JP2009193259A - Management system and management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To manage access by efficiently and accurately searching information files to be protected. <P>SOLUTION: A management system includes a determination means for determining whether or not a user's terminal satisfies a predetermined management condition; an electronic education control means for making the terminal execute electronic education based on the determination of the determination means; a peripheral equipment operation control means for controlling writing or transmitting of electronic files to peripheral equipment; and a transmission control means for controlling in externally writing or transmitting the files and for controlling the terminal, which has determined not to satisfy the management condition and not to complete the education, so as not to externally write or transmit the files in a specified protocol not through the operation control means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a management system and a management program that take into account the outflow of information from a computer.

  In recent years, with an increase in awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. In addition, along with the enforcement of the Personal Information Protection Law, a business operator handling personal information receives a request for disclosure or correction of personal information from each individual while preventing the leakage, leakage or unauthorized use of personal information. It is obliged to disclose and correct personal information.

  Here, the personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address). Customer information, business partner information, etc. stored and handled in various companies often fall under the category of personal information, and in the future, companies that handle a lot of such personal information will be obligated as above as a personal information handling business operator. Must be fulfilled.

  In order to fulfill the obligations described above, it is essential to centralize personal information by introducing a central management system for personal information. However, in reality, personal information such as customer information and business partner information is dispersed in a company's personal computer (hereinafter sometimes abbreviated as PC) and servers in each department. Often exists. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various PCs.

  For this reason, when constructing the centralized management system or attempting to fulfill the above obligations in a distributed state, the administrator must first separate the personal information that is scattered within the company. It is necessary to identify where and what kind of personal information exists in the company. It will be carried out with the cooperation of the department.

  For example, in Patent Document 1 below, in accordance with the enforcement of the Personal Information Protection Law, a technology for providing a personal information protection service that prevents personal information from being leaked or leaked or being used illegally is “processing of a personal information protection service business. Method and apparatus "have been proposed and disclosed. However, the following Patent Document 1 does not disclose any technique related to the identification of personal information as described above.

  In addition, Patent Document 2 includes a technique for restricting output in order to prevent the important information from being inadvertently printed and displayed when information related to privacy is included as a conventional technique, and printing prohibition information. Thus, it is described that there is a technique for controlling printing and display of a document and a copy thereof.

  Patent Document 3 and Patent Document 4 disclose a client / server type personal information management system, which describes searching for a personal information file in a client terminal.

Japanese Patent Application Laid-Open No. 2004-151561 describes a technique for prohibiting printing by hooking a print command from a predetermined application.
Patent Document 6 describes that printing is performed with a specific portion invisible by inking or the like.

In general, in an information processing system (internal system) constructed in a company or the like, a user terminal (information processing apparatus; hereinafter simply “terminal”) such as a PC (Personal Computer) operated and used by each employee Are connected to each other via a local area network (LAN) so that they can communicate with each other, and each user terminal has a proxy server connected to the LAN. It can be connected to an external communication network such as the Internet via the Internet, and can receive services provided by various servers on the Internet (see, for example, Patent Document 8 below).

  By the way, in recent years, security awareness of information processing systems (internal systems) built in the company has increased, and in large companies, information leakage countermeasures and security measures have been implemented in the company systems (each terminal). If you are getting more.

  In addition, even in the small and medium-sized enterprises that do not have a system administrator, the number of terminals has increased in recent years, and there are many cases where an internal system as described above is constructed by connecting terminals via a LAN. In many cases, security awareness is not as high as in large corporations, and there is a case in which connection to an external communication network such as the Internet is possible without taking any security measures.

Therefore, for example, the techniques disclosed in Patent Document 9 and Patent Document 10 below may be applied to internal systems of large companies and small and medium businesses as security measures.
Patent Document 9 below relates to a business management technology for safely performing business processing, and diagnoses the safety level against computer viruses of a plurality of business processing devices in a plurality of stages (three stages in Patent Document 9), and obtains the diagnosis result. It is disclosed that a given safety level is notified to a plurality of business processing devices.

  Patent Document 10 below relates to a technology that enables a person who does not have advanced skills to efficiently and effectively perform security management by using a system that standardizes know-how of security management. It is disclosed that a question is presented, an answer to the question from the terminal is evaluated, an education plan is created based on the evaluation result, and the user receives education based on the plan.

  Further, the technology disclosed in Patent Document 11 below relates to a method and system for monitoring the configuration and use status of resources of each information device in a network, and a centralized monitoring device arranged outside the network. The purpose is to solve the problem of unauthorized access to information resources in the network and countermeasures against unauthorized connection to the network. For example, in claim 3 and claim 5 in this patent document 11, if information on resource configuration and usage status of information equipment collected by an agent is acquired via the Internet and unauthorized use or unauthorized connection is detected, It is disclosed to notify the administrator.

  The technology disclosed in Patent Document 12 relates to a security education method and a security education support computer that can be preferably used for information security education, management, and auditing. It is described that a security education attendance procedure is performed by sending and receiving security-related educational content in response to a request from a client computer.

The technique disclosed in Patent Document 13 relates to a business management system for safely performing business processing, and aims to easily and effectively implement security measures without the user performing business processing being conscious. Yes. In Patent Document 13, for example, Claim 3 describes that the safety level of each business processing device against a computer virus is diagnosed based on security information received from each business processing device. No. 4 describes diagnosing the safety level of a plurality of business processing devices against computer viruses based on the safety level of each business processing device against computer viruses.

  Further, the technology disclosed in Non-Patent Document 8 below relates to the creation of a standard (standard document) related to security operation. In “Point 4” on the left column of page 107 of Non-Patent Document 8, a security violator For this, it is described that security re-education will be implemented. In this case, it is considered that the same education is performed again.

  In recent years, along with the heightened awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage / leakage of personal information and unauthorized use of personal information. In particular, with the enforcement of the Personal Information Protection Law, there is a need for businesses that handle personal information to more reliably prevent the leakage or leakage of personal information and unauthorized use. Here, personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address, etc.). . Customer information, business partner information, etc. stored and handled in various companies often correspond to personal information.

  Naturally, such personal information corresponds to confidential information with high confidentiality for companies, but as confidential information for companies, in addition to personal information, new products before publication, technology before patent application, Information related to management strategies, etc. According to the Institute of Systems Audits, confidential information is defined as information that may impair the value of management resources when disclosed to anyone other than the authorized person or used for other purposes. Has been.

  In order to reliably prevent the outflow / leakage and unauthorized use of personal information and confidential information as described above, it is desirable to introduce a centralized management system and centrally manage such personal information and confidential information. However, in reality, personal information such as customer information and business partner information in a company includes a plurality of user terminals [personal computers (hereinafter sometimes abbreviated as PCs)] used by individual employees, In many cases, they are distributed and stored in department servers. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various places on the PC.

  For this reason, when constructing the above centralized management system, the administrator first identifies personal information and confidential information that are scattered in the company, and what kind of personal information and confidential information is located in the company. It is necessary to grasp whether it exists, but personal information and confidential information are identified by the manager instructing each employee and with the cooperation of the entire company and all departments in person-to-person relations. .

For example, in Patent Document 14 below, with the enforcement of the Personal Information Protection Law, a technique for providing a personal information protection service that prevents personal information from being leaked or leaked or being illegally used is “a method for processing a personal information protection service business. And device "have been proposed and disclosed. In this patent document 14, a technique for identifying and warning a company that has acquired personal information inappropriately, and for preventing personal information from being illegally leaked from a company that has acquired it appropriately. However, it does not disclose how to deal with the case where personal information is distributed in the company as described above.
JP 2002-183367 A JP 2006-338147 A Japanese Patent No. 3840529 Japanese Patent No. 3840647 JP 2006-092566 A JP 2006-155279 A JP 2006-155283 A Republished patent WO2003 / 038634 JP 2005-202620 A JP 2002-279057 A JP 2002-149435 A JP 2004-302585 A JP 2005-202620 A JP 2002-183367 A CS-ND-2004-00109-011, Come with Don, who develops while looking at the sample! , Information security policy making “standards” of final security measures 7, N + I NETWORK, Japan, Softbank Publishing Co., Ltd., Yoshihiro Sato et al., January 1, 2003, Vol. 3, No. 1, p.104-p.109

  However, when personal information is identified with human cooperation such as reporting from each employee, not only is it time-consuming, but it is difficult to reliably identify all personal information without omission. In particular, when personal information is increasingly distributed, it is extremely difficult to identify personal information.

  In addition, if there is an omission in the identification of personal information, not only the above obligations can be fulfilled, but the status of the personal information cannot be managed, and there is a risk of inadvertent leakage or leakage of personal information or unauthorized use of personal information. is there.

Accordingly, it is desired to reliably search and manage all personal information files distributed and distributed in a large number of terminals in the company.
Further, in order to reliably identify a personal information file newly created / added in each terminal, for example, it is necessary to periodically search the personal information file. However, if the above-described periodic search is performed on all data in each terminal, a great amount of processing time is required for each search. For this reason, it is also desired that the personal information file can be efficiently searched by a search method corresponding to each terminal.

  Further, even if the personal information file of each PC is grasped by a server and managed so that it cannot be copied to other PCs, there is a possibility that personal information may leak from the output (paper) printed out from each PC There is. Therefore, in addition to managing the personal information file of each PC, it is necessary to manage the act of printing. However, there is currently no system that considers printing from each PC.

  That is, in the above Patent Documents 1-7, although various individual techniques are disclosed, they are not in a state where they can be used effectively for information outflow as they are. Moreover, even if the above Patent Documents 1-7 are collected, it is not always possible to reliably prevent information leakage.

However, in Patent Document 9 described above, only the safety level of a plurality of business processing devices is diagnosed and the diagnosis result is notified to the business processing device. Processing to ensure thoroughness (for example, electronic education) is not performed. Moreover, in the said patent document 10, the education plan is created based on the answer with respect to the question regarding security, and only the reference by the user of each terminal is referred, and the actual situation (actual state) in each terminal is shown. Since it is not possible to refer to it, it is difficult to say that appropriate security education according to the actual situation can be executed unless the user gives an honest answer.

  For this reason, regardless of the size of the enterprise such as large enterprises and small and medium enterprises, in order to ensure security in the information processing system, the information processing system is provided to users (employees, employees) who use the information processing system. In addition to making it possible to conduct electronic education to ensure security in accordance with the actual conditions of each user terminal, it is also possible to grasp the security status of the information processing system extremely accurately and easily. Is desired.

  Further, in the above Patent Documents 8-13 and Non-Patent Document 8, it is not possible to take measures against violations that are likely to have been intentionally performed by a user after electronic education about security in general. . Therefore, thorough user education (employee education) is not sufficient, and it cannot be said that it contributes to securing and maintaining a safe environment.

  In addition, in relation to security, it is desired that information such as personal information files distributed in a large number of terminals in a company is reliably searched and managed. Here, in order to reliably identify a personal information file newly created / added in each terminal, for example, it is necessary to periodically search the personal information file. Even if the personal information file of each PC is grasped and managed by a server or the like, a storage medium (FD, CD-R (RW), DVD-R (RW), semiconductor memory) written from each terminal, electronic Personal information may be leaked from email or file transfer software.

  Therefore, in addition to managing the personal information file of each PC, it is also necessary to manage the act of writing the electronic file to an external storage medium or transmitting it to another computer. However, there is currently no system that considers information diffusion by writing or transmitting personal information from each terminal.

  In addition, as described above in Patent Document 14, if personal information and confidential information are identified with human cooperation such as reporting from each employee as described above, not only is it time-consuming, but all personal information is also collected. It is difficult to ensure that confidential information is clearly identified without omission. In particular, when personal information and confidential information are being distributed, it is extremely difficult to identify personal information and confidential information. In addition, if there is a leak in identifying personal information or confidential information, the state of the personal information or confidential information cannot be managed, and there is a risk of inadvertent outflow / leakage or unauthorized use.

Accordingly, it has been desired to be able to efficiently and effectively prevent personal information and confidential information (hereinafter collectively referred to as “protection target information”) from being leaked.
In recent years, a protocol for peripheral devices that can be used without using a device driver in a terminal has been proposed. In this case, since file transfer is executed without using a device driver, there is a possibility that information diffusion cannot be prevented by a conventional method.

