JP2007323511A - Method for protecting personal information and system therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that in a conventional information protection program, no consideration is taken into account with confidentiality of information and retrievability of the information important in protecting a personal information file and validity of to what extent personal information be protected is open to improvement. <P>SOLUTION: An information protection system is provided with: a personal information dictionary matching means for evaluating whether or not a keyword in a personal information dictionary is included in a target file so as to evaluate a protection level of the target file; a personal identification evaluating means for evaluating whether or not it is possible to identify an individual; a confidentiality evaluating means for quantifying the level of confidentiality; a retrievability evaluating means for quantifying the retrievable level; and a protection level evaluating means for determining a total protection level of the target file on the basis of the result of the personal information dictionary matching means, the result of the confidentiality evaluating means, and the result of the retrievability evaluating means. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an information protection method, an information protection system, and an information protection program that can prevent leakage of confidentiality.

  With the diversification and expansion of network systems that link a plurality of terminals in recent years, the risk of inadvertent leakage of specific personal information (hereinafter referred to as personal information) or unauthorized use is increasing. Therefore, an information protection system for protecting personal information more reliably is desired. For example, in the “Act on the Protection of Personal Information”, business operators handling personal information are obliged to prevent the leakage and unauthorized use of personal information, and requests for disclosure or correction requests from parties to personal information. Is obliged to comply. According to the “Personal Information Protection Act”, the definition of “Personal Information” provided in Article 2 (1) is “Information about living individuals, including name, date of birth included in the information. It can be used to identify a specific individual based on the date or other description. "

  Therefore, an information protection system that can appropriately protect personal information needs to be unified by a centralized management system that centrally manages personal information. However, if the location and content of personal information contained in each terminal is selected in advance by a party or a person who has the right to handle the personal information and management methods are determined, it will be a heavy burden, Personal information may not be protected. Therefore, there can be considered a means for automatically identifying or determining specific personal information by means of a program for protecting information (hereinafter referred to as an information protection program).

As such an information protection program, it is determined how many phone numbers, e-mail addresses, addresses, and names exist in a certain target file, and based on the counting result, a target file containing personal information (hereinafter referred to as a personal file) It is conceivable to determine whether the file is called an information file. Here, as a means for determining whether or not the file is a personal information file, it is determined whether or not a determination value such as the sum of “number of telephone numbers, number of e-mail addresses, number of addresses, number of names” exceeds a threshold value. Prior art has been disclosed (for example, Patent Document 1).
Patent No. 3705439

  However, the information protection program according to Patent Document 1 described above has a problem that even a file composed of only publicly known telephone numbers is determined as personal information if the number exceeds the threshold.

  Furthermore, in the information protection program according to Patent Document 1, the confidentiality of information and the searchability of information, which are important for protecting personal information files, are not considered, and the appropriateness of the degree to which personal information should be protected There is room for improvement.

  In order to solve these problems, the present invention automatically determines whether a certain data file corresponds to personal data defined as a target of safety management measures in the “Personal Information Protection Law”. Provide a system that can automatically determine the level of protection.

  A first personal information evaluation system according to the present invention includes one or more terminals, a server capable of managing a list of target files for data units that can be held in the terminals, and security measures for the target files. The security countermeasure execution apparatus is implemented, and is configured by connecting the terminal, the server, and the security countermeasure execution apparatus to the network. A personal information dictionary is stored in the terminal or server. More specifically, in order to define the protection level of the personal information file from the target file, first, the personal information dictionary matching means includes at least one keyword in the personal information dictionary in the target file. Evaluate whether or not. Then, the personal identification evaluation means evaluates whether or not an individual can be specified based on the combination of keywords that are included in the target file by the personal information dictionary matching means. Then, it is assumed that the confidentiality evaluation means increases the coefficient given in advance to the keyword included in the target file, evaluates whether or not it contains a highly confidential keyword, and increases the confidentiality. The level of confidentiality is quantified based on the evaluation of whether or not it includes a combination of keywords. Further, the searchability evaluation means can perform a search based on the evaluation of the number of detected keywords included in the personal information dictionary having the same attribute and the evaluation of whether the target file is easily searchable. Measure. Finally, the protection level evaluation unit determines the total protection level of the target file based on the result of the personal information dictionary matching unit, the result of the confidentiality evaluation unit, and the result of the searchability evaluation unit. As a result, it is determined whether or not an individual can be identified for the data or file, the confidentiality of the content, the searchability, the degree of the number of data items are evaluated, and the protection level is determined.

  In order to make the personal information evaluation system as described above function, each terminal is used as a personal identification evaluation means, a personal identification evaluation means, a confidentiality evaluation means, a searchability evaluation means, and a protection level evaluation means. If there is a program to make it function, it can be realized. In addition, by recording such a program on a recording medium, an information protection system can be configured via the recording medium.

  According to the present invention, it is possible to suitably determine whether or not the personal information is to be protected by providing the information protection system with means for specifying an individual from data or a file.

  Further, according to the present invention, the confidentiality of information is not limited to a telephone number, an e-mail address, an address, and a name, but a dictionary of personal information such as career, medical history, bank account number, credit card number, income information, etc. is defined. By doing so, it becomes possible to determine whether or not a highly confidential attribute is included, and a more suitable information protection system can be realized.

  Furthermore, according to the present invention, it is possible to determine whether or not the personal information file is systematically configured so that the personal information file can be searched as information searchability, and a more suitable information protection system Can be realized.

  First, an information protection system according to the present invention will be described.

  FIG. 1 is a diagram showing a configuration example of an information protection system according to the present invention. According to FIG. 1, each terminal 102 to 104 having personal information evaluation means, a server 101 capable of managing a list of personal information files held by each terminal, and a result evaluated by the personal information evaluation means, The network includes a security measure execution device 80 that implements security measures for personal information files, and a network that connects the terminals 102 to 104, the server 101, and the security measure execution device 80. Here, the server 101 can include personal information file totaling means for each terminal. The security countermeasure execution device 80 includes an access control means for controlling access to the server 101, an encryption device for encrypting personal information, a quarantine network device for quarantining leakage of personal information on the network, and the like. Including an asset management device capable of managing asset information (not shown). Further, the terminal having the personal information evaluation means may be any one of the terminals 102 to 104, and the number of terminals having the personal information evaluation means is not the subject of the present invention. Therefore, hereinafter, a terminal having personal information evaluation means will be described as a terminal 100 as a representative.

