JP2009146402A - Information processing system, information processor, its control method, communication apparatus, its control method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To relieve a load of an approver concerning approval when information is written in a removable storage medium. <P>SOLUTION: A management server acquires an approval rule (a step S4001), compares temporary permission application with approval conditions of the approval rule, when the temporary permission application matches to the approval conditions, retrieves approval history of data applicable to data whose writing request is accepted (a step S4003), and approves output of the data whose writing request is accepted to a storage device based on the retrieved approval history of the data (a step S4006). <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a technique for performing an approval process for a data write request to a storage device.

  In recent years, leakage of personal information and confidential information has been affecting corporate trust. Information leakage may occur due to unauthorized access from the outside, but most are caused by carelessness of people inside the company.

  Further, information may be taken out by a removable storage medium and information leakage may occur. Since the Personal Information Protection Law was enforced in 2005, it has become an urgent task for companies to take measures against information leakage.

  Therefore, by installing a program that controls a device such as a removable storage medium (CD-RW, USB memory, etc.) in a computer terminal and managing the settings of the program from a dedicated server, information leakage from the device can be prevented. The prevention mechanism has become common.

  In such a system, when it is desired to use a device temporarily, the administrator must make a setting to permit the use of the specified device, and after the use of the device is finished, the process of returning the setting again. It was necessary to perform etc., and the administrator was very burdened.

  In view of this point, in the invention as disclosed in Patent Document 1, the user who temporarily uses the device manages the temporary use of the device by applying to the administrator, thereby reducing the load on the administrator. It is mitigating.

JP 2006-309296 A

  However, in the invention disclosed in Patent Document 1, it is necessary for the administrator to determine the contents of each piece of information that is taken out to the outside and determine whether the information may be taken out. For this reason, when a large amount of text, image data, or the like is to be taken out, it is necessary to read through each file and make a determination, which is a heavy burden.

  Conventionally, when data that has been permitted to be taken out in the past is to be taken out again, it is necessary to check the contents of the file again in order to determine whether the data to be taken out is the same as the data that has been allowed to be taken out in the past.

Furthermore, in the past, when data that was taken out in the past was partially changed and tried to be taken out again, it was difficult to understand where the data was changed, so the administrator took time to check the contents of the data and increased the burden. ing. In addition, in the conventional mechanism that allows the device to be used temporarily within the time permitted by the administrator, data different from the data permitted to be written can be written to the device, information leakage, etc. There was a security problem.
Conventionally, data that has been temporarily allowed to be written can be output after the data has been allowed to be changed and output, so there is a risk that data such as confidential information will be added and output. .

  Therefore, an object of the present invention is to reduce the burden on the approver for approval.

  Another object of the present invention is to prevent leakage of information by permitting output of only data that is temporarily permitted to be written to a device.

The information processing system according to the present invention is an information processing system in which an information processing apparatus that approves output of data requested to be written to a storage device and a communication apparatus that requests data writing to the storage device are connected via a communication line. The information processing apparatus includes: a receiving unit that receives a data write request from the communication device; a search unit that searches for an approval history of data corresponding to the data for which the write request has been received by the receiving unit; And an approval unit that approves the output of the data received by the receiving unit to the storage device based on the approval history of the data searched by the search unit.
The information processing apparatus of the present invention is an information processing apparatus that is communicable with a communication device that makes a data write request to a storage device, and that approves output of the write-requested data to the storage device, the communication device A receiving unit that receives a data write request from the device, a search unit that searches for an approval history of data corresponding to the data for which the write request has been received by the receiving unit, and an approval history of the data searched by the search unit And approval means for approving output of the data received by the receiving means to the storage device.
An information processing apparatus control method according to the present invention is a method for controlling an information processing apparatus that approves output of data requested to be written to a storage device, and includes a reception step for receiving a data write request, and writing by the reception step. A search step for searching for an approval history of data corresponding to the data for which the request has been received, and the data to which the write request has been received by the reception step based on the approval history for the data searched by the search step. And an approval step for approving the output.
A program according to the present invention is a program for causing a computer to execute a control method of an information processing apparatus that approves output of data requested to be written to a storage device, a reception step for receiving a data write request, and the reception A search step for searching for an approval history of data corresponding to the data for which the write request has been received in the step, and the storage of the data for which the write request has been received by the receiving step based on the approval history of the data searched for by the searching step An approval step for approving output to a device is executed by a computer.
The communication apparatus of the present invention can communicate with an information processing apparatus that holds a temporary data write policy in which a condition for temporarily permitting data write is defined, and determines whether or not the write-requested data can be output to a device. A communication device for controlling, requesting means for requesting the information processing device for temporary write-out including identification information for uniquely identifying the data requested to be written, and the information processing device in response to a request by the requesting device An acquisition means for acquiring a temporary write policy in which identification information capable of uniquely specifying data that is temporarily allowed to be written is specified; a receiving means for receiving a data write instruction to the device; and the receiving means When receiving a write instruction, the identification information defined in the temporary write policy acquired by the acquisition means Obtained by the obtaining means by the data judging means for judging whether the data that is temporarily permitted to be written and the data instructed to be written by the accepting means are the same. When it is determined that the data temporarily permitted to be written by the temporary write policy is the same as the data instructed to be written by the receiving means, the output of the data to the write driver corresponding to the device is performed. Output permission means for permitting.
The communication apparatus control method according to the present invention is capable of communicating with an information processing apparatus having a temporary data write policy in which conditions for temporarily permitting data write are defined, and writing data requested to be written to a device. A method for controlling a communication device that controls whether output is possible, a request step for requesting the information processing device for a temporary write request including identification information that can uniquely identify data requested to be written, and a request by the request step An acquisition step of acquiring a temporary write policy in which identification information capable of uniquely specifying data that is temporarily allowed to be written is specified from the information processing apparatus; and a reception step of receiving a data write instruction to the device And the temporary document obtained in the obtaining step when receiving the writing instruction in the accepting step. A data determining step for determining whether the data that is temporarily permitted to be written specified by the identification information defined in the output policy is the same as the data instructed to be written in the receiving step; and the data Corresponding to the device when it is determined in the determination step that the data temporarily written by the temporary write policy acquired in the acquisition step is the same as the data instructed to be written in the reception step An output permission step for permitting the output of the data to the write driver.
The program of the present invention can communicate with an information processing apparatus having a temporary data write policy in which a condition for temporarily permitting data write is defined, and controls whether or not write requested data can be output to a device. A program for causing a computer to execute a control method for a communication device, a request step for requesting the information processing device for a temporary write request including identification information capable of uniquely identifying data requested to be written, and the request step In response to a request by the information processing apparatus, an acquisition step for acquiring a temporary write policy in which identification information capable of uniquely identifying data that is temporarily allowed to be written is specified from the information processing apparatus, and a data write instruction to the device Receiving step, and when receiving a writing instruction in the receiving step It is determined whether the data that is temporarily permitted to be written specified by the identification information specified in the temporary writing policy acquired in the acquiring step is the same as the data that is instructed to be written in the receiving step. In the data determination step and the data determination step, it is determined that the data temporarily permitted to be written by the temporary write policy acquired in the acquisition step and the data instructed to be written in the reception step are the same. In this case, the output permission step for allowing the output of the data to the write driver corresponding to the device is executed by the computer.

  In the present invention, the output of the data is automatically approved based on the approval history of the data corresponding to the data for which the write request has been accepted. Therefore, according to the present invention, it is not necessary for the administrator to approve data one by one, and the burden on the approver related to the approval can be reduced.

  In addition, according to another feature of the present invention, it is possible to prevent leakage of information by permitting output of only data that is temporarily permitted to be written to a device.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

  FIG. 1 is a diagram schematically showing a device restriction system configuration according to an embodiment of the present invention. As shown in FIG. 1, the device restriction system according to the present embodiment enables a client terminal 101, an administrator terminal 102, and a management server 103 to communicate with each other via a network (communication line) 104 such as a LAN. It is a connected configuration. The client terminal 101, the administrator terminal 102, and the management server 103 are configured by an information processing apparatus such as a computer. The client terminal 101 is a configuration example of the communication apparatus of the present invention, and the management server 103 is a configuration example of the information processing apparatus of the present invention. The device restriction system shown in FIG. 1 is a configuration example of the information processing system of the present invention.

  The client terminal 101 is a terminal used by a user. In this client terminal 101, an agent program and a filter driver are installed. The client terminal 101 has a function of controlling a device (hard disk, USB memory, etc.) connected to the terminal and a function of transmitting an operation log to the management server 103 according to a monitoring policy distributed from the management server 103. .

  The administrator terminal 102 is a terminal used by the administrator. This administrator terminal 102 is connected to the management server 103 through a WEB browser installed in the terminal, and has a function of operating and browsing system settings and states.

  The management server 103 is a management server that holds system information such as client information and monitoring policies. The management server 103 has a function of providing a system setting screen to the administrator terminal 102, a function of receiving an operation log from the client terminal 101, and a function of distributing a monitoring policy.

  The present invention is not applicable to the system configuration shown in FIG. 1, and there may be a plurality of client terminals 101, administrator terminals 102, and management servers 103.

  FIG. 2 is a block diagram schematically showing a hardware configuration of the information processing apparatuses of the client terminal 101, the administrator terminal 102, and the management server 103 in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204.

  Further, the ROM 202 or the external memory 211 is necessary for realizing a function executed by a basic input / output system (BIOS) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a server or each client. Various programs to be described later are stored.

  The RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program necessary for execution of processing into the RAM 203 and executing the program.

  An input controller (input C) 205 controls input from a pointing device such as a keyboard 209 or a mouse (not shown).

  A video controller (VC) 206 controls display on the display 210. The display may be a CRT display or a liquid crystal display.

  The memory controller (MC) 207 is a hard disk (HD), floppy disk (registered trademark) (FD), or PCMCIA that stores a boot program, browser software, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash memory connected to the card slot via an adapter.

  A communication I / F controller (communication I / FC) 208 is connected to and communicates with an external device via the network 105, and executes communication control processing in the network. For example, Internet communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 201 by, for example, implementing outline font rasterization processing on the display information area in the RAM 203. Further, the CPU 201 can be instructed by a user with a mouse cursor (not shown) on the display 210.

  A program for realizing the present invention is recorded in the external memory 211 and is executed by the CPU 201 by being loaded into the RAM 202 as necessary. Further, various data and various tables used by the program according to the present invention are stored in the external memory 211, and detailed description thereof will be described later.

  FIG. 3 is a block diagram schematically showing the module configuration of the client terminal 101 in FIG.

  First, the client terminal 101 includes an operating system 308 and programs operating on the operating system, such as a setting program 301, a temporary writing program 302, a control / communication service program 303, a print monitoring module 310, and a filter driver (file system) 304. , A filter driver (CD-RW / DVD writing) 305, a file system driver 306, a CD-RW / DVD writing driver 307, a printer driver 313, a device 309, and a printer 314.