  The present invention was devised in view of such a situation. For example, a protection target information file that exists in a distributed manner in a company or the like without obtaining human cooperation and applying a special load to a person in charge. The purpose of this is to ensure that the information subject to protection is managed and placed in a manageable state, so that inadvertent leakage or leakage of the information subject to protection and unauthorized use of the information subject to protection are prevented. In addition, an object of the present invention is to reliably prevent display, printing, inadvertent outflow / leakage of protection target information to peripheral devices, and unauthorized use of the protection target information.

In order to achieve the above object, the present invention is configured as follows.
(1) The invention described in claim 1 is based on the determination means for determining whether or not the user terminal satisfies a predetermined predetermined management condition, and the electronic education is used based on the determination result by the determination means. Electronic education control means to be executed by a user terminal, peripheral device operation control means for controlling writing or transmission of an electronic file to a peripheral device, control when writing or transmitting an electronic file to the outside, and the management Control is performed so that the electronic file is not written or transmitted to the outside by a specific protocol not via the peripheral device operation control means at the user terminal that is determined not to satisfy the conditions and the electronic education is not completed. And a control means that is configured to provide a management system.

  (2) The invention described in claim 2 is a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other, and managing the plurality of user terminals, and the plurality of uses Electronic education that includes environmental information collecting means for collecting environmental information in each user terminal from each user terminal to the management server, wherein the management server performs electronic education on security on the plurality of user terminals Control means, and judgment means for judging management conditions of each user terminal based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means Each of the plurality of user terminals is configured such that each of the plurality of user terminals controls peripheral device operation control means for controlling writing or transmission of the electronic file to the peripheral device, and writing the electronic file to the outside. A specific protocol that performs control at the time of transmission and does not pass through the peripheral device operation control means in the user terminal determined by the management server that the management conditions are not satisfied and the electronic education is not completed. And a control means for controlling the electronic file not to be written out or transmitted to the outside.

  (3) The invention according to claim 3 is a plurality of user terminals, a management server connected to the plurality of user terminals so as to be able to communicate with each other, and managing the plurality of user terminals, and the plurality of uses Environment information collecting means for collecting environment information in each of the user terminals from each user terminal to the management server, and the management server causes the plurality of user terminals to execute electronic education on overall security. Whether each user terminal satisfies the management conditions based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means and the first electronic education control means A determination means for determining whether or not a second electronic instruction is executed on a user terminal that is determined not to satisfy the management condition by the determination means for matters relating to the management condition; A plurality of user terminals, each of the plurality of user terminals writing a peripheral file operation control means for controlling the writing or transmission of the electronic file to the peripheral device, and writing the electronic file to the outside or In addition to performing control at the time of transmission, the user terminal determined by the management server that the detailed electronic education is not completed because the management condition is not satisfied, the specific operation not via the peripheral device operation control means And a control unit configured to control the electronic file so that the electronic file is not written or transmitted to the outside by a protocol.

(4) The invention described in claim 4 is a plurality of user terminals, a management server connected to the plurality of user terminals so as to be able to communicate with each other, and managing the plurality of user terminals, and the plurality of uses Environmental information collecting means for collecting environmental information in each user terminal from each user terminal to the management server, and the management server causes the plurality of user terminals to perform general electronic education on security in general. Based on the environmental information in each user terminal collected by the first electronic education control means and the environmental information collection means after the electronic education by the first electronic education control means, each user terminal satisfies the management condition A determination means for determining whether or not a user terminal that has been determined by the determination means as not satisfying the management condition is to execute detailed electronic education on matters relating to the management condition Two electronic education control means, and each of the plurality of user terminals writes peripheral device operation control means for controlling writing or transmission of the electronic file to the peripheral device, and writing the electronic file to the outside. Alternatively, it is determined that the file is a protection target information file in the user terminal that is controlled by the management server and is determined by the management server that the control condition is not satisfied and the detailed electronic education is not completed. And a control unit configured to control the electronic file so that the electronic file is not written or transmitted to the outside by a specific protocol not via the peripheral device operation control unit.

  (5) In the invention according to claim 5, the control means writes out or transmits the electronic file after encrypting the electronic file at the user terminal determined that the management conditions are not satisfied and the electronic education is not completed. The management system according to claim 1, wherein the management system is a management system.

(6) The invention according to claim 6 is the management system according to any one of claims 1 to 5, wherein the peripheral device operation control means is a device driver.
(7) The management according to any one of claims 1 to 6, wherein the specific protocol is either a picture transfer protocol or a media transfer protocol. System.

  (8) The invention according to claim 8 is a management program for causing a computer to function as a user terminal, the judging means for judging whether or not the user terminal satisfies a predetermined predetermined management condition, the judgment Based on the determination result by the means, electronic education control means for causing the user terminal to execute electronic education, peripheral device operation control means for controlling writing or transmission of the electronic file to the peripheral device, writing the electronic file to the outside or In the user terminal that performs control at the time of transmission and determines that the electronic education is not completed because the management condition is not satisfied, the electronic file is transmitted with a specific protocol not via the peripheral device operation control means. Is a management program characterized by causing a computer to function as a control means for controlling to prevent writing or sending to the outside. That.

  (9) The invention according to claim 9 is a management system in which a plurality of user terminals and a management server are communicably connected to each other, and manages the plurality of user terminals. A management program for causing a computer of a management server to function, the environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server, and the electronic education on security. The electronic education control means to be executed by the user terminal, and based on the environmental information in each user terminal collected by the environmental information collection means after the electronic education by the electronic education control means, the management conditions of each user terminal are determined Judgment means for judging, peripheral device operation control means for controlling writing or sending of electronic files to / from peripheral devices, electronic files to the outside In the user terminal that is controlled by the management server to perform control at the time of transmission or transmission, and the management server determines that the management conditions are not satisfied and the electronic education is not completed, the peripheral device operation control means is not specified. A management program for causing a computer to function as a control means for controlling the electronic file not to be written or transmitted to the outside using the above protocol.

  (10) In the invention according to claim 10, the use of electronic education based on a judgment means for judging whether or not the user terminal satisfies a predetermined predetermined management condition and a judgment result by the judgment means The electronic education control means to be executed by the person terminal and the function of transmitting the contents of the electronic file to the printer in response to the print instruction of the electronic file, and the management conditions are not satisfied and the electronic education is not completed. The determined terminal is a management system comprising control means for controlling to execute printing of the electronic file with at least a part thereof being restricted.

(11) The invention as set forth in claim 11 is a judging means for judging whether or not the user terminal satisfies a predetermined predetermined management condition, and based on a judgment result by the judging means, the electronic education is given to the user. It is determined that the electronic education control means to be executed by the terminal has a function of transmitting the contents of the electronic file to the printer in accordance with the print instruction of the electronic file, and does not satisfy the management condition and has not been completed. The terminal is a management program that causes a computer to function as a control unit that controls to execute printing of the electronic file with at least a part thereof being restricted.

According to the present invention, the following effects can be obtained.
(1) In the invention described in claim 1, it is determined whether or not the user terminal satisfies a predetermined predetermined management condition, and based on the determination result, electronic education is executed by the user terminal, and the management is performed. The user terminal that is determined not to satisfy the conditions and has not completed the electronic education is controlled so that the electronic file is not written or transmitted to the outside by a specific protocol not via the peripheral device operation control means.

  As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (2) In the invention described in claim 2, it is determined whether or not the user terminal satisfies a predetermined management condition determined in advance, and based on the determination result, the electronic education is executed by the user terminal, and the management is performed. Controls the user terminal that is determined by the management server that the conditions are not met and the electronic education is not completed, so that the electronic file is not written or transmitted to the outside by a specific protocol without using the peripheral device operation control means. To do.

  As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (3) In the invention according to claim 3, the management server causes the plurality of user terminals to perform electronic education about security in general, and based on the environmental information in each user terminal collected after the general electronic education, It is determined whether each user terminal satisfies the management condition, and the user terminal that is determined not to satisfy the management condition is caused to execute detailed electronic education on matters related to the management condition, and the management condition is set. The user terminal that has been determined by the management server that the detailed electronic education has not been completed and that the detailed electronic education has not been completed is controlled so that the electronic file is not written or transmitted to the outside by a specific protocol not via the peripheral device operation control means. .

As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (4) In the invention according to claim 4, the management server causes the plurality of user terminals to perform electronic education about security in general, and based on the environmental information in each user terminal collected after the general electronic education, It is determined whether each user terminal satisfies the management condition, and the user terminal that is determined not to satisfy the management condition is caused to execute detailed electronic education on matters related to the management condition, and the management condition is set. For user terminals that have been determined by the management server that they do not meet the requirements and detailed electronic education has not been completed, an electronic file that is determined to be a protection target information file is externalized with a specific protocol that does not go through peripheral device operation control means. Control not to write to or send to.

  As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (5) In the invention described in claim 5, the control means encrypts the electronic file and sends out or transmits it at the user terminal determined that the management conditions are not satisfied and the electronic education is not completed. Thus, it is possible to more reliably prevent inadvertent outflow / leakage of information information and unauthorized use of information to be protected.

(6) In the invention described in claim 6, the peripheral device operation control means is a device driver, and data leakage due to a specific protocol not via the device driver can be effectively prevented.
(7) In the invention described in claim 7, the specific protocol is either a picture transfer protocol or a media transfer protocol, and data leakage by these specific protocols can be effectively prevented.

  (8) In the invention described in claim 8, it is determined whether or not the user terminal satisfies a predetermined predetermined management condition, and based on the determination result, the electronic education is executed by the user terminal, and the management is performed. The user terminal that is determined not to satisfy the conditions and has not completed the electronic education is controlled so that the electronic file is not written or transmitted to the outside by a specific protocol not via the peripheral device operation control means.

  As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (9) In the invention according to claim 9, it is determined whether or not the user terminal satisfies a predetermined predetermined management condition, and based on the determination result, the electronic education is executed by the user terminal, and the management is performed. Controls the user terminal that is determined by the management server that the conditions are not met and the electronic education is not completed, so that the electronic file is not written or transmitted to the outside by a specific protocol without using the peripheral device operation control means. To do.

  As a result, transfer of electronic files by a specific protocol without using a device driver is restricted. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  (10) In the invention of the management system according to claim 10, it is determined whether or not the terminal satisfies a predetermined management condition set in advance, and based on the determination result, the electronic instruction is executed by the user terminal, In a terminal that does not satisfy the management conditions and has not completed the electronic education, the electronic file is printed with at least a part thereof being restricted.

  As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information.

  (11) In the invention of the management program according to claim 11, it is determined whether or not the terminal satisfies a predetermined predetermined management condition, and based on the determination result, the electronic instruction is executed by the user terminal, In a terminal that does not satisfy the management conditions and has not completed the electronic education, the electronic file is printed with at least a part thereof being restricted.

  As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information.

  Embodiments of the present invention will be described below with reference to the drawings. Information to be protected, such as personal information and confidential information, is collectively referred to as protection target information. In the following embodiments, personal information is described as a specific example of protection target information.

[A] First embodiment:
[A1] Outline of the management system of the first embodiment:
FIG. 1 is a block diagram showing the configuration of a management system as a first embodiment of the present invention. As shown in FIG. 1, the management system 1 of this embodiment includes an information management server in addition to a plurality of client terminals 10. 20 and file access management server 30, and these terminals 10 and servers 20, 30 are connected to each other via a network [for example, an in-house LAN (Local Area Network)] 40.

  Each client terminal 10 is configured by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and the internal configuration will be described later in the second embodiment. To do.

If the client terminal 10 is a portable terminal device such as a notebook type, it may be used not only inside the company but also outside the company.
The client terminal 10 is configured to be able to save various electronic files and various programs in an external memory 70 as a storage device such as a hard disk device or a non-volatile memory. The file may exist.

  Similarly, the mobile terminal 80 can be connected to various mobile terminals 80 such as a mobile phone device, a PDA, and a music information reproducing device. Similarly, the printer 60 (60B) can be connected to the client terminal 10.

  Note that the storage device 70 ′ such as a hard disk device may be directly connected to the network 40. Similarly, the mobile terminal 80 may be directly connected to the network 40. Similarly, the printer 60 (60A) can be directly connected to the network 40.

