuracy can be improved and the name collation process can be performed at high speed. In addition, since a long character section whose number of characters exceeds the predetermined range is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of Personal Information Management System of this Embodiment FIG. 1 is a block diagram showing the configuration of a personal information management system (management system) as an embodiment of the present invention. As shown in FIG. The personal information management system (management system) 1 according to the embodiment includes a personal information management server 20 in addition to a plurality of user terminals 10, and the terminals 10 and the server 20 are connected to a network [for example, an in-house LAN (Local Area Network)] 30 so as to be able to communicate with each other.

  Each user terminal 10 is configured by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and has a functional configuration as described later with reference to FIGS. 2 and 3. have. Note that each user terminal 10 in this embodiment is installed with a program (described later) for realizing various functions (described later) including searching for a personal information file from the personal information management server 20 to be resident as described later. It shall be.

  The personal information management server (management server) 20 is connected to a plurality of user terminals 10 through a network 30 so that they can communicate with each other, and the personal information file in each user terminal 10 is a management target file that satisfies a predetermined condition. A file access management server (a server that manages access to a management target file) as described later with reference to FIG. 5 in addition to having a functional configuration as described later with reference to FIG. It also has a functional configuration.

  The personal information file as the management target file in the present embodiment, as described later with reference to FIG. 2 and FIG. 3, on the precondition that a predetermined number or more of personal information elements capable of identifying a specific individual are held. The personal information is identified / explored by the exploration means 11, and as described above, the personal information is information (various personal information elements) that can identify a specific individual by itself or in combination, for example, name, date of birth, contact The destination (address, residence, telephone number, e-mail address) is included. In addition to these, personal information includes titles, basic resident register numbers, account numbers, credit card numbers, license numbers, passport numbers, and the like.

[1-1] Functional Configuration of User Terminal According to the Present Embodiment FIG. 2 is a block diagram showing the functional configuration of the user terminal 10 according to the present embodiment. As shown in FIG. 2, the user terminal according to the present embodiment. 10 includes a CPU (Central Processin Unit) 10a that executes various processes and a storage unit 10b that can hold data including electronic files such as personal information files, and a quarantine table provided from the personal information management server 20 10c and a P mark for holding a P mark (privacy level mark; a level indicating the possibility of being a personal information file, a level determined by a determination value described later) of the electronic file held in the storage unit 10b The personal information management server 20 includes a table 10d and a program for causing the CPU 10a to function as various means 11 and 12 described later. Is Luo installed.

  Here, the storage unit 10b is a hard disk built in the user terminal 10 or a storage device connected to or externally attached to the user terminal 10, such as a flexible disk, CD (CD-ROM, CD-R, CD-RW). Etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disks, optical disks, magneto-optical disks, IC cards, ROM cartridges, magnetic tapes and other recording media This is a storage device to be used. The quarantine table 10c and the P mark table 10d described above may be held in a RAM (Random Access Memory), a hard disk, or the like constituting the user terminal 10, or may be held in the storage unit 10b.

  The CPU 10a functions as the exploration means 11, the access detection means 12, the transmission / reception means 13, the external storage medium driver 14, and the encryption means / registration means (encryption function) 15. Of these functions, the transmission / reception means 13 is originally provided in a terminal such as a PC. The functions as the exploration means 11 and the access detection means 12 are programs installed by the CPU 10a from the personal information management server 20 as will be described later (described later). This is realized by executing a user terminal program).

  The functions of the external storage medium driver 14 and the encryption unit / registration unit 15 are realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will. With things. Accordingly, the user terminal 10 may or may not have the functions of the external storage medium driver 14 and the encryption means / registration means 15. Blocks indicating the driver 14 and the encryption / registration unit 15 are described with virtual lines (two-dot chain lines).

  The exploration means 11 is a personal information file that satisfies the above-mentioned predetermined condition from the data in the storage unit 10b immediately after installing a program that causes the CPU 10a to function as the exploration means 11, or when the user terminal 10 is activated or at predetermined intervals. (Management target file) is specified and searched, functions as a text extraction engine that converts each file (search target file) held in the storage unit 10b to a text file, and uses the quarantine table 10c to store the storage unit 10b. It functions as an exploration engine for exploring personal information files from data in

  That is, the exploration means 11 searches for the personal information file by referring to the determination target file according to the condition (quarantine table 10c) instructed from the personal information management server 20, and logs the file determined to be a personal information file. (Local cache database). In the present embodiment, the P mark determined based on the determination result (determination value / count value) obtained by the exploration means 11 is registered in the P mark table 10d. Details of the functional configuration of the exploration means 11 will be described later with reference to FIG.

  Note that the determination result (determination value / count value) and the P mark by the exploration means 11 are information for identifying the file (for example, a file name) for each file determined to be a personal information file. The information is transmitted / notified to the personal information management server 20 through the transmission / reception means 13 and the network 30.

  The access detection means 12 detects the access executed in the user terminal 10 for the file determined to be a personal information file by the exploration means 11, and records and saves the access contents as an access log for each file. The access log is used to manage personal information through the transmission / reception unit 13 and the network 30 at the time of access detection, periodically, or when requested from the personal information management server 20 (collection unit 23 described later). It is transmitted and notified to the server 20. The access contents include access types (for example, printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP (File Transfer Protocol) server), and access for each access type. Number of times.

  The transmission / reception means (transmission means) 13 transmits / receives various information to / from the personal information management server 20 and other user terminals 10 via the network 30. It also serves as a transmission means for transmitting the obtained access log and the like to the personal information management server 20.

  As described above, the external storage medium driver 14 is a function realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will, and is designated by the user. The file is read from the storage unit 10b and written to the external storage medium 40. Examples of the external storage medium 40 in the present embodiment include various storage media such as a flexible disk, CD, DVD, magnetic disk, optical disk, magneto-optical disk, memory card, USB (Universal Serial Bus) memory, and external hard disk. It is done.

  As described above, the encryption means / registration means 15 is also a function realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will, and this encryption means The / registration means 15 is for realizing an encryption function for automatically encrypting a file sent to the outside.

  When the function as the encryption unit / registration unit 15 is set (installed), particularly when the function as the encryption unit 15 is set, the encryption unit 15 is attached to the mail or externally. The file written to the storage medium 40 and transmitted to the outside is converted into a completed document file having a container function (here, a PDF (Portable Document Format) file that is difficult to falsify), and the container function is further converted. The original file of the electronic file is stored in the PDF file, and then the PDF file is stored in a predetermined encryption key (actually managed by a function (described later) as a file access management server in the personal information management server 20. Is received from the server 20) to create an encrypted file. Note that conversion to a PDF file is performed by, for example, a PDF driver, and when the PDF driver is activated, the electronic file is converted to PDF and a PDF file file is generated.

  In addition to the encryption operation, the user (user) who accesses the encrypted file has access authority to the encrypted file (for example, in addition to viewing, annotation, printing, copying, etc. It is assumed that the setting of the authority to execute the one selected from the access such as fetching, editing of the fetched file, and attachment is automatically performed from the encryption unit 15 to the server 20. Here, for example, only the necessary minimum access authority (for example, viewing authority) is set.

  On the other hand, when the function as the registration unit 15 is set, the registration unit 15 stores the file attached to the mail or written to the external storage medium 40 and sent to the outside in the personal information management server 20. The file is registered in the server 20 to be managed by a function (described later) as a file access management server. At the time of registration, the management target file is transmitted to the server 20 and the encryption of the server 20 is performed according to the registration process. The function of receiving the encrypted file created as described later by the converting means 28 is achieved.

[1-2] Detailed Functional Configuration of Searching Means of the Present Embodiment FIG. 3 is a block diagram showing a detailed functional configuration of the searching means 11 in the user terminal 10 of the present embodiment. As shown in FIG. The exploration means 11 of the present embodiment has functions as an extraction means 111, a cutting means 112, a first determination means 113, a character determination means 114, a collation means 115, and a second determination means 116, and these functions. This is also realized by the CPU 10a executing a program installed from the personal information management server 20 as described later.

The extraction unit 111 extracts text data [for example, CSV (Comma Separated Value) format data] of an electronic file (determination target file) in the storage unit 10b, and functions as the text extraction engine.
The cutout unit 112 cuts out character sections delimited by delimiters from the text data extracted by the extraction unit 111 and sequentially writes them in a buffer (not shown) as a determination target / collation target. Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carriage Return), or LF (Line Feed).

  In addition, symbols other than alphanumeric characters, katakana, hiragana, and kanji characters, such as hyphens, underbars, and parenthesis symbols, are removed from the character section cut out by the cutting means 112. In the present embodiment, it is assumed that the cutting means 112 has a function of removing the symbol characters as described above.

  The first determination unit 113 uses a personal information element (specifically, in the present embodiment, a telephone) in which a character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting unit 112 is removed. In order to determine whether or not any one of a number, an e-mail address, and an address), functions as a telephone number determination unit 113a, an e-mail address determination unit 113b, and an address determination unit 113c are provided. . Note that the first determination unit 113 of the present embodiment performs the character string determination process in order of lighter determination processing load, that is, in the order of telephone number, e-mail address, and address.

  The telephone number determination means 113a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 10c, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 116, and ends the judgment processing by the 1st judgment means 113 to the above-mentioned character string. In the present embodiment, it is assumed that the telephone number determination condition includes a 9-15 digit number in the character string.

  The e-mail address determination unit 113b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 113a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 116. The determination process by the first determination unit 113 is terminated. In the present embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that a character string “dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  The address determination unit 113c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 113b determines that the character string does not correspond to an e-mail address. When the character string satisfies the address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to the address, and the second determination means 116 is notified of this. In the present embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the arithmetic processing capability of the CPU 10a is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

  The character determination unit 114 sets the character string in the quarantine table 10c when the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. Specifically, it is determined whether the number of characters in the character string is within a predetermined range and whether all the characters in the character string are kanji. In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  The collating unit 115 is a character section determined by the first determining unit 113 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 114 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the result of the verification determination is notified to the second determination means 116.

  Here, the inappropriate character / unsuitable character string is preset in the quarantine table 10c. For example, Tokyo, Osaka, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture, university , Gakuin, Tokyo Stock Exchange, Research, Administration, General Affairs, Accounting, Sales, Administration, Pharmaceutical, Sales, School, Education, Specialty, Architecture, Machine, Corporation, Factory, Manufacturing, Technology, Commerce, Books, Unknown, Deputy Director, Public, Publication , Advertising, Broadcasting, Target, Wholesale, Retail, Planning, HR, Information, Department, President, Regulatory, General Manager, Section Manager, Section Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Oil, Transportation, Management, Strategy , Materials, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, banking, research, English, quality, warranty, equipment, charge, chief , Director, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, First, No. , Third, Fourth, Fifth, Sixth, Seventh, Eighth, Ninth, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church, Union , Cult, commerce, nationwide, branch, contact, parliament, life, consumption, promotion, city hall, ward office, general, modification, function, overview, composition, company, organization, association, deletion, document, deadline, valid A character / character string that cannot appear in a full name, that is, a character / character string inappropriate as a name.

