JP2008158867A - Image processor, information management device and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To appropriately treat secret information at occurrence of a disaster. <P>SOLUTION: The image processor 10 comprises a user interface part (UI part) 15 for providing a user interface (UI) of the device 10; an external IF (interface) 11 for performing transmitting and receiving of various pieces of information with a server or the like; a security policy storage part 17 for storing a security policy definition rule for treatment of security information; a disaster information acquisition part 12 for acquiring information for a disaster input from the UI part 15 or the external IF 11; and a security policy change part 13 for reading discrimination information from a discrimination information storage part 14, determining a stage of the disaster by collation with the information for the disaster, and changing the security policy based on the stage of the disaster and a security policy change definition stored in a change definition storage part 16. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an image processing apparatus, an information processing apparatus, and a program.

  In recent years, the necessity of crisis management for disasters has been strongly screamed. Examples of disasters include fires, meteorological disasters (heavy rain, thunder, snow, etc.), major disasters such as earthquakes, eruptions, tsunamis, and typhoons. For example, various devices such as an image processing apparatus for processing an image to be output to a recording medium have been studied for dealing with such disasters.

  Here, conventionally, there is a measure for ensuring safety as a countermeasure when a disaster occurs in an image processing apparatus. As a conventional technique described in the publication, for example, a technique for confirming an earthquake or a fall of the apparatus from the fluctuation of the voltage or period of the apparatus through the abnormal vibration determination function means and forcibly stopping the power supply of the fixing heater (For example, refer to Patent Document 1).

  As another technology described in the publication, a copier or printer connected to a network or a telephone line has a function of receiving a disaster signal from a signal source, and when the disaster signal is received, the disaster data is printed on a sheet. There is a technique for outputting a printout and then shutting off the power (see, for example, Patent Document 2).

By the way, the functions of the image processing apparatus have been diversified today, and products equipped with a function for storing document information inside the apparatus and a function for accessing an external system through the apparatus as an entrance have appeared. On the other hand, with the enforcement of the Personal Information Protection Law, interest in information security is increasing. In order to realize each function securely in the image processing apparatus, security functions such as access control including user authentication using an IC card or biometrics have been strengthened. However, the access level and security level set by using the security function are effective in normal times, but may be problematic under special circumstances such as when a disaster occurs.
As a prior art described in the gazette regarding security in such an unforeseen situation such as a disaster, when a privileged person such as an ambulance crew notifies his / her own ID with the portable terminal device of the party, the privileged person ID is authenticated and the possession of the corresponding portable terminal device There is a technique for returning personal information of a user to an access source mobile phone device (see, for example, Patent Document 3).

JP-A-11-184327 JP 2001-023060 A JP 2004-341738 A

There are various ways of thinking about security, such as what should be completely blocked when a disaster occurs, and what should be free access, but in the past, so that confidential information can be handled appropriately when a disaster occurs. I couldn't.
An object of the present invention is to appropriately handle confidential information when a disaster occurs.

The invention described in claim 1
Storage means for storing a correspondence relationship between a function possessed by the apparatus and at least one of a user permitted to use the function and information permitted to be processed using the function;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: a changing unit that changes the correspondence stored in the storage unit in response to acquisition of information related to the occurrence of the disaster by the acquiring unit.
The invention described in claim 2
The image processing apparatus according to claim 1, wherein the changing unit determines a disaster stage based on the disaster-related information acquired by the acquiring unit, and changes the correspondence according to the stage.
The invention described in claim 3
Storage means for storing internal information held in the apparatus as a result of image processing or for use in processing related to image processing;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: processing means for performing processing for preventing loss or leakage of the internal information stored in the storage means in response to acquisition of information related to the occurrence of the disaster by the acquisition means It is.
The invention according to claim 4
The image processing apparatus according to claim 3, wherein the processing unit performs a process of outputting the internal information stored in the storage unit to the outside.
The invention described in claim 5
Before the processing unit outputs the internal information to another device, the processing unit further includes a diagnosis unit that diagnoses a state of a storage unit included in the other device and a communication unit between the other device. The image processing apparatus according to claim 4.
The invention described in claim 6
The image processing apparatus according to claim 3, wherein the processing unit performs a process of deleting the internal information stored in the storage unit.
The invention described in claim 7
An access means for accessing an external system;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: a restriction unit that restricts access to the external system by the access unit in response to acquisition of information related to the occurrence of the disaster by the acquisition unit.
The invention according to claim 8 provides:
Storage means for storing a security policy that defines rules for handling confidential information;
An acquisition means for acquiring information on the occurrence of a disaster;
An information management apparatus comprising: a changing unit that changes the security policy stored in the storage unit in response to acquisition of information related to the occurrence of the disaster by the acquiring unit.
The invention according to claim 9 is:
On the computer,
A function of storing a correspondence relationship between a function of the apparatus and at least one of a user permitted to use the function and information permitted to be processed using the function in the storage unit;
The ability to obtain information about the occurrence of a disaster,
And a function for changing the correspondence stored in the storage unit in response to acquisition of information relating to the occurrence of the disaster.
The invention according to claim 10 is:
On the computer,
A function of storing internal information held in the apparatus as a result of the image processing or in processing related to the image processing in a storage unit;
The ability to obtain information about the occurrence of a disaster,
And a function of performing processing for preventing the loss or leakage of the internal information stored in the storage unit in response to acquisition of information related to the occurrence of the disaster.
The invention according to claim 11
On the computer,
The ability to access external systems,
The ability to obtain information about the occurrence of a disaster,
And a function for restricting access to the external system in accordance with acquisition of information related to the occurrence of the disaster.