  Next, Embodiment 1 of the information protection system according to the present invention as a personal information evaluation system will be described.

(Example 1)
FIG. 2 shows a block diagram of a terminal in an example of a personal information evaluation system according to the present invention. The terminal 100 includes, for example, a central processing unit (hereinafter referred to as CPU) 113 and a storage unit 114. The storage unit 114 includes setting information 115 such as evaluation parameters for each keyword in the personal information dictionary, and a personal information file list 116 including files such as a target file and a list of target files (personal information files) including personal information. Or can be memorized. Specifically, the storage unit 114 may be a ROM, a RAM, or a computer-readable recording medium. The CPU 113 includes a personal information evaluation unit 110 described later, a transmission / reception unit 111 that enables transmission / reception of information via a network, and a security measure unit 112 that performs information security. Here, the security countermeasure execution device 80 (see FIG. 1) is controlled based on the security countermeasure means 112 provided in the terminal 100. Here, the target file or personal information dictionary is stored in the storage unit 114 of any terminal or stored in the server 101.

  The personal information evaluation unit 110 inputs and evaluates the content of the personal information from the setting information 115 by means or a method described later, and outputs the protection level to the personal information file list 116. The personal information file list 116 holds a protection level corresponding to the personal information file. Separately, the personal information evaluation means 110 inputs and evaluates the protection level corresponding to the personal information file from the personal information file list 116 and corrects the content of the personal information in the setting information 115 by means or methods described later. Can also be output.

  In addition, the evaluation result by the personal information evaluation means 110 can be output to the security countermeasure means 112 and the transmission / reception means 111. The transmission / reception output means 111 receives information as a security measure based on the evaluation result by the personal information evaluation means 110. The personal information file list 116 and the setting information held in the storage unit 114 can be output to the security countermeasure execution apparatus 80 or the server 101 connected via the network via the transmission / reception means 111.

  FIG. 3 shows a block diagram of the personal information evaluation means according to the present invention. In the first embodiment, the personal information evaluation unit 110 includes a personal information dictionary matching unit 117, a personal identification evaluation unit 118, a confidentiality evaluation unit 119, a searchability evaluation unit 120, and a protection level evaluation unit 121. ing.

  FIG. 4 shows an overall flowchart in an example of a personal information evaluation system according to the present invention.

  With reference to FIG. 3 and FIG. 4, the outline of each means in the personal information evaluation means 110 will be described first. 3 and 4, the personal information dictionary matching means 117 evaluates how many keywords registered in the preset personal information dictionary are included in the target file (step S101 shown in FIG. 4). ). The personal identification evaluation means 118 evaluates the presence / absence of individual identification from a combination of keywords described later registered in the personal information dictionary (steps S102 and S103 shown in FIG. 4). The confidentiality evaluation means 119 evaluates how much highly confidential information is included in the target file that is identified as having personal identification (hereinafter referred to as “present”) (step S104 shown in FIG. 4). . The searchability evaluation means 120 determines the searchable level based on the evaluation of the number of detected keywords included in the personal information dictionary with the same attribute and the evaluation of whether the target file is easily searchable. The measurement is performed (step S105 shown in FIG. 4). The protection level evaluation means 121 is the number of personal information hit by the dictionary matching means 117 for the target file determined as the file to be protected by the personal identification evaluation means 118, and the evaluation calculated by the functionality evaluation means 119. As a result, based on the evaluation result calculated by the searchability evaluation means 120, the protection level by the security measure is determined (step S106 shown in FIG. 4). Then, the protection level evaluation means 121 ends the personal information evaluation by outputting the personal information file list 116 (see FIG. 3). Note that the personal information evaluation is also terminated when it is determined in step S103 shown in FIG. 4 that there is no individual identifiability according to the keyword registered in the personal information dictionary.

  FIG. 5 shows a flowchart of the personal information dictionary matching process in the personal information evaluation system example according to the present invention. First, in step S110, the target file is subjected to character string extraction processing based on keywords and parameters (hereinafter referred to as coefficients) in the personal information dictionary. For example, as shown in FIG. A, as a keyword in the personal information dictionary, “Dictionary 1” has a name dictionary (coefficient 1 = 1.0), “Dictionary 2” has an address dictionary (coefficient 2 = 2.0), and the like. Yes. Here, the coefficient 1 or 2 represents the importance of confidentiality possessed by the “dictionary 1” or “dictionary 2”, and is a coefficient used for confidentiality evaluation described later. Next, in step S111, matching processing is performed between the target file and a keyword in the personal information dictionary. That is, the presence / absence of data matching the keyword in the personal information dictionary and the number of matching data are searched for in the target file. Next, in step S112, the matching result obtained in step S111 is held in the storage unit 114 (see FIG. 2). For example, as shown in B in the figure, the number of matching keywords in “Dictionary 1” that is each dictionary is “100”, the number of matching keywords in “Dictionary 2” is 200, and so on. “Number of records” is stored as a matching result. Thereafter, the personal information dictionary matching processing sequence is terminated. The personal information dictionary matching process may be considered to function as the personal information dictionary matching means 117. Therefore, the result of the personal information dictionary matching process is output to the personal identification evaluation result 118 (see FIG. 3).