  The second determination unit 116 determines the electronic file to be determined based on the determination result by the telephone number determination unit 113a, the e-mail address determination unit 113b and the address determination unit 113c in the first determination unit 113 and the collation determination result by the collation unit 115. Is a personal information file.

  More specifically, the second determination unit 116 receives notification of determination results from the telephone number determination unit 113a, the e-mail address determination unit 113b, and the address determination unit 113c. Counts the number of character sections considered to be applicable, and receives the collation determination result from the collating means 115, and the character section determined by the collating means 115 as not including an inappropriate character / inappropriate character string as the name Count the number.

  Then, the second determination means 116 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, the e-mail address, the address, and the name. A determination value that increases as these count values increase is calculated. For example, the second determination means 116 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 116 determines whether or not the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 116 further assigns a P mark (private level mark) according to the size of the determination value to the determination target file and sets it in the P mark table 10d. Register and rank. As described above, the P mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark. The predetermined threshold for determining the personal information file and the reference value for determining the P mark are set as appropriate from the personal information management server 20 (a management console 24 described later). In addition, although the P mark is ranked into four “P1” to “P4” here, the number of ranks is not limited to this. Furthermore, as the above-mentioned predetermined threshold value and reference value, common (identical) values may be set for all user terminals 10, or for each user terminal 10 or for a facility (company) that introduces the present system 1. ) Different ones may be set for each.

  As described above, the P mark (P mark table 10d) added to the determination target file is information for identifying the file (for example, a file name) for each file determined to be a personal information file. The data is transmitted to the personal information management server 20 via the transmission / reception means 13 and the network 30, and stored in the database 20b by the collection means 23 as described later with reference to FIG. Then, the management target file (personal information file) to which the P mark is assigned is determined by the personal information management server 20 (a management unit 25 described later) according to the rank of the P mark, as will be described later with reference to FIG. The management target file is managed as described later.

[1-3] Functional Configuration of Personal Information Management Server of this Embodiment FIG. 4 is a block diagram showing a functional configuration of the personal information management server (management server) 20 of this embodiment. As shown in FIG. The information management server (management server) 20 includes a CPU 20a that executes various processes, a database (RDB: Relational DataBase) 20b that stores and saves information related to access logs and personal information files from each user terminal 10, and the like. The display unit 20c is configured to display various types of information stored in the database 20b and public information aggregated and created by the management unit 25 described later.

  The CPU 20a functions as a user information collection unit 21, an installation unit 22, a collection unit 23, a management console 24, a management unit 25, a display control unit 26, and a transmission / reception unit 27. These functions are performed by the CPU 20a. This is realized by executing a management program. Here, the management program includes a program (user terminal program) to be installed in the user terminal 10 in order to cause the user terminal 10 to function as the search means 11 and the access detection means 12 described above. To do.

  The user information collection means 21 is connected via the network 30 and the transmission / reception means 27 when the system 1 is started up, when it is detected that the user terminal 10 is connected to the network 30, or at predetermined intervals. User information (host information) such as a MAC address is collected from communicably connected user terminals 10, and the user terminal 10 is connected to the user terminal 10 in addition to the user terminal program. It recognizes whether or not a program that functions as the external storage medium driver 14 or the encryption means / registration means 15 is installed. Since the installation status of the program that causes the user terminal 10 to function as the external storage medium driver 14 or the encryption unit / registration unit 15 described above is used in the processing of the management unit 25 as will be described later, Registered and stored in association with the user terminal 10. That is, the user information collection unit 21 functions as a survey unit that investigates whether or not the external storage medium driver 14 is installed in the user terminal 10.

  When the user terminal 10 in which the user terminal program is not installed is detected based on the information collected by the user information collecting means 21, the installing means 22 passes through the transmitting / receiving means 27 and the network 30. The user terminal program is installed in the user terminal 10 and the user terminal program is executed by the user terminal 10 to search for a management target file in the storage unit 10b of the user terminal 10. is there.

  The collection unit 23 receives the search result of the personal information file (file name, link destination information, determination value, P mark, etc. of the personal information file) executed on the user terminal 10 via the network 30 and the transmission / reception unit 27. In addition to performing the function of collecting and associating with each user terminal 10 and storing it in the database 20b, the personal information file in each user terminal 10 is grasped based on the search result transmitted from each user terminal 10. In addition, it functions as a log collecting unit that collects and records an access log for each personal information file from the user terminal 10 via the network 30 and the transmission / reception unit 27.

The collection of the access log by the collection unit 23 may be performed passively by receiving the access log of each user terminal 10 or periodically from the collection unit 23 side to each user terminal 10. This may be done actively by making an access log transmission request.
As described above, the access log collected here is detected and recorded for each personal information file by the access detection means 12 of each user terminal 10, and includes the access type and the number of accesses. It is associated with a file name, information (PC name) that can specify the user terminal 10 that has accessed the personal information, and information (owner name) that can specify the owner of the user terminal 10. Are registered and stored in the database 20b. In the present embodiment, the collection unit 23 also collects the number of accesses to the browsing-prohibited site at each user terminal 10 as an access log, and registers and saves it in the database 20b in association with each user terminal 10. Shall.

  The management console 24 sets and manages the determination conditions for the personal information file (the quarantine table 10c, a predetermined threshold necessary for determining the personal information file and the P mark, etc.). In the quarantine table 10c, the above-described telephone number determination condition, e-mail address determination condition, address determination condition, character determination condition (predetermined range) and inappropriate characters / unsuitable character strings are set.

  The management means 25 manages the personal information file in each user terminal 10 according to the search results collected by the collection means 23 and stored in the database 20b (counting results obtained by the second determination means 116). A file determined by the exploration means 11 as a personal information file (a file with a P mark; hereinafter referred to as a personal information file) is a management target.

  This management means 25 responds to the user (holder) of the personal information file according to the judgment value (or P mark) of the personal information file registered in the P mark table stored in the database 20b. Warning information is notified, a personal information file is forcibly captured and collected from the user terminal 10 storing the personal information file, and the personal information file is output from the user terminal 10 to the outside. Forcibly prohibiting, storing the personal information file in a folder (not shown) accessible only by the administrator, or accessing the personal information file as a file access management server function (described later). ).

  For example, when the rank of the P mark is “P1”, the recommendation by the warning information is not performed, but the fact that the personal information file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. When the rank of the P mark is “P3”, the system administrator (administrator terminal 40) is notified of the existence of a user who stores the personal information file as warning information by e-mail, etc. Instruct the user to return the personal information file. When the rank of the P mark is “P4”, the personal information file is forcibly captured and collected from the user terminal 10 or the personal information file is forcibly output from the user terminal 10 to the outside. The personal information file is prohibited, stored in a folder accessible only to the administrator, or access to the personal information file is managed by the function of the personal information management server 20 as a file access management server. Even if the P mark rank is not “P4”, if the personal information file of “P3” is left for a predetermined number of days, the rank of the P mark is “P4” for the personal information file. You may make it perform the treatment similar to the case.

Further, the management means 25 has a function of searching the personal information file stored in each user terminal 10 or the database 20b with various accuracy, and a function of causing the display control means 26 to display the search result on the display unit 20c. Have.
The display control unit 26 controls the display state of the display unit 20c so that various types of information, for example, public information to be described later, is displayed on the display unit 20c. The transmission / reception unit 27 is connected to each user terminal via the network 30. Various information is transmitted / received to / from 10.

  In addition, the management unit 25 of the present embodiment includes a search result by each user terminal 10, an access log collected / recorded by the collection unit 23, and an investigation result (use) collected / recorded by the user information collection unit 21. Based on the presence / absence of a program that causes the user terminal 10 to function as the external storage medium driver 14), public information regarding the access status with respect to each personal information file, or for external storage medium, in order to manage each user terminal 10. The public information about the user terminal 10 in which the driver 14 is installed is created, and the public information is displayed on the display unit 20c, is disclosed to all the user terminals 10 via the network 30, or the network 30 The function of notifying all the user terminals 10 by e-mail or the like via the e.g.

  Here, as public information, the file name of the personal information file, information (PC name) that can identify the user terminal 10 that has accessed the personal information file, the owner of the user terminal 10 Information (owner name), the total number of personal information files (the number of personal information files and the number of personal information possessed by the user terminal 10), and the total number of accesses to the personal information file (individuals) Information file / access type). The access type includes printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP server, and the like.

  Also, as public information, information (PC name) that can identify the user terminal 10 that has a personal information file and that has the external storage medium driver 14 installed, and the owner of the user terminal 10 are specified. Possible information (owner name), the file name of the personal information file held in the user terminal 10, and the number of times of writing the personal information file to the external storage medium 40 executed in the user terminal 10 is there.

Furthermore, the management means 25 of the present embodiment, in addition to information related to the access status to the personal information file, the number of accesses to the browsing-prohibited site in each user terminal 10 (see, for example, FIG. 19) It also has a function of monitoring / collecting the number of accesses to the personal information file in other terminals / servers and creating / disclosing it as public information.
A specific example of public information created and disclosed by the management unit 25 will be described later with reference to FIGS.

  Furthermore, the management means 25 of the present embodiment includes the search results by each user terminal 10, the access logs collected and recorded by the collection means 23, and the survey results (uses collected and recorded by the user information collection means 21). Information on the presence or absence of a program that causes the user terminal 10 to function as the external storage medium driver 14 or the encryption unit / registration unit 15), the number of accesses to the browsing prohibited site, and the number of accesses to the personal information file in other terminals / servers. In order to manage each user terminal 10, based on the security level, the security level in each user terminal 10 for preventing the leakage of the personal information file from each user terminal 10 is changed and set. The user terminal 10 can also be configured to change the access restriction on the file. It is.

The management means 25 of this embodiment shall set the security level (setting of the access restriction with respect to a file) of each user terminal 10 according to the criteria of the following items (1) to (5), for example.
(1) The security level is set high for the user terminal 10 that has executed processing / operation related to the personal information file (some access to the personal information file in the own terminal 10 / other terminal / server), and the file (only the personal information file) (Including regular files as well), while the user terminal 10 that has not executed any processing / operation related to the personal information file for a predetermined period of time is set to a low security level to access the file. Remove or relax restrictions.

    (2) For the user terminal 10 that has the personal information file in the storage unit 10b, the security level is set high to tighten access restrictions on the file, while the personal information file is not held in the storage unit 10b. For the user terminal 10, the security level is set low to cancel or relax the access restriction on the file.

    (3) A high security level is set for the user terminal 10 for which the encryption function for automatically encrypting the file sent to the outside (function as the encryption means / registration means 15 described above) is not set. On the other hand, the access restriction on the file is tightened, while the user terminal 10 to which the encryption function is set is set to a low security level to release or relax the access restriction on the file.

    (4) For the user terminal 10 in which the external storage medium driver 14 is installed, the security level is set high to tighten access restrictions on files, while the user who has not installed the external storage medium driver 14 The terminal 10 is set to a low security level to release or relax the access restriction on the file.

    (5) For the user terminal 10 that is accessing the browsing-prohibited site, the security level is set high to tighten access restrictions on the file, while the user terminal 10 that is not accessing when browsing is prohibited For 10, the security level is set low to remove or relax the access restriction on the file.