The invention according to claim 1 has an effect that, when a disaster occurs, it is possible to change a user who can use the function or information permitted to be a target of processing using the function.
According to the second aspect of the present invention, there is an effect that information that is permitted to be a user who can use the function or a process using the function can be made according to the stage of the disaster.
The invention of claim 3 has an effect that it is possible to prevent the loss or leakage of internal information held inside the apparatus when a disaster occurs.
The invention according to claim 4 has an effect that, when a disaster occurs, the internal information held in the apparatus can be saved without being lost.
The invention according to claim 5 has an effect that the internal information held in the apparatus can be saved after confirming in advance whether the information can be saved.
The invention of claim 6 has an effect that internal information held inside the apparatus does not leak when a disaster occurs.
The invention of claim 7 has an effect that it is possible to restrict access to an external system when a disaster occurs.
The invention of claim 8 has an effect that it becomes possible to appropriately handle confidential information when a disaster occurs, as compared with the case where this configuration is not provided.
The invention according to claim 9 has an effect that, when a disaster occurs, it is possible to change a user who can use the function or information permitted to be a target of processing using the function.
The invention of claim 10 has the effect of preventing the loss or leakage of internal information held inside the apparatus when a disaster occurs.
The invention of claim 11 has an effect that it is possible to restrict access to an external system when a disaster occurs.

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings.
FIG. 1 is a functional block diagram illustrating a configuration example of an image processing apparatus 10 to which the exemplary embodiment is applied. The image processing apparatus 10 includes a computer apparatus such as an embedded computer integrated with an image forming apparatus functioning as a printer, a facsimile machine, a copier, etc., a computer apparatus such as a personal computer externally connected to the image forming apparatus, or a scanner. It is realized by a computer device such as an embedded computer integrated with an image input device functioning as a computer device or a computer device such as a personal computer externally connected to the image input device. The image processing apparatus 10 is installed, for example, in a so-called convenience store that is a retail store that handles a large number of varieties in a small space. The image processing apparatus 10 installed in a so-called convenience store or the like is used as a printer, a facsimile machine, a copying machine, a scanner, or an apparatus for printing out a photograph taken with a digital camera during normal operation. There is.

  In addition, the image processing apparatus 10 includes an external IF (interface) 11 that executes communication with the outside, such as acquiring various types of information from a server. The external IF 11 is connected to, for example, an in-house network, the Internet, a dedicated line for connecting to a server, a VPN (virtual private network), or the like. In addition, the image processing apparatus 10 includes a disaster information acquisition unit 12 that acquires disaster information (information about disasters), and a security policy (rules for handling confidential information) based on the disaster information acquired from the disaster information acquisition unit 12. And a security policy changing unit 13 to be changed. Furthermore, the security policy changing unit 13 includes a distinction information storage unit 14 which is a memory in which various types of information when a disaster type determination and a disaster level (disaster stage) determination described later are performed.

  In addition, the image processing apparatus 10 receives a user operation from a position pointing device such as a mouse and a touch panel or an input device such as a keyboard, and a user interface unit (UI unit) 15 that specifies an instruction related to image processing based on the received operation. It has. In addition to providing the UI unit 15 in the image processing apparatus 10 itself, for example, an information processing apparatus such as a mobile phone, a PDA (personal digital assistance), an electronic notebook, or a personal computer may be connected by wire or wirelessly. In addition, information input from a user such as disaster information may be recognized using various input functions.

