JP2008112284A - Resource management method, resource management system and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the efficiency of the task of a whole organization while securing the security of an information system. <P>SOLUTION: A security management server 10 for managing resources in a task system is provided with a log-in user authority data generation part 103 for generating a log-in user authority data DC showing the authority of a user relating to the use of resources on the basis of the content of an event relating to security which has been caused by a user in the past or has arisen in the user; and a log-in user authority data transmission part 104 for transmitting the log-in user authority data DC to each device having the resources in order to restrict the use of the resources by the user on the basis of the generated log-in user authority data DC. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a method and system for supporting security management.

  In recent years, many government offices or organizations such as companies have introduced information systems in which various devices are linked through communication lines. According to the information system, members of the organization can share various data, use groupware, and use an e-mail transmission / reception service by an e-mail server. That is, various resources such as hardware resources, software resources, and data resources can be shared.

  However, if such information systems are made freely available to members, there are security issues such as confidential information being accidentally leaked outside the company or taken outside the company without permission. May occur.

  Therefore, in order to avoid such a problem, it is necessary to define rules regarding the use of information system resources. Thereby, for example, the transmission of the e-mail addressed to the outside is prohibited for the member of the job type who does not need to transmit the e-mail addressed to the outside. In addition, members other than a specific department are prohibited from accessing confidential information.

In general, such rules are based on the security policy of the organization. As a method for constructing this security policy, for example, a method as disclosed in Patent Document 1 has been proposed.
JP 2002-56176 A

  By the way, if the above-mentioned rules are strictly determined with emphasis on security, that is, if the use of the information system is severely limited, the usability of the information system may be deteriorated and the efficiency of work may be reduced. This will be a big loss for the organization. Therefore, it may be possible to loosen the restrictions, but this time, this leads to a decrease in security.

  The present invention has been made in view of such problems, and it is an object of the present invention to improve the efficiency of business of the entire organization while ensuring the security of the information system.

  The resource management system according to the present invention is a resource management system for managing resources in an information system, and recording means for recording the contents of events that have occurred in the past or related to security in the user, The authorization authority determining means for determining the authority regarding the use of the resource to be given to the user based on the contents of the event related to the security of the user recorded in the recording means, and the use of the resource by the user, Resource use restricting means for restricting based on the authority given to the user determined by the grant authority determining means.

  Or, the posture evaluation deriving means for deriving posture evaluation, which is an evaluation of the posture of the user with respect to security, based on the contents of the event that the user has caused in the past or has occurred in the user, and is given to the user. An authority for determining the use of the resource is determined based on the attitude evaluation of the user derived by the attitude evaluation deriving means, and an authority for determining the use of the resource by the user is determined by the authority for determining the authority. Resource use restricting means for restricting based on the authority given to the user.

  According to the present invention, it is possible to improve the efficiency of operations of the entire organization while ensuring the security of the information system.

  1 is a diagram illustrating an example of the overall configuration of the business system 1, FIG. 2 is a diagram illustrating an example of a functional configuration of the user terminal 2, and FIG. 3 is a diagram illustrating an example of a functional configuration of the security management server 10. FIG. 4 is a diagram illustrating an example of a functional configuration of the function server.

  The business system 1 is an information processing system used for business in an organization such as a government office or a company, and is installed in an office of the organization. As shown in FIG. 1, the business system 1 includes a security management server 10, user terminals 2a, 2b,..., An authentication server 3, an education server 4, a personnel information management server 5, a virus management server 6, a file server 7A, a document It is configured by hardware resources such as a management server 7B, a mail server 7C, a department business server 7D, a proxy server 7P, a basic data management terminal 8A, and a control information management terminal 8B. These devices are connected to each other via a communication line TK. LAN or WAN is used as the communication line TK. Hereinafter, a case where the business system 1 is used in the “company X” will be described.

  User terminals 2a, 2b,... Are terminal devices used by employees of company X. Hereinafter, the user terminals 2a, 2b,... May be collectively referred to as “user terminal 2”. One user terminal 2 is given to each employee of the company X. Hereinafter, an employee of company X may be referred to as a “user”.

  The user operates the user terminal 2 to obtain the hardware resources of the business system 1 and the software resources and data resources installed in each device within the scope of authority given to the business system 1. Businesses can be performed using various services provided by these devices. Each user is given a unique user number.

  Computer virus vaccine software is installed in the user terminal 2. Each update of the pattern file (pattern file update) of the vaccine software is performed by the user. Further, the user appropriately checks the release status (engine check) in order to update the virus search engine of the vaccine software.

  In addition, the user terminal 2 implements the authentication data input reception unit 201, the user number transmission unit 202, the login user authority data reception unit 211, the service restriction processing unit 212, the user authentication request unit 213, and the like illustrated in FIG. Software is installed for. This software is used for login of the user to the business system 1 and restriction of user operations.

  The basic data management terminal 8A is a terminal device for registering, updating, and deleting data in the security management database DB1 described later.

  The control information management terminal 8B is a terminal device for registering, updating, and deleting data in the policy link database DB2 and the access policy database DB3 described later.

  The file server 7A is a server that stores electronic files of various documents of the company X. The user can access the file server 7A using the user terminal 2 to refer to and edit the electronic file.

  The document management server 7B is a server for supporting management of electronic data (that is, electronic documents) of various documents of the company X. For example, groupware software for document management is installed in the document management server 7B, thereby managing electronic documents. The user can access the document management server 7B using the user terminal 2 to refer to and edit the electronic document.

  The mail server 7C is a server for sending and receiving electronic mail. The mail server 7C performs various check processes when sending an e-mail. In the present embodiment, transmission of an e-mail addressed to the outside by a user who is not authorized to transmit e-mail outside the company (transmission of authority violation), transmission of an e-mail not related to work (transmission outside work), and Checks for violations such as transmission of an e-mail that includes contents (deterrence keyword) indicating contents that should not be leaked outside the company (leakage should be suppressed) to the outside (transmission of suppression keywords). The deterrence keyword is determined according to the total security evaluation, department, and job type of the user, and is registered in advance in the mail server 7C in association with them.