  When the management unit 25 performs such security level settings (file access restriction settings), the user terminal 10 is less likely to cause an inadvertent outflow / leakage or unauthorized use of personal information files. Specifically, the personal information file is not accessed at all for a predetermined period, the personal information file is not held, and the external transmission file is encrypted. In addition, for the user terminal 10 in which the external storage medium driver 14 is not installed and the browsing prohibited site is not accessed at all, the access restriction is released or relaxed, and the user terminal 10 is An environment that can be used efficiently is provided to users.

  Here, the access restriction status includes all types of access, such as printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP server, and all types of access. If the security level “Low” is set and the security level “Low” is set, all types of access are switched to the executable state, while the security level “High” is set. For example, all types of access may be switched to an inexecutable state. In addition, as a state of access restriction, multiple levels are set from a state where all types of access can be performed to a state where all types of access cannot be performed, and the security level is set from low to high. You may make it change in steps corresponding to each level.

  In addition, the security level is set (access restriction is set) for each of the criteria of the above items (1) to (5). The degree of satisfying each criteria is digitized and based on the total value of the numeric values. The security level may be set by comprehensively determining whether the criteria of the items (1) to (5) are satisfied.

[1-4] Functional Configuration as File Access Management Server of This Embodiment FIG. 5 is a block diagram showing a functional configuration as a file access management server provided in the personal information management server (management server) 20 of this embodiment. is there. In the present embodiment, the personal information management server 20 has a function as a file access management server. However, the personal information is connected to each user terminal 10 through the network 30 so as to be able to communicate with the personal information. The management server 20 may be configured to be realized by a separate server.

  As shown in FIG. 5, the function of the personal information management server 20 as a file access management server is, for example, a file encrypted by the encryption unit 15 in each user terminal 10 or a registration unit of each user terminal 10. 15 and personal information files (personal information files with a P mark rank of “P4”) are managed. Here, the personal information file whose P mark rank is “P4” is managed, but all electronic files that are determined to be personal information files by the exploration means 11 are accessed regardless of the P mark rank. It may be a management target of the management server.

  The CPU 20a functions as means 27a to 27d, 28, and 29 described later, and these functions are realized by the CPU 20a executing a file access management server program. In addition to the above-described various information, the database 20b includes an encryption key for encrypting a personal information file, a decryption key for decrypting an encrypted personal information file, Access authority (to be described later) for the registered personal information file, a user ID / password of a registered user [registrant (employee) permitted to view the encrypted file), and the like are stored.

  In addition to the functions described above, the transmission / reception means 27 functions as a file reception means 27a, an encrypted file transmission means 27b, an authentication information reception means 27c, and a decryption key transmission means 27d described later. Further, the transmission / reception means 27 of the present embodiment sends a predetermined encryption key used for the encryption processing in the encryption means 15 to each user terminal 10 through the network 30 in response to a request from each user terminal 10. The function to transmit is also fulfilled.

The file receiving unit 27a receives a file to be registered (file registered by the registering unit 15) from each user terminal 10 via the network 30.
The encryption means 28 is a file to be registered (managed object) received from the personal information management server 20 by the file receiving means 27a, a personal information file with a P mark rank of "P4", a PDF file that is difficult to tamper with, etc. And the PDF file is encrypted using a predetermined encryption key. Conversion to a PDF file is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF and a PDF file as a completed document file is generated.

The encrypted file transmission unit 27 b transmits a file encrypted (keyed) by the encryption unit 28 (hereinafter referred to as an encrypted file) to the user terminal 10 via the network 30.
In the management by the function as the file access management server, various access authorities (permissions such as browsing, printing, copying, etc.) for each encrypted file are set according to policy settings when encryption is performed by the encryption unit 28 as described above. Set for each user and each encrypted file. At that time, one type of policy is set in order to simplify the system operation, and the access right at each user terminal 10 for all encrypted files is set by the policy setting [for example, in-house where the present system 1 is installed. Access rights for all employees / all users (all registrants registered in the file access management server function in advance) are automatically set (granted) only viewing rights, and access other than browsing For example, access such as printing, copying, alias saving, and screen capture (screen shot) may not be performed.

  The authentication information receiving unit 27c receives authentication information transmitted from the user terminal 10 via the network 30 when the user terminal 10 accesses the encrypted file. Here, the authentication information is determined by the file access management server 20 that the user of the user terminal 10 trying to open the encrypted file is a valid transmission destination (user / registrant) of the encrypted file. Information necessary for authentication, and includes a user ID and password registered in advance in the file access management server 20 (database 20b) for the user of the service by the file access management server 20. These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  The determination unit 29 determines whether or not the user terminal 10 that transmitted the authentication information is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information reception unit 27c. The user ID and password input by the user are determined by determining whether or not the user ID and password registered and stored in the database 20b of the file access management server 20 in advance match the user ID and password. Is to determine and authenticate whether or not is a valid registrant.

The decryption key transmission unit 27d reads out the decryption key for decrypting the encrypted file from the database 20b and sends it to the user terminal 10 when the determination unit 29 authenticates that the user is a valid registrant. It is transmitted via the network 30.
Upon receiving the decryption key from the file access management server 20, the user terminal 10 decrypts the encrypted file using the decryption key, restores the original personal information file, and restores the restored personal information file. On the other hand, access (for example, browsing) according to the given access authority is performed.

[2] Operation of Personal Information Management System of the Present Embodiment Next, the operation of the personal information management system 1 of the present embodiment configured as described above will be described with reference to FIGS.
[2-1] Operation of User Terminal In this system 1, the personal information management server 20 recognizes whether or not the user terminal program is installed in the user terminal 10 connected to the network 30. If not installed, the user terminal program is installed in the user terminal 10.

  In the user terminal 10 in which the user terminal program is installed, the following process is performed by executing the user terminal program. The operation of the user terminal 10 of the present embodiment will be described according to the flowchart (steps S11 to S17) shown in FIG.

  In the user terminal 10, whether or not the exploration means 11 has reached the exploration timing of the personal information file (step S 11), whether or not there has been access to the personal information file (from the NO route in step S 11 to step S 14), access Whether or not the log transmission timing has come (from the NO route in step S14 to step S16) is constantly monitored.

  Searching of the personal information file by the search means 11 indicates that the user terminal program program has been installed from the personal information management server 20, or that the user terminal 10 has been started, or that a predetermined search cycle has passed. When the timing is detected (YES route in step S11), the function as the exploration means 11 is activated, and the exploration means 11 identifies and searches for the personal information file from the data in the storage unit 10b (step S12; The detailed exploration procedure will be described later with reference to FIG.

  Then, for each personal information file searched by the search means 11, the determination result (determination value / system value) and P mark together with information for specifying the file (for example, file name) and the transmission / reception means 13 and the network 30 is sent to the personal information management server 20 as a search result (step S13).

  In the user terminal 10, when access to the personal information file searched by the searching unit 11 is detected by the access detecting unit 12 (YES route in step S14), the access content is stored as an access log for each file. It is recorded and saved in the storage unit 10b (step S15). It is assumed that the personal information file to be detected by the access detection unit 12 includes not only those stored in the storage unit 10b of the terminal itself but also those stored in other terminals / servers.

  Further, when the access is detected by the access detection unit 12, or when a predetermined access log transmission cycle or when an access log transmission is requested from the personal information management server 20 (collection unit 23), it is detected as an access log transmission timing. Then (YES route of step S16), the access log immediately after being detected by the access detecting means 12, or the access log recorded / accumulated in the storage unit 10b until then is managed through the transmitting / receiving means 13 and the network 30. It is transmitted / notified to the server 20 (step S17).

  When the function as the encryption unit 15 is set in the user terminal 10, the file attached to the mail or written to the external storage medium 40 and sent to the outside is stored as the encryption unit 15. The PDF file is converted into a PDF file having a container function by the function, the original file of the file is stored in the PDF file using the container function, and then the PDF file is stored in a predetermined file managed by the file access management server 20. It is encrypted with the encryption key and an encrypted file is created. At this time, for the user who accesses the encrypted file, the access authority (for example, viewing authority) for the encrypted file is automatically set from the encryption unit 15 to the file access management server 20.

  Further, when the function as the registration unit 15 is set in the user terminal 10, the file attached to the mail or written to the external storage medium 40 and sent to the outside depends on the function as the registration unit 15. The personal information management server 20 is registered in the server 20 to be managed under the function of the file access management server. At the time of registration, the file is transmitted from the registration unit 15 to the server 20 via the transmission / reception unit 13 and the network 30, and an encrypted file created by a procedure described later with reference to FIG. Is received from the server 20.

[2-2] Operation of exploration means In the exploration means 11 of this embodiment, the appearance frequency of a telephone number, an e-mail address, an address, and a name is quantified as follows to determine the personal information file (specific / exploration) ). At that time, when the character section cut out by the cutting means 112 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot be seen in the personal information in advance in the character section cut out by the cutting means 112, it is excluded because it is regarded as not corresponding to the personal information element (name in this embodiment). If the specified inappropriate character / inappropriate character string is not included, the character section is regarded as corresponding to the personal information element constituting the personal information, that is, the personal information element appears. , Count up the number of appearances.

In the user terminal 10 of the present embodiment, the procedure of the personal information file search operation executed by the search unit 11 (user terminal program) described above will be described according to the flowchart (steps S102 to S118) shown in FIG. To do.
First, a file that is not yet a determination target is selected and read out from all data of the user terminal 10 as a determination target file (step S102), and extraction means (text extraction) is selected from the determination target file. Text data is extracted by the engine 111 (step S103).

  From the text extracted in this way, the character section delimited by the delimiter described above is extracted by the extraction means 112 and sequentially written in a buffer (not shown) as a determination target / collation target (step S104). When cutting out a character section, as described above, the cutting means 112 removes symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, and parenthesis symbols, from the character section. .

  Whether or not the character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting means 112 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination means 113a, the e-mail address determination means 113b, and the address determination means 113c (steps S105, S107, S109).

  First, the telephone number determination unit 113a determines whether or not the character string corresponds to a telephone number (step S105). At that time, if the character string satisfies the telephone number determination condition set in the quarantine table 10c, that is, if the character string includes 9 to 15 digits, the character string is converted to the telephone number. (YES route in step S105), the fact is notified to the second determination means 116, and the second determination means 116 increments the count value corresponding to the number of appearances of the telephone number by one. (Step S106), the process proceeds to Step S114.

  If it is determined that the character string does not correspond to a telephone number (NO route of step S105), the e-mail address determination means 113b determines whether or not the character string corresponds to a telephone mail address (step S107). ). At that time, if the character string satisfies the e-mail address determination condition set in the quarantine table 10c, that is, “one or more ASCII” + “@” + “one or more ASCII” + If the character string “.” + “ASCII of one or more characters” is included, it is determined that the character string corresponds to the e-mail address (YES route in step S107), and that is the second determination means. 116, the second determination means 116 increments the count value corresponding to the number of appearances of the e-mail address by 1 (step S108), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an e-mail address (NO route in step S107), the address determination unit 113c determines whether the character string corresponds to an address (location) (step S109). ). At that time, if the character string satisfies the address determination condition set in the quarantine table 10c, that is, “one or more double-byte characters” + “city” or “city” or “county” + If a character string that is “one or more double-byte characters” is included, it is determined that the character string corresponds to an address (YES route of step S109), and that is notified to the second determination means 116, In this second determination means 116, the count value corresponding to the number of appearances of the address (residence) is incremented by 1 (step S110), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an address (NO route in step S109), that is, the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. If the character determination unit 114 determines that the character string satisfies the character determination condition (the number of characters is 1 or more and 6 or less and all characters are kanji characters) set in the quarantine table 10c. Determination is made (step S111). When this character determination condition is not satisfied (NO route in step S111), the process proceeds to step S114.