  FIG. 6 shows a flowchart of personal identification evaluation processing in an example of a personal information evaluation system according to the present invention. The personal identifiability evaluation process is a process for evaluating the presence / absence of individual identities from combinations of keywords registered in the personal information dictionary. First, in step S120, it is checked whether or not the target file can be identified by only the detected character string. For example, as shown in FIG. C, a character string detected in a personal information dictionary for mail (hereinafter referred to as a mail dictionary) included in a “detected character string” included in the target file is “name @ corporate domain name”. It is determined whether or not it is configured to identify an individual. If the individual can be identified only by the detected character string in the target file, the individual identification is set to “Yes” in step S125, and the individual identification evaluation processing sequence is terminated. If the individual cannot be identified only by the detected character string in the target file, the process proceeds to step S122. In step S122, based on the result of the personal information dictionary matching process, “true” or “false” is checked according to the conditional expression of the distinguishability evaluation policy that is set in the storage unit 114 in advance. For example, as shown in the figure D, it is set to “true” when the conditional expression “policy 1” satisfies “one or more dictionaries 1 and one or more dictionaries 2”, or the conditional expression of “policy 2” “True” is satisfied when “dictionary 1 is 1 or more and dictionary 3 is 1 or more” is satisfied. If none of the conditional expressions of the policy is satisfied, “false” is set. Such a conditional expression of the policy can be arbitrarily determined according to the information protection system to be used. In step S122, when the distinctiveness evaluation policy is “true”, the process proceeds to step S123, where the personal distinguishability is “present”, and when the distinguishable evaluation policy is “false”, the process proceeds to step S124. In step 124, all the numbers of dictionaries (eg, “dictionary 1” and “dictionary 2”) included in the conditional expression of each policy (eg, policy 1 in FIG. D) are checked. Further, when there is no information whose personal identification is “present” in policy 1 as shown in FIG. D, policy 2 is examined next. If any of the policies has a personal identification of “present”, step 124 is terminated. Further, the step 124 is ended also when there is no information whose personal identification is “present” for all policies. Thereafter, the personal identification evaluation process is terminated. The personal identification evaluation process may be considered to function as the personal identification evaluation means 118. Therefore, the result of the personal identification evaluation process is output as the confidentiality evaluation result 119 (see FIG. 3).

  FIG. 7 shows a flowchart of confidentiality evaluation processing in an example of a personal information evaluation system according to the present invention. First, in step S130, the confidentiality score is calculated for the target file from the coefficient set in advance for each dictionary and the number of cases (see B in the above figure) based on the result of the personal information dictionary matching process for each dictionary described above. To do. For example, as shown in the figure E, since the coefficient of the dictionary 1 is 1.0, the detection result of the dictionary 2 is “100” when the detection result of the dictionary 1 is 100, and the coefficient of the dictionary 2 is 2.0. If the number of 200 is 2.0 x 200 and "400", the sum "500" is the ratio of the total number of detected cases to 300, and the confidentiality score is 500/300 ≒ 1.7 points. it can. Next, in step S131, it is checked whether or not the confidentiality relevance conditional expression is satisfied from the result of the personal information matching process. For example, as shown in FIG. F, whether or not the confidentiality relevance conditional expression “dictionary 1 is 10 or more and dictionary 2 is 10 or more” is satisfied. When the confidentiality relevance conditional expression “dictionary 1 is 10 or more and dictionary 2 is 10 or more” is satisfied, a predetermined confidentiality relevance coefficient is added to the confidentiality score in step S134. For example, in accordance with the example described above, the confidentiality relevance coefficient is 1.2 as shown in F in the figure. Therefore, by multiplying the confidentiality score 1.7 points in the above example by the confidentiality relevance coefficient 1.2, a new A confidentiality score of 2.0 is obtained, and the process proceeds to step S132. For example, when the confidentiality relevance conditional expression is defined as “dictionary 1 is 10 or more and dictionary 2 is 10 or more”, if the conditional expression is not satisfied, the process goes to step S132 without going through step S134. move on. Next, in step 132, it is checked whether or not the target file name includes a keyword indicating the importance of information. For example, as shown in G in the figure, if the target file name keyword is defined as the condition example “important and limited to related parties”, and if the condition is satisfied, in step S135, the file with a predetermined confidentiality score is set. Add name keyword coefficient. For example, in the figure G, the file name keyword coefficient is 1.2, so the confidentiality score of 2.0 in the above example is multiplied by the confidentiality relevance coefficient of 1.2 to obtain a new confidentiality score of 2.4. The process proceeds to step S133. If the target file name keyword does not satisfy the condition example “important and limited to related parties”, the process proceeds to step S133 without going through step S135. Next, in step 133, it is checked whether or not the target file includes a keyword indicating the importance of information. For example, as shown in FIG. 5H, when the condition example “limited to important and related parties” is satisfied for the keyword in the target file, a predetermined keyword coefficient in the file is added to the confidentiality score in step S136. For example, the file name keyword coefficient is 1.2 in the figure H, so the confidentiality score of 2.4 in the above example is multiplied by the confidentiality relevance coefficient of 1.2 to obtain a new confidentiality score of 2.9. The confidentiality evaluation process is terminated. If the keyword in the target file does not satisfy the condition example “only important and related parties”, the confidentiality evaluation process is terminated without going through step S136. The confidentiality evaluation process may be considered to function as the confidentiality evaluation means 119. Accordingly, the result of the confidentiality evaluation process is output to the searchability evaluation means 120 (see FIG. 3).

  FIG. 8 shows a flowchart of searchability evaluation processing in an example of a personal information evaluation system according to the present invention. First, in step S141, a searchability condition (for example, the target file is determined from the coefficient set in advance for each dictionary and the number of cases (see B in the above-mentioned figure) based on the result of the personal information dictionary matching process for each dictionary described above). Whether the condition I) is satisfied is examined, and the searchability score is calculated. For example, the reference score of the searchability score is 1.0. Next, when the target file satisfies the searchability condition, the process proceeds to step S145. In step 145, for example, as shown in FIG. I, when the searchability conditional expression “10 or more in dictionary 1 and 10 or more in dictionary 2” is satisfied, the searchability score is 1.0. 1.0 points at 1.0 x 1.0 points. If the searchability coefficient is 1.2, the searchability score is determined as 1.2 × 1.0 × 1.2, and the process proceeds to step S142. In step S141, if the target file does not satisfy the searchability condition (for example, I in the figure), the process proceeds to step S142 without going through step S145 (in this case, the searchability score is 1.0 in the above example). Is). Next, in step S142, it is checked whether or not the target file name includes a keyword indicating the ease of searching for information. For example, as shown in J in the figure, when “list, list” is satisfied as the keyword of the target file name, a predetermined file name keyword coefficient for searchability is added to the searchability score in step S146. For example, as shown in the figure J, the file name keyword coefficient for searchability is 1.2. Therefore, a new search is performed by multiplying the searchability score 1.2 points in the above example by the file name keyword coefficient 1.2 for searchability. 1.4 points are obtained and the process proceeds to step S143. If the target file name does not include a keyword indicating the ease of searching for information, the process proceeds to step S143 without going through step S146. Next, in step 143, it is checked whether or not the target file includes a keyword indicating the information searchability. For example, as shown in K in the figure, when the keyword in the target file satisfies “list, list”, in step S147, a predetermined keyword coefficient in the file for searchability is added to the searchability score. For example, in the illustrated K, since the keyword coefficient for searchability in the file is 1.2, the searchability score of 1.4 in the above example is multiplied by the keyword coefficient 1.2 in the searchability file to obtain a new search. Obtain a sex score of 1.7 and go to step S144. If the target file does not include a keyword indicating the ease of searching for information, the process proceeds to step S144 without going through step S147. Next, in step S144, it is checked whether or not the target file includes a searchable extension. For example, as illustrated in L in the figure, if the extension of the target file is “xls” or “csv”, the target file is assumed to include a searchability extension, and the process proceeds to step S148. In step S148, for example, the extension coefficient for searchability is 1.2 at L shown in the figure. Therefore, the searchability score of 1.7 in the above example is multiplied by the extension coefficient 1.2 for searchability to obtain a new extension coefficient. The searchability score of 2.0 is obtained and the searchability evaluation process is terminated. If the target file does not include a searchability extension, the searchability evaluation process is terminated without going through step S148. The searchability evaluation process may be considered to function as the searchability evaluation means 120. Accordingly, the result of the searchability evaluation process is output to the protection level evaluation means 121 (see FIG. 3).