Furthermore, the image processing apparatus 10 includes a change definition storage unit 16 that stores a change definition that is set by the UI unit 15 and defines a security policy change rule by the security policy change unit 13. In addition, a security policy storage unit 17 that stores a security policy to be changed by the security policy changing unit 13 is provided.
Here, the security policy is a rule regarding the handling of confidential information. As a typical example, there is information on the authority to use functions of the apparatus. For example, information on which user can use which function. This may be determined in the form of a correspondence relationship between the function of the apparatus and the user who is permitted to use the function. Alternatively, information on which information can be used for which information can be considered. In this case, what is necessary is just to define in the format of the correspondence between the function which an apparatus has, and the information permitted to be made into the process target using the function.
Further, the security policy may be a rule regarding the handling of internal information (described later) held inside the apparatus. Alternatively, it may be a rule whether to permit access to an external system in order to maintain confidentiality of internal information.

  Further, the image processing apparatus 10 includes a diagnosis execution unit 18 that performs diagnosis of the apparatus main body or diagnosis of an external communication network such as an Internet line or a telephone line. In the diagnosis execution unit 18, the main body is usually diagnosed when the image processing apparatus 10 is powered on. In the present embodiment, in addition to this, the diagnosis content is changed based on the disaster information output from the disaster information acquisition unit 12. That is, a plurality of diagnosis sequences (predetermined order of operations for diagnosis) are prepared, and the sequences are determined according to the type of disaster, the distance from the disaster occurrence location, and the degree of influence of the disaster. For example, in the case of water damage, it is diagnosed whether or not paper feeding is possible for all the paper trays. In addition, for example, when a large-scale power outage has occurred, the stability of the power supply is confirmed and the network is diagnosed in time to determine whether communication with an external server is possible. In this way, in order to better realize, for example, appropriate diagnosis and / or faster diagnosis, self-diagnosis and network environment diagnosis are performed in accordance with the acquired information on the disaster. In other words, for example, diagnosis execution corresponding to information related to disasters is realized, such as diagnosis location pickup, prioritization of diagnosis locations, and diagnosis of specific locations not performed in diagnosis in the normal mode. Furthermore, in the present embodiment, the diagnosis execution unit 18 also exchanges information on diagnosis results with similar functions in other devices.

  Further, the image processing apparatus 10 includes an apparatus control unit 20 that controls the entire apparatus. Furthermore, as various functions involved in image processing, for example, an image acquisition unit 21 that acquires image data to be processed from a computer such as a scanner, a telephone line, or an externally connected PC (personal computer), and the acquired image An image processing unit 22 that processes data and an image forming unit 23 that outputs processed image data are provided. Here, the image forming unit 23 employs, for example, an image forming system that forms a toner image on a sheet by an electrophotographic system, or an ink jet system that forms an image by ejecting ink onto a sheet, for example. Should be included. Note that the image forming unit 23 does not execute until an image is actually formed on a sheet, but may be configured to output image data to an image forming apparatus connected via a predetermined line. Good.

  Furthermore, the image processing apparatus 10 includes a user authentication unit 24 that authenticates a user who uses the apparatus. For example, by inserting an IC card distributed in advance or inputting a user ID assigned in advance, the user conveys information (user information) identifying the user to the inside of the apparatus. Then, the user authentication unit 24 verifies whether or not the user information is registered, and if registered, permits the use of the device and stores the user information in the memory. If not registered, Deny use of the device. For example, when the user requests the use of the function from the UI unit 15, the user can query the security policy stored in the security policy storage unit 17 using the user information stored in the memory, and the user can Determine whether the function can be used. Alternatively, when information about which information can be used as a target as a security policy is stored as a security policy, although not illustrated, by using the information for specifying the target information, the security policy is inquired, It is also conceivable to provide another authentication unit that determines whether or not the function can be used for the information.

  Furthermore, the image processing apparatus 10 includes an internal information storage unit 25 that stores internal information. Here, the internal information refers to highly confidential information held inside the image processing apparatus 10. For example, information held as a result of image processing and information held for use in processing related to image processing correspond to this. As the former information, for example, there is information (image log) related to an image obtained as a result of image processing. As the latter information, there are a FAX number, a mail address and the like used when an image obtained as a result of image processing is transmitted to the outside.

In addition, the image processing apparatus 10 includes a communication control unit 26 that performs control of access to an external system, external output of internal information at the time of a disaster, and the like. The communication control unit 26 controls communication based on the security policy stored in the security policy storage unit 17.
For example, if it is defined in the security policy that the internal information is output to the outside, the communication control unit 26 performs a process of outputting the internal information to the outside. In this case, the communication control unit 26 is an example of a processing unit that performs processing for preventing loss or leakage of internal information.
If the security policy defines that access to the external system is permitted, the connection operation to the external system is performed in response to the external system cooperation service request from the user. On the other hand, if it is defined in the security policy that access to the external system is not permitted, the connection with the external system is blocked. In this case, the communication control unit 26 is an example of an access unit that accesses an external system and a restriction unit that restricts access to the external system.
The external system here is a basic system such as a business system or a document management system, and is connected to the image processing apparatus 10 via a communication line. The external system cooperation service is a service that provides the user with various services prepared by the external system in cooperation with the external system using the image processing apparatus 10 as an entrance (portal).