  The setting program 301 provides user operation screens such as an agent program stop screen and an application screen.

  The temporary writing program 302 provides a function of writing a file to a device connected to the client terminal 101 when the temporary use of the device is permitted by the temporary writing function.

  The control / communication service program 303 operates as a resident program, sets operation for the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305, and functions and operations for acquiring a monitoring policy from the management server 103 Provide a function to send logs.

  The print monitoring module 310 is a module called in the control / communication service program 303 and provides a function for controlling execution of printing.

  A filter driver (file system) 304 monitors file operations on devices such as a hard disk, a USB memory, a floppy (registered trademark) disk drive, and a shared folder. The filter driver (file system) 304 provides a function for prohibiting operations based on the operating conditions set by the control / communication service program 303.

  A filter driver (CD-RW / DVD writing) 305 monitors an operation on an optical disk such as a CD-R, CD-RW, or DVD, and prohibits the operation based on an operating condition set by the control / communication service program 303. Provide the function to do.

  The file system driver 306 provides a function for the operating system 308 to control the external memory 211.

  The CD-RW / DVD writing driver 307 provides a function for the operating system 308 to control an optical disc such as a CD-R, CD-RW, or DVD.

  The printer driver 313 provides a function for the operating system 308 to control the printer 314.

  The printer 314 is a device that prints character data, image data, graphic data, and the like on paper, an OHP sheet, and the like.

  The device 309 means a device built in the client terminal 101 such as a built-in hard disk, a shared folder connected on the network, or a removable storage medium such as a USB memory, a floppy (registered trademark) disk, or an optical disk. To do.

  FIG. 4 is a block diagram schematically showing the module configuration of the administrator terminal 102 in FIG.

  The administrator terminal 102 includes an operating system 403, a WEB browser application 401 that is a program operating on the operating system 403, and an e-mail receiving application 402, and is stored in the external memory 211 of FIG.

  An administrator uses the WEB browser application 401 to connect to the management server 103 and provides a function for setting and browsing system information. The e-mail receiving application 402 provides a function of receiving e-mail from the management server 103.

  FIG. 5 is a block diagram schematically showing the module configuration of the management server 103 in FIG.

  The management server 103 includes an operating system 505, a log reception program 501 that is a program operating on the operating system 505, a WEB server 502, a management WEB application 503, and a database 504. These are stored in the external memory 211 shown in FIG.

  The log reception program 501 provides a function of receiving an operation log from the client terminal 101 and storing it in a database.

  The management WEB application 503 operates on the WEB server 502, and functions and clients that provide a setting screen, system information, and operation log information in response to a request from the WEB browser application 401 installed in the administrator terminal 102 A function of distributing a monitoring policy in response to a monitoring policy acquisition request from the terminal 101 is provided.

  Next, the database 313 provides a function of saving the set system information or saving the operation log transmitted from the client terminal 101. Note that the module is stored in the external memory 211 of FIG.

  FIG. 6 is a flowchart illustrating an example of a processing procedure of the device restriction system in the present embodiment.

  First, an apparatus for executing each step shown in FIG. 6 will be described. First, in steps S601 to S611 shown in FIG. 6, the CPU 201 of the client terminal 101 executes the control / communication service program 303, the setting program 301, and the print monitoring module 310 stored in the storage unit such as the external memory 211. This is realized by loading the program into the RAM 203 and executing it.

  Next, the processing of steps S621 to S625 shown in FIG. 6 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  6 is realized by the CPU 201 of the management server 103 loading the log reception program 501 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  Finally, in steps S651 to S653 shown in FIG. 6, the CPU 201 of the administrator terminal 102 loads the WEB browser application 401 and the e-mail receiving application 402 stored in the storage means such as the external memory 211 into the RAM 203. It is realized by executing. The above is the apparatus for executing each step shown in FIG.

Next, each step of the flowchart shown in FIG. 6 will be described.
First, the monitoring policy creation process in steps S651, S652, S621, and S622 will be described.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 based on a screen operation by the administrator.

  Then, the WEB browser application 401 of the administrator terminal 102 connects to the management WEB application 503 of the management server 103, and transmits approval information (user ID and password) (step S651).

  Next, the management WEB application 503 of the management server 103 receives the authentication information transmitted from the administrator terminal 102 and executes authentication processing (step S621). The authentication process here means authentication by ID and password, or authentication by an authentication device such as a smart card.

  When the authentication process is successful, the WEB browser application 401 of the administrator terminal 102 displays a monitoring policy setting screen (FIG. 9) for inputting the monitoring policy (FIG. 10). On the other hand, if the authentication process fails, the CPU 201 of the administrator terminal 102 displays an error message (not shown) indicating that the authorization has failed on the WEB browser application 401.

  In the monitoring policy setting screen, as shown in FIG. 9, monitoring policy name setting (0901), monitoring policy description (0902), floppy disk access control and operation log setting (0903) , Removable disk access control and operation log setting (0904), local hard disk access control and operation log setting (0905), access control to optical disk by packet writing and operation log setting (0906), optical disk by writing software Access control and operation log setting (0907), print control and operation log setting (0908), shared folder access control and operation log setting (0909) are displayed.

  In addition, as shown in FIG. 10, the monitoring policy prohibits a read command, a write command, a file name change command, and a delete command for a floppy (registered trademark) disk, a removable disk, a local hard disk, an optical disk, and a network drive. This is information that defines whether or not to set a print command for a printer and whether to record the command as a log.

  Next, when the administrator inputs the monitoring policy (FIG. 10) using the monitoring policy setting screen (FIG. 9) and presses the create monitoring policy button (0910), the WEB browser application 401 of the administrator terminal 102 is displayed. Transmits the input monitoring policy, monitoring policy name, and description of the monitoring policy to the management server 103 (step S652).

  Next, the management WEB application 503 of the management server 103 receives the monitoring policy, the monitoring policy name, and the description of the monitoring policy (step S622), and stores them in the monitoring policy table (FIG. 11) (step S623).

  Here, as shown in FIG. 11, the monitoring policy table stores a monitoring policy ID, a monitoring policy name, a monitoring policy description, a monitoring policy creation time, and a monitoring policy for specifying the monitoring policy.

  When the monitoring policy is stored in the monitoring policy table, it is converted into a character string, and the following information is stored in each property. That is, the access control setting of the floppy (registered trademark) disk is stored in the FD_CTRL property. The FD_LOG property stores the operation log setting of the floppy (registered trademark) disk. The RM_CTRL property stores access control settings for removable disks. The operation log setting of the removable disk is stored in the RM_LOG property. The HD_CTRL property stores the local hard disk access control settings. The HD_LOG property stores the operation log settings for the local hard disk. The PCD_CTRL property stores access control settings for the optical disk by packet writing. The PCD_LOG property stores the operation log settings for the optical disk by packet writing. The WCD_CTRL property stores the access control setting for the optical disc by the writing software. The WCD_LOG property stores the operation log setting of the optical disc by the writing software. Print control settings are stored in the PRT_CTRL property. The operation log setting for printing is stored in the PRT_LOG property. The NET_CTRL property stores the access control settings for the network drive. The operation log setting of the network drive is stored in the NET_LOG property.

  With the above processing, the monitoring policy creation processing in step S651, step S652, step S621, and step S622 is completed.

  Next, the installation process in step S601, step S602, and step S623 will be described.

  First, the CPU 201 of the client terminal 101 installs the agent program 311 and the filter driver 312 in the client terminal 101 based on the administrator's screen operation (step S601).

  Here, the agent program 311 means the setting program 301, the temporary writing program 302, the control / communication service program 303, and the print monitoring module 310 shown in FIG.

  The filter driver 312 means the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 shown in FIG.

  Next, when the installation is completed, the CPU 201 of the client terminal 101 activates the setting program 301 and displays a screen (not shown) for setting network information such as the IP address of the management server 103.

  When the administrator inputs network information using the screen, the setting program 301 of the client terminal 101 notifies the control / communication service program 303 of the input network information.

  Next, the control / communication service program 303, which is a resident program of the client terminal 101, transmits the notified client information (FIG. 7) to the management WEB application 503 of the management server 103 (step 602).

  Here, as shown in FIG. 7, the client information is the name of the domain (domain name) to which the client terminal 101 is connected, the user name set and registered in the client terminal 101, and the IP address of the client terminal 101. , Information including the computer name of the client terminal 101. This client information is used to acquire a monitoring policy ID from the client information table in the monitoring policy acquisition process in step S624.

  Then, the management web application 503 of the management server 103 receives the client information and stores the client information in the client information table (FIG. 8) (step S621).

  Here, as shown in FIG. 8, the client information table includes an agent ID for identifying the agent program 311, a domain name of the client terminal 101, a computer name and an IP address, and a user name logged in to the client terminal 101. And the ID of the monitoring policy to be applied to the client terminal 101 (monitoring policy ID) is stored.

  The monitoring policy ID stores the monitoring policy ID created in step S622. Thereby, the management server 103 can know the monitoring policy applied to the client terminal 101 by referring to the monitoring policy ID in the client information table.

  In the above embodiment, the monitoring policy is applied to the client terminal 101. However, it is also possible to apply the monitoring policy to a user who logs in to the client terminal 101. It is also possible to apply and manage monitoring policies in groups by grouping client terminals and users.

  With the above processing, the installation processing in step S601, step S602, and step S623 is completed.

  In the above embodiment, the agent program 311 and the filter driver 312 are installed based on the screen operation of the administrator. However, the agent program 311 and the filter driver 312 can be automatically installed using a directory service.

  Next, the monitoring policy application process in steps S603, S604, and S624 will be described.

  First, the control / communication service program 303, which is a resident program of the client terminal 101, transmits a monitoring policy acquisition request (FIG. 23) to the management server 103 (step S603).

  Here, as shown in FIG. 23, the monitoring policy acquisition request is the name of the domain (domain name) to which the client terminal 101 is connected, the computer name of the client terminal 101, the user name of the client terminal 101, the inquiry Information including an inquiry type ID for identifying the contents of the agent and an agent ID for identifying the agent program.

  Also, the monitoring policy acquisition request transmission processing in step S603 is executed by the control / communication service program 303 of the client terminal 101 based on the screen operation of the administrator, or the control / communication service program 303 is preset. Run regularly at intervals.

  Next, the management WEB application 503 of the management server 103 receives the monitoring policy acquisition request, refers to the client information table (FIG. 8) using the agent ID, domain name, user name, and computer name as keys, and monitors the monitoring policy. Get an ID.

  Further, the management WEB application 503 of the management server 103 refers to the monitoring policy table (FIG. 11) using the acquired monitoring policy ID as a key, and acquires the monitoring policy (1101). Then, the management WEB application 503 of the management server 103 returns the monitoring policy to the control / communication service program 303 of the client terminal 101 (step S624).

  Next, the control / communication service program 303 of the client terminal 101 that has received the monitoring policy executes a monitoring policy application process (FIG. 12) (step S604).