  FIG. 9 shows a flowchart of the protection level evaluation process in the example of the personal information evaluation system according to the present invention. In the protection level evaluation process, based on the result of the personal information dictionary matching process (see FIG. 5), the result of the confidentiality evaluation process (see FIG. 7), and the result of the searchability evaluation process (see FIG. 8), for example, As shown in M in the figure, according to the protection level conditional expression, the protection levels are selected as “high”, “medium”, and “low”. For example, in the figure M, the protection level “high” indicates that the conditional expression “(1000 or more detections by personal information dictionary matching process) or (confidentiality score ≧ 2.0 or more by the result of confidentiality evaluation process) or (searchability evaluation process) The searchability score of the result of <2.0>) ”is satisfied. In addition, the protection level “medium” is a conditional expression “(100 or more detected by personal information dictionary matching process) or (confidentiality score ≧ 1.2 by the result of confidentiality evaluation process) or (search by the result of searchability evaluation process) When the number of sex points> 1.2) ”is satisfied. Further, the protection level “low” is assumed to satisfy the conditional expression “not protection level“ high ”and protection level“ not medium ””. In step S151, it is evaluated whether or not the conditional expression of the protection level “high” is satisfied for the target file. If satisfied, the process proceeds to step S152, and the protection level of the target file is set to “high”. If it is determined in step S151 that the conditional expression for the protection level “high” is not satisfied for the target file, the process proceeds to step S153. In step S153, it is evaluated whether or not the conditional expression of the protection level “medium” is satisfied for the target file. If satisfied, the process proceeds to step S154, and the protection level of the target file is set to “medium”. If it is determined in step S153 that the conditional expression for the protection level “medium” is not satisfied for the target file, the process proceeds to step S155. All the target files that proceed to step S155 have the protection level set to “low”. After steps S152, S154, and S155, the protection level evaluation process is terminated. The protection level evaluation process may be considered to function as the protection level evaluation means 121. Therefore, the result of the protection level evaluation process is output to the personal information file list 116 (see FIG. 3).

  With the information protection system shown in the first embodiment, it is possible to suitably determine whether or not the personal information is to be protected by having a function of specifying an individual from a target file such as data or a file. Become. In addition, the confidentiality of information is not limited to phone numbers, e-mail addresses, addresses, and names, but it can be determined whether or not it contains highly confidential attributes such as career, medical history, bank account number, credit card number, income information, etc. Thus, a more suitable information protection system can be realized. Furthermore, as a searchability of information, it is possible to determine whether or not the personal information file is systematically configured so that a personal information file can be searched, and a more suitable information protection system can be realized. .

  Moreover, a sufficient information protection system can be realized only by detecting keywords in the target file, determining whether the number of detected keywords is equal to or greater than a predetermined number, and further including personal information. Can not. That is, in the conventional information protection system, since the target file including keywords with various importance levels is determined as a personal information file, whether or not the user of the personal information file includes personal information to be truly protected. This will create a need for manual confirmation. Therefore, as in this embodiment, a protection level evaluation unit is provided, and the target file is comprehensively determined based on the results of personal information matching unit, confidentiality evaluation unit, searchability evaluation unit, etc. A good and practical information protection system can be realized.

  In the present embodiment, the contents defined in the personal information dictionary, various specific numerical values of quantification, conditional expressions, or condition examples have been described, but the present invention is not limited to this. Needless to say.

  As a further application example of the first embodiment, FIG. 10 shows a block diagram of still another terminal in the example of the personal information evaluation system according to the present invention. 10, the same elements as those in FIG. 2 are denoted by the same reference numerals, and the description of the same components as those described above is omitted. The terminal 100 shown in FIG. 10 newly includes attribute evaluation means 131, protection level correction means 132, and protection level learning means 133.

  The attribute evaluation means 100 evaluates whether or not the keyword included in the target file has personal information of employees, corporate customers, and individual customers. A new protection level can be set by taking into account the result of the protection level evaluation means described in FIG. 3 and FIG. 9 and the result of the attribute evaluation means 100. Thus, for example, when the keyword of an individual customer is regarded as important, the protection level can be set to “high” even if the protection level of the personal information evaluation means 100 is “medium” or “low”. It becomes.

  The protection level correction unit 132 is a unit that allows the protection level evaluation result by the personal information evaluation unit 100 to be manually corrected. Further, the protection level learning unit 133 is a unit that retains and manages the correction history by the protection level correction unit 132 and can optimize the conditional expression (M shown in FIG. 9) used for the protection level evaluation. . By providing such means, for example, the information of the target file can be corrected later, and in such a case, the protection level may be changed. Therefore, a better information protection system can be realized by maintaining and managing the correction history and learning conditions used for more suitable protection level evaluation. Note that the attribute evaluation unit 131, the protection level correction unit 132, and the protection level learning unit 133 added as an application of the first embodiment can also function independently.