The image processing apparatus 10 shown in FIG. 1 has several modes when acquiring information related to a disaster.
First, the disaster information acquisition unit 12 acquires information related to a disaster from the UI unit 15. For example, a function for inputting an emergency state may be provided in the UI unit 15 of the image processing apparatus 10, and information relating to a disaster may be acquired by recognizing what is input by this function. Examples include emergency buttons (switches) and emergency command settings. When this disaster information is acquired by the disaster information acquisition unit 12, the security policy change unit 13 changes the security policy stored in the security policy storage unit 17 from the normal policy based on the acquired disaster information. Change to a compatible policy.

  Second, there is an aspect in which the disaster information acquisition unit 12 functions as a disaster recognition unit and autonomously determines information related to a disaster (disaster information). For example, it has a seismometer and vibration detection function to recognize disasters. As the seismometer, for example, a method of detecting the initial tremor (P wave) of an earthquake, detecting the magnitude and position of the earthquake, and recognizing the degree of earthquake influence on the image processing apparatus 10 can be considered. As in the first mode, the security policy changing unit 13 changes the security policy in the security policy storage unit 17 from a normal policy to a disaster response policy.

  Furthermore, as a third aspect, there is an aspect in which information relating to disaster (disaster information) is received via a network. For example, the external IF (interface) 11 acquires information relating to a disaster from a server computer via the Internet, which is a network using a TCP / IP communication protocol. Examples of information relating to disasters via this network include information provided by government agencies and local governments, and information provided by external organizations such as companies. Then, as in the first and second aspects, the security policy changing unit 13 changes the security policy in the security policy storage unit 17 from the normal policy to the disaster response policy.

  Furthermore, as a fourth aspect, there is an aspect in which an inquiry is made to a server via a network, and information relating to a disaster is acquired by a so-called pull method (a method in which a user pulls expected content). In the fourth aspect, the disaster information acquisition unit 12 outputs inquiry information to the external IF 11, and the external IF 11 accesses an external server computer via the Internet, for example, based on the inquiry information. To get information about disasters. Then, as in the first to third aspects, the security policy changing unit 13 changes the security policy in the security policy storage unit 17 from a normal policy to a disaster response policy.

  Although the case where the image processing apparatus 10 changes the security policy based on disaster information has been described here, for example, a physical that detects a suspicious person in an office or the like separately from or in addition to disaster information. Intruder information may be acquired from the security system. And it is good also as a structure which outputs this intruder information to the security policy change part 13 similarly to disaster information, and changes a security policy based on this intruder information.

  FIG. 2 is a diagram illustrating an example of disaster information acquired by the disaster information acquisition unit 12 and used for security policy change processing by the security policy change unit 13. Information relating to a disaster (disaster information) is created, for example, in an XML file. In the example shown in FIG. 2, the disaster information includes various information used for determining the disaster level such as the location of the image processing device, the disaster type, the seismic intensity, the epicenter, the magnitude, and the image processing device neighboring information. As the “disaster type”, an example of “earthquake” is shown in FIG. Depending on the type of disaster level (stage of disaster), items such as seismic intensity, epicenter, and magnitude are determined (described later).

Next, the distinction information storage unit 14 will be described. The distinction information storage unit 14 formed on a storage medium such as a hard disk drive (HDD) is read / written by the security policy changing unit 13 that is a function of software executed by a CPU (described later). .
FIG. 3 is a diagram illustrating an example of the level determination table stored in the distinction information storage unit 14. The level determination table is read by a CPU that executes a processing program, and temporarily stored in, for example, a work memory (described later) for the work of the CPU. As shown in FIG. 3, this level judgment table is set so that an evaluation item (judgment item) and its degree are determined for each disaster type, thereby determining the disaster level (stage of disaster). Yes. The disaster types include earthquake disaster, storm and flood disaster, volcanic disaster, nuclear disaster, snow disaster, accident disaster, and other disasters. In FIG. 3, an earthquake disaster is selected.

  In FIG. 3, the seismic intensity of the own device, the distance from the own device to the epicenter, the magnitude of the epicenter, neighborhood information, and elapsed time are listed as evaluation items for the earthquake disaster. FIG. 3 also shows the disaster level LV1 as the first disaster level, the disaster level LV2 as the second disaster level, and the disaster level LV3 as the third disaster level as the determined disaster levels. . Regarding the seismic intensity of the own device, which is an evaluation item, for example, the standard value is the disaster level LV1 from seismic intensity 5 weak, the disaster level LV2 from seismic intensity 5 to seismic intensity 7, and the disaster level LV3 from seismic intensity 8 or higher.