  When the mail server 7C detects a violation by this check process, the mail server 7C stops the transmission of the electronic mail related to the violation and saves a record (log) about the detected violation as mail violation log data DR4. This mail violation log data DR4 indicates the user number of the user who attempted to send the e-mail, the content of the violation (such as authority violation transmission, out-of-business transmission, or deterrence keyword transmission), and the date and time of detection thereof. .

  The department business server 7D is a server used for specific work of each department of the company X, such as salary management or attendance management. The department business server 7D performs a check process as to whether or not the work the user is trying to perform is a work within the authority of the user. If this check process detects an out-of-authority operation (authorization violation business operation), the user is notified that the operation is out-of-authority operation, and the log of the operation is violated. Save as log data DR6. This work work violation log data DR6 shows the user number of the user who performed the work, the contents of the work, the date and time when the work was attempted, and the like.

  The authentication server 3 performs user authentication of a user who intends to log in to the business system 1. When the user inputs his / her user number and password to the user terminal 2 at the time of login, they are transmitted to the authentication server 3. The authentication server 3 has a database in which the user number of each user and the password corresponding to the user are associated with each other, and performs user authentication by comparing the transmitted user number and password with those. And if it can authenticate that it is a regular user, while permitting the login to the business system 1, it transmits the result to the user terminal 2. If authentication fails, the user's login is refused. In this case, the user cannot use the services provided by the file servers 7A and 7B, the mail server 7C, the department business server 7D, and the like.

  When the authentication server 3 detects an error such as a password mismatch (authentication error detection) in the user authentication process, the authentication server 3 stores the log as authentication error log data DR1. This authentication error log data DR1 indicates the user number of a user who could not be authenticated due to an error, the date and time when the authentication processing was performed, and the like.

  Further, every time the user updates a password (password update), the authentication server 3 stores password update log data DR2 indicating the log. The password update log data DR2 indicates the user number of the user and the date and time of password update.

  The educational server 4 is a server for conducting security education (security education) for employees of the company X. Software for e-learning is installed in a storage device such as a hard disk of the educational server 4. In the present embodiment, a security test, which is a test related to security, is performed in order to check the proficiency level of this security education. Each user must access the education server 4 using his / her user terminal 2 and take a security test periodically or in response to an instruction from a person in charge of education.

  When the user takes a security test, the scoring is performed in the educational server 4, and the result (test score) and the test date (test test date) are transmitted to the security management server 10. Then, it is registered in the user security data DUS of the user in the user security data management table TLS described later.

  The personnel information management server 5 is a system for managing various data related to personnel of the company X. For each user, a user number for identifying the user, a user name (user name), a department, a job type, and Manages data such as email addresses.

  In addition, the personnel information management server 5 records a log of penalties when an employee conducts an act subject to penal provisions (such as submission of a prosecution form or refusal), such as a violation of a work rule. Save as data DR3. The penalty log data DR3 indicates the user number of the employee, the content of the penalty, the date on which the penalty was applied, and the like.

  The virus management server 6 is a server used for virus countermeasures in the company X. In particular, when the user performs an operation related to virus countermeasures such as updating the pattern file of the vaccine software of the user terminal 2 or engine check, the virus management server 6 sets a log of the operation as virus countermeasure log data DR7. save. This anti-virus log data DR7 shows the user number of the user, the contents of the operation, the date and time of the operation, and the like.

  Further, when a user terminal 2 infected with a virus (virus infection) is detected, the virus management server 6 stores a log regarding the virus infection as virus infection log data DR8. The virus infection log data DR8 indicates the user number of the user having the user terminal 2, the type of virus, the date and time of detection, and the like.

  The proxy server 7P is a server for connecting to the Internet in place of each device constituting the business system 1. Access to the Internet from within the business system 1 can be centrally managed, and only a specific type of connection can be permitted or unauthorized access from outside can be blocked.

  The proxy server 7P is installed with software for realizing a content file tally function. With this function, the proxy server 7P checks the contents of the Web site that the user is trying to access in advance, and rejects (or blocks) the access if it is determined to be unrelated to the business.

  When the access is denied (access denied) by content filtering, the proxy server 7P stores the log as external access violation log data DR5. This external access violation log data DR5 shows the user number of the user who attempted access, the URL of the Web site to be accessed, the date and time of access denial, and the like.

  Hereinafter, the above-described authentication error log data DR1 or anti-virus log data DR7 may be collectively referred to as “log data DR”.

  As shown in FIG. 3, the security management server 10 includes a security management database DB1, a policy link database DB2, an access policy database DB3, a user number reception unit 101, a total security evaluation determination unit 102, a login user authority data generation unit 103, a login The user authority data transmission unit 104 and the security score update processing unit 114 are configured.

  With such a configuration, the security management server 10 performs a process for managing the security of the entire business system 1.

  Hereinafter, servers other than the security management server 10 and the education server 4 among the servers provided in the business system 1 may be collectively referred to as “function servers”. In each function server, in addition to hardware and software for realizing each specific function, in order to perform processing related to user authority management in cooperation with the security management server 10, as shown in FIG. A login user authority data reception unit 301, a service etc. restriction processing unit 302, a log data generation unit 312, a log data storage unit 313, a security score update request unit 314, a total data provision unit 322, and the like are provided.

  As the user terminal 2, the basic data management terminal 8A, and the control information management terminal 8B, a personal computer or a workstation is used. A so-called server machine, workstation, personal computer, or the like is used as the security management server 10 and each function server.

  Next, the functions of each part of the security management server 10 shown in FIG. 3, each part of the function server shown in FIG. 4, and each part of the user terminal 2 shown in FIG. A function for performing processing, a function for controlling the use of each service by the user, and a function for updating or resetting the security score will be broadly described.