  The information management server 20 is connected to a plurality of client terminals 10 and the file access management server 30 via the network 40 so as to be able to communicate with each other, and manages personal information files and their diffusion prevention in each client terminal 10. The contents will be described later in the second / third embodiment.

  The file access management server 30 is connected to the plurality of client terminals 10 and the information management server 20 through the network 40 so as to be able to communicate with each other, and accesses the electronic file (personal information file in the present embodiment) serving as protection target information. The contents will be described later in the second / third embodiment.

First, in the present system 1, it is determined whether or not the client terminal 10 satisfies the management condition, and electronic education is executed according to the determination result (step S1001 in FIG. 2).
Here, the management condition mentioned above means a desirable use condition or use state regarding the security measures on the user terminal side determined by the administrator side. Details and specific examples of the management conditions will be described in detail in the second embodiment.

  This management condition and electronic education will be described in detail in a second embodiment to be described later. Here, general electronic education on security (first electronic education) is executed in each client terminal 10 and the electronic education is performed. After execution, it is determined whether each client terminal 10 satisfies the management condition, and detailed electronic education (second electronic education) related to security is applied to the client terminal 10 that does not satisfy the management condition.

  In the client terminal 10, when data is exchanged with various devices (peripheral devices) such as the printer 60, the external memory 70, and the portable terminal 80, a device driver or a device driver that is easy for each device is used. Generally, it is performed through a similar means (in this embodiment, “peripheral device operation control means”).

  Here, the peripheral device means various external devices that can be connected to the client terminal 10 via wire, wireless, light, or the like, or various devices that exchange signals with the client terminal 10. Here, at least an electronic file is transferred between the client terminal 10 and the peripheral device.

  The peripheral devices include auxiliary storage devices using various storage media, input devices such as keyboards and scanners, output devices such as printers and displays, and communication devices such as modems and routers.

In addition, the peripheral device side is PTP (Picture Transfer Protocol) established as ISO 15740.
: Picture Transfer Protocol) and MTP (Media Transfer Protocol) proposed by Microsoft Corporation, and the client terminal 10 uses the program corresponding to PTP and MTP to Communication is possible using the protocol without using the device driver.

[A2] Operation of the management system of the first embodiment:
Here, it is assumed that a command (send command) for writing or transmitting an electronic file to a peripheral device (printer 60, external memory 70, portable terminal 80, etc.) is generated in any of the client terminals 10 (FIG. 2). Middle step S1002).

  Note that sending (writing or sending) is not only sent from the client terminal 10 to the peripheral device in the form of an electronic file, but also sent after being converted in format, such as image data for printing. Including.

Therefore, even when a print command is generated in the client terminal 10, it corresponds to the generation of the above transmission command.
In this case, when this transmission command is generated, if it is determined that the user terminal satisfies the management condition based on whether or not the above-described management condition is satisfied (step in FIG. 2). When YES in S1003, the designated electronic file is sent to the peripheral device (step S1006 in FIG. 2).

  Further, in this case, when this transmission command is generated, when it is determined that the user terminal does not satisfy the management condition on the basis of whether or not the above-described management condition is satisfied (in FIG. 2). NO in step S1003), it is checked whether or not the above-described detailed electronic education has been completed in the client terminal 10.

  Here, even when it is determined that the user terminal does not satisfy the management conditions described above (NO in step S1003 in FIG. 2), the attendance of the detailed electronic education described above is the client terminal. If the process is completed at 10 (YES in step S1004 in FIG. 2), the designated electronic file is sent to the peripheral device (step S1006 in FIG. 2).

  On the other hand, when it is determined that the user terminal does not satisfy the management condition described above (NO in step S1003 in FIG. 2), the above-described detailed electronic education is received at the client terminal 10. If not completed (NO in step S1004 in FIG. 2), it is checked whether or not the electronic file is sent to the peripheral device via the device driver.

  Here, it is determined that the user terminal does not satisfy the management conditions described above (NO in step S1003 in FIG. 2), and the attendance of the detailed electronic education described above is not completed in the client terminal 10 (FIG. 2), if the electronic file is sent to the peripheral device via a device driver (YES in step S1005 in FIG. 2), as shown in a third embodiment to be described later. Then, the transmission of the designated electronic file to the peripheral device is executed with a predetermined restriction (stopped, partly stopped, partly invisible, etc.) (step S1007 in FIG. 2). In this case, a predetermined attached electronic file is sent out by the peripheral device operation control means as a device driver.

Here, it is determined that the user terminal does not satisfy the management condition described above (NO in step S1003 in FIG. 2), and the attendance of the detailed electronic education described above is not completed in the client terminal 10. (NO in step S1004 in FIG. 2), if the electronic file is not sent to the peripheral device via the device driver (step S in FIG. 2)
(No in 1005), because various information may be inadvertently spread by performing communication with a predetermined protocol without using a device driver. Therefore, it is specified from the control means (CPU) of the client terminal 10 or the like. The transmission of the electronic file to the peripheral device is prohibited (step S1008 in FIG. 2).

  Here, the printer 60, the external memory 70, and the portable terminal 80 connected to the client terminal 10 will be described as peripheral devices, but the same applies to the storage device 70 ′ and the portable terminal 80 existing on the network. Do. Further, various peripheral devices not shown, for example, an external display (projector) that performs display may be performed in the same manner as described above.

  This restricts transfer of electronic files by a specific protocol that does not go through device drivers such as PTP and MTP. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

  Note that the above-mentioned unrestricted transmission (step S1006 in FIG. 2), partially limited transmission (step S1007 in FIG. 2), and transmission prohibition (step S1008 in FIG. 2) satisfy the management conditions and detailed electronic information. It was sorted according to whether or not the education was completed (steps S1003 and S1004 in FIG. 2). In addition to this, monitoring whether or not protection information such as personal information is included in the electronic file further restricts the operation. May be executed.

  The relationship between the management conditions and the electronic education will be described in a second embodiment described later, and the electronic file transmission with partial restriction and the transmission restriction depending on the presence or absence of personal information will be described in the following third embodiment.

Note that the above management condition determination and electronic education may be performed by the client terminal 10 itself or by the management server 20.
[B] Second embodiment:
[B1] Configuration of the second embodiment:
FIG. 3 is a block diagram showing the configuration of a management system (management server and user terminal) as a second embodiment of the present invention. As shown in FIG. 3, the management system (providing a security evaluation service) of the second embodiment The system 1 receives a request from an administrator (system administrator, manager of the company, etc.) of the in-company system 1A, and the security evaluation of the in-company system 1A that is an evaluation object (management object) by the management server 20 described later In addition, a service (security evaluation service) for providing electronic education and preventing information leakage is provided to the in-company system 1A.

  Therefore, in the system 1 of the second embodiment, as shown in FIG. 3, a plurality of in-company systems 1A that can be evaluated and a plurality of user terminals 10 belonging to each in-company system 1A to provide the service. And a management server (security evaluation service providing server) 20 that can manage each other via an external communication network (network) 40 so that they can communicate with each other. Here, the external communication network 40 includes the Internet, a public line network, and the like.

In the second embodiment, the client terminal 10 is referred to as a user terminal 10.
In an in-company system (internal system) 1A, a plurality of user terminals 10 are connected to be communicable with each other via a LAN 40A, which is a common local area network, and a proxy server 13 and a printer 60 are connected to the LAN 40A. It is connected.

  Each user terminal 10 is connected to the external communication network 40 via the LAN 40A and the proxy server 13, and is configured to be able to communicate with various external servers (including the management server 20). That is, each user terminal 10 and the management server 20 are configured to be communicably connected to each other via the LAN 40A, the proxy server 13, and the external communication network 40.

  Each user terminal 10 belonging to the in-company system 1A is a personal computer or the like used / carried by a user who is an employee of the company, and includes a storage unit (not shown) such as a hard disk and an agent file described later. A processing unit (CPU) 110 that can function as execution means 111, 112, 113, and 119 described later by executing various programs is provided.

  Further, the management server 20 is connected to each user terminal 10 belonging to a plurality of in-company systems 1A that can be evaluated as described above so as to be able to communicate with each other. Provides an evaluation service, and includes an environment information collection agent file transmission means 21, an environment information reception means 22, an evaluation means 23, an evaluation result notification means 24, a first electronic education control means 25, a judgment means 26, a warning means 27, a first It functions as the two-electronic education control means 28 and the transmission control means 29.

  The functions of these means 21 to 29 are realized by executing a management program (security evaluation service providing program) installed in advance by a processing unit (CPU; not shown) constituting the management server 20. .

  The environment information collection agent file transmission means 21 transmits the environment information collection agent file to each of the plurality of user terminals 10 in the system 1A to be evaluated, for example, by attaching it to an e-mail. At this time, information (email address or the like) related to each user terminal 10 of the transmission destination is received together with a security evaluation request from the administrator or the like of the in-company system 1A. The environment information collection agent file to be transmitted to each user terminal 10 is once transmitted by the environment information collection agent file transmission means 21 to a management terminal or the like (not shown) of the in-company system 1A. Or the like may be transmitted to each user terminal 10 through the LAN 40A.

  In the management server 20, a process (task) desired to be executed by each user terminal 10 is created in advance as an agent file, and the agent file is stored in the storage unit or the like. Here, the environment information collection agent file causes each user terminal 10 to execute a process of collecting environment information in each user terminal 10 and a process of notifying the collection result to the management server 20.

  The environment information collection agent file transmitted to each user terminal 10 is automatically or when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file. It is executed by the processing unit 110. That is, the processing unit 110 functions as the environment information collection agent file execution unit 111, and the environment information in the user terminal 10 is collected along with the execution operation, and the collection result is the LAN 40A, the proxy server 13, and the external communication. The information is transmitted / notified to the management server 20 through the network 40.

Here, the environmental information collected at each user terminal 10 is information (asset information / inventory information / execution environment information) related to the operating environment at each user terminal 10, and an evaluation process by the evaluation means 23 as described later. Or information necessary for the determination process by the determination means 26 (information relating to the contents of management conditions described later; for example, information regarding all software installed in each user terminal 10) is sufficient. However, if necessary, it is also possible to collect the following information regarding hardware resources and software resources in the user terminal 10 as environmental information.

  As information about hardware resources, for example, computer name / OS / CPU / CPU speed / keyboard type / physical memory / available memory / video card / resolution / printer / swap size / domain name / logon user name / model name / Network card / MAC address / IP address / Net mask / Default gateway / DNS server / Socket version / Total capacity and free space for each local drive / BIOS version / BIOS manufacturer / machine manufacturer / machine name / machine serial machine UUID / motherboard manufacturer Information on name / motherboard name / CPU ID and the like.

  Information related to software resources includes information (for example, product name, detailed version, file size, file update date) related to software (various application programs) held in the user terminal 10. If the user terminal 10 has security patch update software (for example, “Windows (registered trademark) Update”) for repairing an OS security hole, the security patch update information (whether it is the latest one or not) Whether or not) is also collected. In addition, when the user terminal 10 has anti-virus software (for example, “Norton AntiVilus (registered trademark)” or the like), the update information of the virus definition file in the anti-virus software (whether it is the latest or not) Is also collected. In addition, when the user terminal 10 has security software such as security patch update software, anti-virus software, anti-spyware software, etc., the setting status (security setting; on / off status, etc.) is also included. Collected.

The environment information receiving unit 22 receives the environment information transmitted from each user terminal 10 and passes it to the evaluation unit 23 and the determination unit 26.
In the management system 1 of the second embodiment, the environment information collection agent file transmission means 21 and the environment information reception means 22 in the management server 20 and the environment information collection agent file execution means 111 in each user terminal 10 are used in a plurality of usages. Environment information collecting means for collecting environment information in each user terminal 10 from each user terminal 10 to the management server 20 is configured.

  The evaluation means 23 is based on the environment information in each user terminal 10 collected by the environment information collection means, that is, the environment information in the user terminal 10 written by the evaluation target system 1A received by the environment information reception means 22. By determining whether each user terminal 10 satisfies at least one management condition (described later) and quantifying the degree of safety for the plurality of user terminals 10, the security level of the entire in-company system 1A is determined. (Evaluation level of security status) is evaluated and determined.