  Similarly, the distance from the own device to the epicenter is, for example, a disaster level LV1 when it is more than 50 km as a reference value, a disaster level LV2 when it is 50 km to 20 km, and a disaster level LV3 when it is closer than 20 km. Yes. As for the magnitude of the epicenter, for example, the disaster level LV1 when the reference value is smaller than the magnitude 4.0, the disaster level LV2 when the magnitude is 4.1 to 7.0, and the disaster level LV3 when the magnitude exceeds 7.1. It is said that.

  Further, as the neighborhood information, for example, “rescue required” is a disaster level LV2, and “sound communication failure” is a disaster level LV3. Furthermore, the elapsed time is set as a reference value, for example, disaster level LV1 within one week or more, disaster level LV2 within 4 days, disaster level LV3 within 2 days. The security policy changing unit 13 reads the level determination table as shown in FIG. 3 from the HDD, sets it in the memory, and collates it with disaster information as shown in FIG. 2, for example. Then, the disaster level LV1 to the disaster level LV3 are determined by this collation, and the disaster level is set in the memory.

  As described above, the disaster level serving as a guideline for determining the security policy is determined from the matching between the level determination table determined for each disaster type and the acquired disaster information. In the level determination table, a reference value corresponding to the disaster level is determined for each evaluation item. By observing the matching between the level determination table and the disaster information, a preferable disaster level can be obtained for each evaluation item. The determination of the disaster level may be performed using, for example, the highest level among the evaluation items of the disaster information. For example, an average level may be determined as the disaster level. Furthermore, the level may be determined for each evaluation item, and the security policy may be changed for each item.

Next, the security policy change definition stored in the change definition storage unit 16 will be described.
FIG. 4 shows a UI for setting a security policy change definition, and information displayed on the UI is also stored in the memory.
This UI is for setting a security policy change definition for copy, fax, print, image log, and external system linkage service. In the figure, the change definition for the copy is shown. Here, it is defined how the authority to use the copy function should be changed according to the disaster level. For example, during normal times, the copy function can be used only by registered users and administrators, and cannot be used by guests. However, the security policy is set to be changed when the disaster level is LV2 or higher. That is, if the disaster level is LV2 or higher, it is an emergency, so the guest is allowed to use the copy function.
Further, although not shown in the drawing, how to change the authority to use each function according to the disaster level is similarly defined for FAX and print.

On the other hand, as a change definition related to the image log, for example, in normal times, the image log is stored inside the apparatus, and in the event of a disaster, the image log is output to storage means in a region where no disaster has occurred. It is possible. Even if there is no problem at the time of the disaster, the image log may disappear due to fire or flooding over time. In such a case, the network is evacuated to a safe place while the network at the initial stage of the disaster is normal.
In addition, as a change definition for external system linkage services, for example, during normal times, access to external systems is permitted, but in the event of a disaster, connection with external systems is blocked in order to prevent leakage of confidential information. It can be considered that.

Next, processing executed by the image processing apparatus 10 shown in FIG. 1 will be described using a flowchart.
FIG. 5 is a flowchart illustrating processing executed by the disaster information acquisition unit 12 and the security policy change unit 13 of the image processing apparatus 10. The disaster information acquisition unit 12 of the image processing apparatus 10 acquires disaster information by a predetermined method (step 101). This predetermined method obtains information about a disaster from the UI unit 15 in the first aspect described above. In the first aspect, for example, when a predetermined input related to the occurrence of a disaster is input from the user in the UI unit 15, for example, a predetermined command is output from the UI unit 15 to the disaster information acquisition unit 12. The disaster information acquisition unit 12 determines the disaster type, the disaster level, and the like from this command, and the disaster information as shown in FIG. Output.

In step 101, in the case of the above-described second mode, the disaster information acquisition unit 12 autonomously determines and acquires information about the disaster (disaster information), and the disaster information acquisition unit 12 Disaster information as shown in FIG. 2 is output to the security policy changing unit 13 as contents that can be determined by the policy changing unit 13.
In the case of the third aspect described above, information on disaster (disaster information) is received via the network by the external IF (interface) 11. Thereafter, the disaster information acquisition unit 12 converts the received disaster information into disaster information as shown in FIG. 2 and outputs it to the security policy change unit 13 as contents that can be determined by the security policy change unit 13.
Further, in the fourth aspect described above, the disaster information acquisition unit 12 outputs inquiry information to the external IF (interface) 11, and the external IF (interface) 11 sends the inquiry information to the server via the network. Output to computer. And the disaster information acquisition part 12 acquires the information (disaster information) regarding a disaster via the external IF (interface) 11 as a reply of this inquiry. Thereafter, the disaster information acquisition unit 12 converts the acquired information about the disaster into disaster information as shown in FIG. 2 and outputs the disaster information to the security policy change unit 13.