  Hereinafter, the monitoring policy application process will be described with reference to FIG. The processing in steps S1201 to S1203 in FIG. 12 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  First, the control / communication service program 303, which is a resident program of the client terminal 101, stores the received monitoring policy in the file format in the external memory 211 of the client terminal 101 (step S1201).

  The file saved here is called a monitoring policy file (FIG. 13), and each property in the file has the same value as the monitoring policy (1101) in the monitoring policy table described above, as shown in FIG. Means.

  Next, the control / communication service program 303 of the client terminal 101 refers to the monitoring policy file (FIG. 13) stored in the external memory 211, and defines information that defines whether to execute or reject the printing process. Set in the print monitoring module 310. Then, the print monitoring module 310 monitors the execution of the printing process (step S1202).

  Further, the control / communication service program 303 of the client terminal 101 refers to the monitoring policy file (FIG. 13) stored in the external memory 211, and filters the device paths prohibited by the monitoring policy and the prohibited file operations. The rejection condition (FIG. 21) held by the driver 312 is set (step S1203).

  Here, as shown in FIG. 21, the rejection condition includes a file path for which the filter driver 312 performs access control, and a read command, a write command, a file name change command, and a delete command executed on the file. Of these, information defining which instructions are prohibited is stored.

  Specifically, when the access control is set to read only (only read operation is permitted) as in the floppy disk access control 909 on the monitoring policy setting screen (FIG. 9), the rejection condition includes , A floppy disk drive path and a write command, a file name change command, and a delete command prohibition for the path are registered. As a result, when a write command is executed from an arbitrary program to a file stored in a floppy (registered trademark) disk, the operation can be prohibited by the filter driver 312.

  This rejection condition is set for each floppy (registered trademark) disk, removable disk, local hard disk, CD / DVD drive, and network drive, and uses wildcard characters such as * (asterisk) to mean all character strings. It is also possible to set the file path.

  FIG. 22 shows prohibition instructions corresponding to the items of access control (none, read-only, all prohibition).

  The file driver 312 holds permission conditions (FIG. 20) in addition to the rejection conditions. The permission condition is a file path for which the filter driver 312 performs access control, and which command is permitted among a read command, a write command, a file name change command, and a delete command executed on the file. Stores defined information.

  The permission condition can also control a file operation command executed by the process by registering a process ID instead of a file path.

  Specifically, when the process ID of the control / communication service program 303 is registered in the permission condition as in step S1404 in FIG. 14, the file operation command executed from the control / communication service program 303 is a rejection condition. Execution is always permitted for folders and files registered in. With the above processing, the monitoring policy application processing shown in FIG. 12 is completed.

  As a result, when the file operation prohibited by the monitoring policy is executed in the client terminal 101, the filter driver 312 can interrupt the file operation.

  Note that the monitoring policy file saved in step S1201 is stored in the same folder as the agent program 311 is stored. Access to this folder from programs other than the agent program 311 is prohibited by the filter driver (file system) 304 of the client terminal 101. For this reason, it is not possible to browse files in a folder or write information from other programs.

  Hereinafter, the access control processing of the folder (agent program folder) in which the agent program 311 is stored will be described with reference to FIG. 14 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  First, the control / communication service program 303, which is a resident program of the client terminal 101, acquires the path of the folder in which the agent program 311 is stored (step S1401).

  Then, the control / communication service program 303 sets the path of the agent program 311 acquired in step S1401, the read command, the write command, and the file for the denial condition (FIG. 21) held by the filter driver (file system) 304. The prohibition of the name change command and the delete command is set (step S1402).

  Next, the control / communication service program 303 of the client terminal 101 acquires its own process ID (step S1403).

  Then, the control / communication service program 303 includes the process ID acquired in step S1403, the read command, the write command, the file name change command, and the delete command for the process in the permission conditions held by the filter driver (file system) 304. The permission is set (step S1404).

  With the above processing, the agent program folder access control processing shown in FIG. 14 is completed. As a result, other programs cannot operate the monitoring policy file and the agent program 311.

  With the above processing, the monitoring policy application processing in steps S603, S604, and S624 is completed.

  Next, processing when the device operation in step S606 is performed will be described.

  First, the CPU 201 of the client terminal 101 executes an access command to a device such as a file or a printer by a user screen operation (step S606). If the executed command is a printer operation, the print monitoring module 310 of the client terminal 101 executes access control for the printer operation (FIG. 15). On the other hand, when the executed instruction is a file operation, the filter driver 312 executes access control for the file operation (FIG. 16).

  First, processing when a printer operation is executed will be described with reference to FIG. 15 is executed by the CPU 201 of the client terminal 101 by loading the control / communication service program 303 and the print monitoring module 301 stored in the storage unit such as the external memory 211 into the RAM 203. Is realized.

  First, the print monitoring module 301 of the client terminal 101 detects a printing operation and notifies the control / communication service program 303 (step S1501).

  Next, the control / communication service program 303, which is a resident program of the client terminal 101, receives a notification from the print monitoring module 301, refers to the monitoring policy stored in the external memory 211, and is prohibited from executing printing. Is determined (step S1502).

  If printing is not prohibited, the control / communication service program 303 notifies the print monitoring module 301 of a print operation permission command. Then, the print monitoring module 301 passes the process to the operating system 308 and executes the print process (step S1503).

  Conversely, when printing is prohibited, the control / communication service program 303 notifies the print monitoring module 301 of a print operation prohibition command. The print monitoring module 301 does not pass the print execution command to the operating system 308, but transmits the print failure information to the program that executed the print, and interrupts the print (step S1504). The above processing is processing when printing is executed.

  Next, processing when a file operation is executed will be described with reference to FIG. Note that the processing in steps S1601 to S1607 in FIG. 16 is realized by the CPU 201 of the client terminal 101 loading the filter driver 312 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it.

  As mentioned in the description of step S601, the filter driver 312 here means the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 shown in FIG. A filter driver (CD-RW / DVD writing) 305 controls file operations on the optical disc. On the other hand, the filter driver (file system) 304 controls file operations for a floppy (registered trademark) disk, a removable disk, a local hard disk, and a network drive.

  The filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 perform the same processing except that the devices to be controlled are different.

  First, the filter driver 312 of the client terminal 101 detects that a file operation has been executed (step S1601).

  Next, the filter driver 312 of the client terminal 101 determines whether the executed file operation matches the permission condition held by itself (steps S1602 and S1603). Specifically, it is determined whether the operation target file or process is the same as the file or process registered in the permission condition. If the file or process registered under the permission condition is the same, a determination is made by comparing whether the file operation instruction is a command permitted under the permission condition. Next, when the permission conditions are met, the filter driver 312 of the client terminal 101 transmits the information to the lower driver without stopping the operation and completes the processing (step S1607).

  On the other hand, if it does not match the permission condition, the filter driver 312 of the client terminal 101 checks whether the content of the file operation matches the rejection condition (FIG. 21) (S1604). Specifically, it is determined whether the operation target file is the same as the file registered in the rejection condition. When the file is the same as the file registered under the rejection condition, a determination is made by comparing whether the file operation instruction is an instruction prohibited by the rejection condition. Next, when the rejection condition is not met, the filter driver 312 of the client terminal 101 transmits information to the lower driver and completes the process (step S1607).

  On the other hand, if the rejection condition is met in step S1605, the filter driver of the client terminal 101 interrupts the detected file operation (step S1606). The above processing is processing when a file operation is executed.

  Next, an operation log recording process in steps S608, S609, S626, and S627 will be described.

  First, the control / communication service program 303, which is a resident program of the client terminal 101, refers to the monitoring policy file stored in the external memory 211 and determines whether to record an operation log (step S608).

  When recording the operation log, the control / communication service program 303 of the client terminal 101 transmits the operation log (FIG. 17) to the log reception program 501 of the management server 103 (step S609).

  Here, as shown in FIG. 17, the operation log is an agent ID for identifying an agent program, an operation log occurrence time, a computer name, a domain name, an IP address, a MAC address, and an operation of the client terminal 101 where the operation log is generated. Event ID that identifies the type of log, detailed event ID that indicates whether the operation is permitted or prohibited, device ID that stores device information on which the operation was executed, file name of the operation target file, file size, output This means information including the destination file path, execution process name, number of print pages, print execution time, print execution printer name, print execution printer port number, and print file name.

  The number of print pages, print execution time, print execution printer name, print execution printer port number, and print file name in the operation log are recorded only when printing is executed. On the other hand, the file name, file size, and output file path of the operation log are recorded only when the file operation is executed.

  Next, the log reception program 501 of the management server 103 receives the operation log (FIG. 17) (step S626). Then, the log reception program 501 stores the operation log in the operation log table (FIG. 18) (step S627).

  On the other hand, when the operation log is not transmitted, the control / communication service program 303 of the client terminal 101 does not execute the process of step S609 and proceeds to the next step.

  With the above processing, the operation log recording processing of Step S608, Step S609 and Step S626, Step S627 is completed.

  Note that the processing in steps 603 to 610 is executed until the operating system 308 ends or the CPU 201 of the client terminal 101 stops the agent program based on the user's screen operation.

  Next, the agent program stop process in step S611 will be described. First, the setting program 301 of the client terminal 101 executes an agent program stop process when an agent program stop command is executed based on a user operation (step S611).

  Hereinafter, the stop processing of the agent program will be described with reference to FIG. The process of step S1901 in FIG. 19 is realized by the CPU 201 of the client terminal 101 loading and executing the setting program 301 stored in the storage unit such as the external memory 211 on the RAM 203.

  19 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the setting program 301 of the client terminal 101 displays a password input screen (not shown) (step S1901).

  Then, the setting program 301 of the client terminal 101 notifies the stop command of the agent program and the password to the control / communication service program 303 which is a resident program after the password is input by the user using the password input screen. (Step S1902).

  Next, the control / communication service program 303 compares whether the predetermined password matches the password notified from the setting program 301 (step S1903).

  If they match, the control / communication service program 303 transmits a stop command to the filter driver 312 and the print control program 310 (step S1904).

  Further, the control / communication service program 303 terminates its own program and completes the stop processing of the agent program (step S1905).

  With the above processing, the agent program stop processing in step S511 is completed. The authentication process using the password is to prevent the agent program from being stopped intentionally and disabling the device restriction function.

  Finally, the monitoring log browsing process in steps S625 and S653 will be described. In FIG. 6, first, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 and displays a search screen (not shown) on the WEB browser application 401.

  When the search condition is input by the user's screen operation, the WEB browser application 401 of the administrator terminal 102 transmits the search condition to the management WEB application 503 of the management server 103 (step S653).

  Next, the management WEB application 503 of the management server 103 refers to the operation log table (FIG. 18), acquires an operation log that matches the search condition, and transmits it to the administrator terminal 102 (step S625).

  Then, the WEB browser application 401 of the administrator terminal 102 displays the contents of the operation log. With the above processing, the monitoring log browsing processing in step S625 and step 653 is completed. The above is the processing procedure of the device restriction system in the present embodiment.