  At that time, as will be described later with reference to FIG. 5, the evaluation means 23 is a ratio of the user terminals 10 that satisfy at least one management condition (described later) among the plurality of user terminals 10 in the evaluation target system 1A. The degree of safety may be quantified based on the above, or as described later with reference to FIGS. 6 and 7, the degree of safety may be quantified based on the ratio and the importance of management conditions (described later). Good.

Then, the evaluation means 23 of the second embodiment gradually evaluates the security level evaluation level (security level) of the evaluation target system 1A according to the result of quantifying the safety degree (the ratio P and the evaluation value V described later). ) To decide. For example, the evaluation level is set to 5 levels of 1 to 5, the evaluation level is “5” when the safety level of the evaluation target system 1A is the highest, and the evaluation level is “1” when the safety level of the evaluation target system 1A is the lowest. To do.

  Moreover, the management conditions mentioned above mean the desirable use conditions or use states of the user terminal determined by the administrator, and specifically include the following items (1) to (5). Any of the management conditions is such that when each user terminal 10 satisfies the management condition, the degree of safety is higher than when the user terminal 10 does not satisfy the management condition.

(1) The security software is installed on the user terminal 10 and is turned on.
(2) The security patch update information of the security patch update software as the security countermeasure software in the user terminal 10 is the latest.

(3) The update information of the virus definition file of the antivirus software as the security countermeasure software in the user terminal 10 is the latest.
(4) The dangerous software is not installed in the user terminal 10. Examples of dangerous software include virtual VPN software, P2P software, spyware, and file exchange software (for example, Winny).

(5) The user terminal 10 does not have an unauthorized copy of software or the like.
Alternatively, the management conditions include the following items (a) to (g) in addition to the above (1) to (5) as desirable usage conditions or usage states of the user terminal determined by the administrator. Any of the management conditions is such that when each user terminal 10 satisfies the management condition, the degree of safety is higher than when the user terminal 10 does not satisfy the management condition.

(a) No software other than licensed software is installed on the user terminal,
(b) No prohibited software is installed on the user terminal,
(c) No data for software other than licensed software is stored on the user terminal,
(d) No data for prohibited software is stored in the user terminal.
(e) No sharing settings that are not permitted to be used on the user terminal,
(e) No unauthorized folder has been created on the user terminal,
(f) Peripheral devices other than authorized peripheral devices are not connected to the user terminal,
(g) Peripheral devices that are prohibited for use are not connected to the user terminal.
In addition, this management condition satisfies which item among the above items (1) to (g), or how many items, as the desired use condition or use state of the user terminal determined by the administrator You may decide.

  In addition, the management condition may be set uniformly for a plurality of user terminals, may be set for each user terminal, or may be changed according to the situation. Also good.

  Here, “change according to the situation” means that more strict management conditions are set for user terminals that violate the management conditions, or more strict management conditions are set for user terminals that hold personal information. And, conversely, loosely setting management conditions for user terminals that do not have violations or possess personal information.

When the evaluation means 23 performs the evaluation process by the method shown in FIG. 5 or FIG. 6, all the management conditions of these items (1) to (5) or (1) to (5) and (a) to (g) are set. The evaluation level may be determined by calculating the proportion of the user terminals 10 that satisfy, or the management conditions of these items (1) to (5) or (1) to (5) and (a) to (g) An evaluation level may be determined by calculating a ratio of user terminals 10 that satisfy at least one of the above. When performing the evaluation process by the method shown in FIG. 6, as described later, item (1)
~ (5) or (1) ~ (5) and at least one of the management conditions of (a) ~ (g) shall be extremely important to ensure the safety of the evaluation target system 1A These are set in advance as important management conditions.

  When the evaluation process is performed by the method shown in FIG. 7, the safety of the internal system 1A with respect to each management condition (1) to (5) or (1) to (5) and (a) to (g) An importance level for ensuring the security level is set. In this case, the importance Mi (i = 1 to 5) as a weight used for calculating an evaluation value V to be described later with reference to FIG. 7 is the management condition (1) to (5) or (1). It is preset for each of (5) and (a) to (g). The importance Mi is set so as to increase as the necessity of satisfying the management conditions increases in order to ensure the safety of the internal system 1A.

  The evaluation result notifying means (notifying means) 24 sends the evaluation results (including the calculated ratio, table value, and evaluation level) obtained by the evaluating means 23 to each user terminal 10 or a terminal such as an administrator (not shown). ) To be displayed and notified to users and managers of the plurality of user terminals 10 (such as managers of the in-company system 1A).

  When a periodic evaluation is requested in the evaluation request of the evaluation target system 1A, in the management system 1 of the second embodiment, the environmental information of each user terminal 10 of the evaluation target system 1A is the environmental information collection means. The evaluation means 23 periodically determines the degree of safety (security level evaluation level / security level) for the plurality of user terminals 10 (evaluation target system 1A) based on the periodic collection results. Evaluation result notification means 24 notifies the periodic evaluation results to the managers and users of the plurality of user terminals 10 and displays them on the terminals of the managers and the user terminals 10.

  The first electronic education control means 25 is an electronic education (e-learning) on security including at least the matters relating to the management conditions (1) to (5) or (1) to (5) and (a) to (g). In other words, electronic education about security in general when using the in-company system 1A is executed by a plurality of user terminals 10 belonging to the in-company system 1A. The first electronic education agent file creating / holding means 251 and The first electronic education agent file transmission means 252 has a function.

  The first electronic education agent file creation / holding means 251 generates a first electronic education agent file that causes each of the plurality of user terminals 10 belonging to the evaluation target system 1A to perform electronic education on security in the company system 1A. Create or hold. As described above, in the management server 20, a process (task) desired to be executed by each user terminal 10 is created as an agent file.

  Here, the first electronic education agent file causes each user terminal 10 to execute electronic education about security in the in-company system 1A. If necessary, the first electronic education agent file creation / holding means 251 The first electronic education agent file for security in general in the company system 1A may be created in advance and held in the first electronic education agent file creation / holding means 251.

The first electronic education agent file transmission means 252 attaches the first electronic education agent file created or held by the first electronic education agent file creation / holding means 251 to an e-mail after creation or reading. Are transmitted to a plurality of user terminals 10 in the system 1A to be evaluated. At this time, as described above, information (email address or the like) regarding each user terminal 10 as the transmission destination is received together with a security evaluation request from the administrator or the like of the in-company system 1A. The first electronic education agent file to be transmitted to each user terminal 10 is once transmitted by the first electronic education agent file transmission means 252 to a management terminal or the like (not shown) of the in-company system 1A. You may transmit to each user terminal 10 via LAN40A from a management terminal.

  Note that the first electronic education control means 25 in the second embodiment uses the evaluation means 23 in addition to the functions described above (functions used in the processing of steps S107 and S108 in FIG. 4 as described later with reference to FIG. 4). It also has a function of causing a plurality of user terminals 10 belonging to the in-company system 1A to execute electronic education (e-learning) according to the obtained evaluation result (evaluation level or the like). As will be described later with reference to FIG. 4, this function is used in the processing in steps S118 and S119 in FIG. 4, but can also be used in the processing in steps S107 and S108 in FIG.

  In this case, the first electronic education agent file creation / holding means 251 is an electronic that causes each of the plurality of user terminals 10 belonging to the evaluation target system 1A to execute electronic education according to the evaluation result obtained by the evaluation means 23. Create or maintain educational agent files. This electronic education agent file causes each user terminal 10 to execute electronic education according to the evaluation result by the evaluation means 23. When the evaluation result is obtained, the first electronic education agent file creation / holding means 251 Alternatively, an electronic education agent file corresponding to the evaluation result may be created in advance for each evaluation result and held in the first electronic education agent file creation / holding means 251. The first electronic education agent file transmission means 252 then sends the electronic education agent file according to the evaluation result created or held by the first electronic education agent file creation / holding means 251 to the first electronic education agent described above. Similar to the transmission of a file, it is transmitted to a plurality of user terminals 10 in the system 1A to be evaluated by attaching it to an e-mail after creation or reading.

  The first electronic education agent file transmitted to each user terminal 10 or the electronic education agent file according to the evaluation result is automatically or a user performs a predetermined operation on the file (for example, double-clicking with a mouse). When the operation is performed, it is executed by the processing unit 110 on the user terminal 10. That is, the processing unit 110 functions as the first electronic education agent file execution unit 112, and in accordance with the execution operation, the electronic corresponding to the electronic education or the evaluation result of the overall security in the in-company system 1A at the user terminal 10 is performed. Education is executed for the user of the user terminal 10.

  At this time, the first electronic education agent file execution means 112 in each user terminal 10 manages information regarding whether or not the electronic education has been completed in each user terminal 10 through the LAN 40A, the proxy server 13, and the external communication network 40. The server 20 may be configured to transmit / notify the server 20 or notify the administrator of the evaluation target system 1A. As a result, the management server 20, the administrator, and the like can grasp the user (employee) who has performed electronic education / the user (employee) who has not performed electronic education, and can perform more thorough electronic education. .

  In addition, the electronic education is used so that the operation of the electronic education (electronic education about security in general or electronic education according to the evaluation result) is not terminated until the user completes and completes the electronic education at each user terminal 10. It may be configured to force the person to execute. Thereby, electronic education can be executed reliably and thoroughly regardless of the user's will and consciousness.

  Further, the user terminal 10 that has completed the electronic education displays a completed desktop stamp indicating that the electronic education has been completed on the desktop, while the user terminal 10 that has not completed the electronic education displays the desktop. In addition, an incomplete desktop stamp indicating that the electronic education has not been completed may be displayed in a stamped manner. This desktop stamp (bitmap image) cannot be deleted / moved on the user terminal 10 side, and is pasted on the desktop wallpaper. Therefore, the user can delete the desktop stamp by operating himself / herself. It cannot be moved, is always displayed on the desktop, and is exposed not only to the user but also to others. Therefore, by displaying the completed desktop stamp and the incomplete desktop stamp on the desktop, it is possible to encourage the user's will and awareness to voluntarily execute the electronic education, and the electronic education (security E-education in general or e-education according to evaluation results) can be executed reliably and thoroughly.

  When all of the plurality of user terminals 10 belonging to the evaluation target system 1A satisfy the above management conditions, electronic education for each user terminal 10 (according to electronic education about security in general and evaluation results) However, even in such a case, it is preferable to conduct electronic education to confirm and re-recognize security.

  The determination means 26 is based on the environmental information in each user terminal 10 periodically collected by the environmental information collecting means described above after the first electronic education control means 25 performs electronic education on the plurality of user terminals 10. Whether each user terminal 10 satisfies at least the management conditions (1) to (5) or (1) to (5) and (a) to (g) (whether or not a management condition is violated) ).

  The warning unit 27 issues a warning to the user or administrator of the user terminal 10 that is determined not to satisfy the management condition by the determination unit 26, indicating that the management condition is violated. Is transmitted to the terminal of the violator's user terminal 10 or a terminal of the manager or the like and displayed, and a warning is given to the violator or the manager (such as the manager of the in-company system 1A).

  The second electronic education control means 28 causes the user terminal 10 determined not to satisfy the management conditions by the determination means 26 to execute electronic education on matters relating to the management conditions (violation management conditions). It has functions as second electronic education agent file creation / holding means 281 and second electronic education agent file transmission means 282.

  The second electronic education agent file creation / holding means 281 performs detailed electronic education on matters relating to management conditions (violation management conditions) determined not to be satisfied by the determination means 26 by the determination means 26. The second electronic education agent file to be executed by the user terminal 10 determined not to satisfy the above is created or held. As described above, in the management server 20, a process (task) desired to be executed by each user terminal 10 is created as an agent file.

  Here, the second electronic education agent file is used to cause the user terminal 10 that has made the violation to execute detailed electronic education on the matter relating to the violation management condition, and the determination means 26 determines that there is a violation. The second electronic education agent file creation / retention means 281 may be created at the time, or a second electronic education agent file creation / retention means is created in advance for the violator for each management condition. You may hold | maintain to 281.