  On the other hand, if this character determination condition is satisfied (YES route in step S111), the collation means 115 determines whether or not there is a character / character string included in the character section (the character string) and the name set in the quarantine table 10c. The appropriate character / inappropriate character string is collated, and it is determined whether or not the character section includes an inappropriate character / inappropriate character string (step S112). If there is at least one character / character string that matches the inappropriate character / inappropriate character string in the character section (YES route in step S112), matching with the inappropriate character / inappropriate character string at that time The process is immediately terminated, and the process proceeds to step S114.

  If the character section does not include an inappropriate character / unsuitable character string (NO route in step S112), the result of the collation determination is notified to the second determination means 116. In the second determination means 116, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S113), and the process proceeds to step S114.

  In step S114, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character segment (YES route), the process returns to step S104, and the same processing as described above (steps S104 to S104). S113) is repeatedly executed. In this way, when all character sections are cut out from the text data and the determination processing, collation processing, counting processing, etc. for all character sections are completed (NO route in step S114), the second determination means 116 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S115).

  Then, the second determination means 116 determines whether or not the determination target file is a personal information file based on the determination value calculated in step S115, and ranks the P mark. (In the present embodiment, four of "P1" to "P4") are performed (step S116).

  Thereafter, it is determined whether or not the personal information has been searched for all the electronic files in the user terminal 10 (step S117). If there is still an unsearched electronic file (NO route of step S117), step S102 is performed. Returning to the above, the same processing as described above is executed, but when the search is completed for all the electronic files (YES route in step S117), the determination result of the personal information file and the ranking result of the P mark in step S116 are the search results. The result is output (step S118). After completing the process in step S118, the personal information file search operation is terminated.

[2-3] Operation of Personal Information Management Server Next, the operation of the personal information management server 20 of this embodiment will be described with reference to FIGS.
First, the main operation of the personal information management server 20 of the present embodiment will be described with reference to the flowchart shown in FIG. 8 (steps S201 to S215).

  In the personal information management server 20, whether or not the collection timing by the user information collection means 21 has come (step S201), and whether or not the search result by the search means 11 has been received from each user terminal 10 (NO in step S201). Whether the access log collection timing comes from the route (step S206) or not (step S210 to NO in step S206) is constantly monitored.

  When the system 1 is started up, when it is detected that the user terminal 10 is connected to the network 30, or when a predetermined collection period has elapsed, it is detected as a collection timing by the user information collection means 21. Then (YES route of step S201), the user information (host information) of each user terminal 10 is collected by the user information collecting means 21, and the program (for example, for the above-described user terminal) in each user terminal 10 is collected. In addition to the program, the installation status of the user terminal 10 that functions as the external storage medium driver 14 and the encryption unit / registration unit 15 is collected by the user information collection unit 21 (step S202). The collected installation status (presence / absence of each program) is registered / saved in the database 20b in association with each user terminal 10.

  When there is a user terminal 10 in which the user terminal program is not installed (YES route in step S203), the installation means 22 sends the user terminal 10 to the user terminal 10 via the transmission / reception means 27 and the network 30. The terminal program is installed, and the user terminal 10 is made to execute the user terminal program to search for a management target file in the storage unit 10b of the user terminal 10 (step S204).

  After installing the user terminal program in the user terminal 10 as described above, or when there is no user terminal 10 in which the user terminal program is not installed (NO route in step S203), each use Installation status of the external storage medium driver 14 in the user terminal 10 and the setting status of the encryption means / registration means 15, that is, a program that causes the user terminal 10 to function as the external storage medium driver 14 and encryption means / registration means 15. The security level for each user terminal 10 is set by the management means 25 in accordance with the presence or absence of (step S205).

  At this time, the management unit 25 sets a high security level for the user terminal 10 for which the function as the encryption unit / registration unit 15 is not set according to the security level setting standard described in the item (3) described above. While restricting access restrictions on files, the user terminal 10 with the encryption function set has a low security level to release or relax access restrictions on files. For the user terminal 10 in which the external storage medium driver 14 is installed in accordance with the security level setting standard described in (1)), the security level is set high to tighten access restrictions on files, while the external storage medium driver User terminal 1 in which 14 is not installed For releasing or relaxing the access restrictions for files by setting lower security level.

  Further, when a search result by the search means 11 is received from each user terminal 10 (YES route in step S206), the search result (file name, link destination information, determination value, P mark, etc. of the personal information file) The collecting unit 23 registers and saves the data in the database 20b in association with each user terminal 10 (step S207). Further, the collecting means 23 grasps the personal information file in each user terminal 10 based on the search result, and the grasped personal information file is registered as an access log collection target by the collecting means 23 (step S208). .

  Thereafter, according to the search result of the personal information file from each user terminal 10, the security level for each user terminal 10 is set by the management means 25 (step S209). At this time, in accordance with the security level setting criteria described in the item (2) described above, the management unit 25 sets a high security level for the user terminal 10 that has the personal information file in the storage unit 10b and sets the file. On the other hand, for the user terminal 10 that does not have the personal information file in the storage unit 10b, the security level is set low to cancel or relax the access restriction on the file.

  Further, when an active access log notification of each user terminal 10 or an access log transmission request from the personal information management server 20 (collection means 23) is detected as an access log collection timing (in step S210) YES route), an access log (an access log for the personal information file recorded by the access detection unit 12 and an access log for a browsing-inhibited site) is collected from each user terminal 10 by the collection unit 23 (step S211). The access log (file name of personal information file, PC name, owner name, access type, number of times of access, number of times of access to browsing prohibited site) is associated with each user terminal 10 / personal information file by collection means 23. Registered and stored in the database 20b (step Flop S212).

  Then, the search result by each user terminal 10 by the management means 25, the access log collected and recorded by the collection means 23, and the investigation result collected and recorded by the user information collection means 21 (the user terminal 10 Based on the presence / absence of a program that functions as the external storage medium driver 14), the public information regarding the access status to each personal information file and the external storage medium driver 14 are installed to manage each user terminal 10. The public information regarding the created user terminal 10 is created (step S213), and the created public information is displayed on the display unit 20c via the display control unit 26, or all the user terminals 10 via the network 30. To all user terminals 10 via the network 30 by e-mail or the like. Or it is notified Te (step S214).

  Further, the security level for each user terminal 10 is set by the management unit 25 in accordance with the access log collected and recorded by the collection unit 23 (including the access log for the browsing prohibition log) (step S215). At this time, the management means 25 performs processing / operation related to the personal information file (some access to the personal information file in the own terminal 10 / other terminals / servers) in accordance with the security level setting criteria described in the item (1) described above. For the executed user terminal 10, the security level is set high to tighten access restrictions on files (including not only personal information files but also ordinary files), while processing / operations related to personal information files are performed over a predetermined period. For the user terminal 10 that has not been executed at all, the security level is set low to release or relax the access restriction on the file, and further, according to the security level setting criteria described in the item (5) above, to the browsing prohibited site Users who are accessing For the terminal 10, the security level is set high to tighten the access restriction on the file, while for the user terminal 10 that does not access when the browsing is prohibited, the security level is set low to restrict the access to the file. Release or relax.

[2-4] Specific Example of Public Information A specific example of public information created in step S213 and disclosed in step S214 will be described with reference to FIGS. 12 to 19 are diagrams showing specific examples of public information (screens and lists displayed on the display of the user terminal 10 and the management server 20) created and released by the management unit 25.

  FIG. 12 shows a screen 101 for displaying the number of personal information files and the number of personal information possessed by the month as a bar graph on the display, and “number of cases” (here, “1000 to 100,000”) from this screen 101. A list 102 that is drilled down and displayed on the display, a screen (bar graph display for each department) 103 that is drilled down on the display from the screen 101 and displayed on the display, and a department name from this screen 103 A list 104 that is drilled down (here “Sales Department”) and displayed on the display is shown. In the lists 102 and 104, for each personal information file, the file name, the number of personal information included in the personal information file (for example, the number of personal information elements), and the possession of the user terminal 10 that owns the personal information file. The user name, the PC name of the user terminal 10, and the department name and job to which the user terminal 10 belongs are displayed.

  FIG. 13 shows a screen 105 for displaying the number of accesses to the personal information file (personal information access records) aggregated for each department / access type on the display as a bar graph, and from this screen 105, “Department name” and “Access Lists 106 and 107 drilled down by “type” and displayed on the display are shown. The list 106 is drilled down for “Sales Department” and “Save File”, and the list 107 is drilled down for “Sales Department” and “USB”. In these lists 106 and 107, For each owner name of the accessing user terminal 10, the PC name of the user terminal 10, the access date and time, the file name of the accessed personal information file, the document path / document operation / printer name / FTP server / FTP command and the like are displayed. In the figure, the access type “FTP” is upload / download to / from the FTP server, “USB” is access to the external storage medium (USB memory), “change” is rename, and “save” is file overwriting save. That is. With such lists 106 and 107, it is possible to record and grasp access to personal information files that may lead to personal information leakage.

  FIG. 14 shows a simplified example of the screen 105 shown in FIG. 13. In FIG. 14, the number of accesses to the personal information file (personal information access records) aggregated for each department is displayed on a display as a bar graph. A screen 108 to be displayed and a list 109 that is drilled down from the screen 108 with a “department name” (here “sales department”) and displayed on the display are shown. In the list 109, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the access date and time, the file name of the accessed personal information file, the document path, and the operation The contents are displayed. Such a list 109 makes it possible to grasp user operations that may cause personal information leakage.

  FIG. 15 shows a screen 110 for displaying on a display the number of target PCs that have a personal information file and installed a large-capacity storage device (external storage medium driver 14) as a bar graph. A list 111 that is drilled down from the screen 110 with “Department name” (here “Sales Department”) and displayed on the display is shown. In the list 111, for each owner name of the user terminal 10 that has accessed, the PC name of the user terminal 10, the file name of the personal information file held by the user terminal 10, the document path, and the operation contents Is displayed. With such a list 111, it is possible to grasp user operations that may leak personal information.

  FIG. 16 shows a screen 112 for displaying the number of times the personal information file is written to the external medium (external storage medium 40), which is aggregated for each department, on the display as a bar graph. A list 113 that is drilled down by "Sales Department") and displayed on the display is shown. In the list 113, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the date and time of writing, the file name of the personal information file to be written, the document path, and Operation details are displayed. With such a list 113, it is possible to grasp user operations that may cause personal information leakage.

  FIG. 17 shows a screen 114 displaying the number of FTP transfers of the personal information file aggregated for each department on the display as a bar graph, and drilled down from this screen 114 with “Department name” (here “Sales Department”). A list 115 displayed on the display is shown. In the list 115, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the FTP transfer date and time, the file name of the personal information file to be transferred, the FTP server Name and FTP command are displayed. With such a list 115, it is possible to grasp user operations that may cause personal information leakage.