Next, in step 101, the security policy changing unit 13 that has acquired the disaster information from the disaster information acquiring unit 12 performs a security policy changing process.
That is, first, the disaster type is determined (step 102). Then, the level determination table (see FIG. 3) stored in the distinction information storage unit 14 is read and written (set) in a working memory (described later) (step 103). Thereafter, the level judgment table is queried using the acquired disaster information (step 104). Then, the disaster level obtained as a result of referring to the level judgment table from the disaster information is written (set) in the working memory (step 105), and the security policy is changed to the security level corresponding to the disaster level (step 106). ).

  When the security policy related to the authority to use functions such as copying, faxing, and printing is changed by this process, the user authentication unit 24 uses the function according to the changed security policy in response to the function usage request from the user. It is determined whether or not it may be permitted. For example, during normal times, the user authentication unit 24 permitted copying only for copy requests from registered users or administrators, but at the time of a disaster at the disaster level LV2 or LV3, Also allow copying. However, when a disaster occurs, traceability information indicating when and on which machine the copy was made may be superimposed on all the copy images and printed. Such a process is realized by setting not only which user can use which function but also a process to be additionally performed when the function is used in the security policy.

  When the security policy regarding the image log and the external system cooperation service is changed, the communication control unit 26 of the image processing apparatus 10 performs the following operation. In this case, in the security policy after the change, it is defined that the image log is output to the outside and then discarded, and the external system linkage service is defined to block the connection with the external system. And

FIG. 6 is a flowchart detailing the operation of the communication control unit 26 at this time.
First, the communication control unit 26 acquires a diagnosis result from the diagnosis execution unit 18 (step 201). Here, in addition to the results of the self-diagnosis and the network diagnosis, the diagnosis results also include the results of diagnosis relating to the device exchanged with another device that has been determined in advance as the save destination of the image log. And the communication control part 26 determines whether the network is normal in the result of the diagnosis (step 202). If the network is normal, it is determined whether a storage device such as an HDD in the save destination device is normal (step 203). If the storage device is normal, the communication control unit 26 transmits the image log to the save destination device via the external IF 11 (step 204). Thereafter, the communication control unit 26 deletes (discards) the image log in order to prevent information leakage due to theft that was lost in the confusion at the time of disaster (step 205).

On the other hand, if it is determined in step 202 that the network is not normal, or if it is determined in step 203 that the storage device in the save destination apparatus is not normal, the image log is not transmitted or deleted.
Here, the image log is deleted after being saved to the outside, but may be deleted without being saved to the outside. This can also be realized by making such settings in the security policy.
Further, the communication control unit 26 blocks the connection to the external system in accordance with the changed security policy (step 206). At this time, in order to allow data transmission to the external system, access restriction such as blocking only data reception from the external system may be performed. This is also achieved by defining such a definition in the security policy.

  By the way, in the above description, the security policy is changed based only on the disaster information, and the result of self-diagnosis or network diagnosis is obtained when processing based on the changed security policy is performed as shown in the flowchart of FIG. I tried to take it into account. However, the timing for considering the result of self-diagnosis or network diagnosis is not necessarily limited to this. That is, the result of self-diagnosis or network diagnosis may be taken into account when changing the security policy. For example, if there is a problem with the diagnostic results of the charging unit, exposure unit, development unit, transfer unit, fixing unit, and paper feed unit, the copy function and print function, etc., should be set so that all users are denied use. It may be changed.

In addition, the configuration in which the image processing apparatus 10 stores and manages the security policy and changes the security policy according to the disaster occurrence state has been described so far, but the configuration is not limited thereto.
For example, a configuration may be adopted in which a policy server is provided outside the image processing apparatus 10 and this policy server collectively manages security policies of a plurality of image processing apparatuses 10 and other servers.
First, the configuration of the computer system in this case will be described.
FIG. 7 is a diagram showing the overall configuration of this computer system.
As shown in the figure, this computer system is configured by connecting image processing apparatuses 10a, 10b, and 10c, a policy server 30, a business system 40, and a document management system (DMS) 50 via a network. ing. In the figure, three image processing apparatuses 10 are shown, but the number of image processing apparatuses is not limited to this.