The second electronic education agent file transmission means 282 attaches the second electronic education agent file created or held by the second electronic education agent file creation / holding means 281 to an e-mail after creation or reading. , It is transmitted to the user terminal 10 that has made the violation. At this time, information (e-mail address, etc.) regarding the user terminal 10 that has violated the transmission destination has already been received from the administrator of the in-company system 1A together with a security evaluation request and managed by the management server 20 as described above. It shall be. The second electronic education agent file to be transmitted to the user terminal 10 is once transmitted to the management terminal or the like (not shown) of the in-company system 1A by the second electronic education agent file transmission means 282, and the management is performed. It may be transmitted from the terminal or the like to the corresponding user terminal 10 through the LAN 40A.

  The second electronic education agent file transmitted to the user terminal 10 is automatically or on the user terminal 10 when the user performs a predetermined operation (for example, a double-click operation with a mouse) on the file. It is executed by the processing unit 110. That is, the processing unit 110 functions as the second electronic education agent file execution unit 113, and in accordance with the execution operation, detailed electronic education on matters relating to the violation management condition in the user terminal 10 is performed on the user terminal. It is executed for 10 users (management condition violators).

  At this time, the second electronic education agent file execution means 113 in the violator's user terminal 10 sends information regarding whether or not the electronic education has been completed in the user terminal 10 through the LAN 40A, the proxy server 13 and the external communication network 40. You may comprise so that it may be transmitted / notified to the management server 20 or notified to the administrator of the evaluation target system 1A. As a result, the management server 20, the administrator, and the like can grasp whether the violator has performed electronic education, and can perform more thorough electronic education.

  Also, do not terminate the operation of electronic education (detailed electronic education on matters related to violation management conditions) until the offender (user) completes and completes electronic education at the user terminal 10 of the offender. You may comprise so that a user may perform electronic education compulsorily. Thereby, regardless of the user's will and consciousness, detailed electronic education on matters related to violation management conditions can be executed reliably and thoroughly.

  Further, as in the case of completing the electronic education using the first electronic education agent file, the user terminal 10 that has completed the detailed electronic education on the matters related to the violation management conditions has completed the electronic education on the desktop. The user terminal 10 that has not completed the electronic education is displayed on the desktop with an incomplete desktop stamp indicating that the electronic education has not been completed. May be. As a result, completed desktop stamps and incomplete desktop stamps are stamped on the desktop, allowing users to work on their will and awareness to voluntarily execute electronic education. It is possible to ensure that detailed electronic education on matters related to is executed thoroughly and thoroughly.

  The sending control means 29 imposes a restriction on the user terminal 10 determined by the judging means 26 that the management condition is not satisfied, at the time of writing or transmitting the electronic file. The sending control agent file creating / holding means 291 and It has a function as a transmission restriction agent file transmission means 292.

Here, the transmission restriction agent file creation / holding means 291 suspends transmission (writing or transmission) of the electronic file or sends restricted transmission (writing or writing) when the determination means 26 determines that the condition is not satisfied. The transmission restriction agent file that causes the user terminal 10 that is determined not to satisfy the management conditions by the determination means 26 is created or held. As described above, the management server 20 creates a process (task) that each user terminal 10 desires to execute as an agent file.

  Here, the transmission restriction agent file is for causing the user terminal 10 which has violated the violation to stop writing or sending the electronic file or to write or send the restricted electronic file. It may be created by the transmission restriction agent file creation / holding means 291 when it is determined that there is a violation, or a transmission restriction agent file creation / holding means for a violator is created in advance for each management condition. You may hold | maintain to 291.

  The transmission restriction agent file transmission means 292 violates the transmission restriction agent file created or held by the transmission restriction agent file creation / holding means 291 by attaching it to an e-mail after creation or reading. It is transmitted to the user terminal 10.

  At this time, information (e-mail address, etc.) regarding the user terminal 10 that has violated the transmission destination has already been received from the administrator of the in-company system 1A together with a security evaluation request and managed by the management server 20 as described above. It shall be. The transmission restriction agent file to be transmitted to the user terminal 10 is once transmitted to the management terminal or the like (not shown) of the in-company system 1A by the transmission restriction agent file transmission means 292, and the LAN 40A is transmitted from the management terminal or the like. You may transmit to the corresponding user terminal 10 through.

  The transmission restriction agent file transmitted to the user terminal 10 is automatically or when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file, the processing unit on the user terminal 10 Execution begins at 110. Then, the processing unit 110 functions as the transmission restriction agent file execution means 119, and with the execution operation and the writing of the electronic file or the issuing of the transmission command, the user terminal 10 cancels the writing or the transmission is stopped or restricted. Writing or sending of an attached electronic file is executed.

  In other words, the transmission control agent file execution unit 119 executes restriction on writing or transmission of an electronic file, and operates as a transmission control unit in the user terminal 10.

  Also, do not end the operation of electronic education (detailed electronic education on matters related to violation management conditions) until the offender (user) completes the second electronic education at the user terminal 10 of the infringer The second electronic education is configured to be forcibly executed by the user, and when the second electronic education is completed, sending of electronic files is restricted (writing or sending is stopped or restricted) May be canceled. Thereby, regardless of the user's will and consciousness, detailed electronic education on matters related to violation management conditions can be executed reliably and thoroughly.

  Furthermore, in the user terminal 10 that has not completed the electronic education, when the electronic file is written or transmitted, an explanatory text indicating that the electronic education has not been completed is attached to the electronic file, or the electronic education is performed. An explanatory text file indicating that the program has not been completed may be written or transmitted instead of the electronic file. As a result, the electronic education incompletion is informed to the surroundings, and as a result, the user can work on the will and awareness of the user to voluntarily execute the electronic education. Detailed electronic education about can be executed reliably and thoroughly.

[B2] Operation of the second embodiment:
Next, operation | movement of the management system 1 of 2nd embodiment comprised as mentioned above is demonstrated, referring FIG.

First, the operation of the management server 20 of the second embodiment will be described with reference to the flowchart shown in FIG. 4 (steps S101 to S125).
As shown in FIG. 4, the management server (security evaluation service providing server) 20 determines whether there is a new security evaluation request for the in-company system 1A connected via the external communication network 40, and periodically. Whether or not the evaluation timing has come is periodically monitored (every predetermined control cycle) (steps S101 and S111), and when a new security evaluation request is received from the administrator of the in-company system 1A (step S101) YES route), the environment information collection agent file is electronically converted by the environment information collection agent file transmission means 21 based on the information (email address etc.) regarding each user terminal 10 of the transmission destination sent together with the security evaluation request. Multiple attachments to the evaluation target system 1A by attaching it to an e-mail It is transmitted to each of the user terminal 10 (step S102).

  Here, according to the flowchart shown in FIG. 8 (steps S51 to S54), the environment information collecting operation of each user terminal 10 in the evaluation target system 1A of the second embodiment will be described. As shown in FIG. 8, each user terminal 10 monitors whether or not an environment information collection agent file has been received from the management server 20 (step S51), and upon receiving the environment information collection agent file (step S51). YES route of S51), or automatically or when the user performs a predetermined operation (for example, a double click operation with a mouse) on the file, the environment information collection agent file is processed by the processing unit 110 on the user terminal 10. (Step S52). Thereby, the environment information in the user terminal 10 (asset information / inventory information / execution environment information; information related to the contents of the management conditions; for example, information about all software installed in each user terminal 10; Information on peripheral devices such as an external storage medium connected to the user terminal 10 is collected (step S53), and the collection result is transmitted / notified to the management server 20 through the LAN 40A, the proxy server 13 and the external communication network 40. (Step S54).

  The management server 20 receives environment information from each user terminal 10 belonging to the evaluation target system 1A (step S103), and when environment information is received from all user terminals 10 belonging to the evaluation target system 1A (step S103). (YES route of S104), security evaluation by the evaluation means 23 is executed (step S105).

  In step S104, the security evaluation is performed when environment information is received from all user terminals 10 belonging to the evaluation target system 1A. When environment information cannot be received, security evaluation by the evaluation unit 23 may be performed based on environment information received at the time when the predetermined time has elapsed.

  In step S104, it is not determined whether environment information has been received from all the user terminals 10 as described above, but a predetermined number or more or a predetermined ratio of the user terminals 10 belonging to the evaluation target system 1A. It is determined whether or not environmental information has been received from the above user terminals 10, and evaluation is performed based on the received environmental information when environmental information is received from a predetermined number or more or a predetermined ratio of user terminals 10 Security evaluation by means 23 may be performed.

Next, first to third examples of the security evaluation technique performed by the evaluation unit 23 that can be executed in step S105 will be described with reference to FIGS.
FIG. 5 is a flowchart (steps S21 to S23) for explaining the operation of the evaluation unit 23 (first example of the security evaluation method) in the management server 20 of the second embodiment. As shown in FIG. In the first example of the evaluation method, for example, at least one of the management conditions (1) to (5) or (1) to (5) and (a) to (g) described above is set as the management condition in advance. Keep it.

  Then, the evaluation unit 23 refers to the environment information in each user terminal 10 of the evaluation target system 1A received by the environment information reception unit 22, and sets one unit for the plurality of user terminals 10 belonging to the evaluation target system 1A. It is determined whether or not all set management conditions are satisfied (step S21). When the management condition determination is completed for all the user terminals 10 that have received the environment information, the ratio (the ratio of the total number of user terminals 10 in the evaluation target system 1A) P that satisfies the management condition is calculated P (Step S22).

  The higher the ratio P of the user terminals 10 that satisfy the management conditions, the higher the percentage P of the user terminals 10 that may have some adverse effects on the evaluation target system 1A (causing a security problem, being infected with a virus, The ratio (number) of user terminals 10 that are likely to cause information leakage due to wear or the like and user terminals 10 that have performed illegal copying is low, and the safety level of the evaluation target system 1A is high. The security situation is considered good.

  Therefore, when the degree of safety (security status) of the evaluation target system 1A is evaluated, for example, in five stages (evaluation levels 1 to 5), the evaluation level “5” is set when the ratio P is 90 to 100%. Allocation, evaluation level “4” is allocated when the ratio P is 80 to 90%, evaluation level “3” is allocated when the ratio P is 70 to 80%, and evaluation level when the ratio P is 50 to 70% “2” is assigned, and an evaluation level “1” is assigned in advance when the ratio P is less than 50%. Based on such evaluation level setting, the evaluation means 23 determines an evaluation level corresponding to the ratio P calculated in step S22 for the evaluation target system 1A (step S23).

  In the first example of the security evaluation method shown in FIG. 5, the management condition is at least one of items (1) to (5) or (1) to (5) and (a) to (g). Although the case has been described, the present invention is not limited to this, and under these management conditions other than these items (1) to (5) or (1) to (5) and (a) to (g) The management conditions other than the items (1) to (5) or (1) to (5) and (a) to (g) may be included.

FIG. 6 is a flowchart (steps S31 to S36) for explaining the operation of the evaluation means 23 (second example of the security evaluation method) in the management server 20 of the second embodiment. As shown in FIG. In the second example of the evaluation method, for example, at least one of the management conditions (1) to (3) and (5) described above is set as the management condition in advance. The “having no dangerous software installed on the user terminal” is extremely important for ensuring the safety of the evaluation target system 1A, and is set as an important management condition.

Then, the evaluation unit 23 refers to the environment information in each user terminal 10 of the evaluation target system 1A received by the environment information reception unit 22, and first, for a plurality of user terminals 10 belonging to the evaluation target system 1A, It is determined one by one whether or not the management condition (4) set as the important management condition is satisfied (step S31). At this time, if there is at least one user terminal 10 that does not satisfy the management condition (4) (YES route in step S32), that is, if there is at least one user terminal 10 installed with dangerous software, Evaluation target system 1 to which such a user terminal 10 belongs without determining other management conditions.
A predetermined low evaluation level (for example, “1”) is determined as the evaluation level of A and is given to the evaluation target system 1A (step S33).

On the other hand, when there is no user terminal 10 that does not satisfy the management condition (4) (step S
32 NO route), that is, if there is no user terminal 10 installed with dangerous software, the same evaluation process as in the first example described with reference to FIG. 5 is performed.

That is, it is determined whether each of the plurality of user terminals 10 belonging to the evaluation target system 1A satisfies all the management conditions set excluding the management condition (4) (step S34). The ratio of user terminals 10 that satisfy the management condition at the time when the determination of the management conditions for all the user terminals 10 that received the environment information is completed (ratio to the total number of user terminals 10 in the evaluation target system 1A) P Is calculated (step S35). Based on the same evaluation level setting as in the first example, the evaluation unit 23 determines an evaluation level corresponding to the ratio P calculated in step S35 for the evaluation target system 1A (step S36).