  FIG. 24 is a flowchart showing an example of processing of the automatic approval function and the summary report creation function of the device restriction system in the present embodiment.

  First, an apparatus that executes each step of the flowchart shown in FIG. 24 will be described. First, in steps S2401 to S2415 shown in FIG. 24, the CPU 201 of the client terminal 101 loads the control / communication service program 303 and the setting program 301 stored in the storage means such as the external memory 211 into the RAM 203. It is realized by executing.

  Next, the processing from step S2441 to step S2451 shown in FIG. 24 is realized by the CPU 201 of the management server 103 loading the management web application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  24 is realized by the CPU 201 of the management server 103 loading the log reception program 501 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  Finally, in steps S2471 to S2474 shown in FIG. 24, the CPU 201 of the administrator terminal 102 loads the WEB browser application 401 and the e-mail receiving application 402 stored in the storage means such as the external memory 211 into the RAM 203. It is realized by executing. The above is the processing apparatus that executes each step of the flowchart shown in FIG.

  Next, each step of the flowchart shown in FIG. 24 will be described. First, the approval rule setting process in steps S2441 and S2471 will be described.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 based on the screen operation of the administrator, and connects to the management WEB application 503 of the management server 103. Then, the WEB browser application 402 of the administrator terminal 102 displays an approval rule list screen (FIG. 25) that displays a list of approval rules. Here, the approval rule means information including an approval condition, an approval operation, and an approval rule name.

  27 can be set as the approval condition of the approval rule, and the contents (file, applicant, past application result, etc.) of the temporary permission application applied in step S2401 are shown in FIG. If it matches the conditions shown, automatic processing is executed. Step S2401 is an example of processing of the accepting means and requesting means of the present invention.

  In addition, the approval operation (FIG. 28) is information that defines an operation to be executed when the above-described approval conditions are met. The temporary permission application is automatically permitted and rejected, or the administrator performs a temporary permission application. It is possible to set operations such as browsing and manually executing approval processing.

  In this embodiment, the approval condition is the condition shown in FIG. However, if you specify the file name, path, extension, file size, character string, owner, etc. of the temporarily applied file as a condition, or if a specific character string containing personal information is included in the applied file, It is also possible to specify that it is included in the search condition.

  Similarly, in this embodiment, the approval operation is the operation shown in FIG. However, it is also possible to set the approval operation to execute an arbitrary program when the approval conditions are met.

  Next, the WEB browser application 401 of the administrator terminal 102 uses the screen to input an approval rule name, an approval condition, and an approval operation when the administrator presses the add approval rule button (2501). The rule setting screen (FIG. 26) is displayed.

  Then, using the screen, the administrator inputs an approval rule name (2601), an approval condition (2602), and an operation condition (2603), and presses an approval rule creation button (2604). Then, the WEB browser application 401 of the administrator terminal 102 transmits the approval rule name, the approval condition, and the operation condition to the management WEB application 503 of the management server 103 (step S2471).

  Then, the WEB browser application 401 of the management server 103 receives the approval rule name, the approval condition, and the operation condition, and stores them in the approval rule table (FIG. 29) and the approval condition table (FIG. 30) (step S2441).

  Here, in the approval rule table, as shown in FIG. 29, an ID for identifying the approval rule, a rule name of the approval rule, a date when the approval rule is updated, a valid flag indicating whether the approval rule is valid, and The approval operation is stored.

  Further, in the approval condition table, as shown in FIG. 30, an ID for identifying the approval condition, an approval rule ID of the related approval rule table, a creation date of the approval rule, an approval condition, a value of the approval condition, other approval conditions A logical code representing an association (AND, OR) with the table is stored.

  With the above processing, the approval rule setting processing in steps S2441 and S2471 is completed.

  Next, the file analysis setting process in steps S2442 and S2472 will be described. The file analysis process is a process for setting a value used in the file analysis process in step S2447.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 based on the screen operation of the administrator, and connects to the management WEB application 503 of the management server 103.

  Then, the WEB browser application 401 of the administrator terminal 102 displays a file analysis setting screen (FIG. 39).

  Here, in the file analysis setting screen, “number of characters to be acquired” (3901) for setting the number of characters to be acquired from the beginning of the file for which temporary permission is applied, and the search character string in the file for which temporary permission has been applied are displayed. A “character string to be searched” (3902) to be set and a “graphic / image to be acquired” (3903) to set what type of graphic or image in the file for which the temporary permission application has been applied are displayed.

  Next, when the above value is input by the screen operation of the administrator and the apply button (3904) is pressed, the WEB browser application 401 transmits the set value to the management WEB application 503 of the management server 103 (step S3). S2472).

  Then, the management WEB application 503 of the management server 103 stores the value in the file analysis setting table (FIG. 54) (step S2442).

  Here, the file analysis setting table includes the number of characters to be acquired used in step S3801 in FIG. 38, the search character string used in step S3803, the bitmap, JPG, GIF, graph, and graphic object values used in step S3804. Stored.

  With the above processing, the file analysis setting processing in steps S2442 and S2472 is completed.

  Next, the temporary permission application process in step S2401 will be described. The setting program 301 and the control / communication service program 303 of the client terminal 101 execute a temporary permission application process (FIG. 31) (step S2401).

  Hereinafter, the temporary permission application process will be described with reference to FIG. 31, the CPU 201 of the client terminal 101 loads the control / communication service program 303 and the setting program 301 stored in the storage unit such as the external memory 211 into the RAM 203. In the processing of steps S2471 to S2473 shown in FIG. It is realized by executing.

  First, the CPU 201 of the client terminal 101 activates the setting program 301 based on an administrator's screen operation. Then, the setting program 301 displays a temporary permission application screen (FIG. 33) for inputting temporary permission application information (FIG. 32).

  Here, the temporary permission application information includes an agent ID for identifying the agent program, the name of the domain to which the client terminal 101 belongs (domain name), the computer name of the client terminal 101, the name of the user who is logged in to the client terminal 101, Applicant's name, applicant's e-mail address, reason for application, output file list that describes the absolute path of the file to be stored on the device, path of the device that outputs the file, inquiry type ID that identifies the type of inquiry, file The information includes the type of the device that outputs the file, the volume serial ID of the device that outputs the file, the product name of the device that outputs the file, the vendor ID, the product ID, and the serial ID of the device that outputs the file. However, the device type that outputs the file included in the temporary permission application information, the volume serial ID of the device that outputs the file, the product name of the device that outputs the file, the vendor ID, product ID, and serial ID of the device that outputs the file Is obtained based on the path of the device that outputs the file in step S3101, and is not displayed or input from the temporary permission application screen (FIG. 33). For example, when the output device is a USB memory, the type of device that outputs the file included in the temporary permission application information, the volume serial ID of the device that outputs the file, and the device that outputs the file from the storage means in the USB memory The product name, the vendor ID, product ID, and serial ID of the device that outputs the file are acquired.

  Next, using the screen, the applicant's name (3301), the applicant's e-mail address (3302), the path of the device that outputs the file (3303), and the file to be output to the device are described by the applicant. When the output file list (3304), application reason (3305) is input, and the application button (3306) is pressed, the setting program 301 of the client terminal 101 is input from the temporary permission application screen (FIG. 33). Based on the information and the path (3303) of the device that outputs the file input from the temporary permission application screen (FIG. 33), the type of the device that outputs the file, the volume serial ID of the device that outputs the file, and the file Product name of device to output, vendor ID, product ID, serial of device to output file To get the ID, and stored in the temporary permission application information. Then, the control / communication service program 303 is notified (step S3101). However, if the device that outputs the file is not a USB memory, no value is set because the vendor ID, product ID, and serial ID of the device that outputs the file cannot be acquired.

  Next, the control / communication service program 303 of the client terminal 101 that has received the notification acquires the domain name, computer name, login user, and agent ID of the client terminal 101 and stores them in the temporary permission application information. Then, the file attribute information (FIG. 34) is acquired from the file registered in the output file list of the temporary permission application information (step S3102). Here, the “file hash value” in the file attribute information (FIG. 34) requests the OS to calculate the hash value of the file, and the OS obtains the file's hash value. A hash value is acquired from the OS.

  Here, the file attribute information is information including the absolute path of the file, the creation date and time, the update date and time, the hash value and the size of the file.

  Further, the control / communication service program 303 of the client terminal 101 copies the file registered in the output file list to a predetermined area of the external memory 211 of the management server 103 (step S3103).

  Next, the control / communication service program 303 of the client terminal 101 transmits temporary permission application information and file attribute information to the management WEB application 503 of the management server 103 (step S3104).

  Then, the control / communication service program 303 of the client terminal 101 displays a message (not shown) indicating that the temporary permission application has been completed on the temporary permission application screen (step S3105). With the above processing, the temporary permission application processing in step S2401 is completed.

  Next, the temporary permission application information storing process in step S2446 will be described. First, the management WEB application 503 of the management server 103 to which the temporary permission application information and the file attribute information are transmitted in step S2401 executes a temporary permission application information storage process (FIG. 35) (step S2446).

  Hereinafter, with reference to FIG. 35, the temporary permission application information storage processing will be described. The processing in steps S3501 and S3502 shown in FIG. 35 is realized by the CPU 201 of the management server 103 loading the management web application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the management WEB application 503 of the management server 103 checks whether the file copied in step S3103 is copied to a predetermined area in the external memory 211 of the management server 103 (step S3501).

  Next, the management WEB application 503 of the management server 103 stores the temporary permission application information transmitted in step S3104 in the temporary permission application table (FIG. 36).

  Here, in the temporary permission application table, the temporary permission application ID for identifying the temporary permission application, the ID for identifying the agent program, the processing status of the temporary permission application, the name of the user who executed the temporary permission application, and the temporary permission application are executed. Computer name, domain (domain name) to which the computer for which temporary permission application was executed belongs, name and e-mail address of the applicant, reason for application, device to output the file for temporary permission application, approver ID, temporary permission Reason for application approval, validity period when temporary permission application is permitted, number of times of use of temporary writing program 302, path of device outputting file, type of device outputting file, volume serial ID of device outputting file , Product name of the device that outputs the file, device that outputs the file Vendor ID, product ID, it is possible to store information including the serial ID.

  Next, the management WEB application 503 of the management server 103 stores the file attribute information in the file attribute table (FIG. 37) (step S3502).

  Here, the file attribute table includes a file attribute ID for identifying a record of the file attribute table, a temporary permission application ID of the related temporary permission application table, an absolute path of the file applied, a creation date, an update date, a hash value File size, header character string, footer character string, first character string acquired in step S3801, the number of specific character strings acquired in step S3803, figure / image data acquired in step S3804, personal information acquired in step S3805 As a result of the presence / absence, content analysis acquired in step S3806, information including the score value acquired in step S3807 can be stored.

  With the above processing, the temporary permission application information storage processing in step S2446 is completed.