  FIG. 18 shows a screen 116 that displays the number of renames of the personal information file as a bar graph on the display, and is drilled down from this screen 116 with “Department name” (here “Sales Department”). A list 117 displayed on the display is shown. In the list 117, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the renaming date and time, the file name and document path of the personal information file to be renamed, Is displayed. With such a list 117, it is possible to grasp user operations that may leak personal information.

  In FIG. 19, a screen 118 that displays the number of accesses counted for each prohibited browsing site as a bar graph on the display, and drilled down from this screen 118 with “site name” (here “file service”) is displayed on the display. A list 119 to be played is shown. In the list 119, for each owner name of the user terminal 10 that has accessed the selected site, the PC name of the user terminal 10 and the access time are displayed. With such a list 119, access to the browsing prohibited site can be monitored.

[2-5] Management Operation of Personal Information Management Server Based on P Mark Next, the management operation of the personal information management server 20 (management unit 25) based on the P mark obtained as a search result by the search unit 11 will be described with reference to FIG. It demonstrates according to the flowchart (step S20-S29) shown.

  The management means 25 refers to the determination result (P mark table) of the personal information file in the database 20b, and determines the presence or absence of the personal information file (file to which the P mark is assigned) (step S20). If a personal information file exists (YES route in step S21), management / operation for each personal information file is performed by the management means 25 according to the search result of the personal information file [here, P mark level (rank)]. (Steps S21 to S29).

  First, it is determined whether or not there is a personal information file of P mark level “P1” (step S21). If there is a personal information file of P mark level “P1” (YES route of step S21), the personal information file is monitored for access. It is set and registered as a target (access log recording target) (step S22). In addition, since the process of step S22 overlaps with the process same as step S208 of FIG. 8, you may abbreviate | omit step S21 and S22.

  When there is no personal information file of P mark level “P1” (NO route of step S21), or after registration in step S22, it is determined whether or not there is a personal information file of P mark level “P2” (step S23). If there is a personal information file of the P mark level “P2” (YES route in step S23), the personal information file is set and registered as an access monitoring target, and the user of the personal information file is cautioned Attention information by pop-up display is notified (step S24).

  When there is no personal information file of P mark level “P2” (NO route of step S23), or after the notice information is notified in step S24, it is determined whether or not there is a personal information file of P mark level “P3” (step S25). ), If there is a personal information file of P mark level “P3” (YES route of step S25), the personal information file is set and registered as an access monitoring target, and the user who stores the personal information file is The fact that it exists is notified to the system administrator by e-mail or the like as warning information, and the user is instructed to return the personal information file (step S26).

  If there is no personal information file of P mark level “P3” (NO route of step S25), or whether or not there is a personal information file of P mark level “P4” after issuing alarm information notification and return instruction in step S26 If there is a personal information file of P mark level “P4” (YES route of step S27), the personal information file is forcibly captured and collected from the client terminal 10 (step S28). The personal information file is placed under the management of the file access management server 20, and the file access management server 20 manages the access to the personal information file (step S29). When there is no personal information file of the P mark level “P4” (NO route in step S27), or after the processing in step S29 is completed, the management operation is terminated.

  As described above, with respect to the personal information file of the P mark level “P4”, the personal information file is forcibly prohibited from being output from the user terminal 10 to the outside, or the personal information file is only for the administrator. May be stored in an accessible folder. Further, when a personal information file having a P mark level “P3” is left for a predetermined number of days, the same processing as that for a personal information file having a P mark level “P4” may be executed. Furthermore, all of the personal information files of the P mark levels “P1” to “P4” may be placed under the management of the file access management server 20.

[2-6] Operation of File Access Management Server Next, the operation of the file access management server 20 will be described with reference to FIGS. 10 and 11.
First, the file conversion operation by the file access management server 20 of this embodiment will be described with reference to the flowchart shown in FIG. 10 (steps S31 to S34).

  In the file access management server 20, when a file to be managed is received by the personal information file receiving means 27a from each user terminal 10 via the network 30 so as to be registered as a management target by the file access management server 20 (step S31). The YES route) is converted into a PDF file by the encryption means 28 (step S32), and further, encryption processing (keying processing) is performed using a predetermined encryption key (step S33). Then, the encrypted file is transmitted to the user terminal 10 via the network 30 by the encrypted file transmission unit 27b (step S34).

Next, an authentication operation performed by the file access management server 20 according to the present embodiment will be described with reference to the flowchart shown in FIG. 11 (steps S41 to S45).
When the user of the user terminal 10 tries to view the contents of the encrypted file, authentication information is input by the user and transmitted to the file access management server 20. When the authentication information is received by the authentication information receiving unit 27c via the network 30 (YES route in step S41), the determination unit 29 searches the database 20b with the user ID included in the authentication information, and the user ID Is read from the database 20b, the password included in the authentication information is compared with the registered password read from the database 20b, and a determination is made as to whether these passwords match (user authentication; step S42) is performed.

  When these passwords match and it is authenticated that the user of the user terminal 10 is a legitimate registrant (legitimate transmission destination) (YES route in step S43), the decryption key transmission means 27d performs encryption. A decryption key for decrypting the file is read from the database 20b and transmitted to the user terminal 10 via the network 30 (step S44).

  Then, when the decryption key is received at the user terminal 10, the encrypted file is decrypted using the decryption key, the original file is restored, and the file is subjected to access authority given in advance. Access is performed. For example, as described above, when only the browsing authority is given as the access authority, the user can browse the contents of the restored file, but the access other than the browsing, for example, the print output by the printer or other Access to a recording medium, copy of a screen (screen capture), and saving as another name cannot be performed at all.

  On the other hand, if the determination unit 29 of the file access management server 20 determines that the passwords do not match, or if the registered password corresponding to the user ID is not registered in the database 20b, the user is valid. It is determined that the user is not a registrant (authorized transmission destination) (NO route in step S43), and an error notification is sent from the file access management server 20 to the user terminal 10 via the network 30 (step S45).

[3] Effects of the personal information management system of the present embodiment As described above, according to the management system 1 and the management server 20 as an embodiment of the present invention, the personal information file is searched for in each user terminal 10, and the management server The user terminal 10 is managed by 20 (management means 25) based on the search result and the access log for the management target file. Thereby, even if personal information is distributed and stored in a plurality of user terminals 10, the state of the personal information file is managed without obtaining human cooperation and without applying a special load to the person in charge. It is possible to reliably prevent inadvertent leakage / leakage or unauthorized use of personal information.

  At this time, as shown in FIGS. 12 to 19, for example, the access status to the personal information file (for example, the personal information file name, PC name, owner name, total number of personal information files, personal information) (Such as the results of counting the number of accesses to the file) will be open to provide an environment in which the user will not voluntarily access the personal information file. Outflow / leakage and unauthorized use can be more reliably prevented.

  Information about the user terminal 10 in which the external storage medium driver 14 is installed (for example, the PC name of the user terminal, the owner name of the user terminal, the file name of the personal information file, the name of the personal information file) (Such as the number of times of writing) is released, so that the user will not voluntarily install the external storage medium driver 14, or even if it is installed, the personal information file is written using the driver 14. An environment in which personal information is no longer used is provided, and it is possible to more reliably prevent inadvertent outflow / leakage or unauthorized use of personal information.

  Further, the user terminal 10 (for example, the user terminal 10 that has executed the processing / operation related to the personal information file or the storage unit 10b that is likely to cause an inadvertent leakage / leakage or unauthorized use of the personal information file) A user terminal 10 that has a personal information file, a user terminal 10 that is not set to function as an encryption unit / registration unit 15, a user terminal 10 that has an external storage medium driver 14 installed, and the like) If the above possibility is low by setting a high security level to tighten access restrictions while setting a low security level for user terminals that are not likely to do so, or releasing or relaxing access restrictions Will provide an environment in which the user terminal 10 can be used efficiently. The terminal 10 would be shifting to a low state of the above possibilities, such as inadvertent outflow, loss and unauthorized use of personal information and confidential information can be more reliably prevented.

  In particular, in the present embodiment, the management means 25 performs security level setting (setting of access restriction for files) in accordance with the criteria described in the above items (1) to (5). User terminal 10 that is unlikely to have a prepared outflow / leakage or unauthorized use. Specifically, the personal information file has not been accessed for a predetermined period of time, and the personal information file is held. A user who has no function to encrypt an externally sent file, does not have the external storage medium driver 14 installed, and does not access any browsing-prohibited site The terminal 10 is provided with an environment in which the user terminal 10 can be used efficiently by releasing or relaxing access restrictions.

  When the user terminal 10 having no function as the search means 11 for searching the personal information file and the access detection means 12 is connected to the network, the personal information management server 20 implements the function. The user terminal program is installed, its functions are automatically introduced into the user terminal 10, and the exploration means 11 determines whether or not there is a personal information file in the user terminal 10, so that a new user Even when the terminal 10 is connected to the network 30, the personal information file in the user terminal 10 can be surely searched, identified, and placed in a manageable state, and personal information is inadvertently leaked or leaked. And unauthorized use of personal information can be reliably prevented.

  Further, in this embodiment, a personal information file having a predetermined number or more of personal information elements that can identify a specific individual is set as a management target file, and any of a telephone number, an e-mail address, and an address in the search means 11 Is not applicable to any personal information, but is not a phone number, e-mail address or address, and inappropriate characters / Character sections that do not contain inappropriate character strings are considered to be related to names.

  Therefore, for the character section determined to correspond to any one of the telephone number, the e-mail address, and the address by the first determination means 113, the determination process is terminated when the determination is made, and the telephone number, the e-mail Only the character section determined not to correspond to either the address or the address is collated with the inappropriate character / inappropriate character string by the matching means 115, and further, the inappropriate character / inappropriate character string is unified. Since it is possible to terminate the matching process when it is determined that it is included in any one character section, the name matching process is faster than the method of matching with all name strings included in the name list. In other words, the personal information file search process can be performed at high speed.

  In addition, since all character sections that do not contain inappropriate characters / inappropriate character strings are considered to correspond to names, there is a possibility of including files that do not contain inappropriate characters / inappropriate character strings for names, ie, name information. Therefore, it is possible to surely search for a file having a high possibility of being a personal information file. That is, the number of files that are determined to be personal information files by the search means 11 of the present embodiment increases, and files that are highly likely to be personal information files (suspicious files) can be reliably identified.

  Further, the character determination means 114 determines whether or not the number of characters in the character section is within a predetermined range and all the characters in the character section are kanji characters, and only character sections that satisfy this character determination condition are targeted for verification. Therefore, the character section to be collated is narrowed down to the character section having a higher possibility of name, so that the name collation accuracy can be improved and the name collation process can be performed at high speed. In addition, since a long character section whose number of characters exceeds the predetermined range is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process.

  Then, the management unit 25 of the personal information management server 20 manages the electronic file determined to be a personal information file according to the counting result (determination value level) obtained by the second determination unit 116. For each personal information file, a management method corresponding to the judgment value level (high possibility of being a personal information file / the number of personal information elements) can be selected and executed. Even if a large number of terminals exist and personal information files are distributed and stored, these personal information files can be managed centrally, and a system for centrally managing personal information files is easily constructed and introduced. It becomes possible.