  Next, Embodiment 2 of the information protection system according to the present invention will be described as a personal information search and detection system.

(Example 2)
FIG. 11 shows a block diagram of a terminal in an example of a personal information search detection system according to the present invention. The personal search detection system can be used in the network system shown in FIG. 1 and includes each means for causing the personal information evaluation system of the first embodiment to function. In FIG. 11, the same elements as those in FIG. 10 are denoted by the same reference numerals, and the description of the same components as those described above is omitted. The terminal 100 shown in FIG. 11 monitors personal information search means 140 for searching whether or not a personal information file is included in at least one or more designated areas of the terminal and the server, and an event occurring in the terminal. The personal information detected or detected by at least one of the personal information detecting means 141 that detects the target file including the personal information with the occurrence of the event and issues a warning, the information searching means and the personal information detecting means Personal information list management means 142 that manages a list of target files including information and enables the list to be displayed on a display screen of the terminal. Further, a file open means 151, a file delete means 152, a file move means 153, a progress status display means 154, and a performance control means 155 can be provided.

  The personal information search means 140 is a means for searching whether or not a personal information file is included in a designated area of the recording medium. The “designated area of the recording medium” means a terminal or server that can be used in the network system shown in FIG. The personal information detection unit 141 is a unit that monitors events such as input, output, and deletion of personal information files that occur in the terminal, for example, detects a protection target file when the event occurs, and issues a warning. The personal information list management unit 142 is a unit that manages, displays, and outputs a list of searched and detected personal information files. In FIG. 11, the personal information search means 140, the personal information detection means 141, and the personal information list management means 142 are shown to function on the personal information file list 100 of the terminal 100 of the self. 1 includes a terminal or a server that can be used in the network system shown in FIG. 1 for convenience of explanation.

  The progress status display means 154 is a means for displaying the search progress status in order not to give stress to the user who uses the terminal 100. The performance control means 155 is a means for adjusting the priority so as to lower the priority when the CPU load of the terminal is high when other tasks other than the search are simultaneously executed during the search. Thereby, the usability of those who use functions such as personal information file search can be improved.

  The personal information search means 140, the personal information detection means 141, the personal information list management means 142, the progress status display means 154, and the performance control means 155 can also function independently.

  The file opening means 151 is a means for enabling file opening of information (target file) stored in the terminal or server. The file deletion unit 152 is a unit that enables file deletion of information (target file) stored in the terminal or the server. The file moving unit 153 is a unit that enables file movement of information (target file) stored in the terminal or the server. The file opening means 151, the file deleting means 152, and the file moving means 153 are means for realizing the file management authority of the personal information holder, for example.

  Such a personal information search and detection system can reduce the search burden for those who hold or use personal information while having the advantages described in the first embodiment.

  Next, Embodiment 3 of the information protection system according to the present invention will be described as a personal information protection level setting inspection system.

(Example 3)
FIG. 12 shows a block diagram of a terminal in the setting inspection system example according to the present invention. The setting inspection system can be used in the network system shown in FIG. 1 and includes each means for causing the personal information evaluation system of the first embodiment to function. Each means for causing the personal information search and detection system of the second embodiment to function can be included. 12, the same elements as those in FIG. 11 are denoted by the same reference numerals, and the description of the same components as those described above is omitted. The terminal 100 shown in FIG. 12 newly has a setting grasping means 156 for grasping the setting of the security measures for the target file including personal information, and the security setting is an appropriate setting compared with the result of the protection level evaluation means. Setting validity evaluation means 157 for evaluating whether or not

  The setting grasping means 156 is a means for grasping the security control settings such as the access control setting of the personal information file and the presence / absence of encryption. The setting validity evaluation means 157 is a means for evaluating whether or not the security setting is an appropriate setting as compared with the protection level evaluation result. In FIG. 12, it is shown that the setting grasping means 156 and the setting validity evaluating means 157 are made to function for the personal information evaluating means 110 of the terminal 100 of its own, but it can be used in the network system shown in FIG. For convenience of explanation.

  The setting grasping means 156 and the setting validity evaluation means 157 can also function independently of each other.

  Such a setting inspection system can improve the reliability of the personal information protection level for the person who owns or uses the personal information while having the advantages described in the first embodiment or the second embodiment. .

   In the information protection system shown in Examples 1 to 3, for those who hold or use personal information, in order to reduce the burden of pre-selecting and setting management means, etc. In addition to identifying or determining personal information, information management can be performed under a more reliable protection level setting.

  Next, Embodiment 4 of the information protection system according to the present invention as a personal information history management system will be described.

  FIG. 13 shows a block diagram of a terminal in the personal information history management system example according to the present invention. The personal information history management system can be used in the network system shown in FIG. 1 and includes various means for causing the personal information evaluation system of the first embodiment to function. In addition, each means for causing the personal information search and detection system of the second embodiment and / or the setting inspection system of the third embodiment to function can be included. 13, elements similar to those in FIG. 12 are denoted by the same reference numerals, and description of the same components as those described above is omitted. The terminal 100 shown in FIG. 13 newly includes a change inspection unit 163 that inspects whether or not the status of the target file including personal information has changed, and personal information that manages the status in time series and records it in the terminal It includes status management means 161 and warning means 162 that issues a warning when there is a change in status.

  The change checking means 163 is a means for checking whether the status of the personal information file, the access date / time, the update date / time, etc. has changed. The personal information status management means 161 is a means for managing and recording the status of the personal information file in chronological order so that the status before and after taking out the recording medium can be compared. The warning means 162 is a means for issuing a warning when the status changes. In FIG. 13, the change inspection means 163, the personal information status management means 161, and the warning means 162 are shown to function on the personal information file list 116 of the terminal 100 of FIG. It includes a terminal or server available in the network system shown and is for convenience of explanation only.

  The change inspection unit 163, the personal information status management unit 161, and the warning unit 162 can function independently of each other.

  Such a setting inspection system can improve the reliability of the personal information protection level for the person who holds or uses the personal information while having the advantages described in the first to third embodiments.

  In the information protection system shown in the fourth embodiment, the status of the personal information file can be managed in time series or the setting of the personal information file can be inspected for the person who owns or uses the personal information. Information management can be performed under a high protection level setting.