[Function to save data]
5 is a diagram showing an example of a user security data management table TLS, FIG. 6 is a diagram showing an example of a policy link table TLL, FIG. 7 is a diagram showing an example of an authority definition table TLP, and FIG. 8 is an item-specific security level definition table. FIG. 9 is a diagram illustrating an example of a relative evaluation score definition table TLT, FIG. 10 is a diagram illustrating an example of a relative evaluation score management table TLA, and FIG. 11 is a diagram illustrating an example of a reset score definition table TLR. It is.

  In FIG. 3, the security management database DB1 of the security management server 10 stores and manages data on actions related to security of each user. Specifically, a user security data management table TLS and a relative evaluation score management table TLA are stored and managed.

  The policy link database DB2 stores and manages data relating to rules for determining the authority of a user who has logged into the business system 1. Specifically, the policy link table TLL, the security level definition table TLK for each item, the relative evaluation score definition table TLT, and the reset score definition table TLR are stored and managed.

  The access policy database DB3 stores and manages data relating to standard (default) authority for each department and occupation. Specifically, an authority definition table TLP is stored and managed for each combination of department and job type.

  Here, each table managed in each database of the security management database DB1, the policy link database DB2, and the access policy database DB3 will be described.

  The user security data management table TLS stores user security data DUS for each user as shown in FIG.

  “User number”, “department”, and “job type” of the user security data DUS indicate the user number of the user, the department to which the user security data DUS belongs, and the job type to be engaged, respectively.

  The “security score” is a score determined in accordance with the user's attitude toward security, such as measures against viruses or compliance with rules. The higher this score, the worse the security posture of the user. The security score is calculated based on the results of operations related to security. A method for calculating the security score will be described later.

  The “moral level” is a level that indicates whether the user's morals are good or bad, and is determined by the user's boss or the like based on the daily behavior of the user. This moral level is registered from the basic data management terminal 8A. When the boss of the user inputs the moral level of the user to the basic data management terminal 8A, the moral level and the user number of the user are notified to the security management server 10, and the moral level of the user security data DUS corresponding to the user number Is updated. In the present embodiment, a value from “0.8” to “1.2” is set as the moral level. The better the user's morality, the smaller the user's moral level is set.

  The “test score” and “test test date” indicate the score (hereinafter sometimes referred to as “test score”) as a result of the security test performed by the user last time and the test date. These data are transmitted from the educational server 4 every time the user takes a security test. If both fields are blank, it means that the user has never undergone a security test.

  In the user security data management table TLS, user security data DUS for all employees of the company X is registered in advance. When a new employee joins the company, the user security data DUS of the employee is registered. When the employee retires, the user security data DUS of the employee is deleted.

  As shown in FIG. 6, the policy link table TLL defines a total security evaluation that is a comprehensive evaluation of the user's attitude toward security. In the policy link table TLL, as shown in FIG. 6, total security evaluation of three levels of “High”, “Middle”, and “Low” is defined by the value of “weighted security score”. It can be said that a user with a higher total security evaluation is a user with a better attitude toward security.

  The “weighted security score” of a user is obtained by multiplying the security score indicated in the user security data DUS (see FIG. 3) of the user by the moral level. In other words, the weighted security score refers to the objective score of the user's attitude toward security, called the “security score,” and the moral level, which is a somewhat subjective evaluation by the supervisor regarding the user's attitude toward security. Based on this, it can be said that it has been corrected.

  In the authority definition table TLP, as shown in FIG. 7, authority data DP for each work that can be performed by the user using the hardware or software of the business system 1 is stored.

  In the authority data DP, information on restrictions on the user for the work is shown. “Work content” indicates the content of the work. This is also used to distinguish the work from other work. “High”, “Middle”, and “Low” indicate the authority for the work for the user whose total security evaluation is “High”, the user who is “Middle”, and the user who is “Low”, respectively. . “Target device” indicates the name of a device in charge of processing related to the work.

  Further, the authority definition table TLP stores examination frequency data DT relating to the frequency of taking the security test. “High”, “Middle”, and “Low” of the examination frequency data DT indicate the frequency of the user whose total security evaluation is “High”, the user who is “Middle”, and the user who is “Low”, respectively. Shows whether you must take a security test.

  The authority definition table TLP is prepared for each combination of departments and occupations in the company X as described above, and the contents are different for each. Each authority definition table TLP is associated with an identification number of a department and job type related to the combination. Note that the authority definition table TLP shown in FIG. 7 is an authority definition table TLP for the occupation type “engineer” of the department “development department”.

  The authority definition table TLP corresponding to his / her department and occupation is applied to the user. Therefore, even if users have the same total security evaluation, if the department or job type is different, the work that can be performed by each person may be different or the frequency of taking the security test may be different.

  In the item-specific security level definition table TLK, as shown in FIG. 8, criteria for determining the user level for each action or event related to various items regarding security are defined. Hereinafter, individual items regarding security are referred to as “security-related items”, and the user level regarding security-related items is referred to as “security level by item”. In the present embodiment, three levels of “level 1” to “level 3” are defined for each security-related item. In the order of “level 3”, “level 2”, and “level 1”, it is shown that the security level according to the item of the user regarding the security related item is good.

  In the security level definition table TLK for each item, one record is prepared for each action such as authority violation transmission, out-of-business transmission, and deterrence keyword transmission and for each event such as access denial, authentication error detection, and virus infection. Yes.

  The “item number” included in the record is a number for identifying the security-related item related to the record from other security-related items. “Level 1”, “Level 2”, and “Level 3” are respectively Level 1, Level 2 when the user performs the action or how often the user encounters the event. , And level 3 are defined. These frequencies are obtained based on the log data DR, which will be described later.

  “Category” indicates a device (function server or terminal) related to the security-related items of the record. This represents that the device has log data DR that is used to determine the frequency of actions or events of the security related matter.