  In this computer system, as described above, the image processing apparatus 10 is a computer apparatus such as an embedded computer integrated with an image forming apparatus functioning as a printer, a facsimile, a copying machine, etc., or a personal computer externally connected to the image forming apparatus. This is realized by a computer device such as a computer, a computer device such as an embedded computer integrated with an image input device functioning as a scanner, or a computer device such as a personal computer externally connected to the image input device. However, it does not have a function for managing a security policy or a function for changing this when a disaster occurs.

  The policy server 30 is a server computer that collectively manages security policies. For example, it may be realized using a personal computer, a workstation, or another computer. As described above, the function of managing the security policy and the function of changing the security policy in the event of a disaster have been removed from the image processing apparatus 10. In this computer system, the policy server 30 has the removed function. To do.

  Furthermore, the business system 40 and the document management system 50 are computer systems that function as external systems accessed by the image processing apparatus 10. Here, the business system 40 and the document management system 50 may be realized using, for example, a personal computer, a workstation, or another computer.

Next, the functional configuration of the policy server 30 will be described.
FIG. 8 is a functional block diagram illustrating a configuration example of the policy server 30 to which this exemplary embodiment is applied. The policy server 30 includes an external IF (interface) 31 that executes communication with the outside, for example, acquiring various information from the image processing apparatus 10. In addition, the policy server 30 changes the security policy (rules concerning handling of confidential information) based on the disaster information acquired from the disaster information acquisition unit 32 and the disaster information acquisition unit 32 that acquires disaster information (information about disaster). Security policy changing unit 33. Further, the security policy changing unit 33 includes a distinction information storage unit 34 that is a memory in which various types of information when a disaster type determination and a disaster level (disaster stage) determination described later are performed.

In addition, the policy server 30 receives a user operation by a position indicating device such as a mouse and a touch panel or an input device such as a keyboard, and a user interface unit (UI unit) 35 that specifies an image processing instruction based on the received operation. I have. Furthermore, a change definition storage unit 36 that stores a change definition that is set by the UI unit 35 and defines a security policy change rule by the security policy change unit 33, and a security policy that is to be changed by the security policy change unit 33 are displayed. And a security policy storage unit 37 for storing.
The external IF 31, the disaster information acquisition unit 32, the security policy change unit 33, the distinction information storage unit 34, the UI unit 35, the change definition storage unit 36, and the security policy storage unit 37 are the same as the external IF 11 of FIG. Since the acquisition unit 12, the security policy changing unit 13, the distinction information storage unit 14, the UI unit 15, the change definition storage unit 16, and the security policy storage unit 17 are the same, detailed description thereof is omitted.

Here, the policy server 30 functions as a server that provides a security policy in response to a request from the image processing apparatus 10. Accordingly, a security policy search unit 38 for searching for a security policy requested from the security policy storage unit 37 is provided.
The security policy changing operation by the policy server 30 is the same as that shown in FIG.

  By the way, when the user requests use of the function, the image processing apparatus 10 transmits user information to the policy server 30 to inquire about the security policy in order to authenticate the user. However, if the network is disconnected when a disaster occurs, it is possible that the user cannot be authenticated and necessary processing cannot be performed even in an emergency. In preparation for such a situation, a disaster security policy is also prepared in the image processing apparatus 10, and when the connection to the policy server 30 fails, the disaster security policy may be referred to. Good.

Finally, the hardware function of the policy server 30 and the part that functions as the computer of the image processing apparatus 10 will be described.
FIG. 9 is a diagram illustrating, for example, a part that functions as a computer of the image processing apparatus 10 and a hardware configuration in the policy server 30. The computer shown in FIG. 9 includes a CPU (Central Processing Unit) 901 which is a calculation means, a mother board (M / B) chipset 902, and a main memory 903 connected to the CPU 901 via a CPU bus. Further, a display interface 904 such as a video card and a display 910 are connected to the CPU 901 via the M / B chipset 902. In addition, for example, a magnetic disk device (HDD) 905 and a communication interface 906 connected to the M / B chipset 902 via a PCI (Peripheral Component Interconnect) bus or the like are provided. Further, a keyboard / pointing device 909 connected from the PCI bus to the M / B chipset 902 through a low-speed bus such as a bridge circuit 907 and an ISA (Industry Standard Architecture) bus is provided.

  Here, the CPU 901 executes various software such as an OS (Operating System) and an application to realize the various functions described above. The main memory 903 functioning as a working memory has a storage area for storing various software, data used for executing the software, and the like. Further, the magnetic disk device 905 is a memory having a storage area for storing input data for various software, output data from various software, and the like. In the present embodiment, it also functions as the discrimination information storage units 14 and 34. Instead of the magnetic disk device 905, a semiconductor memory typified by a flash memory may be used. In the present embodiment, the user interface units 15 and 35 provide a UI via the display 910 and the keyboard / pointing device 909. Further, the external IFs 11 and 31 are realized using the hardware of the communication interface 906.