  Next, the file analysis process in step S2447 will be described. First, the management WEB application 503 of the management server 103 executes analysis processing (FIG. 38) on the file copied in step S3103.

  The file analysis process will be described below with reference to FIG. Note that the processing of steps S3801 to S3809 shown in FIG. 38 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The Further, the processing shown in FIG. 38 is an example of processing by the analyzing means of the present invention.

  First, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information, and acquires the first character string included in the file (step S3801). Further, the number of characters acquired by the above processing is acquired from the character number sequence acquired in the file analysis setting table.

  Next, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information, and acquires the header character string and footer character string of the file (step S3802).

  Further, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information, and the character string set in the file analysis setting screen (FIG. 39) is included in the file. It is searched (step S3803). Specifically, the management WEB application 503 of the management server 103 acquires the value of the search character string in the file analysis setting table, searches whether the character string is included in the file, and the appearance of the corresponding character string. Record the number of times.

  Next, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information, and the image / image in the format (3903) set on the file analysis setting screen (FIG. 39). It is determined whether graphic data is embedded in the file. If it is included, the management WEB application 503 of the management server 103 acquires the image / graphic data (step S3804).

  Furthermore, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information and determines whether personal information is included in the file. Specifically, words such as names, addresses, and telephone numbers included in the file are searched, and it is determined whether personal information is included depending on whether the number of hits reaches a preset criterion (step S3805). ). The management WEB application 503 of the management server 103 simultaneously records the number of corresponding words.

  Next, the management WEB application 503 of the management server 103 analyzes the file registered in the output file list of the temporary permission application information, and determines the category of the file content. Specifically, the word contained in the file is acquired and classified into a predefined category (business, private, financial, education, image data, etc.) according to the meaning and the number of appearances of the word. (Step S3806).

  Next, the management WEB application 503 of the management server 103 executes scoring processing (step S3807). Specifically, a score and a threshold value are set in advance for each analysis process from step S3801 to step S3807, and when the processing result exceeds the threshold value, the score of the process is added to obtain a total score (score). To get.

  Next, the management WEB application 503 of the management server 103 determines whether analysis processing has been executed for all files registered in the output file list of temporary permission application information (step S3808).

  If there is a file that has not been analyzed, the management WEB application 503 of the management server 103 returns to step S3801 and executes the analysis again. Further, the management WEB application 503 of the management server 103 stores the analysis result acquired in steps S3101 to S3108 in the file attribute table (FIG. 37) (step S3809). With the above processing, the file analysis processing in step S2447 is completed.

  Next, the automatic approval process in step S2448 will be described. First, the management WEB application 503 of the management server 103 executes an automatic approval process (FIG. 40) for a temporary permission application (step S2448).

  Hereinafter, the automatic approval process will be described with reference to FIG. Note that the processing from step S4001 to step S4006 shown in FIG. 40 is realized by the CPU 201 of the management server 103 loading the management web application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. The

  First, the management WEB application 503 of the management server 103 acquires the approval rule stored in the approval rule table (FIG. 29) (step S4001).

  Next, the management WEB application 503 of the management server 103 compares the approval condition of the first approval rule with the contents of the temporary permission application information stored in step S2446, and determines whether the values match (step S4003). . Specifically, when “approved temporary permission file has been permitted in the past” shown in FIG. 27 is set in the approval condition, the same absolute path and hash value as the temporary permission applied file Is already in the file attribute table.

  Next, when there is a corresponding record, the management WEB application 503 of the management server 103 searches the temporary permission application table using the temporary permission application ID of the record as a key, and acquires the application status column of the corresponding record. .

  Then, if the value of the application status column is a value for which approval is permitted, the management WEB application 503 of the management server 103 determines that the file has been granted a temporary permission application in the past. As described above, it is determined whether the approval conditions are met using the past temporary application information. Step S4003 is an example of processing of the search means of the present invention.

  Next, when the approval rule matches, the management WEB application 503 of the management server 103 determines whether the approval operation of the matched approval rule is “permit the temporary permission application based on the judgment of the administrator” (step S4005).

  If the approval operation of the matched approval rule is “permit the temporary permission application based on the judgment of the administrator”, the process proceeds to step S4004. On the other hand, when the approval operation of the matched approval rule is other than “permit the temporary permission application based on the judgment of the administrator”, the temporary permission application approval process (FIG. 41) is executed (step S4006). The procedure of the temporary permission application approval process will be described in step S2451. Step S4006 is an example of processing of the approval unit of the present invention.

  On the other hand, if it does not match the approval rule, the management WEB application 503 of the management server 103 executes the process of step S4003 for the next approval rule. The above process is repeatedly executed for all the approval rules created in step S2471 (step S4002).

  Next, when all the approval rules are not matched, the management WEB application 503 of the management server 103 determines that the approval operation is approved based on the determination of the administrator, and proceeds to the next step (step S4004). With the above processing, the automatic approval processing in step S2448 is completed.

  Next, the process from step S2449 to step S2451 and the approval process of the temporary permission application by the administrator in steps S2473 and S2474 will be described.

  First, the management WEB application 503 of the management server 103 determines whether or not it is determined by the automatic approval processing in step S2448 that “temporary permission application is approved by the administrator” (step S2449).

  If it is not determined that “temporary permission application is approved based on administrator's judgment”, the management web application 503 of the management server 103 determines that the temporary permission application is automatically approved in step S2448, and performs processing. finish.

  On the other hand, when it is determined that “the approval process for the temporary permission application is performed based on the administrator's determination”, the management WEB application 503 of the management server 103 transmits an email to the administrator's email address (step S2450). . As a result, the administrator is notified that the temporary permission application has been made.

  In the above embodiment, the administrator is notified that the temporary permission application has been made by sending an e-mail. However, the notification of the temporary permission application can be realized by displaying a notification screen on the screen of the administrator terminal 102 or by executing an arbitrary program.

  Next, the CPU 201 of the administrator terminal 102 activates the e-mail receiving application 402 stored in the external memory 221 of the administrator terminal 102 based on the screen operation of the administrator, and receives the e-mail (step S2473). .

  Then, the CPU 201 of the administrator terminal 102 starts the WEB browser application 401 stored in the external memory 221 of the administrator terminal 102 based on the administrator's screen operation, and connects to the management WEB application 503 of the management server 103. To do.

  Furthermore, the WEB browser application 401 of the administrator terminal 102 displays a temporary permission application approval screen (FIG. 42) for approval processing of the temporary permission application, and includes whether or not the temporary permission application is approved by the administrator, the validity period, and the reason for approval. It waits for the approval information to be input (step S2474).

Here, the temporary permission application approval screen will be described below with reference to FIG.
First, in 4201 of FIG. 42, the application time of the temporary permission application applied in step S2401, the state of the temporary permission application (unapproved, permitted, rejected), the computer name of the client terminal 101 that executed the temporary permission application, and Domain (domain name) to which it belongs, user name, device information (device type, output destination path, device product name, volume serial ID, vendor ID, product ID, serial ID), and reason for application indicate.

  4220 in FIG. 42 includes a score of the entire file for which the temporary permission application has been made, a file name and a score of each file for which the temporary permission application has been applied, a result of personal information determination, a result of specific character string determination, a result of file content analysis, Displays the analysis result information of the file including the presence / absence of graphics and image data in the file and the presence / absence of past applications.

  Reference numeral 4203 in FIG. 42 displays items for inputting the period during which file writing is permitted, the number of times the file can be written, and the reason for approval. The above is the temporary permission application approval screen shown in FIG.

  When the detail button 4204 in FIG. 42 is pressed, the web browser application 401 of the administrator terminal 102 displays the file analysis result screen shown in FIG. This analysis result screen is an example of the analysis result information of the present invention, and the process in which the management server 103 transmits the analysis result screen to the administrator terminal 102 is an example of the processing of the transmission unit of the present invention.

  The file analysis result screen is a screen for displaying in detail the analysis result of each file for which a temporary permission application has been made. On this screen, the analysis result of the file is displayed, and the administrator can easily determine the content of the file applied for the temporary permission application.

Hereinafter, the file analysis result screen will be described with reference to FIG.
First, in 4301 in FIG. 43, the file name, creation date, update date, size, hash value, and character string from the beginning of the file, header character string, and footer character string are displayed.

  432, the file content category analysis result, the score value acquired in step S3807, the file content analysis result analyzed in step S3806, the presence or absence of personal information analyzed in step S3805, and the file are included in the file. The number of appearances of a word meaning personal information, the number of appearances of the specific character string analyzed in step S3103, and the number of appearances are displayed.

  In FIG. 43, 4303 displays a list of graphics and image data included in the file acquired in step S3804.

  Then, in 4304 of FIG. 43, when the same file as the file for which the temporary permission application has been applied has been applied in the past, the past approval history is displayed.

  43, when the detail button 4305 in FIG. 43 is pressed, the WEB browser application 401 of the administrator terminal 102 acquires the difference between the file for which temporary permission is applied and the file for which temporary permission has been applied in the past, and displays the difference on the screen. (FIG. 44). The process in which the management server 103 calculates the difference information is an example process of the calculation unit of the present invention.

  To obtain a file for which a temporary permission application has been executed in the past, obtain the hash value and absolute path stored in the file attribute table and compare them with the value of the file for which the temporary permission application has been applied. To do. The above is the file analysis result screen shown in FIG.

  Next, using the temporary permission application approval screen, the validity period (4205), the number of times writing can be executed (4206), the reason for approval (4207) are entered, and the “permit temporary permission application” button (4208), or The “Reject Temporary Permission Application” button (4209) is pressed by the administrator. Then, the WEB browser application 401 of the administrator terminal 102 transmits temporary permission application information to the management WEB application 503 of the management server 103 (step S2474).

  Next, the management WEB application 503 of the management server 103 receives the temporary permission application and executes an approval process (FIG. 41) (step S2451). The process of receiving this temporary permission application is an example of the process of the receiving means of the present invention.

  Hereinafter, with reference to FIG. 41, the temporary permission application approval process will be described. 41 is realized when the CPU 201 of the management server 103 loads the management web application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executes it. The

  First, the management WEB application 503 of the management server 103 updates the processing status, reason for approval, valid period, and number of records stored in the temporary permission application table based on the approval information (step S4101).

  Next, the management WEB application 503 of the management server 103 creates a temporary policy based on the approval information acquired in step S2473 and the information on the temporary permission application table, and stores the temporary policy in the temporary policy table (FIG. 45) (step 45). S4102).

  Here, in the temporary policy table, in FIG. 45, the agent ID for identifying the agent program, the creation time of the temporary policy table, the validity period of the temporary permission application, the name of the computer that executed the temporary permission application, the user name, and the temporary permission application The domain (domain name) to which the computer that executed the command belongs and temporary policy data are stored.