  As shown in FIG. 9, a record is prepared for each security-related item shown in FIG. 8 in the relative evaluation score definition table TLT. In the “level 1” to “level 3” field of the record, the relative evaluation score of the security-related items related to the record when the security level by item is “level 1” to “level 3”, respectively, is shown. ing.

  Incidentally, as described above, the item-specific security level definition table TLK defines the item-specific security level according to the frequency of the action or the event for each security-related item. However, some security issues are very important and some are not. Therefore, even if the security level for each of the plurality of security-related items is the same, the significance of security management may differ. Therefore, it is desirable to use a value that reflects the importance of each security-related item rather than using these security levels for each item as they are.

  In view of the importance of each security-related item, the relative evaluation score definition table TLT defines values representing the relative evaluation of each level 1 to 3 as “relative evaluation score”. Yes.

  The relative evaluation score management table TLA is prepared for each user. The user's user number is associated with the user's relative evaluation score management table TLA. As shown in FIG. 10, the relative evaluation score management table TLA shows the relative evaluation score for each security-related item of the user corresponding to it.

  These relative evaluation scores are determined based on the actual action of the user or an event actually occurring in the user. The relative evaluation score management table TLA is used for calculating the security score. A method for calculating the relative evaluation score and a method for using the relative evaluation score management table TLA will be described later.

  The reset score definition table TLR is used to reset each relative evaluation score of the user's relative evaluation score management table TLA according to the result of the security test taken by the user, that is, the test score.

  As shown in FIG. 11, the reset point definition table TLR is provided with a record including fields of “40 points or more”, “60 points or more”, and “80 points or more” for each security-related matter. In these three fields of each security-related matter record, the relative score of each security-related matter when the test score is 40 points or more and less than 60 points, 60 points or more and less than 80 points, and 80 points or more, respectively. Indicated. A method of using the reset point definition table TLR will be described later.

[Function to perform processing at user login]
FIG. 12 is a diagram showing an example of login user authority data DC.

  In FIG. 2, the authentication data input receiving unit 201 of the user terminal 2 performs a process of receiving a user number and password of a user who intends to log in to the business system 1 as follows.

  When the user inputs a predetermined command or the user terminal 2 is turned on, the authentication data input receiving unit 201 displays a screen for inputting a user number and a password. Here, the user inputs his user number and password. The authentication data input receiving unit 201 receives the user number and password.

  The user number transmission unit 202 notifies the security management server 10 that the user of the user number is about to log in by transmitting the user number received by the authentication data input reception unit 201.

  In the security management server 10 of FIG. 3, the user number receiving unit 101 receives the user number transmitted from the user terminal 2.

  Then, the total security evaluation determination unit 102, the login user authority data generation unit 103, and the login user authority data transmission unit 104 of the security management server 10 determine the authority to be given to the user with the user number, and each device of the business system 1 The process for applying to is executed as follows.

  The total security evaluation determination unit 102 performs processing for determining the total security evaluation (overall evaluation of the user's attitude toward security) for the user of the user number received by the user number receiving unit 101 as follows. .

  First, the user security data DUS corresponding to the user number is called from the user security data management table TLS (see FIG. 5) of the security management database DB1.

  The weighted security score is obtained by calculating the product of the security score indicated by the user security data DUS and the moral level. Then, based on the policy link table TLL (see FIG. 6) of the policy link database DB2, a total security evaluation corresponding to the calculated weighted security score is obtained. This total security evaluation is the total security evaluation of the user.

  For example, when the user security data management table TLS and the policy link table TLL have the contents shown in FIGS. 5 and 6, respectively, the total security evaluation of the user whose user number is “0001” is “weighted security score = 15 × Since “0.8 = 12”, “High” is obtained.

  The login user authority data generation unit 103 generates data indicating what service use or operation is permitted or prohibited for the user (the user who logs in to the business system 1 this time). That is, data indicating the authority (access right) of the user is generated. Hereinafter, such data is referred to as “login user authority data DC”. The login user authority data DC is generated for each function server and the user terminal 2 of the user based on the total security evaluation of the user determined by the total security evaluation determination unit 102 as follows.

  The authority definition table TLP (see FIG. 7) associated with the combination of department and job type indicated in the user security data DUS of the user is called from the access policy database DB3.

  Attention is paid to the “target device” of each authority data DP stored in the authority definition table TLP. These authority data DP are grouped by those having the same device name shown in “target device”.

  For each group, the “work contents” information of each authority data DP classified into the group and authority information corresponding to the total security evaluation (for example, if the total security evaluation is “Middle”, the “Middle” field indicates Information). Then, by collecting the extracted information, the login user authority data DC of the device related to the group is generated.

  For example, when the authority definition table TLP has the contents shown in FIG. 7 and the total security evaluation of the user is “Middle”, the authority data DP4 and the login user authority data DC for the file server 7A are Based on DP5 and the like, login user authority data DC as shown in FIG. 12 is generated.

  Each login user authority data DC generated by the login user authority data generation unit 103 is associated with the user number of the user.

  The login user authority data transmission unit 104 sorts and transmits login user authority data DC generated for each function server and user terminal 2 to each device. Thereby, in each function server and the user terminal 2, preparation for dealing with a request for use of a service from the user is completed.

  In the user terminal 2, when the login user authority data DC of the user who is logging in is transmitted from the security management server 10, the user authentication request unit 213 receives the authentication data input reception unit 201 from the authentication server 3. Request the user to authenticate by sending the user number and password of the user.

  Then, the authentication server 3 performs processing for determining whether or not the user is a regular user, that is, user authentication, using the transmitted user number and password as usual. Then, the result is returned to the user terminal 2. When a result indicating that the user terminal 2 is a legitimate user is obtained, the user terminal 2 allows the user to log in to the business system 1. If a result indicating that the user is not a regular user is obtained, login is rejected.