  Next, Embodiment 5 of the information protection system according to the present invention will be described as an information leakage countermeasure system.

(Example 5)
FIG. 14 shows a block diagram of a terminal in the information leakage countermeasure system example according to the present invention. The information leakage countermeasure system can be used in the network system shown in FIG. 1, and includes each means for causing the personal information evaluation system of the first embodiment to function. Further, each means for causing the personal information search and detection system of the second embodiment and / or the setting inspection system of the third embodiment and / or the personal information history management system of the fourth embodiment to function can be included. 14, elements similar to those in FIG. 13 are denoted by the same reference numerals, and description of the same components as those described above is omitted. The terminal 100 shown in FIG. 14 newly includes at least one of an access control optimization unit 166 that sets access control of a terminal based on the result of the protection level evaluation unit, and the information search unit and the personal information detection unit described above. At least at least one of the encryption means 165 for encrypting the target file including personal information searched or detected by the information search means and the personal information detection means, and stored in the terminal. First, the target file found or detected is moved from the terminal to the server, the central management means 167 for centrally managing the target file including all personal information by the server, and the shortcut setting means 168 for leaving the shortcut serving as link information on the terminal. With.

  The access control optimizing means 166 is a means for setting access control based on the result of the protection level evaluation means for the searched and detected personal information file. The access control here may be considered as a control means for limiting the access right of personal information according to the automatically evaluated protection level. The encryption means 165 is a means for encrypting the searched and detected personal information file. When the encryption unit 165 encrypts the personal information file by moving it to the encryption folder, the shortcut setting unit 168 functions to leave a shortcut serving as link information representing the storage location of the server on the terminal. be able to. The aggregation management unit 167 is a unit that moves from the terminal to the server at the timing when the retrieved and detected personal information file is retrieved and detected, aggregates and manages all the personal information files on the server, and does not store the personal information file on the terminal. is there. When the personal information file searched and detected by the aggregation management unit 167 is searched and detected, the shortcut setting unit 168 provides a shortcut serving as link information indicating the storage location of the server. Can be left to function. By leaving the shortcut on the terminal in this way, the personal information file is not saved on the terminal, but the personal information file is saved on the server, so that the use on the terminal is not restricted while reducing the burden on the terminal. be able to.

  The access control optimization unit 166, the encryption unit 165, the aggregation management unit 167, and the shortcut setting unit 168 can also function independently of each other.

  If it is such an information leakage countermeasure system, it has the advantages described in the first to fourth embodiments, and more easily owns or manages personal information files for those who own or use personal information. Can do.

  With the information leakage countermeasure system shown in the fifth embodiment, it is possible to increase the degree of use as an information protection system while maintaining the maintainability of the personal information for those who hold or use the personal information.

  Next, Embodiment 6 of the information protection system according to the present invention will be described as a personal information evaluation system.

(Example 6)
FIG. 15 shows a block diagram of still another terminal in the personal information evaluation system example according to the present invention. The personal information evaluation system of the sixth embodiment can be used in the network system shown in FIG. 1 and can include each means for causing the personal information evaluation system of the first embodiment to function. In FIG. 15, the same elements as those described in the first embodiment are denoted by the same reference numerals, and the description of the same components described above is omitted. The terminal 100 shown in FIG. 15 newly has a trade secret evaluation means 134 for evaluating the trade secret by matching with a dictionary for evaluating the trade secret provided in at least one of the terminal and the server. Prepare.

  In addition to the personal information evaluation means of the first embodiment, the trade secret evaluation means 134 matches keywords (e.g. M & A, investment, executive meeting materials, sales manual, manufacturing manual) with a dictionary for evaluating trade confidentiality. Matching with a trade secret dictionary that includes or is labeled by an information category (ie, a label) defined in an internal security policy such as “Strict”, “Secret”, “Externally Confidential” or “Externally Confidential” A trade secret evaluation means for evaluating the trade secret based on the result of matching with the trade secret classification dictionary. Evaluation by the trade confidentiality evaluation unit is added to the result of the protection level evaluation unit of the first embodiment, thereby making it possible to determine the overall protection level of the target file. “Trade secrets” are defined in Article 2, paragraph 6 of the Unfair Competition Prevention Act as “technical or business information useful for production methods, sales methods and other business activities managed as secrets, It is synonymous with something that is not publicly known. By determining the protection level of information in consideration of not only personal information but also business confidentiality, it is easier for those who hold or use personal information while having the advantages described in the first embodiment. Personal information files can be held or managed. In addition, the person who holds or uses personal information should evaluate the importance of the personal information file automatically, taking into account legal requirements of trade secrets, without opening the personal information file individually on the terminal. Can do.

  In the information protection system shown in the first to sixth embodiments, it is possible to suitably determine whether or not the personal information is to be protected by having a function of specifying an individual from a target file such as data or a file. It becomes possible. In addition, it is possible to determine whether or not a highly confidential attribute is included, and a more suitable information protection system can be realized. Furthermore, as a searchability of information, it is possible to determine whether or not the personal information file is structured in a systematic manner so that the personal information file can be searched, and a more suitable information protection system is realized. Can do.

  In the information protection system shown in Examples 1 to 6, even when an auditor uses such a personal information system to check the handling status of personal information, automatic judgment is performed within a limited audit period. Personal information files can be checked in descending order of importance. Therefore, according to the present invention, an information protection system that is extremely effective in improving audit efficiency can be configured.

  The information protection systems shown in Examples 1 to 6 are respectively a personal information evaluation system (Example 1), a personal information search detection system (Example 2), a setting inspection system (Example 3), and a personal information history management system (implemented). Example 4), an information leakage countermeasure system (Example 5), and an internal information evaluation system (Example 6) have been described, but for such a system, a program for causing a terminal to function, or a computer recording the program It can also be realized as a readable recording medium or a method for protecting personal information. For example, according to the present invention, the following applications can be considered.