  As described above, the various processes shown in the present embodiment are realized by application programs executed by the CPU 901 using the main memory 903 which is a working memory. This application program is provided in a state installed in the apparatus when the image processing apparatus 10 which is a computer is provided to a customer (including a user), and the computer reads a program to be executed by the computer. You may provide with the storage medium etc. which memorize | stored possible. As this storage medium, for example, a CD-ROM medium or the like corresponds, and a program is read and executed by a CD-ROM reader (not shown) or the like. These programs may be provided via a communication interface 906 such as a network interface via communication means such as a network by a program transmission apparatus (not shown), for example. The program transmission apparatus includes, for example, a memory that stores a program and a program transmission unit that provides the program via a network, which is provided in a server computer on the host side.

It is a functional block diagram which shows the structural example of the image processing apparatus with which this Embodiment is applied. It is the figure which showed an example of the disaster information acquired in the disaster information acquisition part, and used for the change process of a security policy. It is the figure which showed the example of the level judgment table memorize | stored in a discrimination information storage part. It is the figure which showed the example of the change definition of a security policy. It is the flowchart which showed the process performed in the disaster information acquisition part and security policy change part of an image processing apparatus. It is the flowchart which showed the process of the communication control part when the security policy after a change is a specific setting. It is a figure showing an example of composition of a computer system to which this embodiment is applied. It is a functional block diagram which shows the structural example of the policy server to which this Embodiment is applied. For example, it is a diagram showing a hardware configuration of a computer that functions as an image processing apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Image processing apparatus, 11 ... External IF (interface), 12 ... Disaster information acquisition part, 13 ... Security policy change part, 14 ... Discrimination information storage part, 15 ... User interface part (UI part), 16 ... Change definition storage , 17 ... Security policy storage unit, 18 ... Diagnosis execution unit, 20 ... Device control unit, 21 ... Image acquisition unit, 22 ... Image processing unit, 23 ... Image forming unit, 24 ... User authentication unit, 25 ... Internal information storage Part, 26 ... communication control part

Claims (11)

Storage means for storing a correspondence relationship between a function possessed by the apparatus and at least one of a user permitted to use the function and information permitted to be processed using the function;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: a changing unit that changes the correspondence stored in the storage unit in response to the acquisition of information related to the occurrence of the disaster by the acquiring unit.   The image processing apparatus according to claim 1, wherein the changing unit determines a disaster stage from the information about the disaster acquired by the acquiring unit, and changes the correspondence according to the stage. Storage means for storing internal information held in the apparatus as a result of image processing or for use in processing related to image processing;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: processing means for performing processing for preventing loss or leakage of the internal information stored in the storage means in response to acquisition of information related to the occurrence of the disaster by the acquisition means .   The image processing apparatus according to claim 3, wherein the processing unit performs a process of outputting the internal information stored in the storage unit to the outside.   Before the processing unit outputs the internal information to another device, the processing unit further includes a diagnosis unit that diagnoses the state of the storage unit included in the other device and the communication unit between the other device. The image processing apparatus according to claim 4.   The image processing apparatus according to claim 3, wherein the processing unit performs a process of deleting the internal information stored in the storage unit. An access means for accessing an external system;
An acquisition means for acquiring information on the occurrence of a disaster;
An image processing apparatus comprising: a restriction unit that restricts access to the external system by the access unit in response to acquisition of information related to the occurrence of the disaster by the acquisition unit. Storage means for storing a security policy that defines rules for handling confidential information;
An acquisition means for acquiring information on the occurrence of a disaster;
An information management apparatus comprising: a changing unit that changes the security policy stored in the storage unit in response to acquisition of information related to the occurrence of the disaster by the acquiring unit. On the computer,
A function of storing a correspondence relationship between a function of the apparatus and at least one of a user permitted to use the function and information permitted to be processed using the function in the storage unit;
The ability to obtain information about the occurrence of a disaster,
A program for realizing a function of changing the correspondence stored in the storage unit in response to acquisition of information relating to the occurrence of the disaster. On the computer,
A function of storing internal information held in the apparatus as a result of image processing or in processing related to image processing in a storage unit;
The ability to obtain information about the occurrence of a disaster,
A program for realizing a function of performing processing for preventing loss or leakage of the internal information stored in the storage unit in response to acquisition of information relating to the occurrence of the disaster. On the computer,
The ability to access external systems,
The ability to obtain information about the occurrence of a disaster,
A program for realizing a function of restricting access to the external system in response to acquisition of information related to the occurrence of the disaster.

Images