In the second example of the security evaluation method shown in FIG. 6, the case where the important management condition is the management condition of the item (4) has been described, but the present invention is not limited to this, and other items The management conditions (1) to (3) and (5) may be set as important management conditions, or these items (1) to (5) or (1) to (5) and (a) to (a) Management conditions other than g) may be set as important management conditions, or a plurality of management conditions may be set as important management conditions.

  FIG. 7 is a flowchart (steps S41 to S48) for explaining the operation of the evaluation unit 23 (third example of the security evaluation method) in the management server 20 of the second embodiment. As shown in FIG. In the third example of the evaluation method, for example, the management conditions (1) to (5) or (1) to (5) and (a) to (g) described above are set as management conditions in advance. In the third example, the importance levels M1 to M5 as described above are set in advance.

  Then, the evaluation unit 23 refers to the environment information in each user terminal 10 of the evaluation target system 1A received by the environment information reception unit 22, and sets one unit for the plurality of user terminals 10 belonging to the evaluation target system 1A. It is determined whether each of the management conditions (1) to (5) or (1) to (5) and (a) to (g) is satisfied (step S41). When all the management conditions (1) to (5) or (1) to (5) and (a) to (g) have been determined for all the user terminals 10 that have received the environmental information, Ratio of user terminals 10 satisfying the conditions (1) to (5) or (1) to (5) and (a) to (g) (ratio to the total number of user terminals 10 in the evaluation target system 1A) P1 to P5 Are respectively calculated (steps S42 to S46).

  Thereafter, the evaluation unit 23 calculates an evaluation value V, which increases as the number (ratio) of the user terminals 10 that do not satisfy the management condition having a high importance Mi (i = 1 to 5) increases. Calculate (step S47).

Evaluation value V = Σ (100−Pi) × Mi,
Here, Σ means the sum of (100−Pi) × Mi calculated when i is 1, 2, 3, 4, 5 respectively.

This evaluation value V is determined by all user terminals 10 belonging to the evaluation target system 1A under the management condition (1)
When all of (5) or (1) to (5) and (a) to (g) are satisfied, the ratios P1 to P5 are all 100%, so the evaluation value V is 0. As the number (ratio) of user terminals 10 that do not satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g) increases, in particular, the importance Mi The evaluation value V increases as the number (ratio) of user terminals 10 that do not satisfy the management condition having a large value increases.

  That is, as the evaluation value V is smaller (closer to 0), the user terminal 10 that may have some adverse effect on the evaluation target system 1A (causes a security problem, is infected with a virus, or is a file exchange software) The ratio (number) of the user terminals 10 that are likely to cause information leakage due to, etc. or the user terminals 10 that have performed illegal copying is low, and the security level of the evaluation target system 1A is high. The situation is considered good.

  Alternatively, as the evaluation value V is smaller (closer to 0), the user terminal 10 that may have some adverse effects in the evaluation target system 1A (information leakage due to writing or transmission of an electronic file is more likely to occur). It is considered that the ratio (number) of the user terminals 10) is low and the reliability of the evaluation target system 1A is high, that is, the security situation is good.

  Therefore, when the degree of safety (security status) of the evaluation target system 1A is evaluated in, for example, five levels (evaluation levels 1 to 5) as described above, in the third example of the security evaluation method, the evaluation value V is 0 to K1. Is assigned an evaluation level “5”, assigned an evaluation level “4” when the evaluation value V is K1 to K2 (> K1), and assigned an evaluation level “4” when the evaluation value V is K2 to K3 (> K2). 3 ”is assigned, the evaluation level“ 2 ”is assigned when the evaluation value V is K3 to K4 (> K3), and the evaluation level“ 1 ”is assigned when the evaluation value V is K4 to K5 (> K4). , Set in advance. Based on such evaluation level setting, the evaluation means 23 determines an evaluation level corresponding to the evaluation value V calculated in step S47 for the evaluation target system 1A (step S48). Note that K5 which is the maximum value of the evaluation value V is the value of the evaluation value V when the ratios P1 to P5 are all 0%, that is, 100 × (M1 + M2 + M3 + M4 + M5).

  In the third example of the security evaluation method shown in FIG. 7, the case where the management conditions are items (1) to (5) or (1) to (5) and (a) to (g) has been described. The present invention is not limited thereto, and may be management conditions other than these items (1) to (5) or (1) to (5) and (a) to (g), Management conditions other than items (1) to (5) or (1) to (5) and (a) to (g) may be included.

  As described above, when the security evaluation result of the evaluation target system 1A is obtained in step S105 (any one of the security evaluation methods in FIGS. 5 to 7), the evaluation result notification unit 24 determines that the evaluation result is a plurality of evaluation results. The information is displayed on a terminal (not shown) of the user terminal 10 or an administrator (such as an administrator of the evaluation target system 1A) and notified to each user or administrator (step S106 in FIG. 4).

  At this time, the notified evaluation result includes at least the five evaluation levels obtained in step S105. In addition to this evaluation level, more detailed information, for example, calculated ratios P, P1 to P5, The evaluation value V may be included, or more detailed information, for example, information such as which user terminal 10 does not satisfy which management condition may be included. Note that what kind of information is notified as the evaluation result may be determined in advance in the management server 20, or may be determined in accordance with an instruction from an administrator who has requested the security evaluation.

And in the management server 20 of 2nd embodiment, the electronic education about security including the matter which concerns on the said management conditions (1)-(5) or (1)-(5) and (a)-(g) ( e-learning), that is, in order to execute electronic education about security in general when using the in-company system 1A to a plurality of user terminals 10 belonging to the in-company system 1A, the agent file for the electronic education ( The first electronic education agent file creation / holding means 251 is created or read from the first electronic education agent file creation / holding means 251 (step S107).

  Note that the first electronic education agent file may correspond to each of the above-described five evaluation levels, or performs electronic education related to environmental information that is particularly problematic based on the detailed information of the evaluation results. It may be a thing. If an agent file for executing the corresponding electronic education is held in the first electronic education agent file creation / holding means 251, the agent file is read out and held as the first electronic education agent file. If not, it is created by the first electronic education agent file creation / holding means 251.

  In this way, the agent file read from the first electronic education agent file creation / retention means 251 or the agent file created by the first electronic education agent file creation / retention means 251 is sent together with the security evaluation request. A plurality of users in the evaluation target system 1A, for example, attached to an e-mail by the first electronic education agent file transmission means 252 based on the received information (e-mail address, etc.) regarding each user terminal 10 at the destination. It is transmitted to each of the terminals 10 (step S108).

  Here, according to the flowchart (steps S61 to S64) shown in FIG. 9, the electronic education operation of each user terminal 10 in the evaluation target system 1A of the second embodiment will be described. As shown in FIG. 9, each user terminal 10 monitors whether or not the first electronic education agent file has been received from the management server 20 (step S61). (YES route of step S61) When the user performs a predetermined operation (for example, a double click operation with a mouse) on the file, the first electronic education agent file is stored on the user terminal 10. It is executed by the processing unit 110 (step S62). Thereby, the electronic education about the whole security is performed with respect to the user of the user terminal 10 in the user terminal 10 (step S63), and in the second embodiment, the electronic education result (for example, each use) Information regarding whether or not the electronic terminal has been completed at the person terminal 10) is transmitted / notified to the management server 20 through the LAN 40A, the proxy server 13 and the external communication network 40 (step S64).

  The management server 20 receives an electronic education result from each user terminal 10 belonging to the evaluation target system 1A (step S109), and the electronic education result is sent to the administrator of the evaluation target system 1A via the management server 20 or the like. And the user of each user terminal 10 is notified (step S110). The electronic education result may be notified directly from each user terminal 10 to the administrator of the evaluation target system 1A.

  On the other hand, when it becomes the regular evaluation timing for the in-company system 1A that has finished the processing of steps S102 to S110 (system evaluation / notification processing and electronic education processing for security in general) as described above (YES from the NO route of step S101 to step S111 YES). Route), the environment information collection agent file is sent by the environment information collection agent file transmission means 21 based on the information (email address, etc.) regarding each destination user terminal 10 sent at the time of the new security evaluation request. And is transmitted to each of the plurality of user terminals 10 in the evaluation target system 1A (step S112). At this time, the environment information collection operation executed by each user terminal 10 that has received the environment information collection agent file is the same as the procedure described above with reference to FIG.

The management server 20 receives environment information from each user terminal 10 belonging to the evaluation target system 1A (step S113), and when environment information is received from all user terminals 10 belonging to the evaluation target system 1A (step S113). (YES route of S114), security evaluation by the evaluation means 23 is executed (step S115).

  In step S114, security evaluation is performed when environment information is received from all user terminals 10 belonging to the evaluation target system 1A. When environment information cannot be received, security evaluation by the evaluation unit 23 may be performed based on environment information received at the time when the predetermined time has elapsed.

  In step S114, it is not determined whether the environment information has been received from all the user terminals 10 as described above, but a predetermined number or more or a predetermined ratio of the user terminals 10 belonging to the evaluation target system 1A. It is determined whether or not environmental information has been received from the above user terminals 10, and evaluation is performed based on the received environmental information when environmental information is received from a predetermined number or more or a predetermined ratio of user terminals 10 You may make it perform the security evaluation process (step S115) by the means 23, and the judgment process (step S120) by the judgment means 26. FIG.

  In step S115, when the security evaluation result of the evaluation target system 1A is obtained by the security evaluation method described above with reference to FIGS. 5 to 7, for example, the evaluation result is notified to the plurality of user terminals by the evaluation result notification unit 24. 10 or a manager (such as a manager of the evaluation target system 1A) (not shown) and notifies each user or manager (step S116 in FIG. 4).

  Further, the management server 20 determines whether or not it is necessary to perform common electronic education for all of the plurality of user terminals 10 belonging to the evaluation target system 1A based on the security evaluation result in step S115. (Step S117). For example, when all of the plurality of user terminals 10 belonging to the evaluation target system 1A satisfy the above management conditions, or when the current security evaluation result for the evaluation target system 1A is not different from the previous time or better than the previous time If it is, it is determined that the electronic education is unnecessary (NO route of step S117), and the process is ended (return to step S101).

  On the other hand, if this is not the case, that is, if the current security evaluation result for the evaluation target system 1A is worse than the previous time, it is determined that electronic education is necessary (YES route in step S117). The same electronic education on general security is performed, or the electronic education (e-learning) corresponding to the security evaluation result obtained in step S115 is performed. In the second embodiment, the latter electronic education, that is, electronic education corresponding to the security evaluation result obtained in step S115 is performed.

  At this time, in the management server 20 of the second embodiment, in accordance with the security evaluation result obtained in step S115, electronic education (e-learning) corresponding to the security evaluation result is given to a plurality of user terminals belonging to the in-company system 1A. 10, the electronic education agent file is created by the first electronic education agent file creation / holding means 251 or read from the first electronic education agent file creation / holding means 251. (Step S118).

Here, the electronic education agent file corresponding to the security evaluation result may correspond to each of the above-described five evaluation levels, or may be particularly problematic environmental information based on the detailed information of the evaluation result. Such electronic education may be performed. If the agent file for executing the corresponding electronic education is held in the first electronic education agent file creation / holding means 251, the agent file must be held while being read as the electronic education agent file. For example, the first electronic education agent file creation / holding means 251 creates the file.

  In this way, the agent file read from the first electronic education agent file creation / holding means 251 or the agent file created by the first electronic education agent file creation / holding means 251 is stored at the time of a new security evaluation request. Based on the information (email address etc.) relating to each user terminal 10 that has already been sent, the first electronic education agent file transmission means 252 attaches it to an e-mail, etc. Is transmitted to each of the user terminals 10 (step S119).

  At this time, the electronic education operation executed by each user terminal 10 that has received the electronic education agent file is the same as the procedure described above with reference to FIG. Thereafter, the management server 20 receives an electronic education result from each user terminal 10 belonging to the evaluation target system 1A (step S109), and the electronic education result is transmitted to the evaluation target system 1A via the management server 20. The administrator or the like or the user of each user terminal 10 is notified (step S110).