  According to the present invention, the first information protection program includes one or more terminals, a server that can manage a list of target files that can be held in the terminals, and a security that implements security measures for the target files. In an information protection system comprising a countermeasure implementation device and configured by connecting the terminal, the server, and the security countermeasure implementation device to a network, in order to define a protection level of a personal information file from the target file, Whether or not the target file includes at least one keyword in a personal information dictionary stored in at least one or more designated areas of the terminal and the server in the target file. Personal information dictionary matching means for evaluating the object, and the object by the personal information dictionary matching means A personal identification evaluation means for evaluating whether or not an individual can be specified by a combination of the keywords included in the file, and the keyword included in the target file are given in advance. The level of confidentiality is determined based on the evaluation of the coefficient, the evaluation of whether or not a keyword with high confidentiality is included, and the evaluation of whether or not it includes a combination of the keywords assumed to be highly confidential. Search based on confidentiality evaluation means for quantification, evaluation of the number of detected keywords included in the personal information dictionary of the same attribute, and evaluation of whether the target file is in an easily searchable form Based on the searchability evaluation means for quantifying possible levels, the result of the personal information dictionary matching means, the result of the confidentiality evaluation means, and the result of the searchability evaluation means, It may be information protection program for functioning as a protection level evaluation means for determining the overall level of protection of the serial target file.

  Further, according to the present invention, the second information protection program includes, in addition to the first information protection program, the personal information evaluation means as keywords included in the target file, for example, employees, corporate customers, etc. And attribute evaluation means for evaluating whether or not there is personal information such as an individual customer, and the evaluation by the attribute evaluation means is added to the result of the protection level evaluation means to comprehensively protect the target file. It can be set as the program for information protection which can determine a level.

  Further, according to the present invention, the third information protection program is a protection level capable of manually correcting the protection level evaluation result of the computer constituting the terminal in addition to the first or second information protection program. The program may further include a correction unit and a program for managing the correction history and functioning as a protection level learning unit that optimizes the conditional expression used for the protection level evaluation.

  Further, according to the present invention, in addition to any one of the first to third information protection programs, the fourth information protection program is configured to add a computer constituting the terminal to a designated area of the recording medium. Personal information search means for searching whether or not an information file is included, for example, monitoring events such as input, output, and deletion of a personal information file occurring in the terminal, and the personal information file accompanying the occurrence of the event Personal information detecting means for detecting a warning and a list of the searched and detected personal information files are managed by a terminal, displayed on a display surface of the terminal, and output to a printer connected to the terminal It can be set as the program which further has a program for functioning as a personal information list management means.

  Further, according to the present invention, in addition to the fourth information protection program, the fifth information protection program displays the progress of the search so that the computer constituting the terminal does not stress the user. A program for functioning as a performance control means that adaptively adjusts to lower the priority when the CPU load is high when the progress status display means and other tasks other than the search are simultaneously executed at the time of the search Furthermore, it can be set as the program which has.

  Further, according to the present invention, the sixth information protection program includes, in addition to the fourth or fifth information protection program, a computer constituting the terminal, a file open means, a file delete means, a file move It can be set as the program which further has the program for functioning as a means.

  Furthermore, according to the present invention, in addition to any one of the first to sixth information protection programs, the seventh information protection program is used to set the access control setting and encryption of the personal information file in the computer constituting the terminal. For functioning as a setting validation means for grasping the setting of security measures such as the presence or absence of security, and as a setting validity assessment means for evaluating whether or not the security setting is appropriate compared to the protection level evaluation result The program may further include a program.

  Further, according to the present invention, in addition to any of the first to seventh information protection programs, the eighth information protection program is configured to update the computer constituting the terminal with the contents of the personal information file, access date and time, update Individuals who manage and record the status of personal information files in chronological order so that they can compare the status before and after taking out the recording medium with the change inspection means that checks whether the status such as date and time has changed. The program may further include an information status management means and a program for causing the information status management means to function as a warning means for issuing a warning when the status changes.

  Further, according to the present invention, in addition to any of the first to eighth information protection programs, the ninth information protection program encrypts the personal information file searched and detected by the computer constituting the terminal. And a program for causing the personal information file that has been moved to function as a shortcut setting means for leaving a shortcut serving as link information indicating the moving location on the terminal.

  Further, according to the present invention, in addition to any one of the first to ninth information protection programs, the tenth information protection program searches the personal information file searched and detected for the computer constituting the terminal, and At the detected timing, the terminal moves from the terminal to the server, and all personal information files are centrally managed by the server and the personal information file is not stored in the terminal. It can be set as the program which further has a program for functioning as a shortcut setting means which leaves the shortcut used as link information showing a preservation place in a terminal.

  Further, according to the present invention, the eleventh information protection program includes, in addition to any one of the first to tenth information protection programs, a protection level of the personal information file searched and detected for the computer constituting the terminal. The program may further include a program for causing it to function as an access control optimization unit that sets access control based on the result of the evaluation unit.

  Further, according to the present invention, the twelfth information protection program is a dictionary for evaluating the trade secret by the personal information evaluation means that causes the personal information evaluation means to function by either the first information protection program or the second information protection program. The method further includes a trade secret evaluation unit that evaluates the trade secret by matching, adds an evaluation by the trade secret evaluation unit to the result of the protection level evaluation unit, and sets the overall protection level of the target file. It can be set as the program which enables determination.

  According to the present invention, an information protection system can be realized via a computer-readable recording medium that records any one of the first to twelfth information protection programs.

  According to the present invention, each means of the first to twelfth information protection programs can be realized as each step executed by a program or the like, thereby providing a method for protecting information.

  As described above, the above-described embodiments have been described as typical examples, and it will be apparent to those skilled in the art that many changes and substitutions can be made within the spirit and scope of the present invention. Accordingly, the invention should not be construed as limited by the above-described examples or description, but only by the claims.

  According to the present invention, since the importance of a personal information file can be automatically evaluated in consideration of the legal requirements of trade secrets without opening the personal information file individually on the terminal, the information protection method It is useful for a recording medium on which an information protection system and an information protection program are recorded.