  On the other hand, by converting a file sent to the outside from the user terminal 10 into an encrypted file in the user terminal 10 or the file access management server 20, the file to be externally sent is converted into an encrypted file. So that the file can be prevented from being taken out from each terminal 10 in a state where everyone can refer to it, and personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used. Can be prevented.

  At this time, if the authorized user of the encrypted file is authenticated by the file access management server 20 as being authorized, the encrypted file is decrypted with the decryption key received from the file access management server 20. The content of the encrypted file can be accessed, but other users cannot decrypt the encrypted file and cannot access the content. In other words, the file is sent to the outside after being converted into an encrypted file that can be accessed only by legitimate users. As described above, inadvertent leakage / leakage of personal information or confidential information, unauthorized use, etc. Access to a legitimate user is possible while ensuring prevention, so the convenience of the legitimate user is not impaired.

  At this time, since the original of the file is stored and encrypted in the complete document file, the original of the file remains as it is, that is, in a state where everyone can refer to the user terminal 10. Therefore, it is possible to more reliably prevent inadvertent leakage / leakage and unauthorized use of personal information and confidential information.

[4] Modifications of the Embodiments The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.
For example, in the above-described embodiment, the case where the management target file is a personal information file has been described. However, the present invention is not limited to this, and a confidential information file including confidential information other than personal information is managed. It may be a file. In this case, the predetermined condition for determining the confidential information file is that a predetermined number or more of records (sensitive information elements) including the confidential information are held, and the confidential information element includes, for example, a new product before the announcement, It is a character string used in technology and management strategy before patent application. Note that such a confidential information file can also be searched by the searching means 11 in the same manner as the personal information file, and the same effect as the above-described embodiment can be obtained.

In the above-described embodiment, the case where the function as the exploration means 11 is provided in the user terminal 10 has been described. However, this function can communicate with the user terminal 10 instead of the user terminal 10. The personal information management server (management server) 20 connected to may be provided.
However, in this case, the file in the storage unit 10b of the user terminal 10 is once taken up by the personal information management server 20, and the file is subjected to search processing by the function as the search means 11 on the management server 20 side. It will be. Thereby, when the user requests non-resident of the program for realizing the exploration means 11 due to a memory capacity in the user terminal 10 or a problem of compatibility with other programs, it responds to the request. It is possible to improve convenience.

[5] Others The functions (all or a part of the functions of each means) as the exploration means 11, access detection means 12, user information collection means 21, installation means 22, collection means 23, and management means 25 described above are computers. This is realized by executing a predetermined application program (management program) (including a CPU, an information processing apparatus, and various terminals).

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the management program from the recording medium, transfers it to the internal storage device or the external storage device, stores it, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the management program is a program that causes the computer as described above to realize the functions as the exploration means 11, the access detection means 12, the user information collection means 21, the installation means 22, the collection means 23, and the management means 25. Contains code. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

[6] Appendix (Appendix 1)
A user terminal having a storage unit for holding data including electronic files;
A management server that is communicably connected to the user terminal via a network, and that manages a management target file in the user terminal that satisfies a predetermined condition;
The user terminal is
Exploration means for identifying and exploring a management target file that satisfies the predetermined condition from the data in the storage unit;
A transmission unit configured to transmit a result of the search by the search unit to the management server via the network;
The management server
Log collection means for grasping the management target file in the user terminal based on the search result transmitted from the user terminal, and collecting and recording an access log for the management target file from the user terminal When,
Management means for managing the user terminal based on the result of the search and the access log for the management target file collected and recorded by the log collection means. Management system.

(Appendix 2)
The management means accesses the management target file based on the search result transmitted from the user terminal and the access log for the management target file collected and recorded by the log collection means. The management system according to appendix 1, wherein public information regarding the situation is created and the created public information is made public.

(Appendix 3)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. The management system according to appendix 2, characterized in that
(Appendix 4)
The management system according to Supplementary Note 2 or Supplementary Note 3, wherein the public information includes a count result of the number of management target files.

(Appendix 5)
The management system according to any one of appendix 2 to appendix 4, wherein the public information includes a result of counting the number of accesses to the management target file.
(Appendix 6)
The management server is further configured with investigating means for investigating whether or not a driver for an external storage medium is installed in the user terminal;
Based on the result of the search transmitted from the user terminal, the access log for the management target file collected and recorded by the log collection unit, and the result of the investigation by the investigation unit The management system according to any one of appendix 1 to appendix 5, wherein the user terminal is managed.

(Appendix 7)
Based on the result of the search transmitted from the user terminal, the access log for the management target file collected and recorded by the log collection unit, and the result of the investigation by the investigation unit The management system according to appendix 6, wherein public information relating to a user terminal in which the driver for the external storage medium is installed is created, and the created public information is made public.

(Appendix 8)
As the public information, information that can identify the user terminal that holds the management target file and installs the driver for the external storage medium, information that can identify the owner of the user terminal, The management system according to appendix 7, wherein the file name of the management target file held in the user terminal is included.
(Appendix 9)
9. The management system according to appendix 8, wherein the public information includes the number of times the management target file has been written to the external storage medium executed by the user terminal.

(Appendix 10)
Based on the result of the search transmitted from the user terminal and the access log for the management target file collected and recorded by the log collecting means, the management means receives information from the user terminal. Changing or setting a security level in the user terminal for preventing outflow of the management target file, and changing a restriction on access to the file in the user terminal according to the security level; The management system according to any one of Appendix 1 to Appendix 9.

(Appendix 11)
For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 11. The management system according to appendix 10, wherein for a user terminal that has not been executed for a predetermined period of time, the security level is set low to release or relax access restrictions on files.

(Appendix 12)
The management means sets a high security level for a user terminal that holds the management target file in the storage unit to tighten access restrictions on the file, while the management unit stores the management target file in the storage unit. 12. The management system according to appendix 10 or appendix 11, wherein for a user terminal that does not have a password, the security level is set low to release or relax access restrictions on files.

(Appendix 13)
For the user terminal that is not set to an encryption function for automatically encrypting a file to be sent to the outside, the management means sets the security level to be high and tightens restrictions on access to the file, 13. The user terminal having the encryption function set according to any one of appendix 10 to appendix 12, wherein the security level is set low to cancel or relax access restrictions on files. Management system.

(Appendix 14)
The management server is further provided with an installation unit that installs a program that causes a computer to function as the search unit in the user terminal,
Any one of appendix 1 to appendix 13 characterized in that the function as the exploration means in the user terminal is realized by executing the program installed in the user terminal by the installation means. The management system described in the section.

(Appendix 15)
When the installation means of the management server detects that a user terminal not installed with the program is connected to the network, the program is installed on the user terminal and the program is executed on the user terminal. 15. The management system according to appendix 14, wherein the management file is searched for.

(Appendix 16)
The predetermined condition is that a predetermined number or more of personal information elements that can identify a specific individual are held, and the search means manages a file to be managed, that is, an individual that satisfies the predetermined condition from the data in the storage unit The management system according to any one of Supplementary Note 1 to Supplementary Note 15, wherein an information file is specified and searched.

(Appendix 17)
The exploration means is
Extraction means for extracting text data contained in the determination target file;
Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and based on the count result, the second determination means for determining whether the determination target file is a personal information file is provided. The management system according to supplementary note 16, wherein the management system is characterized.

(Appendix 18)
A management server that is connected to a user terminal via a network so as to be able to communicate with each other, and manages a management target file in the user terminal that satisfies a predetermined condition,
Based on the search result of the management target file that satisfies the predetermined condition, searched by the search means from the data in the storage unit of the user terminal, the management target file in the user terminal is grasped, and the management Log collection means for collecting and recording an access log for the target file from the user terminal;
Management means for managing the user terminal based on the result of the search by the search means and the access log for the management target file collected and recorded by the log collection means. A management server characterized by that.

(Appendix 19)
The management means creates and creates public information on the access status of the management target file based on the result of the search and the access log for the management target file collected and recorded by the log collection means. 19. The management server according to appendix 18, wherein the published information is made public.

(Appendix 20)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. 20. The management server according to appendix 19, wherein

(Appendix 21)
The management server according to appendix 19 or appendix 20, wherein the public information includes a count result of the number of the management target files.
(Appendix 22)
The management server according to any one of appendix 19 to appendix 21, wherein the public information includes a count result of the number of accesses to the management target file.

(Appendix 23)
The user terminal is further provided with an investigation means for investigating whether or not a driver for an external storage medium is installed;
The management means manages the user terminal based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the result of the investigation by the investigation means. The management server according to any one of Supplementary Note 18 to Supplementary Note 22, wherein

(Appendix 24)
The management means is a driver for the external storage medium based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the investigation result by the investigation means 24. The management server according to appendix 23, wherein public information relating to a user terminal on which is installed is created and the created public information is made public.

(Appendix 25)
As the public information, information that can identify the user terminal that holds the management target file and installs the driver for the external storage medium, information that can identify the owner of the user terminal, 25. The management server according to appendix 24, including a file name of the management target file held in the user terminal.
(Appendix 26)
26. The management server according to appendix 25, wherein the public information includes the number of times the management target file has been written to the external storage medium executed by the user terminal.

(Appendix 27)
The management unit prevents outflow of the management target file from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection unit. Any one of appendix 18 to appendix 26, wherein the security level in the user terminal is changed / set, and the restriction on access to the file in the user terminal is changed according to the security level. The management server according to one item.

(Appendix 28)
For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 28. The management server according to appendix 27, wherein for a user terminal that has not been executed for a predetermined period of time, the security level is set low to release or relax access restrictions on files.

(Appendix 29)
The management means sets a high security level for a user terminal that holds the management target file in the storage unit to tighten access restrictions on the file, while the management unit stores the management target file in the storage unit. 29. The management server according to appendix 27 or appendix 28, wherein the security level is set low for a user terminal that does not have a password, and the restriction on access to the file is released or relaxed.

(Appendix 30)
For the user terminal that is not set to an encryption function for automatically encrypting a file to be sent to the outside, the management means sets the security level to be high and tightens restrictions on access to the file, 30. The user terminal according to any one of appendix 27 to appendix 29, wherein for the user terminal set with the encryption function, the security level is set low to release or relax access restrictions on the file. Management server.

(Appendix 31)
31. The management server according to any one of appendix 18 to appendix 30, further comprising installation means for installing a program for causing a computer to function as the exploration means in the user terminal.

(Appendix 32)
When the installation means detects that a user terminal not installed with the program is connected to the network, the program is installed on the user terminal, and the program is executed on the user terminal for management. The management server according to attachment 31, wherein the presence / absence of the target file is determined.

(Appendix 33)
A program that causes a computer to function as a management server that manages a management target file that satisfies a predetermined condition in user terminals that are connected to be able to communicate with each other via a network,
Based on the search result of the management target file that satisfies the predetermined condition, searched by the search means from the data in the storage unit of the user terminal, the management target file in the user terminal is grasped, and the management Log collection means for collecting and recording an access log for the target file from the user terminal; and
Causing the computer to function as a management unit for managing the user terminal based on a result of the search by the search unit and the access log for the management target file collected and recorded by the log collection unit. A management program characterized by

(Appendix 34)
The management means creates and creates public information on the access status of the management target file based on the result of the search and the access log for the management target file collected and recorded by the log collection means. 34. The management program according to appendix 33, wherein the computer is caused to function so as to make the published information public.