  In the second embodiment, it is determined in step S117 that electronic education is necessary when the current security evaluation result for the evaluation target system 1A is worse than the previous time. When all of the plurality of user terminals 10 belonging to 1A satisfy the above management conditions, or when the current security evaluation result for the evaluation target system 1A is not different from the previous time or better than the previous time Even in such a case, electronic education for each user terminal 10 (electronic education for security in general and electronic education according to the evaluation result) may be performed for confirmation and re-recognition of security.

  Now, in the management server 20, when environment information is received from all the user terminals 10 belonging to the evaluation target system 1A (YES route in step S114), the following is performed in parallel with steps S115 to S119 described above. Steps S120 to S124 are executed.

  That is, first, based on the environmental information in each user terminal 10 received in step S113 by the judging means 26, each user terminal 10 has at least the management conditions (1) to (5) or (1) to (5). ) And (a) to (g) are determined (whether the management condition is violated) (step S120).

  If there is no management condition violation (NO route of step S120), the process is terminated (return to step S101). On the other hand, if there is a violation of the management condition (YES route in step S120), the warning means 27 sends a warning indicating that the management condition has been violated to the user terminal 10 of the offender and the terminal of the administrator. Is displayed, and a warning is given to a violator, a manager or the like (a manager or the like of the in-company system 1A). The warning is given by a pop-up display or a warning sound on the terminal display unit.

  And in the management server 20 of 2nd embodiment, in order to make the electronic terminal (e-learning) about the matter which concerns on violation management conditions with respect to the user terminal 10 of a violation person, the agent file for electronic education ( (Second electronic education agent file) is created by the second electronic education agent file creation / holding means 281 or read from the second electronic education agent file creation / holding means 281 (step S123).

If the agent file for executing the corresponding electronic education is held in the second electronic education agent file creation / holding means 281, the agent file is read out as the second electronic education agent file and held. If not, it is created by the second electronic education agent file creation / holding means 281.

  In this way, the agent file read from the second electronic education agent file creation / retention means 281 or the agent file created by the second electronic education agent file creation / retention means 281 is already at the time of the security evaluation request. From the sent information (e-mail address, etc.) regarding each of the plurality of user terminals 10 belonging to the evaluation target system 1A, the e-mail address of the violator's user terminal 10 is searched and based on the e-mail address. Then, the second electronic education agent file transmission means 282 transmits it to the user terminal 10 of the violator of the management condition by attaching it to an electronic mail (step S124).

  At this time, the electronic education operation (detailed electronic education regarding the matter related to the violation management condition) executed on the user terminal 10 of the violator who has received the second electronic education agent file has been described above with reference to FIG. Since it is the same as the procedure, its description is omitted.

  And in the management server 20 of 2nd embodiment, while making electronic education (e-learning) about the matter which concerns on violation management conditions with respect to the user terminal 10 of a violator, the stop of the writing or transmission or A transmission restriction agent file for restriction is created by the transmission restriction agent file creation / holding means 291 or read from the transmission restriction agent file creation / holding means 291 (step S125).

  If an agent file for canceling or restricting writing or transmission of an electronic file is held in the sending restriction agent file creation / holding means 291, the agent file is read as a sending restriction agent file. If not held, it is created by the sending restriction agent file creating / holding means 291.

  In this way, the agent file read from the transmission restriction agent file creation / holding means 291 or the agent file created by the transmission restriction agent file creation / holding means 291 has already been sent at the time of the security evaluation request. Then, the mail address of the violator's user terminal 10 is searched from information (email address, etc.) related to each of the plurality of user terminals 10 belonging to the evaluation target system 1A, and based on the mail address, the transmission restriction agent The file transmission unit 292 transmits the file to the user terminal 10 of the violating management condition by attaching it to an e-mail (step S125). The second electronic education agent file and the transmission restriction agent file described above are sent to the same user terminal 10, but may be at the same timing or at different timings.

  FIG. 10 shows the electronic file writing or transmission restriction operation (stopping or restricting writing or transmission) executed at the user terminal 10 of the violator who has received the transmission restriction agent file at this time.

First, the execution unit 119 in the processing unit 110 of the user terminal 10 executes the execution unit 113 when a command for writing an electronic file to an external storage medium or a transmission command to another computer is generated (step S2001 in FIG. 10). Whether the second electronic education is being executed or whether the second electronic education has not been completed (step S2002 in FIG. 10). In this case, it is referred to whether the second electronic education agent file exists in the processing unit 110 or whether a report of completion is notified to the management server.

  If the second electronic education has already been completed (NO in step S2003 in FIG. 10), the electronic file is written to an external storage medium or transmitted to an external computer in a normal state without interruption or restriction. Is executed (step S2009 in FIG. 10).

  Here, if the second electronic education has not been completed (YES in step S2003 in FIG. 10), the contents of the set restrictions such as the electronic file writing stop or transmission stop or a partial restriction are displayed. Investigation is performed (step S2004 in FIG. 10).

  It should be noted that the content of the electronic file writing or transmission restriction may be set by a transmission restriction agent file, or may be set in a non-volatile memory (not shown) in the user terminal 10 or the like. Good.

  Further, the content of the restriction on writing or transmission may be the same for each user terminal, or may be different for each user terminal. Moreover, when it differs for every user terminal, you may change a restriction | limiting state according to the content, level, etc. of violation.

  When the electronic file writing stop or transmission stop is set, the execution unit 119 writes the electronic file to the external storage medium or the external computer regardless of the generation of the electronic file writing or transmission command. Control is performed so as to prohibit transmission of the electronic file to the server (step S2005 in FIG. 10). In this case, the writing or transmission of the electronic file may be completely prohibited, or a file with a message indicating that transmission of the electronic file is restricted due to the completion of the second electronic education may be written or transmitted.

  If an electronic file attached to an e-mail is sent, send the e-mail body with the attached electronic file part deleted, or both the e-mail body and the attached file. Any of transmission may be sufficient. In this case, it is desirable to inform the user that an electronic file or email is not sent.

  Also, as will be described later, it is detected whether or not the electronic file contains personal information, and if there is no personal information, no sending restriction is set, and if the electronic file contains personal information, sending restriction is executed. Also good.

  Further, in response to a separately set restriction (step S2006 in FIG. 10), the execution means 119 encrypts the electronic file based on a password that is determined in advance by the administrator and is unknown to the user. (Step S2007 in FIG. 10) Or the transmission destination of the electronic file is changed to the management server (Step S2008 in FIG. 10), and writing or transmission of the electronic file is executed (Step S2009 in FIG. 10). .

  It should be noted that the encryption program and password at the time of encryption may be included in the transmission restriction agent file by the administrator along with the designation to perform encryption as restrictions. In this case, the transmission restriction agent file execution unit 119 also serves as an encryption unit.

  When the electronic file is encrypted and written or transmitted, and the user terminal 10 satisfies the management conditions described above, the password required for the decryption from the management server side is the user terminal 10 or the electronic file. Sent to the destination.

Further, when changing the electronic file transmission destination to the management server, the mail address or IP address of the management server may be included in the transmission restriction agent file together with the designation of destination change.

  In addition, when the transmission destination is changed to the management server, the transmission restriction agent file includes a designation to delete the corresponding electronic file from the storage unit of the user terminal, thereby collecting the corresponding electronic file on the management server. It becomes possible to do.

  The cancellation, address change, and encryption described above may be determined according to the degree of management conditions, but may be determined according to whether or not personal information is included in the electronic file to be transmitted. Good.

  In this case, the transmission restriction agent file uses a table in which words that may correspond to personal information are stored in advance, and if there is a word that matches or is similar to this table, it determines that the information is personal information. The determination of whether or not personal information is included in the electronic file will be described later.

Further, when the user terminal 10 tries to send out a plurality of electronic files, it is possible to change the contents of restriction for each electronic file depending on the presence or absence of personal information.
In other words, when the user terminal 10 tries to send a plurality of electronic files, the electronic file having personal information can be sent, and the electronic file not having personal information can be sent.

  In addition, when the user terminal 10 tries to send a plurality of electronic files, the electronic file is limited in terms of sending (stop, encryption, destination change, destination change +) according to a Pr mark of personal information described later. It is also possible to determine (deletion).

[B3] Handling of personal information in the user terminal 10 of the second embodiment:
In the second embodiment, when executing the restriction of writing or sending an electronic file, all writing or sending in a user terminal that does not satisfy the management condition may be restricted, but the user terminal that does not satisfy the management condition The electronic file containing personal information may be restricted from being written or transmitted.

  Here, each user terminal 10 is constituted by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and will be described later with reference to FIGS. It has a functional configuration.

  In the second embodiment, as the plurality of user terminals 10, a personal information search program for executing a search for a personal information file in the user terminal 10 in connection with restrictions on writing or transmission of an electronic file. (Described later) is used. This personal information search program may be included in the transmission restriction agent file described above, or may be separately held by the user terminal 10.

[B3-1] Functional configuration of user terminal 10 of the second embodiment:
FIG. 11 is a block diagram showing a functional configuration of the user terminal 10 (personal information search program resident terminal) of the second embodiment.

  The configuration of the user terminal 10 shown in the block diagram of FIG. 11 is a functional block diagram realized by the transmission restriction agent file execution means 119 described above executing the transmission restriction agent file.

As shown in FIG. 11, the user terminal 10 of the second embodiment is a CP that executes various processes.
In addition to a U (Central Processin Unit) 110a and a storage unit 1110b that can hold an electronic file including personal information, a quarantine table 1110c provided from the management server 20 and an electronic file stored in the storage unit 1110b A Pr mark table 1110d holding a Pr mark (privacy level mark; a level indicating the high possibility of being a personal information file, and a level determined by a determination value to be described later), a display unit 1110e for displaying characters or images Is configured.

  As will be described later, a personal information search program for causing the processing unit (CPU) 110 to function as personal information search means 1100 described later is installed from the management server 20. The personal information search program may be included in the transmission control agent file.

  Here, the storage unit 1110b is a hard disk built into the user terminal 10 or a storage device connected to or externally attached to the user terminal 10, such as a flexible disk, CD (CD-ROM, CD-R, CD-RW). Etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disks, optical disks, magneto-optical disks, IC cards, ROM cartridges, magnetic tapes and other recording media This is a storage device to be used. Note that the quarantine table 1110c and the Pr mark table 1110d described above may be held in a RAM (Random Access Memory), a hard disk, or the like constituting the user terminal 10, or may be held in the storage unit 1110b.

  The processing unit (CPU) 110 executes the transmission control agent file, thereby executing the personal information search unit 1100, the detection unit 1200, the first control unit 1300, the access monitoring unit 1400, the transmission request monitoring unit 1600, the transmission / reception unit 1500, and the transmission. It functions as the control means 1800 and the display control means 1900. These functions are realized by the processing unit (CPU) 110 executing a personal information search program and a personal information management program included in a transmission control agent file installed from the management server 20 as described later. Shall.

  The personal information search unit 1100 executes a personal information search program installed from the management server 20, thereby functioning as a text extraction engine that converts an electronic file stored in the storage unit 1110b into a text file, and a quarantine table 1110c. It functions as an exploration engine for exploring a personal information file from data in the storage unit 1110b. That is, the personal information searching unit 1100 searches the personal information file by referring to various electronic files existing in the storage unit 1110b of the user terminal 10 according to the condition (quarantine table 1110c) instructed from the management server 20. An electronic file determined to be a personal information file is written in a log (local cache database). In the second embodiment, the Pr mark determined based on the determination result (determination value) obtained by the personal information searching unit 1100 is registered in the Pr mark table 1110d.

Details of the functional configuration of the personal information searching means 1100 will be described later with reference to FIG.
The detection unit 1200 detects a change to an electronic file already stored in the storage unit 1110b of the user terminal 10 and addition of a new electronic file to the storage unit 1110b.

The first control means 1300 makes the personal information search means 1100 first (when this management system 1 is started up / at the time of installation of the personal information search program / new of the user terminal 10) in the procedure described later with reference to FIG. Each time the personal information file is searched for all the data in the storage unit 1110b of the user terminal 10 at the time of connection), the detection unit 1200 detects the addition / change of the electronic file. The program is started, and the personal information searching means 1100 is caused to execute real-time search for determining whether the added / changed electronic file is a personal information file.