  The temporary policy data stored in the temporary policy table includes the validity period of the temporary permission application (Expiredt property), the number of times the temporary writing program 302 can execute writing (Count property), and the agent ID (AgentID) that identifies the agent program Property), the domain name to which the client terminal 101 that executed the temporary permission application belongs (Domainname property), the computer name of the client terminal 101 that executed the temporary permission application (ComputerName property), and the user name that performed the temporary permission application (UserName property) ), The path and hash value of the file approved in step S2473 (HASHID property), the path of the device that outputs the file (OUTPUTPATH property), the type of device that outputs the file (DEVICETYPE property), and the product name (DEVICENAME property), volume serial ID (VOLUMSERIALID property), vendor ID (VENDERID property), product ID (PRODUCTID property), and information including serial ID (SERIALID property).

  Note that the HASHID property is created as many as the number of applied files, and is stored in a format in which the absolute path and hash value of the file are separated by comma characters. The VENDERID property, PRODUCTID property, and SERIALID property are not set unless the device that outputs the file is a USB memory.

  Finally, the management WEB application 503 of the management server 103 acquires the email address stored in the temporary permission application table, and notifies the completion of the approval process by email (step S4103).

In the above embodiment, the applicant is notified that the temporary permission application has been approved by sending an e-mail to the applicant. However, the approval notification of the temporary permission application can display a notification message on the applicant's screen or execute an arbitrary program.
With the above processing, the approval processing of the temporary permission application by the administrator is completed.

  Next, the approval status inquiry process for the temporary permission application in steps S2402, S2443, and S2444 will be described.

  First, the control / communication service program 303 of the client terminal 101 executes a temporary permission application processing status inquiry process (FIG. 46) for the management WEB application 503 of the management server 103, and temporarily permits the management WEB application 503. The processing status of the application is acquired (step S2402, step S2443).

  Hereinafter, with reference to FIG. 46, the processing status inquiry of the temporary permission application will be described. 46 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  46 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the control / communication service program 303 of the client terminal 101 transmits processing status inquiry information (FIG. 47) to the management WEB application 503 of the management server 103 (step S4601).

  Here, the processing status inquiry information includes an agent ID for identifying an agent program, an inquiry ID for identifying an inquiry type, a computer name and a user name that have executed a temporary permission application, and a domain to which a computer that has performed a temporary permission application belongs. (Domain name).

  Next, the management WEB application 503 of the management server 103 receives the processing status inquiry information (step S4604).

  Then, the management web application 503 of the management server 103 acquires the processing state of the temporary permission application from the temporary permission application table using the agent ID of the processing status inquiry information as a key (step S4605).

  Next, the management WEB application 503 of the management server 103 transmits the processing state of the temporary permission application to the client terminal 101 (step S4606).

  If the processing state of the temporary permission application is unapproved or rejected, the management WEB application 503 waits for the processing status inquiry information to be transmitted from the client terminal 101 again.

  On the other hand, if the processing state of the temporary permission application is permission, the process proceeds to step S2445 (step S2444).

  Next, the control / communication service program 303 of the client terminal 101 receives the processing state of the temporary permission application transmitted from the management WEB application 503 of the management server 103 (step S4602).

  Then, the control / communication service program 303 of the client terminal 101 displays the processing status of the received temporary permission application on the screen of the client terminal 101. FIG. 48 shows an example of a temporary permission application processing status result screen.

  With the above processing, the processing status inquiry processing of the temporary permission application in Step S2402, Step S2443, and Step S2444 is completed.

  Next, the temporary policy application process from step S2403 to step S2407 and step S2445 will be described.

  First, the control / communication service program 303 of the client terminal 101 determines whether the result of the temporary permission application processing status inquiry processing in step S2402 is permitted, rejected, or not yet approved (step S2402). Step S2403).

  If the temporary permission application has not been approved, the control / communication service program 303 of the client terminal 101 returns to step S2403 and executes the inquiry again.

  On the other hand, if the temporary permission application has been approved and the approval result is rejected, the control / communication service program 303 of the client terminal 101 invalidates the startup screen of the temporary writing program 302 (step S2415).

  Conversely, if the temporary permission application is approved and the approval result is permission, the control / communication service program 303 of the client terminal 101 executes a temporary policy acquisition process (FIG. 49) (step S2404, step S2404). S2445). Step S2404 is a processing example of the acquisition unit of the present invention.

  The temporary policy acquisition process will be described below with reference to FIG. 49 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  49 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. The

  First, the control / communication service program 303 of the client terminal 101 transmits a temporary policy distribution request (FIG. 47) to the management WEB application 503 of the management server 103 (step S4901).

  As shown in FIG. 47, the temporary policy distribution request includes an agent ID for identifying an agent program, an inquiry ID for identifying the type of inquiry, a computer name and a user name that executed the temporary permission application, and a temporary permission application. This information includes the domain (domain name) to which the executed computer belongs.

  Next, the management WEB application 503 of the management server 103 receives the temporary policy distribution request (step S4903).

  Then, the management WEB application 503 refers to the temporary policy table using the agent ID acquired in the temporary policy distribution request as a key, and acquires temporary policy data (step S4904).

  Furthermore, the management WEB application 503 transmits temporary policy data to the client terminal 101 (step S4905).

  Next, the control / communication service program 303 of the client terminal 101 receives the temporary policy data (step S4902). With the above processing, the temporary policy acquisition processing is completed.

When the temporary policy acquisition process is completed, the control / communication service program 303 of the client terminal 101 stores the received temporary policy data in the external memory 221 of the client terminal 101 in a file format (FIG. 50) (step S2404). ). This file is called a temporary policy file.
The temporary policy file stores a hash value of a file that is permitted to be written and an output destination that is permitted to be written.

  Similarly to the process for protecting the monitoring policy file described with reference to FIG. 6 (FIG. 14), the temporary policy file is prohibited by the filter driver (file system) 304 from accessing the corresponding recording area from other than the agent program. ing. Therefore, the contents cannot be browsed or rewritten from other programs. This processing is an example of processing performed by the storage unit and the prohibition condition setting unit of the present invention.

  Next, the control / communication service program 303 of the client terminal 101 refers to the temporary policy file created in step S2405, and determines whether the current time is within the validity period defined by the Expiredt property of the temporary policy file. (Step S2406). Step S2406 is a processing example of the period determination means of the present invention.

  If the expiration date has expired, the control / communication service program 303 of the client terminal 101 invalidates the startup screen of the temporary writing program 302 (step S2415).

  On the other hand, if it is within the expiration date, the control / communication service program 303 of the client terminal 101 enables the startup screen of the temporary writing program 302 (step S2407).

  With the above processing, the temporary policy application processing from step S2403 to step S2407 and step S2445 is completed.

  Next, the temporary writing process from step S2408 to step S2412 will be described.

  First, the CPU 201 of the client terminal 101 activates the temporary writing program 302 and displays a temporary writing setting screen (FIG. 51) by the applicant's screen operation. The temporary write setting screen displays the file approved in the temporary permission application, the type and product name of the device that outputs the file, the path of the device that outputs the file, the volume serial ID, vendor ID, and product ID of the device that outputs the file , Serial ID, and write conditions are displayed.

  When the write button 5101 is pressed by the applicant (step S2408), the temporary write program 302 of the client terminal 101 executes a write condition determination process (step S2409).

  Here, the write condition is information including a period and the number of times file writing input on the temporary permission application approval screen (FIG. 42), a path and a hash value of the file applied for the temporary permission application. The temporary write program 302 refers to the above value when copying a file to the device, and copies the file to the device only when the output file satisfies the write condition value.

  The write condition determination process will be described below with reference to FIG. 52 is realized when the CPU 201 of the client terminal 101 loads the temporary write program 302 stored in the storage unit such as the external memory 211 to the RAM 203 and executes it. .

  First, the temporary writing program 302 of the client terminal 101 refers to the Expiredt property of the temporary policy file stored in the external memory 211 of the client terminal 101. Then, the temporary writing program 302 of the client terminal 101 determines whether or not the current time is within the expiration date set in the temporary policy file (step S5201).

  If the current time has passed the expiration date set in the temporary policy file, the temporary writing program 302 determines that the writing conditions do not match (step S5208).

  On the other hand, when the current time has not passed the expiration date set in the temporary policy file, the temporary writing program 302 refers to the Count property of the temporary policy file stored in the external memory 211 of the client terminal 101. Then, the temporary writing program 302 determines whether the number of times that the writing process can be performed is 1 or more (step S5202).

  If the number of times that the write process can be performed is less than 1, the temporary write program 302 determines that the write condition does not match (step S5208). On the other hand, if the number of write processes that can be performed is 1 or more, the temporary write program 302 executes an output destination device confirmation process (step S5203). If it is determined in the output destination device confirmation process that the device that outputs the file is the same device as when applying, the process proceeds to the next step (step S5204). On the other hand, if it is determined in the output destination device confirmation process that the device that outputs the file is not the same device as when applying, the temporary writing program 302 determines that the writing condition does not match (step S5208). Step S5203 is a processing example of the device determination unit of the present invention.

  Next, the temporary writing program 302 acquires the hash value of the file instructed to write to the device via the screen of FIG. 51 from the OS, and the HASHID (HASHID included in the temporary policy file (FIG. 50) is absolute. Get the absolute path within the path and hash value). The absolute path acquired here is the absolute path where the file to be written was stored when the temporary write approval was requested. (Step S5205). Here, the hash value of the file instructed to be written via the screen of FIG. 51 can be acquired from the OS by the following processing. First, when the temporary write program 302 requests the OS to acquire the hash value of the file, the OS calculates and acquires the hash value of the file and passes it to the temporary write program 302. Thereby, the temporary writing program 302 can acquire the hash value of the file instructed to write via the screen of FIG. 51 from the OS.

Then, the temporary writing program 302 searches whether the HASHID property of the temporary policy file stored in the external memory 211 of the client terminal 101 includes the hash value and the absolute path acquired in step S5205 (step S5206). .
Specifically, the temporary policy file is searched, and it is determined whether the hash value of the file for which writing has been instructed via the screen of FIG. 51 is the same as the hash value in the temporary policy file.
Here, the hash value is identification information that can uniquely specify a file (data) to be written. Step S5206 is a processing example of the data determination unit of the present invention.

  If the HASHID property includes a hash value and an absolute path, that is, it is determined that the hash value of the file instructed to be written via the screen of FIG. 51 is the same as the hash value in the temporary policy file. In this case, the temporary writing program 302 of the client terminal 101 determines that the file is the same file as the file for which the temporary permission application has been made, and sets a determination flag if it matches the writing condition (step S5207). Step S5207 is a processing example of the output permission means of the present invention.

  Conversely, when the hash value is not included in the HASHID property, that is, when it is determined that the hash value of the file instructed to be written via the screen of FIG. 51 is different from the hash value in the temporary policy file, The temporary writing program 302 determines that it is not the same file as the file for which the temporary permission application has been made, and sets a determination flag if it does not match the writing condition (step S5208). With the above processing, the writing condition determination processing is completed. Note that the output device confirmation processing in step S5203 refers to the processing in FIG. Based on the above, it is possible to prevent information leakage by permitting only the device to output data that is temporarily allowed to be written to a device that is temporarily permitted to use. Become.