(Appendix 35)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. 34. The management program according to appendix 34, wherein

(Appendix 36)
36. The management program according to appendix 34 or appendix 35, wherein the public information includes a count result of the number of files to be managed.
(Appendix 37)
37. The management program according to any one of appendix 34 to appendix 36, wherein the public information includes a count result of the number of accesses to the management target file.

(Appendix 38)
As an investigation means for investigating whether or not a driver for an external storage medium is installed in the user terminal, the computer is caused to function,
The management means manages the user terminal based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the result of the investigation by the investigation means. Thus, the management program according to any one of appendix 33 to appendix 37, which causes the computer to function.

(Appendix 39)
The management means is a driver for the external storage medium based on the access log for the management target file collected and recorded by the log collection means as a result of the search, and the investigation result by the investigation means 39. The management program according to appendix 38, wherein public information relating to a user terminal on which is installed is created, and the computer is caused to function so as to publish the created public information.

(Appendix 40)
As the public information, information that can identify the user terminal that holds the management target file and installs the driver for the external storage medium, information that can identify the owner of the user terminal, 40. The management program according to appendix 39, including a file name of the management target file held in the user terminal.
(Appendix 41)
41. The management program according to appendix 40, wherein the public information includes the number of times the management target file has been written to the external storage medium executed by the user terminal.

(Appendix 42)
The management unit prevents outflow of the management target file from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection unit. And changing the security level in the user terminal, and causing the computer to function so as to change restrictions on access to the file in the user terminal according to the security level. 42. The management program according to any one of appendix 33 to appendix 41.

(Appendix 43)
For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 42. The management according to appendix 42, wherein for a user terminal that has not been executed for a predetermined period of time, the computer is caused to function so as to release or relax restrictions on file access by setting the security level low. program.

(Appendix 44)
The management means sets a high security level for a user terminal that holds the management target file in the storage unit to tighten access restrictions on the file, while the management unit stores the management target file in the storage unit. 44. The computer according to appendix 42 or appendix 43, wherein the computer is caused to function so as to release or relax restrictions on access to a file by setting the security level low for a user terminal that does not have Management program.

(Appendix 45)
For the user terminal that is not set to an encryption function for automatically encrypting a file to be sent to the outside, the management means sets the security level to be high and tightens restrictions on access to the file, Supplementary notes 42 to Supplementary notes, wherein the user terminal set with the encryption function is caused to function so that the security level is set low and the access restriction on the file is released or relaxed. 45. The management program according to any one of 44.

(Appendix 46)
46. The management program according to any one of appendix 33 to appendix 45, wherein the computer is caused to function as an installation means for installing the program for causing the user terminal to function as the exploration means to the user terminal. .

(Appendix 47)
When the installation means detects that a user terminal not installed with the program is connected to the network, the program is installed on the user terminal, and the program is executed on the user terminal for management. 47. The management program according to appendix 46, which causes the computer to function so as to determine the presence or absence of a target file.

It is a block diagram which shows the structure of the personal information management system (management system) as one Embodiment of this invention. It is a block diagram which shows the function structure of the user terminal of this embodiment. It is a block diagram which shows the detailed functional structure of the search means in the user terminal of this embodiment. It is a block diagram which shows the function structure of the personal information management server (management server) of this embodiment. It is a block diagram which shows the function structure as a file access management server with which the personal information management server (management server) of this embodiment was equipped. It is a flowchart for demonstrating operation | movement of the user terminal of this embodiment. It is a flowchart for demonstrating operation | movement of the search means of this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server (management server) of this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server (management server) of this embodiment. It is a flowchart for demonstrating the authentication operation | movement by the function as a file access management server in the personal information management server (management server) of this embodiment. It is a flowchart for demonstrating the file conversion operation | movement by the function as a file access management server in the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment. It is a figure which shows the specific example of the public information created and disclosed by the management means of the personal information management server (management server) of this embodiment.

Explanation of symbols

1 Personal information management system (management system)
10 User terminal 10a CPU
10b Storage section 10c Quarantine table 10d P mark table 11 Search means 111 Extraction means 112 Extraction means 113 First determination means 113a Telephone number determination means 113b Email address determination means 113c Address determination means 113c Address determination means 114 Character determination means 115 Collation means 116 Second Determination means 12 Access detection means 13 Transmission / reception means (transmission means)
14 External storage media driver (USB driver)
15 Encryption means / registration means (encryption function)
20 Personal Information Management Server (Management Server / File Access Management Server)
20a CPU
20b Database 20c Display unit 21 User information collection means (survey means)
22 Installation means 23 Collection means (log collection means)
24 management console 25 management means 26 display control means 27 transmission / reception means 27a file reception means 27b encrypted file transmission means 27c authentication information reception means 27d decryption key transmission means 28 encryption means 29 determination means 30 network (in-house LAN)
40 External storage media (USB memory)
101, 103, 105, 108, 110, 112, 114, 116, 118 screen (public information)
102, 104, 106, 107, 109, 111, 113, 115, 117, 119 list (public information)

In order to achieve the above object, the management system of the present invention (Claim 1) can communicate with a user terminal having a storage unit for storing data including an electronic file, and the user terminal via a network. And a management server that manages a management target file that satisfies the condition that the user terminal has a predetermined number or more of personal information elements or confidential information elements , and the user terminal includes the storage unit A search unit that specifies and searches for a management target file that satisfies the predetermined condition from data in the network, and a transmission unit that transmits a search result of the search unit to the management server via the network. And the management server grasps the management target file in the user terminal based on the search result transmitted from the user terminal. Log collecting means for collecting and recording an access log for the management target file from the user terminal; a result of the search; and the access log for the management target file collected and recorded by the log collection means And a management unit that manages the user terminal , and the management unit collects and records the search result transmitted from the user terminal and the log collection unit. Further, based on the access log for the management target file, the security level in the user terminal for preventing the management target file from being leaked from the user terminal is changed / set.
According to the security level, the access restriction on the file in the user terminal is changed .

Further , for the user terminal that has executed the processing / operation related to the management target file, the security level is set high to tighten access restrictions on the file, while the processing related to the management target file is performed. For user terminals that have not been operated for a predetermined period of time, the security level may be set low to release or relax access restrictions on files (claim 5 ). More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. For a user terminal that does not have the management target file in its part, the security level may be set low to release or relax access restrictions on the file (claim 6 ), or the management means may For user terminals that do not have an encryption function that automatically encrypts files sent to the network, the security level is set high to tighten access restrictions on the file, while the encryption function is set. For user terminals that have been set, the security level is set low to remove or relax restrictions on file access. (Claim 7 ).

In addition, the condition is that a predetermined number or more of personal information elements that can identify a specific individual are held, and the search unit is a management target file that satisfies the predetermined condition from data in the storage unit, that is, The personal information file may be specified and searched (claim 8 ). At this time, the search means extracts the text data included in the determination target file, and the extraction means extracts the text data. Cutting means for cutting out character sections delimited by a delimiter from the text data, and character strings in the character sections cut out by the cutting means are set in advance as phone number determination conditions and e-mail address determination conditions Phone number, e-mail, which is a personal information element other than name A first determination means for determining whether the address corresponds to one of an address and an address, and a character determined by the first determination means as not corresponding to any of a telephone number, an e-mail address, and an address; A character determining means for determining whether the number of characters in the section is within a predetermined range and whether the character in the character section is a kanji, and the character determining means determines that the number is within the predetermined range and is a kanji. By comparing a character or character string included in the character section with an inappropriate character or inappropriate character string preset as a kanji or character string that cannot appear in the name, Collating means for judging whether or not the inappropriate character or the inappropriate character string is included, and a telephone number, an e-mail address, and The number of character sections determined to correspond to any one of the locations and the number of character sections determined not to include the inappropriate character or inappropriate character string by the matching means, A second determination unit that determines whether the determination target file is a personal information file based on the count result may be included (claim 9 ).

On the other hand, the management server of the present invention (0 according to claim 1), via the user terminal and the network are communicably connected to each other, in said user terminal, holds personal information element or secret information elements than the predetermined number A management target file that satisfies the condition that the management target file is searched for by the search means from the data in the storage unit of the user terminal. Based on the management target file in the user terminal, and collecting and recording an access log for the management target file from the user terminal, a result of the search by the search means, and the log A manager who manages the user terminal based on the access log for the management target file collected and recorded by the collecting means. Is configured to include bets, said management means, the results of the exploration, and were collected and recorded by the log collecting means, based on the access log for the management object file, the management from the user terminal It is characterized in that the security level in the user terminal for preventing the leakage of the target file is changed and set, and the access restriction on the file in the user terminal is changed according to the security level .

In the management server, based on the result of the search and the access log for the management target file collected and recorded by the log collection unit, the management unit discloses public information regarding the access status to the management target file. And the created public information may be disclosed (claim 1 1 ). The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. It may be included, and may include a totaling result of the number of the management target files and a totaling result of the number of accesses to the management target file.

Further , for the user terminal that has executed the processing / operation related to the management target file, the security level is set high to tighten access restrictions on the file, while the processing related to the management target file is performed. For user terminals that have not been operated for a predetermined period of time, the security level may be set low to release or relax access restrictions on the file (claim 1 2 ). More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. For a user terminal that does not have the management target file, the security level may be set low to release or relax access restrictions on the file (claim 13) , or the management means may For user terminals that do not have an encryption function that automatically encrypts files sent to the network, the security level is set high to tighten access restrictions on the file, while the encryption function is set. For the user terminals that are used, the security level is set low to remove or relax the restrictions on file access. (Claim 14) .

The file management program of the present invention (claims 15 to 18) is a management server that manages files to be managed that satisfy predetermined conditions in user terminals connected to each other via a network. , it is one that causes a computer to function, in which each of realizing the function of the above-described management server (claim 1 0-1 3).

In order to achieve the above object, the management system of the present invention (Claim 1) can communicate with a user terminal having a storage unit for storing data including an electronic file, and the user terminal via a network. And a management server that manages a management target file that satisfies the condition that the user terminal has a predetermined number or more of personal information elements or confidential information elements, and the user terminal includes the storage unit A search unit that specifies and searches for a management target file that satisfies the predetermined condition from data in the network, and a transmission unit that transmits a search result of the search unit to the management server via the network. And the management server grasps the management target file in the user terminal based on the search result transmitted from the user terminal. Log collecting means for collecting and recording an access log for the management target file from the user terminal; a result of the search; and the access log for the management target file collected and recorded by the log collection means And a management unit that manages the user terminal, and the management unit collects and records the search result transmitted from the user terminal and the log collection unit. and, based on the access log for the management object file, and change and set the security level in the user terminal, in accordance with the security level to change the limit of access to the file in the user terminal, the utilization The management target file is prevented from being leaked from the user terminal .