  When the user can log in, until the user logs out, the user can use and operate the service of each device in the business system 1 within the range indicated by the login user authority data DC as described below. it can. When the login is rejected, the service and operation of each device cannot be performed regardless of the contents of the login user authority data DC.

[Functions for controlling the use of each service by the user]
In FIG. 4, the login user authority data receiving unit 301 of the function server receives the login user authority data DC from the security management server 10.

  Then, based on the login user authority data DC, the service restriction processing unit 302 restricts the use and operation of the service by the user associated therewith.

  Based on the login user authority data DC received by the login user authority data receiving unit 301, the service etc. restriction processing unit 302 restricts the use and operation of the service indicated by the user shown in the login user authority data DC. In other words, when the user tries to use or operate the service of the function server, it is determined whether to permit or reject it based on the login user authority data DC. Then, only when permission is granted, each part of the function server is controlled so that processing for using or operating the service is executed.

  For example, when the login user authority data receiving unit 301 receives the login user authority data DC as shown in FIG. 12, the service etc. restriction processing unit 302 of the file server 7A determines that the user related to the login user authority data DC is the customer. If an attempt is made to refer to the list file, it is permitted, and each part of the file server 7A is controlled so that the customer list file is read or transferred to the user terminal 2. However, if an attempt is made to edit the customer list file, it is rejected.

  On the other hand, in the user terminal 2, when the login user authority data receiving unit 211 receives the login user authority data DC, the service restriction processing unit 212, like the service server restriction processing unit 302 of the function server, has its login user authority. The use of the service of the user terminal 2 or the operation of the user related to the data DC is restricted. That is, when the user tries to use or operate the service, it is determined whether to permit or reject the service based on the login user authority data DC. And only when it permits, it controls each part of the user terminal 2 so that the process for using or operating the service is executed.

  Note that the security score used to calculate the total security evaluation may vary depending on the user's attitude toward security or the result of a security test. Therefore, the contents of the user login user authority data DC change, and the user may be permitted different services and operations each time he logs in.

[Function for updating security score]
FIG. 13 is a flowchart for explaining the flow of the security score update process.

  Various things occur when a user conducts business on a daily basis while operating the user terminal 2 or using services of each device of the business system 1.

  In FIG. 4, the log data generation unit 312 of each function server generates log data DR related to each predetermined action or event. Then, the log data DR is stored in the log data storage unit 313.

  Specifically, as described above, when an authentication error is detected when the user logs in to the business system 1, the log data generation unit 312 of the authentication server 3 generates the authentication error log data DR1 and logs The data is stored in the data storage unit 313.

  Alternatively, when the user attempts to perform authority violation transmission, out-of-business transmission, or deterrence keyword transmission when sending an e-mail, the log data generation unit 312 of the mail server 7C generates mail violation log data DR4 and saves the log data The data is stored in the unit 313.

  Alternatively, if the user is trying to access a prohibited site while checking with a Web browser, the log data generation unit 312 of the proxy server 7P generates external access violation log data DR5 and sends it to the log data storage unit 313. Save.

  Alternatively, when the user performs anti-virus measures such as pattern file update or engine check, the log data generation unit 312 of the virus management server 6 generates anti-virus log data DR7 and stores it in the log data storage unit 313. When virus infection is detected, virus infection log data DR8 is generated and stored in the log data storage unit 313.

  In addition, when the password is updated, password update log data DR2 is generated and stored in the authentication server 3. When the user tries to perform work outside the scope of his / her business, the work work violation log data DR6 is generated and stored in the department work server 7D. When the user performs a penalty violation action, the personnel information management server 5 generates and stores the penalty log data DR3.

  The aggregate data providing unit 322 generates and provides aggregate data DLA in accordance with a request from the security management server 10.

  The aggregated data DLA is data obtained by aggregating a predetermined action of the user or the number of predetermined events that have occurred to the user, and is used by the security management server 10 to update the security score.

  For example, when the security management server 10 requests aggregate data DLA for the user with the user number “0001” from the security management server 10, the aggregate data providing unit 322 of the mail server 7 </ b> C receives the user's past week The number of times of each of the three events of authority violation transmission, out-of-business transmission, and deterrence keyword transmission shown in the mail violation log data DR4 generated in the above is totaled, and total data DLA indicating the total result is generated. Then, the aggregated data DLA is transmitted to the security management server 10 in association with the user number. Hereinafter, the total data DLA generated based on the mail violation log data DR4 is referred to as “mail violation total data DLA4”.

  Similarly, the aggregate data providing unit 322 of the other function server generates aggregate data DLA by aggregating the contents of the log data DR in accordance with a request from the security management server 10 and transmits it to the security management server 10.

  That is, the total data providing unit 322 of the authentication server 3 generates the total data DLA called the authentication error total data DLA1 by totaling the number of authentication error detections indicated in the authentication error log data DR1, and transmits it to the security management server 10. To do. Further, the total number of times of password update indicated in the password update log data DR2 is totaled to generate total data DLA called password update total data DLA2.

  The aggregated data providing unit 322 of the personnel information management server 5 generates aggregated data DLA called penalty aggregated data DLA3 by aggregating the number of penalties subject violations indicated in the penalty log data DR3.

  The aggregate data providing unit 322 of the virus management server 6 generates aggregate data DLA called anti-virus aggregate data DLA7 by aggregating the number of times each of the pattern file update and engine check indicated in the anti-virus log data DR7. Further, by counting the number of virus infections indicated in the virus infection log data DR8, total data DLA called virus infection total data DLA8 is generated.

  The aggregated data providing unit 322 of the proxy server 7P generates aggregated data DLA called access denied aggregated data DLA5 by aggregating the number of access denials indicated in the external access violation log data DR5.

  The total data providing unit 322 of the department business server 7D generates total data DLA called business work violation total data DLA6 by totaling the number of authority violation business work indicated in the business work violation log data DR6.