Hereinafter, the write condition determination process will be described with reference to FIG.
First, the temporary writing program 302 determines whether the path of the output destination device set in the OUTPUTPATH property of the temporary policy file stored in the external memory 211 of the client terminal 101 exists (step S5501). That is, the file write destination (output destination) (path of the output destination device) instructed to write via the screen of FIG. 51 and the write destination (output destination device of the output destination device) in the temporary policy file are permitted. Pass) is the same. If the path of the output destination device exists, that is, the writing destination (output destination) (path of the output destination device) of the file instructed via the screen of FIG. 51 and the writing in the temporary policy file are permitted. If it is determined that the output destination (path of the output destination device) to the specified device is the same, the process proceeds to the next step. On the other hand, if the path of the output destination device does not exist, the temporary writing program 302 determines that the device that outputs the file is different from the device at the time of application, and ends the processing (step S5508).

  Next, the temporary writing program 302 acquires the volume serial ID of the device that outputs the file, and determines whether it matches the VOLUMSERIALID property of the temporary policy file (step S5502). If it matches the value of the VOLUMSERIALID property, go to the next step. On the other hand, if it does not match the VOLUMSERIALID property of the temporary policy file, the temporary writing program 302 determines that the device that outputs the file is different from the device at the time of application, and ends the process (step S5508).

  Next, the temporary writing program 302 acquires the type of device that outputs the file, and determines whether it matches the DEVICETYPE property of the temporary policy file (step S5503). If it matches the DEVICETYPE property, go to the next step. On the other hand, if the device does not match the DEVICETYPE property of the temporary policy file, the temporary writing program 302 determines that the device that outputs the file is different from the device at the time of application, and ends the process (step S5508).

  Next, the temporary writing program 302 acquires the product name of the device that outputs the file, and determines whether it matches the DEVICENAME property of the temporary policy file (step S5504). If it matches the DEVICENAME property, go to the next step. On the other hand, if the device does not match the DEVICENAME property of the temporary policy file, the temporary writing program 302 determines that the device that outputs the file is different from the device at the time of application, and ends the processing (step S5508).

  Next, the temporary writing program 302 acquires the type of device from which the file is acquired, and determines whether it is a USB memory (step S5505). If it is not a USB memory, the temporary writing program 302 determines that the device that outputs the file is the same device as at the time of application (step S5507). On the other hand, in the case of a USB memory, the temporary writing program 302 acquires the vendor ID, serial ID, and product ID of the USB memory.

  Then, the temporary writing program 302 determines whether it matches the VENDERID property, PRODUCTID property, and SERIALID property of the temporary policy file (step S5506). If they match, the temporary writing program 302 determines that the device that outputs the file is the same device as at the time of application (step S5507). On the other hand, if they do not match, the temporary writing program 302 determines that the device that outputs the file is a device that is different from the application at the time of application (step S5508). The above is the output device confirmation process.

  Thereby, when the device that outputs the file is different from the device specified at the time of application, it is possible to prevent the file from being written to the device.

  Next, the temporary write program 302 of the client terminal 101 determines the result of the write condition determination process from the determination flag (step S2410). As a result, when it is determined that the write condition is not met, the temporary write program 302 invalidates the startup screen of the temporary write program 302 (step S2415).

  Conversely, if it is determined that the write condition is met, the temporary write program 302 executes a file write process (FIG. 53) (step S2411).

  The file writing process will be described below with reference to FIG. Note that the processing in steps S5301 to S5303 shown in FIG. 53 is realized by the CPU 201 of the client terminal 101 loading and executing the temporary write program 302 stored in the storage unit such as the external memory 211 on the RAM 203. .

  53 is executed by the CPU 201 of the client terminal 101 by loading the filter driver (file system) 304 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Realized.

  First, the temporary writing program 302 of the client terminal 101 acquires its own process ID and registers it in the permission conditions held by the filter driver (file system) 304 (step S5301).

  Here, as permission conditions, which one of a file path for which the filter driver 312 performs access control and a read command, a write command, a file name change command, and a delete command to be executed for the file are permitted. Stores information that defines If the value matches the value of the permission condition, the filter driver 312 does not perform the file prohibition operation.

  The permission condition can also control a file operation command executed by the process by registering a process ID instead of a file path.

  The filter driver 312 also holds a rejection condition in addition to the permission condition. The rejection condition defines the file path that the filter driver 312 performs access control, and which command is prohibited among the read command, write command, file name change command, and delete command executed on the file. Information is stored. If the rejection condition is met, the filter driver 312 prohibits the file operation.

  Next, the temporary writing program 302 of the client terminal 101 uses the operation system API to copy the file applied for the temporary permission application to the designated device (step S5302).

  The filter driver (file system) 304 of the client terminal 101 detects the file operation executed in step S5302 and executes hook processing (step S5304).

  Next, the filter driver (file system) 304 determines whether the file operation matches the permission condition (step S5305). Specifically, it is determined whether the operation target file or process is the same as the file or process (predetermined application) registered in the permission condition. If it is the same as the file or process registered under the permission condition, a determination is made by comparing whether the file operation command is a command permitted under the permission condition. This processing is a processing example of the permission setting means and application determination means of the present invention.

  If the permission conditions are met, the filter driver (file system) 304 of the client terminal 101 transmits information to the lower driver (step S5306).

  On the other hand, if the determination result matches the permission condition, the filter driver (file system) 304 of the client terminal 101 determines whether the file operation matches the rejection condition (step S5307). Specifically, it is determined whether the operation target file or process is the same as the file registered in the rejection condition. If the file is the same as the file registered under the permission condition, a determination is made by comparing whether the file operation command is a command permitted under the rejection condition.

  If the refusal condition is not met, the filter driver (file system) 304 of the client terminal 101 transmits information to the lower driver (step S5306).

  On the other hand, if the rejection condition is met, the filter driver (file system) 304 of the client terminal 101 interrupts the file operation and prohibits the file operation (step S5309). Thus, the file writing process is completed.

  Next, after the file writing process, the temporary writing program 302 of the client terminal 101 subtracts one value of the Count property of the temporary policy file stored in the external memory 211 of the client terminal 101 (step S5312).

  With the above processing, the temporary writing processing from step S2408 to step S2412 is completed.

  Next, the log transmission processing from step S2413 to step S2415, step S2431, and step S2432 will be described.

  First, the control / communication service program 303 of the client terminal 101 executes a process of transmitting the operation log (FIG. 17) of the file written in step S2411 to the management server 103 (step S2413).

  Next, the management WEB application 503 of the management server 103 receives the operation log (step S2431).

  Then, the management WEB application 503 stores the operation log in the operation log table (FIG. 18) (step S2432).

  Next, the control / communication service program 303 of the client terminal 101 refers to the Expiredt property of the temporary policy file stored in the external memory 211 of the client terminal 101. Then, the control / communication service program 303 of the client terminal 101 determines whether the current time has passed the validity period of the temporary policy (step S2414).

  When the current time has passed the expiration date of the temporary policy, the control / communication service program 303 of the client terminal 101 invalidates the startup screen of the temporary writing program 302.

  On the other hand, if the expiration date of the temporary policy has not passed, the control / communication service program 303 of the client terminal 101 waits for the agent program to be terminated based on the screen operation of the administrator, or returns to step S2408. , Wait for the file write processing to occur by the applicant's screen operation.

  With the above processing, the log transmission processing from step S2412 to step S2415, step S2431, and step S2432 is completed.

  The above is the processing procedure of the automatic approval function and summary report creation function of the device restriction system in this embodiment.

  As described above, in this embodiment, files stored in the device can be controlled in units of files, and automatic approval is performed using past approval history, thereby reducing the burden on the administrator. Can do. Furthermore, in the approval process of the administrator, the contents of the file applied are analyzed and displayed as a report, so the administrator can easily grasp the contents of the file and perform the approval process.

  As a result, it is possible to prevent information unintended by the administrator from being taken out and to greatly reduce the burden on the administrator.

  In addition, it is possible to prevent information leakage by permitting only the device to output data that is temporarily permitted to be written out to a device that is temporarily permitted to use.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as a system, apparatus, method, program, recording medium, or the like. Specifically, the present invention may be applied to a system composed of a plurality of devices, or may be applied to an apparatus composed of a single device.

1 is a block diagram schematically showing a system configuration of an information processing system according to an embodiment of the present invention. FIG. 2 is a block diagram schematically showing a hardware configuration of the information processing apparatus in FIG. 1. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (client terminal 101) in FIG. 1 is provided. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (administrator terminal 102) in FIG. 1 is provided. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (management server 103) in FIG. 1 is provided. It is a flowchart figure which shows the process sequence of a device restriction | limiting system. It is a figure which shows roughly the information handled by step S602 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.6 S623. It is a figure which shows an example of the screen displayed by step S652 of FIG. It is a figure which shows roughly the information handled by step S651 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.6 S622. 3 is a flowchart showing a procedure of monitoring policy application processing executed by the information processing apparatus (client terminal 101) in FIG. It is a figure which shows roughly an example of the monitoring policy file preserve | saved by step S1201 of FIG. It is a flowchart which shows the procedure of the monitoring policy preservation | save process performed by step S1201 of FIG. 2 is a flowchart showing a processing procedure during printing executed by the information processing apparatus (client terminal 101) in FIG. 2 is a flowchart showing a processing procedure when a file operation is executed by the information processing apparatus (client terminal 101) in FIG. It is a figure which shows roughly an example of the information handled by step S609 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S627 of FIG. 5 is a flowchart showing a procedure of an agent program stop process executed by the information processing apparatus (client terminal 101) in FIG. FIG. 2 is a diagram schematically showing an example of information held by a filter driver 312 in FIG. 1. FIG. 2 is a diagram schematically showing an example of information held by a filter driver 312 in FIG. 1. 10 is a correspondence table of prohibition instructions registered in the rejection condition of the filter driver 312 of FIG. 1 when the access control (0909) of FIG. 9 is set. It is a figure which shows roughly an example of the information handled by step S603 of FIG. It is a flowchart which shows the process sequence of an automatic approval function and a summary report creation function. It is a figure which shows an example of the approval rule setting screen displayed by step S2471 of FIG. It is a figure which shows an example of an approval rule setting screen. It is a figure which shows roughly an example of the information handled by step S2471 of FIG. It is a figure which shows roughly an example of the information handled by step S2471 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.24 S2441. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.24 S2441. It is a flowchart figure which shows the procedure of the temporary permission application process which the information processing apparatus (client terminal 101) in FIG. 1 performs. It is a figure which shows roughly an example of the information handled by step S3101 of FIG. It is a figure which shows an example of the temporary permission application screen displayed by step S3101 of FIG. It is a figure which shows roughly an example of the information handled by step S3102 of FIG. It is a flowchart which shows the procedure of the temporary permission application information storage process which the information processing apparatus (management server 103) in FIG. 1 performs. It is a figure which shows roughly an example of the database table which stores the information handled by step S2446 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S2446 of FIG. 3 is a flowchart showing a procedure of file analysis processing executed by the information processing apparatus (management server 103) in FIG. It is a figure which shows an example of the analysis setting screen of the file displayed by step S2472 of FIG. 3 is a flowchart showing a procedure of automatic approval processing executed by the information processing apparatus (management server 103) in FIG. 3 is a flowchart showing a procedure of a temporary permission application approval process executed by the information processing apparatus (management server 103) in FIG. It is a figure which shows an example of the temporary permission application screen displayed by step S2474 of FIG. It is a figure which shows an example of the analysis result screen of the file displayed by step S2473 of FIG. It is a figure which shows an example of the difference information display screen displayed by step S2474 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.41 S4102. 3 is a flowchart showing a processing status inquiry processing procedure of a temporary permission application executed by the information processing apparatus (client terminal 101, management server 103) in FIG. It is a figure which shows roughly an example of the information handled by step S2402 and step S2404 of FIG. It is a figure which shows an example of the process status result screen of a temporary permission application displayed by step S4603 of FIG. 3 is a flowchart showing a temporary policy acquisition processing procedure executed by the information processing apparatus (client terminal 101, management server 103) in FIG. It is a figure which shows schematically the temporary policy file preserve | saved by step S2404 of FIG. FIG. 25 is a diagram showing an example of a temporary write setting screen displayed in step S2408 of FIG. 3 is a flowchart showing a write condition determination processing procedure of the information processing apparatus (client terminal 101) in FIG. 3 is a flowchart showing a file writing process procedure of the information processing apparatus (client terminal 101) in FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.24 S2442. It is a flowchart which shows the confirmation process of an output device.