It is a figure which shows the example of a personal information evaluation system by this invention. It is a block diagram of a terminal in an example of a personal information evaluation system according to the present invention. It is a block diagram of the personal information evaluation means by this invention. It is the whole flowchart in the example of a personal information evaluation system by this invention. It is a flowchart of the personal information dictionary matching process in the example of the personal information evaluation system by this invention. It is a flowchart of the personal identification product evaluation process in the personal information evaluation system example by this invention. It is a flowchart of the confidentiality evaluation process in the example of the personal information evaluation system by this invention. It is a flowchart of the searchability evaluation process in the example of the personal information evaluation system by this invention. It is a flowchart of the protection level evaluation process in the example of a personal information evaluation system by this invention. It is a block diagram of another terminal in the personal information evaluation system example according to the present invention. It is a block diagram of a terminal in an example of a personal information search detection system according to the present invention. It is a block diagram of the terminal in the example of a setting inspection system by the present invention. It is a block diagram of a terminal in an example of a personal information history management system according to the present invention. It is a block diagram of the terminal in the information leakage countermeasure system example by this invention. It is a block diagram of another terminal in the personal information evaluation system example according to the present invention.

Explanation of symbols

80 Security measure enforcement device
100 terminals
101 servers
110 Personal information evaluation means
115 Setting information
116 Personal Information File List
117 Personal information dictionary matching means
118 Personal identification evaluation means
119 Confidentiality assessment means
120 Searchability evaluation means
121 Protection level assessment means
131 Attribute evaluation means
132 Protection level correction means
133 Protection Level Learning Means
134 Trade secret evaluation method
140 Personal information search means
141 Personal information detection means
142 Personal Information List Management Method
151 File open means
152 File deletion method
153 File moving means
154 Progress indicator
155 Performance control measures
156 Setting grasp method
157 Setting validity evaluation means
161 Personal information status management means
162 Warning means
163 Health checkup
165 Encryption means
166 Access control optimization means
167 Aggregation management method
168 Shortcut setting means

Claims (11)

One or more terminals, a server that can manage a list of target files that can be held in the terminal, and a security countermeasure execution device that performs security countermeasures for the target files, the terminal, the server, and the security In an information protection system configured by connecting a countermeasure implementation device to a network, in order to define a protection level of a personal information file from the target file, a computer constituting the terminal is
Personal information dictionary matching for evaluating whether or not the target file contains at least one keyword in a personal information dictionary stored in at least one or more designated areas of the terminal and the server Means,
Personal identification evaluation means for evaluating whether or not it is possible to specify an individual by a combination of the keywords that are included in the target file by the personal information dictionary matching means;
It includes a combination of a keyword that is preliminarily assigned to the keyword included in the target file, an evaluation of whether or not a keyword with high confidentiality is included, and the keyword that is assumed to have high confidentiality. A confidentiality assessment means for quantifying the level of confidentiality based on the assessment of whether or not
Searchability for quantifying the searchable level based on the evaluation of the number of detected keywords included in the personal information dictionary with the same attribute and the evaluation of whether or not the target file is in an easily searchable form An evaluation means;
Based on the result of the personal information dictionary matching means, the result of the confidentiality evaluation means, and the result of the searchability evaluation means, it functions as a protection level evaluation means for determining an overall protection level of the target file. Program for information protection. A computer constituting the terminal;
Personal information search means for searching whether or not the personal information file is included in at least one or more designated areas of the terminal and the server;
Personal information detection means for monitoring an event occurring in the terminal, detecting the personal information file with the occurrence of the event, and issuing a warning;
Personal information list management for managing a list of the personal information files searched or detected by at least one of the information search means and the personal information detection means and displaying the list on a display screen of the terminal 2. The information protection program according to claim 1, further comprising a program for causing it to function as a means. A computer constituting the terminal;
Setting grasping means for grasping the setting of security measures of the personal information file;
2. The program according to claim 1, further comprising a program for causing a security setting to function as a setting validity evaluation unit that evaluates whether or not the setting is appropriate compared with the result of the protection level evaluation unit. The information protection program described. A computer constituting the terminal;
Change inspection means for inspecting whether or not the status of the personal information file has changed,
Personal information status management means for managing the status in time series and recording it in the terminal;
2. The information protection program according to claim 1, further comprising a program for functioning as warning means for issuing a warning when the status changes.   2. The program for causing the computer configuring the terminal to function as an access control optimization unit that sets access control of the terminal based on a result of the protection level evaluation unit. Information protection program.   The personal information evaluation means further comprises a business confidentiality evaluation means for evaluating business confidentiality by matching with a dictionary for evaluating business confidentiality provided in at least one of the terminal and the server. 2. The information protection according to claim 1, wherein the result of the protection level evaluation unit is evaluated by the trade confidentiality evaluation unit to enable determination of an overall protection level of the target file. Program. A computer constituting the terminal;
3. The computer program product according to claim 2, further comprising a program for functioning as an encryption unit that encrypts the personal information file searched or detected by at least one of the information search unit and the personal information detection unit. Information protection program described in 1. A computer constituting the terminal;
The personal information file that has been searched or detected is moved from the terminal to the server without being stored in the terminal at the timing when it is searched or detected by at least one of the information search means and the personal information detection means. , An aggregation management means for centrally managing all the personal information files by the server;
3. The program according to claim 2, further comprising a program for causing the moved personal information file to function as a shortcut setting unit that leaves a shortcut serving as link information representing a storage location of the server in the terminal. Information protection program.   9. A computer-readable recording medium in which the information protection program according to claim 1 is recorded.   9. An information protection system capable of protecting personal information by causing the information protection program according to claim 1 to function. One or more terminals, a server that can manage a list of target files that can be held in the terminal, and a security countermeasure execution device that performs security countermeasures for the target files, the terminal, the server, and the security In an information protection system configured by connecting a countermeasure implementation apparatus to a network, a method for evaluating personal information by a computer constituting the terminal in order to define a protection level of the personal information file from the target file. ,
(a) evaluating whether or not the target file includes at least one keyword in a personal information dictionary stored in at least one or more designated areas of the terminal and the server When,
(b) evaluating whether it is possible to identify an individual by the combination of the keywords said to be included in the target file by the step (a);
(c) Evaluation of a coefficient given in advance to the keyword included in the target file, evaluation of whether or not a keyword with high confidentiality is included, and between the keywords assumed to have high confidentiality Quantifying the level of confidentiality based on an evaluation of whether or not it includes a combination of:
(d) The searchable level is quantified based on the evaluation of the number of detected keywords included in the personal information dictionary having the same attribute and the evaluation of whether or not the target file is in an easily searchable form. And steps to
(e) including a step of determining an overall protection level of the target file based on the result of the step (b), the result of the step (c), and the result of the step (d). A method characterized by.

Images