  In FIG. 3, the security score update processing unit 114 determines that a predetermined action has been performed, that a predetermined action has been attempted, or that a predetermined event has occurred in the function server. When the date / time of the date is reached, or when the user takes a security test, a process of updating the security score is executed.

  Here, the procedure of the security score update process will be described with reference to a flowchart.

  When the function server detects that the predetermined action has been performed, the predetermined action is about to be performed, or the predetermined event has occurred, the security score update processing unit 114 performs the flowchart of FIG. The security score is updated according to the procedure.

  When the log data DR is generated by the log data generation unit 312 in a certain function server (that is, when a predetermined action is performed, a predetermined action is about to be performed, or a predetermined event occurs), the function server The security score update request unit 314 requests the security management server 10 to update the user's security score related to the log data DR.

  Then, the security score update processing unit 114 of the security management server 10 requests each function server for the aggregated data DLA of the user for a predetermined period based on the item-specific security level definition table TLK (see FIG. 8). (# 101).

  For example, the mail server 7 </ b> C is requested for the mail violation total data DLA <b> 4 related to the user for the past one week based on the records having the item numbers “01” to “03”. Alternatively, for the virus management server 6, the anti-virus count data DLA7 for the past month and the anti-virus count data DLA7 for the past week and the virus infection count data DLA8 for the past year for the user. , Request.

  At this time, the aggregated data providing unit 322 of each function server generates aggregated data DLA and transmits it to the security management server 10 in accordance with a request from the security management server 10.

  When the security score update processing unit 114 acquires the authentication error total data DLA1 to the virus infection total data DLA8 of the user from each function server (# 102), the contents and the security level definition table TLK for each item are shown. By collating with the judgment criteria, the security level for each of the eleven security-related items of the user is obtained (# 103).

  In consideration of the importance of each security-related item, the security level for each item obtained for each security-related item is converted into a relative evaluation score based on the relative evaluation score definition table TLT (# 104).

  The relative evaluation score of each security-related item currently registered in the user's relative evaluation score management table TLA (see FIG. 10) is replaced with the relative evaluation score obtained in the process of step # 104 (# 105). Thereby, the relative evaluation score management table TLA is updated.

  The total score of each relative evaluation score indicated in the updated relative evaluation score management table TLA is calculated (# 106). This total score is the new security score for the user.

  Then, the security score currently indicated in the user security data DUS (see FIG. 5) of the user is replaced with the new security score calculated in step # 106 (# 107).

  When the predetermined date / time is reached, the security score update processing unit 114 updates the security score for each user whose user security data DUS is registered in the user security data management table TLS. In this case, the process described in FIG. 13 may be performed for each user.

  The update date and time may be determined by the administrator of the business system 1 according to the usage environment of the business system 1 and set in the security management server 10. For example, it is preferable to set the date and time at which the business system 1 is less likely to be used, such as at midnight on Sunday. The date and time for updating can be changed as appropriate.

  When the user takes a security test, the security score update processing unit 114 updates the security score as follows based on the result of the security test, that is, the test score, instead of the aggregated data DLA.

  As described above, when the user takes the security test, the test score is transmitted from the education server 4 to the security management server 10. And it is newly stored in the “test score” of the user security data DUS of the user. At this time, the test score of the security test previously taken is deleted.

  Based on the reset score definition table TLR (see FIG. 11), the security score update processing unit 114 calculates the relative evaluation score of each security-related item corresponding to the new test score. For example, when the test score is “50 points”, the value indicated in the “40 points or more” field of each record is set as the relative evaluation score of each security-related matter. Alternatively, in the case of “95 points”, the value indicated in the “80 points or more” field of each record is set as the relative evaluation score of each security-related item. If the score is 39 or less, update of the security score is stopped.

  The relative evaluation score of each security-related item currently registered in the relative evaluation score management table TLA (see FIG. 10) of the user is replaced with the relative evaluation score of each security-related item obtained this time.

  Then, the security score of the user is calculated by summing up the new relative evaluation scores of each security-related matter, and the security score currently indicated in the user security data DUS of the user is replaced with the new security score.

  As described above, according to the method of updating the security score based on the result of the security test, past violations of the user are not considered. Therefore, it can be said that the security score is substantially reset based on the result of the security test.

  Therefore, when a user's total security evaluation is demoted due to a violation or the like and a predetermined authority is deprived, the user may be instructed to take security education and take a security test. Then, the security score may be reset according to the result, the total security evaluation may be promoted, and the authority may be recovered by depriving.

  Alternatively, a newly added user may receive security education and take a security test, and the security score of the user may be determined according to the result.

  Alternatively, the security score may be updated by allowing each user to take security education and take a security test for each period shown in the examination frequency data DT (see FIG. 7) corresponding to the total security evaluation of each person.

  FIG. 14 is a diagram for explaining the flow of processing of each device at the time of login, FIG. 15 is a diagram for explaining the flow of processing of each device when a violation operation is performed, and FIG. It is a figure for demonstrating the flow of a process of each apparatus at the time of receiving a test.

  Next, an example of the case where the user U3 with the user number “0003” operates various user services of the business system 1 by operating his / her user terminal 2c is an example of the overall processing of each device of the business system 1. The flow will be described.

  When the user number and password of the user U3 are input (# 11), the user terminal 2c transmits the user number to the security management server 10, thereby notifying that the user U3 is about to log in to the business system 1. (# 12).

  The security management server 10 acquires the user security data DUS (that is, DUS3) indicating the transmitted user number from the user security data management table TLS of FIG. 5, and multiplies the security score and the moral level indicated thereby. Is used to calculate the weighted security score, and the total security evaluation is obtained based on the policy link table TLL of FIG. 6 (# 13). According to the example shown in FIGS. 5 and 6, “Middle” is obtained as the total security evaluation of the user U3.