Explanation of symbols

101: Client terminal 102: Administrator terminal 103: Management server 104: Network 301: Setting program 302: Temporary writing program 303: Control / communication service program 304: Filter driver (file system)
305: Filter driver (CD-RW / DVD writing driver)
306: File system driver 307: CD-RW / DVD writing driver 308: Operating system 309: Device 310: Print monitoring program 311: Agent program 312: Filter driver 313: Printer driver 314: Printer 401: WEB browser application 402: E-mail Reception application 403: Operating system 501: Log reception program 502: WEB server 503: Web application for management 504: Database 505: Operating system

Claims (22)

An information processing system in which an information processing apparatus that approves output of data requested to be written to a storage device and a communication apparatus that requests data writing to the storage device are connected via a communication line,
The information processing apparatus includes:
Receiving means for receiving a data write request from the communication device;
Search means for searching for an approval history of data corresponding to data for which a write request has been received by the receiving means;
An information processing system comprising: an approval unit that approves the output of the data received by the reception unit to the storage device based on the approval history of the data searched by the search unit. An information processing apparatus capable of communicating with a communication device that makes a data write request to a storage device and approves output of the write-requested data to the storage device,
Receiving means for receiving a data write request from the communication device;
Search means for searching for an approval history of data corresponding to data for which a write request has been received by the receiving means;
An information processing apparatus comprising: an approval unit that approves the output of the data received by the reception unit to the storage device based on the approval history of the data searched by the search unit.   The approval unit approves the output of the data received by the reception unit to the storage device when the data retrieved by the search unit has been previously approved by the approval history. The information processing apparatus according to claim 2.   4. The search unit according to claim 2, wherein the search unit searches for an approval history of data in which at least one of the absolute path and the hash value is the same as the data received by the receiving unit. Information processing device. Analyzing means for analyzing the data received by the accepting means by the write request;
Transmitting means for transmitting analysis result information by the analyzing means to an external device;
5. The receiving apparatus according to claim 2, further comprising a receiving unit configured to receive, from the external device, approval result information on output of the data received by the receiving unit to the storage device. The information processing apparatus described in 1. A calculation unit that calculates a difference between the data received by the receiving unit and the data searched by the search unit;
The information processing apparatus according to claim 5, wherein the transmission unit transmits the difference information calculated by the calculation unit to the external device as one of the analysis result information. A method of controlling an information processing apparatus that approves output of data requested to be written to a storage device,
A reception step for receiving a data write request;
A search step of searching for an approval history of data corresponding to the data for which the write request has been received by the reception step;
An information processing apparatus control comprising: an approval step of approving the output of the data whose write request has been received by the receiving step to the storage device based on the approval history of the data searched by the searching step Method. A program for causing a computer to execute a control method of an information processing apparatus that approves output of data requested to be written to a storage device,
A reception step for receiving a data write request;
A search step of searching for an approval history of data corresponding to the data for which the write request has been received by the reception step;
A program for causing a computer to execute an approval step of approving the output of the data whose write request has been received by the receiving step to the storage device based on the approval history of the data searched by the searching step. A communication apparatus capable of communicating with an information processing apparatus that holds a temporary data write policy that defines conditions under which data write is temporarily permitted, and that controls whether or not write requested data can be output to a device. ,
Requesting means for requesting the information processing apparatus to make a temporary write request including identification information for uniquely identifying the data requested to be written;
In response to a request by the request means, an acquisition means for acquiring from the information processing apparatus a temporary write policy in which identification information capable of uniquely specifying data that is temporarily allowed to be written is specified;
Receiving means for receiving an instruction to write data to the device;
When the receiving means receives a writing instruction, the temporarily specified data specified by the identification information specified by the temporary writing policy acquired by the acquiring means and the writing instruction issued by the receiving means Data determination means for determining whether the received data is the same;
If the data determination unit determines that the data temporarily permitted to be written by the temporary write policy acquired by the acquisition unit is the same as the data instructed to be written by the reception unit, the device Output permission means for permitting output of the data to a write driver corresponding to the communication driver. The temporary write policy acquired by the acquisition means further defines a device that is temporarily allowed to write,
A device determination unit that determines whether a device that is temporarily permitted to be written by the temporary writing policy acquired by the acquiring unit is the same as a device that is instructed to be written by the receiving unit;
The output permitting unit further determines that the device determining unit determines that the device temporarily permitted to be written by the temporary writing policy is the same as the device instructed to be written by the receiving unit. The communication apparatus according to claim 9, wherein output of the data to a write driver corresponding to is permitted. The data determination means includes
The temporary writing policy acquired by the acquiring unit is determined by determining whether the identification information defined in the temporary writing policy acquired by the acquiring unit is the same as the identification information of the data instructed to be written by the receiving unit. 12. The communication apparatus according to claim 10 or 11, wherein it is determined whether the data that is temporarily permitted to be written in step 1 is the same as the data that has been instructed to be written out by the receiving means.   The identification information stipulated in the temporary write policy acquired by the acquisition unit is a hash value of data that is temporarily permitted to be written, and the identification information of the data instructed to be written by the reception unit is the reception information 12. The communication apparatus according to claim 9, wherein the communication apparatus is a hash value of data instructed to be written by the means. Permission setting means for setting permission of data writing by a predetermined application;
Application determining means for determining whether data is written to the device by the predetermined application set by the permission setting means,
The output permission unit further permits the output of the data to the write driver corresponding to the device when the application determination unit determines that the data is written to the device by a predetermined application. The communication device according to claim 9, wherein   The output permission means, when the device determination means determines that the device that is temporarily permitted to be written by the temporary write policy acquired by the acquisition means is different from the device that is instructed to be written by the reception means 14. The communication apparatus according to claim 9, further comprising: prohibiting output of the data to a write driver corresponding to a device instructed to be written by the accepting unit.   The output permission means, when the data determination means determines that the data temporarily permitted to be written by the temporary write policy acquired by the acquisition means is different from the data instructed to be written by the reception means The communication apparatus according to claim 9, further comprising: prohibiting output of the data to a write driver corresponding to a device instructed to be written by the accepting unit.   The output permission unit, when the application determination unit determines that the data writing to the device is not performed by the predetermined application, the output permission unit to the write driver corresponding to the device instructed to write by the reception unit The communication apparatus according to claim 13, wherein output of data is prohibited. Storage means for storing the temporary write policy acquired by the acquisition means;
A prohibition condition setting means for setting a rejection condition for prohibiting access to the storage area in which the temporary write policy is stored in the storage means,
The communication apparatus according to any one of claims 13 to 16, wherein the permission setting unit sets a permission condition for permitting access to the storage area.   18. The communication apparatus according to claim 17, wherein the permission condition is information indicating the predetermined application that permits access to the storage area.   19. The communication apparatus according to claim 17, wherein the rejection condition is a path of the storage area where the temporary write policy is stored. The temporary write policy includes a period during which data can be written to the device,
A period determining unit that determines whether the time when the data writing instruction is received by the receiving unit is within a period in which data writing is permitted by the temporary writing policy;
The output permission means, when it is determined by the period determination means that the time when the data write instruction is received by the reception means is within a period in which data writing is permitted by the temporary write policy. 20. The communication apparatus according to claim 9, wherein output of the data to a write driver corresponding to the device is permitted. Method for controlling communication apparatus capable of communicating with information processing apparatus holding temporary data write policy in which conditions for temporarily allowing data write are defined, and controlling whether write requested data is output to device Because
A requesting step for requesting the information processing apparatus to make a temporary write request including identification information for uniquely identifying the data requested to be written;
In response to a request by the request step, an acquisition step of acquiring a temporary write policy in which identification information capable of uniquely specifying data that is temporarily allowed to be written is specified from the information processing device;
A reception step of receiving an instruction to write data to the device;
When a write instruction is received in the reception step, data that is temporarily permitted to be written specified by the identification information defined in the temporary write policy acquired in the acquisition step, and a write instruction in the reception step A data determination step for determining whether the received data is the same;
When it is determined in the data determination step that the data temporarily permitted to be written by the temporary write policy acquired in the acquisition step and the data instructed to be written in the reception step are the same, the device An output permission step for permitting the output of the data to a write driver corresponding to the control method of the communication device. Method for controlling communication apparatus capable of communicating with information processing apparatus holding temporary data write policy in which conditions for temporarily allowing data write are defined, and controlling whether write requested data is output to device A program for causing a computer to execute
A requesting step for requesting the information processing apparatus to make a temporary write request including identification information for uniquely identifying the data requested to be written;
In response to a request by the request step, an acquisition step of acquiring a temporary write policy in which identification information capable of uniquely specifying data that is temporarily allowed to be written is specified from the information processing device;
A reception step of receiving an instruction to write data to the device;
When a write instruction is received in the reception step, data that is temporarily permitted to be written specified by the identification information defined in the temporary write policy acquired in the acquisition step, and a write instruction in the reception step A data determination step for determining whether the received data is the same;
When it is determined in the data determination step that the data temporarily permitted to be written by the temporary write policy acquired in the acquisition step and the data instructed to be written in the reception step are the same, the device A program for causing a computer to execute an output permission step for permitting the output of the data to a write driver corresponding to.

Images