Further, for the user terminal that has executed the processing / operation related to the management target file, the security level is set high to tighten access restrictions on the file, while the processing related to the management target file is performed. For user terminals that have not been operated for a predetermined period of time, the security level may be set low to release or relax access restrictions on files. More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. For a user terminal that does not have the management target file, the security level may be set low to release or relax access restrictions on the file (claim 6), or the management means may For user terminals that do not have an encryption function that automatically encrypts files sent to the network, the security level is set high to tighten access restrictions on the file, while the encryption function is set. For user terminals that have been set, the security level is set low to remove or relax restrictions on file access. May be (claim 7), whereas said management means, for tightening the access restriction on the file is set high the security level for the user terminal is performing access to the viewing prohibited site, viewing prohibited site For user terminals that are not accessing the file, the security level may be set low to release or relax access restrictions on the file (claim 8) .

In addition, the condition is that a predetermined number or more of personal information elements that can identify a specific individual are held, and the search unit is a management target file that satisfies the predetermined condition from data in the storage unit, that is, The personal information file may be specified and searched (Claim 8). At this time, the searching means extracts the text data included in the determination target file, and the extracting means extracts the text data. Cutting means for cutting out character sections delimited by a delimiter from the text data, and character strings in the character sections cut out by the cutting means are set in advance as phone number determination conditions and e-mail address determination conditions Phone number, e-mail, which is a personal information element other than name First determination means for determining whether the address corresponds to one of a dress and an address, and a character determined by the first determination means as not corresponding to any of a telephone number, an e-mail address, and an address A character determining means for determining whether the number of characters in the section is within a predetermined range and whether the character in the character section is a kanji, and the character determining means determines that the number is within the predetermined range and is a kanji. By comparing a character or character string included in the character section with an inappropriate character or inappropriate character string preset as a kanji or character string that cannot appear in the name, Collating means for judging whether or not the inappropriate character or the inappropriate character string is included, and a telephone number, an e-mail address, and The number of character sections determined to correspond to any one of the locations and the number of character sections determined not to include the inappropriate character or inappropriate character string by the matching means, It may be configured to include second determination means for determining whether the determination target file is a personal information file based on the counting result (claim 10 ).

On the other hand, the management server of the present invention is communicably connected to each other via the user terminal and the network, in the user terminal, the condition that the personal information element or confidential information element owns more than a predetermined number The management target file is managed, and the user is searched based on the search result of the management target file that satisfies the predetermined condition, searched by the searching means from the data in the storage unit of the user terminal. A log collection unit that grasps the management target file in the terminal and collects and records an access log for the management target file from the user terminal, a search result by the search unit, and a log collection unit Management means for managing the user terminal based on the recorded access log for the file to be managed is provided. And the management means detects outflow of the management target file from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection means. In order to prevent this, the security level in the user terminal is changed / set, and the access restriction on the file in the user terminal is changed according to the security level.

In the management server, based on the result of the search and the access log for the management target file collected and recorded by the log collection unit, the management unit discloses public information regarding the access status to the management target file. create a, but it may also be to publish the public information that has been created. The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. It may be included, and may include a totaling result of the number of the management target files and a totaling result of the number of accesses to the management target file.

Further, for the user terminal that has executed the processing / operation related to the management target file, the security level is set high to tighten access restrictions on the file, while the processing related to the management target file is performed. / operation on the user terminal is not running for a predetermined period of time but it may also be released or relax the restriction of access to the file is set lower the security level. More specifically, the management means sets a high security level for the user terminal that holds the management target file in the storage unit to tighten access restrictions on the file while the storage unit stores the storage target file. file for user terminals that do not possess the managed file in parts may be canceled or relax the restriction of access to the file is set lower the security level, said management means, is sent to the outside For user terminals that do not have an encryption function that automatically encrypts files, the security level is set high to tighten restrictions on access to files, while users with the encryption function set but it may also be to release or relax the restriction of access to the file is set lower the security level for the terminal In addition, for the user terminal that is accessing the browsing prohibited site, the management means sets the security level high and tightens the access restriction on the file, while the management terminal does not access the browsing prohibited site. For the user terminal, the security level may be set low to cancel or relax the file access restriction .

In addition, the file management program of the present invention (claims 1 1 to 1 6 ) manages all files to be managed that satisfy a predetermined condition in user terminals connected to each other via a network. as a server, it is one that causes a computer to function, in which each of realizing functions of the management server described above.

In addition, a user terminal that is likely to cause an inadvertent leak / leakage or unauthorized use of a managed file (for example, a terminal that has executed a process / operation related to a managed file, or has a managed file in a storage unit) Devices that do not have an encryption function set, devices that access browsing-restricted sites, etc.) are set with a high security level to tighten access restrictions and are less likely By setting the security level low for user terminals and releasing or relaxing access restrictions, an environment where the terminal can be used efficiently is provided in the case where the above possibility is low. Voluntarily began to move my device to a state with a low possibility of inadvertently leaking or leaking personal or confidential information. It is possible to prevent use and more reliably.

(5) For the user terminal 10 that is accessing the browsing-prohibited site, the security level is set high to tighten the access restriction on the file, while the user terminal 10 that is not accessing the browsing-prohibited site . For, remove or relax access restrictions on files by setting a low security level.

Further, the security level for each user terminal 10 is set by the management unit 25 in accordance with the access log collected and recorded by the collection unit 23 (including the access log for the browsing prohibition log) (step S215). At this time, the management means 25 performs processing / operation related to the personal information file (some access to the personal information file in the own terminal 10 / other terminal / server) in accordance with the security level setting criteria described in the item (1) described above. For the executed user terminal 10, the security level is set high, and access restrictions on files (including not only personal information files but also ordinary files) are tightened, while processing / operations related to personal information files are performed over a predetermined period. For the user terminal 10 that has not been executed at all, the security level is set low to release or relax the access restriction on the file, and further, according to the security level setting criteria described in the item (5) described above, to the browsing prohibited site Users who are accessing While tightening the access restrictions on the file to set a high security level for the youngest 10, releasing the access restrictions on the file by setting a lower security level for the user terminal 10 that is not performing access to the viewing prohibited site Or relax.

Claims (18)

A user terminal having a storage unit for holding data including electronic files;
A management server that is communicably connected to the user terminal via a network, and that manages a management target file in the user terminal that satisfies a predetermined condition;
The user terminal is
Exploration means for identifying and exploring a management target file that satisfies the predetermined condition from the data in the storage unit;
A transmission unit configured to transmit a result of the search by the search unit to the management server via the network;
The management server
Log collection means for grasping the management target file in the user terminal based on the search result transmitted from the user terminal, and collecting and recording an access log for the management target file from the user terminal When,
Management means for managing the user terminal based on the result of the search and the access log for the management target file collected and recorded by the log collection means. Management system.   The management means accesses the management target file based on the search result transmitted from the user terminal and the access log for the management target file collected and recorded by the log collection means. 2. The management system according to claim 1, wherein public information relating to a situation is created, and the created public information is made public. The management server is further configured with investigating means for investigating whether or not a driver for an external storage medium is installed in the user terminal;
Based on the result of the search transmitted from the user terminal, the access log for the management target file collected and recorded by the log collection unit, and the result of the investigation by the investigation unit The management system according to claim 1 or 2, wherein the user terminal is managed.   Based on the result of the search transmitted from the user terminal, the access log for the management target file collected and recorded by the log collection unit, and the result of the investigation by the investigation unit 4. The management system according to claim 3, wherein public information relating to a user terminal in which the driver for the external storage medium is installed is created, and the created public information is made public.   Based on the result of the search transmitted from the user terminal and the access log for the management target file collected and recorded by the log collecting means, the management means receives information from the user terminal. Changing or setting a security level in the user terminal for preventing outflow of the management target file, and changing a restriction on access to the file in the user terminal according to the security level; The management system according to any one of claims 1 to 4.   For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 6. The management system according to claim 5, wherein for a user terminal that has not been executed for a predetermined period of time, the security level is set low to release or relax access restrictions on files.   The management means sets a high security level for a user terminal that holds the management target file in the storage unit to tighten access restrictions on the file, while the management unit stores the management target file in the storage unit. 7. The management system according to claim 5, wherein the security level is set low for a user terminal that does not have a password, and the restriction on access to the file is released or relaxed. 8.   For the user terminal that is not set to an encryption function for automatically encrypting a file to be sent to the outside, the management means sets the security level to be high and tightens restrictions on access to the file, 8. The user terminal with the encryption function set, the security level is set low to release or relax access restrictions on files. Management system as described in.   The predetermined condition is that a predetermined number or more of personal information elements that can identify a specific individual are held, and the search means manages a file to be managed, that is, an individual that satisfies the predetermined condition from the data in the storage unit The management system according to any one of claims 1 to 8, wherein the information file is specified and searched. The exploration means is
Extraction means for extracting text data contained in the determination target file;
Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and based on the count result, the second determination means for determining whether the determination target file is a personal information file is provided. The management system according to claim 9, wherein the management system is characterized. A management server that is connected to a user terminal via a network so as to be able to communicate with each other, and manages a management target file in the user terminal that satisfies a predetermined condition,
Based on the search result of the management target file that satisfies the predetermined condition, searched by the search means from the data in the storage unit of the user terminal, the management target file in the user terminal is grasped, and the management Log collection means for collecting and recording an access log for the target file from the user terminal;
Management means for managing the user terminal based on the result of the search by the search means and the access log for the management target file collected and recorded by the log collection means. A management server characterized by that.   The management means creates and creates public information on the access status of the management target file based on the result of the search and the access log for the management target file collected and recorded by the log collection means. 12. The management server according to claim 11, wherein the published information is made public.   The management unit prevents outflow of the management target file from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection unit. The security level in the user terminal is changed / set, and the access restriction on the file in the user terminal is changed according to the security level. The management server described.   For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 14. The management server according to claim 13, wherein for a user terminal that has not been executed for a predetermined period of time, the security level is set low to release or relax access restrictions on files. A program that causes a computer to function as a management server that manages a management target file that satisfies a predetermined condition in user terminals that are connected to be able to communicate with each other via a network,
Based on the search result of the management target file that satisfies the predetermined condition, searched by the search means from the data in the storage unit of the user terminal, the management target file in the user terminal is grasped, and the management Log collection means for collecting and recording an access log for the target file from the user terminal; and
Causing the computer to function as a management unit for managing the user terminal based on a result of the search by the search unit and the access log for the management target file collected and recorded by the log collection unit. A management program characterized by   The management means creates and creates public information on the access status of the management target file based on the result of the search and the access log for the management target file collected and recorded by the log collection means. The management program according to claim 15, wherein the computer is caused to function so as to publish the published information.   The management unit prevents outflow of the management target file from the user terminal based on the search result and the access log for the management target file collected and recorded by the log collection unit. And changing the security level in the user terminal, and causing the computer to function so as to change restrictions on access to the file in the user terminal according to the security level. The management program according to claim 15 or 16. For the user terminal that has executed the processing / operation related to the management target file, the management means sets the security level high to tighten the restriction on the access to the file, while the processing / operation related to the management target file. 18. The computer according to claim 17, wherein the user terminal is not executed for a predetermined period of time, and the computer is caused to function so as to release or relax restrictions on file access by setting the security level low. Management program.