  The security management server 10 calculates the total security evaluation obtained in step # 13 in the authority definition table TLP (see FIG. 7) corresponding to the combination of the department (“development department”) and the job type (“engineer”) of the user U3. That is, the authority indicated by “Middle” is determined as the authority to be given to the user U3 at the time of login this time. Login user authority data DC indicating the authority to be applied to each of the user terminal 2c and each function server is generated (# 14), and the generated login user authority data DC is sorted and transmitted (# 15).

  Upon receiving the login user authority data DC, the user terminal 2c and each function server apply the login user authority data DC, and thereafter execute a process related to a service requested by the user U3 or an operation performed by the user U3. It is determined whether or not it is acceptable based on the login user authority data DC (# 16, # 17, # 18).

  The user terminal 2c requests the authentication server 3 to perform user authentication of the user U3 by transmitting the user number and password input in step # 11 (# 19).

  Then, the authentication server 3 performs an authentication process based on the transmitted user number and password (# 20). Then, the authentication result is returned to the user terminal 2c (# 21).

  When the user terminal 2c receives the notification that the authentication has been completed, the user terminal 2c completes the login of the user U3 to the business system 1 (# 22).

  The user U3 can use and operate the service of each device of the business system 1 within the range indicated by the login user authority data DC after logging in to the business system 1 and before logging out.

  The user terminal 2c and each function server restrict the use and operation of the service of the user U3 based on the login user authority data DC.

  In addition, each function server logs a record (log) when the user U3 performs a predetermined action, when the user U3 tries to perform a predetermined action, or when a predetermined event occurs in the user U3. Save as data DR.

  Here, taking the mail server 7C as an example, the process flow of the function server while the user U3 is logging in will be described with reference to the flowchart of FIG.

  In FIG. 15, after the login is completed, when the user terminal 2c performs a process of transmitting an email according to the operation of the user U3 (# 30), the email is once received by the mail server 7C.

  The mail server 7C checks whether or not the suppression keyword corresponding to the total security evaluation, department, and job type of the user U3 is not included in the electronic mail (# 31). If it is included, it is determined that the transmission of the electronic mail is a violation of the suppression keyword transmission, and mail violation log data DR4 regarding the violation is generated and stored (# 32). Further, the security management server 10 is requested to update the security score of the user U3 (# 33).

  Then, the security management server 10 collects the total data DLA (authentication error total data DLA1 to virus infection total data DLA8) in which the log data DR (authentication error log data DR1 or virus countermeasure log data DR7) of the user U3 is collected. (# 34), the security score is updated based on this, and the total security evaluation is obtained again (# 35).

  Then, when the rank of the total security evaluation of the user U3 is demoted, the security management server 10 generates login user authority data DC corresponding to the new total security evaluation (# 36), and sends it to the user terminal 2c and each function server. Apply (# 37).

  Further, when the total security evaluation of the user U3 is demoted or the security score is lower than a predetermined score, a message prompting the user U3 to take security education and take a security test is notified to the user terminal 2c. (# 38).

  After the total security evaluation is demoted, the user U3 may not be able to use or operate a service that has been possible until now. If transmission of an e-mail addressed outside the company is prohibited, the e-mail addressed outside the company is transmitted to the user terminal 2c (# 39), but is rejected by the mail server 7C (# 40).

  In FIG. 15, the user U3 takes security education using the user terminal 2c. After taking the course, take a security test to measure your level of understanding. At this time, the user terminal 2c transmits the answer of the user U3 to the education server 4 (# 50).

  Then, the educational server 4 scores and transmits the result, that is, the test score to the security management server 10 (# 51).

  The security management server 10 updates the security score of the user U3 based on the test score (# 52), and recalculates the total security evaluation of the user U3 (# 53). If there is a change in the total security evaluation, login user authority data DC corresponding to the changed total security evaluation is generated (# 54), and the new login user authority data DC is transmitted to the user terminal 2c and each function server. And applied (# 55 to # 57).

  As a result, for example, if transmission of an e-mail addressed to the outside is permitted again, the user U3 causes the e-mail addressed to the outside to be transmitted to the user terminal 2c (# 58). (# 59).

  According to the present embodiment, the user's security awareness is evaluated based on the user's actions related to security. And the authority of the user is set based on the height of the evaluation. As a result, restrictions on using the functions of the business system 1 are relaxed for those who are highly conscious of security, and constrained to those who are less conscious. As a result, both security and improvement in business efficiency can be achieved.

  In addition, since each function server and user terminal 2 is automatically set so as to limit processing related to operations outside the user's authority, it does not take time and effort for the user. In addition, setting errors can be eliminated.

  Furthermore, it is possible to appropriately change the user's authority according to changes in the user's attitude toward security. That is, the security strength can be automatically changed to a more appropriate strength. As a result, the entire business system 1 can be maintained in a favorable state for security.

  Further, according to the present embodiment, the authority of a user who has obtained a good result in the security test is automatically recovered. Therefore, in particular, a user whose authority has been revoked due to a violation operation or the like is voluntarily subjected to a security test in order to recover it. This facilitates the implementation of security tests and increases the user's awareness of security. In addition, since security tests are promoted particularly for users who do not have a good attitude to security, security education can be performed efficiently.

  In the present embodiment, an example in which the log data DR is stored in the function server has been described. However, centralized management may be performed by storing the log data DR in the security management server 10.

  A mail filter server may be provided separately from the mail server 7C, and various check processes regarding electronic mail may be performed by the mail filter server.

  The obtained total security evaluation may be registered and used at the next login.

  In the relative evaluation score definition table TLT, the relative evaluation score may be defined according to the suppression keyword.

  In addition, the business system 1, the user terminal 2, the education server 4, the security management server 10, and the configuration of all or each function server, the configuration of each function, the configuration of the table, the content indicated by each data, the content or order of processing, etc. These can be appropriately changed in accordance with the spirit of the present invention.

In the embodiment described above, the following notes are also disclosed.
(Appendix 1)
A resource management system for managing resources in an information system,
A recording means for recording contents of security-related events that the user has caused or occurred in the past;
An authorization authority determining unit that determines an authority related to the use of the resource to be given to a user based on a content of an event related to the security of the user recorded in the recording unit;
Resource use restriction means for restricting use of the resource by a user based on the authority given to the user determined by the grant authority determination means;
A resource management system comprising:
(Appendix 2)
A resource management system for managing resources in an information system,
Posture evaluation deriving means for deriving posture evaluation, which is an evaluation of a user's posture toward security, based on the contents of security-related events that the user has caused or has occurred in the past;
An authority to determine the authority to be given to a user based on the attitude evaluation of the user derived by the attitude evaluation deriving means;
Resource use restriction means for restricting use of the resource by a user based on the authority given to the user determined by the grant authority determination means;
A resource management system comprising:
(Appendix 3)
The posture evaluation deriving means derives the posture evaluation of the user based on the evaluation of the user by the other person.
The resource management system according to attachment 2.
(Appendix 4)
The posture evaluation deriving means derives the posture evaluation of the user when the user logs into the information system or when there is a new event related to the user,
The grant authority determining means determines the authority to be given to a user based on the latest posture evaluation of the user.
The resource management system according to Supplementary Note 2 or Supplementary Note 3.
(Appendix 5)
The event is an attempt to perform a prohibited act,
The content of the event is the number of times the act was attempted,
The posture evaluation deriving means derives the posture evaluation lower as the number of times increases,
The grant authority determining means gives the authority to severely limit the use of the resource as the authority as the posture evaluation is lower.
The resource management system according to any one of appendix 2 to appendix 4.
(Appendix 6)
The event is an action for security measures,
The content of the event is the number of times the act has occurred,
The posture evaluation deriving means derives the posture evaluation lower as the number of times is smaller,
The grant authority determining means gives the authority to severely limit the use of the resource as the authority as the posture evaluation is lower.
The resource management system according to any one of appendix 2 to appendix 4.
(Appendix 7)
The event is that the terminal device used by the user is infected with a virus,
The content of the event is the number of times the terminal device has been infected with a virus,
The posture evaluation deriving means derives the posture evaluation lower as the number of times increases,
The grant authority determining means gives the authority to severely limit the use of the resource as the authority as the posture evaluation is lower.
The resource management system according to any one of appendix 2 to appendix 4.
(Appendix 8)
The event is a test taken to measure security comprehension,
The content of the event is the result of the test,
The posture evaluation deriving means derives the posture evaluation lower as the result is worse,
The grant authority determining means gives the authority to severely limit the use of the resource as the authority as the posture evaluation is lower.
The resource management system according to any one of appendix 2 to appendix 4.
(Appendix 9)
A resource management method for managing resources in an information system,
The authority to be given to the user regarding the use of the resource is determined based on the contents of the event that the user has caused in the past or related to the security,
Restricting the use of the resource by a user based on the authority determined to be given to the user;
A resource management method characterized by the above.
(Appendix 10)
A computer program used in a computer for managing resources in an information system,
In the computer,
A process of determining the authority regarding the use of the resource to be given to the user based on the contents of the event that the user has caused in the past or the security has occurred for the user;
Processing to restrict the use of the resource by a user based on the authority determined to be given to the user;
A computer program for executing

It is a figure which shows the example of the whole structure of a business system. It is a figure which shows the example of a functional structure of a user terminal. It is a figure which shows the example of a functional structure of a security management server. It is a figure which shows the example of a functional structure of a function server. It is a figure which shows the example of a user security data management table. It is a figure which shows the example of a policy link table. It is a figure which shows the example of an authority definition table. It is a figure which shows the example of the security level definition table classified by item. It is a figure which shows the example of a relative evaluation score definition table. It is a figure which shows the example of a relative evaluation score management table. It is a figure which shows the example of a reset score definition table. It is a figure which shows the example of login user authority data. It is a flowchart for demonstrating the flow of a security score update process. It is a figure for demonstrating the flow of a process of each apparatus in the case of login. It is a figure for demonstrating the flow of a process of each apparatus when violation operation is performed. It is a figure for demonstrating the flow of a process of each apparatus when a user receives a security test.

Explanation of symbols

1 Business system (information system)
10 Security management server (resource management system)
102 Total security evaluation determination unit (attitude evaluation deriving means)
103 Login user authority data generator (grant authority determining means)
104 Login user authority data transmission section (resource use restriction means)
313 Log data storage unit (recording means)

Claims (5)

A resource management method for managing resources in an information system,
The authority to be given to the user regarding the use of the resource is determined based on the contents of the event that the user has caused in the past or related to the security, and
Restricting the use of the resource by a user based on the authority determined to be given to the user;
A resource management method characterized by the above. A resource management system for managing resources in an information system,
A recording means for recording contents of security-related events that the user has caused or occurred in the past;
An authorization authority determining unit that determines an authority related to the use of the resource to be given to a user based on a content of an event related to the security of the user recorded in the recording unit;
Resource use restriction means for restricting use of the resource by a user based on the authority given to the user determined by the grant authority determination means;
A resource management system comprising: A resource management system for managing resources in an information system,
Posture evaluation deriving means for deriving posture evaluation, which is an evaluation of a user's posture toward security, based on the contents of security-related events that the user has caused or has occurred in the past;
An authority to determine the authority to be given to a user based on the attitude evaluation of the user derived by the attitude evaluation deriving means;
Resource use restriction means for restricting use of the resource by a user based on the authority given to the user determined by the grant authority determination means;
A resource management system comprising: The posture evaluation deriving means derives the posture evaluation of the user based on the evaluation of the user by the other person.
The resource management system according to claim 2. A computer program used in a computer for managing resources in an information system,
In the computer,
A process of determining the authority to use the resource to be given to the user based on the contents of the event that the user has caused in the past or the security has occurred to the user;
Processing to limit the use of the resource by a user based on the authority determined to be given to the user;
A computer program for executing