  The access monitoring unit 1400 monitors the electronic file (electronic file to which the Pr mark is assigned) that has been searched by the personal information searching unit 1100 and determined to be a personal information file, and accesses to the electronic file (for example, renaming, When data changes due to copying, erasing, moving, etc.), the fact is written as log information and notified to the management server 20 through the transmission / reception means 1500.

  The transmission / reception unit 1500 transmits / receives various types of information to / from the management server 20 (or the file access management server 30) via the network. The transmission / reception unit 1500 is a transmission unit that transmits the determination result by the personal information search unit 1100 to the management server 20. It functions. When the transmission / reception unit 1500 functions as the transmission unit, a difference between the determination result (link destination information and determination value of the personal information file) and the previously transmitted search result is obtained, and the difference is transmitted to the management server 20. In addition, the information to be transmitted may be encrypted.

  The transmission request monitoring unit 1600 monitors the electronic file (electronic file to which the Pr mark is given) searched by the personal information searching unit 1100 and determined to be a personal information file, and writes or accesses the electronic file as access. When a transmission request is generated, the fact is written out as log information, and a predetermined transmission restriction is executed through the transmission control means 1800 and the transmission / reception means 1500.

  When it is determined that the electronic file is a personal information file according to the designation of transmission restriction, the transmission control unit 1800 restricts writing or transmission of the personal information file (stopping or transmitting the entire personal information file) Canceling, or canceling writing or sending in the personal information part, encryption, address change, etc.).

  Further, the sending control means 1800 restricts writing or sending of the electronic file (writing stop or sending stop, even if it is not determined that the electronic file is a personal information file according to the designation of sending restriction) Encryption, destination change, etc.). In the second embodiment, the transmission control unit 1800 functions as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device.

  The display control unit 1900 sends display data to the display unit 1110e, and the position of the user terminal 10 is determined depending on whether the electronic file is a personal information file or not according to the designation of transmission restriction. The control for restricting the transmission of display data to the display unit 1110e is performed according to the above. The display control unit 1900 acts as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device (external display).

[B3-2] Detailed functional configuration of personal information search in user terminal:
FIG. 12 is a block diagram illustrating a detailed functional configuration of the personal information searching unit 1100 included in the processing unit (CPU) 110 in the user terminal 10 according to the second embodiment.

As shown in FIG. 12, the personal information searching unit 1100 according to the second embodiment includes an extracting unit 1110, a cutting unit 1120, a first determining unit 1130, a character determining unit 1140, a collating unit 1150, and a second determining unit 1160. These functions are also realized by the processing unit (CPU) 110 executing the personal information search program included in the transmission restriction agent file sent from the management server 20.

The extraction unit 1110 extracts text data (for example, CSV (Comma Separated Value) format data) of an electronic file (determination target file) in the storage unit 1110b, and functions as the text extraction engine.

  The cutout unit 1120 cuts out character sections delimited by delimiters from the text data extracted by the extraction unit 1110 and sequentially writes them as a determination target / collation target in a buffer (not shown). Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed).

  Further, symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, parenthesis symbols, and the like are removed from the character section cut out by the cutting means 1120. In the second embodiment, it is assumed that the cutting means 1120 has a function of removing the symbol characters as described above.

  The first determination unit 1130 uses a personal information element (specifically, in the second embodiment) other than the name of a character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutout unit 1120. In order to determine whether or not any one of a telephone number, an e-mail address, and an address), a function as a telephone number determination unit 1130a, an e-mail address determination unit 1130b, and an address determination unit 1130c is provided. Yes. In the first determination unit 1130 of the second embodiment, the character string determination process is performed in the order from the lightest determination process load, that is, in the order of the telephone number, the e-mail address, and the address.

  The telephone number determination means 1130a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 1110c, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 1160, and terminates the judgment process by the 1st judgment means 1130 with respect to the said character string. In the second embodiment, the telephone number determination condition is that a 9 to 15 digit number is included in the character string.

  The e-mail address determination unit 1130b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 1130a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 1110c, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 1160. The determination processing by the first determination means 1130 is terminated.

  In the second embodiment, the e-mail address determination condition includes “one or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “one or more ASCII” + “. It is assumed that the character string “(dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

The address determination unit 1130c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 1130b determines that the character string does not correspond to an e-mail address. When the character string satisfies the address determination condition set in the quarantine table 1110c, it is determined that the character string corresponds to an address, and the fact is notified to the second determination unit 1160. In the second embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the processing capacity of the processing unit (CPU) 110 is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. Good. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

  When the first determination unit 1130 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address, the character determination unit 1140 sets the character string in the quarantine table 1110c. Specifically, it is determined whether the number of characters in the character string is within a predetermined range and whether all the characters in the character string are kanji. In the second embodiment, as described above, the character determination condition is that the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. The range is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  The collating unit 1150 is a character section determined by the first determining unit 1130 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 1140 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the verification determination result is notified to the second determination means 1160.

  Here, inappropriate characters / unsuitable character strings are set in advance in the quarantine table 1110c. For example, Tokyo, Osaka, Yokohama, Kyushu, Hokkaido, Kyoto, capital, private, school, store, stock, prefecture, university , Gakuin, Tokyo Stock Exchange, Research, Administration, General Affairs, Accounting, Sales, Administration, Pharmaceutical, Sales, School, Education, Specialty, Architecture, Machine, Corporation, Factory, Manufacturing, Technology, Commerce, Books, Unknown, Deputy Director, Public, Publication , Advertising, Broadcasting, Target, Wholesale, Retail, Planning, HR, Information, Department, President, Regulatory, General Manager, Section Manager, Section Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Oil, Transportation, Management, Strategy , Materials, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, banking, research, English, quality, warranty, equipment, charge, chief , Supervisor, audit, support, design, insurance, safe, business, representative, transportation, first 2nd, 3rd, 4th, 5th, 6th, 7th, 8th, 9th, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church , Union, cult, commerce, nationwide, branch, contact, assembly, life, consumption, promotion, city hall, ward office, synthesis, modification, function, overview, composition, company, organization, association, deletion, document, deadline, valid, A character / character string that cannot appear in a general name, that is, a character / character string that is inappropriate as a name.

  The second determination means (determination means) 116 is based on the determination result by the telephone number determination means 1130a, the e-mail address determination means 1130b and the address determination means 1130c in the first determination means 1130 and the verification determination result by the verification means 1150. It is determined whether or not the determination target file is a personal information file.

More specifically, the second determination unit 1160 receives notification of determination results from the telephone number determination unit 1130a, the e-mail address determination unit 1130b, and the address determination unit 1130c. The number of character sections deemed to be applicable is counted and the collation determination result from the collation means 1150 is received, and the collation means 11
The character section determined not to include an inappropriate character / unsuitable character string by 50 is regarded as corresponding to the name, and the number is counted.

  Then, the second determination means 1160 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, e-mail address, address, and name. A determination value that increases as these count values increase is calculated. For example, the second determination unit 1160 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 1160 determines whether the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 1160 further assigns a Pr mark (private level mark) according to the size of the determination value to the determination target file and sets it in the Pr mark table 1110d. Register and rank. As described above, the Pr mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the Pr mark is set.

  For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “Pr1” is assigned as the Pr mark, and when the determination value is 100 or more and less than 1000, “Pr2” is assigned as the Pr mark. When it is 1000 or more and less than 10,000, “Pr3” is assigned as the Pr mark, and when the determination value is 10000 or more, “Pr4” is assigned as the Pr mark. The predetermined threshold for determining the personal information file and the reference value for determining the Pr mark are set as appropriate from the management server 20 (a management console 24 described later). Here, the Pr mark is ranked into four “Pr1” to “Pr4”, but the number of ranks is not limited to this.

  The above is the general ranking of the Pr mark, but it can also be handled as follows. For example, character strings such as disease name (medical history), hospital name (visit history, hospitalization history), drug name (medicine history), annual income, occupation, criminal record (crime history) appear in general sentences regardless of personal information. However, if it is related to personal information such as an address, name, telephone number, or email address, it is considered that the personal information is not desired to be known to others. Must be set.

  In other words, disease name (medical history), hospital name (visiting history, hospitalization history), drug name (medicine history), annual income, occupation, criminal history (crime history), character strings, address, name, phone number, e-mail address, etc. If the personal information is associated as a character string, the Pr mark calculated by setting a particularly large weighting coefficient is assigned to the determination target file, set and registered in the Pr mark table 1110d, and ranked. Do.

  In addition, when it is determined that the electronic file is a personal information file as described above, the personal information of the electronic file is stored in the Pr mark table 1110d as a storage unit in a state associated with the above-described Pr mark information. (Corresponding to the address in the electronic file) is stored.

In accordance with the Pr mark (Pr mark table 1110d) assigned to the determination target file as described above, the electronic file writing or transmission restriction based on the presence or absence of the personal information is executed.

For example,
In Pr1, the corresponding electronic file is encrypted and written or transmitted, and when the management conditions described above are satisfied, a password necessary for decryption is transmitted from the management server side.
In Pr2, writing or transmission of the corresponding electronic file is stopped.
In Pr3, the transmission destination is changed to the management server when the corresponding electronic file is written or transmitted.
When Pr4 exists, the user terminal is prohibited from writing or transmitting including all electronic files not corresponding to Pr4, and the corresponding electronic file is deleted from the user terminal.
It is possible to limit the writing or sending of electronic files in stages.

  Here, in addition to imposing restrictions on writing or transmission in accordance with the Pr mark in this way, restrictions on writing or transmission are made depending on the sum or product of the safety evaluation level and the rank of the personal information Pr. It is also possible to change the contents of.

[B3-3] Other functional configuration of the management server:
In the above description, the user terminal 10 executes the electronic file writing or transmission restriction according to the degree of safety or the presence / absence of personal information, but the management server 20 manages the presence / absence of this personal information. May be.

FIG. 13 is a block diagram showing the functional configuration of the management server 20 of the second embodiment when managing the presence or absence of personal information on the management server side. As shown in FIG. 13, the management server of the second embodiment Reference numeral 20 denotes a CPU 20a that executes various processes, and a database (RDB: Relational DataBase) 20 that stores and saves log information, personal information files, and the like from each user terminal 10.
b and a display unit 20c for displaying various information including log information and personal information stored in the database 20b.

  The CPU 20a includes client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information management means 208, display control means 209. These functions are realized by the CPU 20a executing a personal information management server program (including a personal information search program).

  The client information collection unit 201 sets the network and transmission / reception unit 210 when starting the search and management of the personal information file, such as when the management system 1 is started up or when a new user terminal 10 is connected to the network. Client information (host information) is collected from user terminals 10 that are communicably connected to each other, and the user terminal 10 that is the object of searching and managing personal information files is recognized. At this time, information on whether or not each user terminal 10 requests installation of the personal information search program described above (whether or not the personal information search program is desired to reside) is also collected.

  The installation unit 202 installs the personal information search program described above on the user terminal 10 connected to the network via the network and the transmission / reception unit 210 in response to a request from the user of the user terminal 10. Is.

The user terminal 10 in which the personal information search program is installed by the installation means 202 becomes the user terminal 10 (personal information search program resident terminal), and the user terminal 10 in which the personal information search program is not installed is the user terminal 10. (Personal information exploration program non-resident terminal).

  The collection unit 203 receives and collects the personal information file search results (link information, determination value, Pr mark, etc. of the personal information file) executed by the user terminal 10 via the network and the transmission / reception unit 210, In addition to fulfilling the function of storing in the database 20b, in order to search for the personal information file in the user terminal 10, a function of sucking up all files in the user terminal 10 via the network and transmission / reception means 210 at the time of the first search, A function of sucking up a difference file (described later) in the user terminal 10 via the network and the transmission / reception means 210 at the time of periodic exploration after the first exploration, or the latest file information at the user terminal 10 at the time of the first exploration or periodic exploration. (To be described later) via network and transmission / reception means 210 Gel functions are also intended to fulfill.

  The second personal information search means 204 searches the personal information file in the user terminal 10 via the network by executing the above-described personal information search program by the CPU 20a. In the second embodiment, the second personal information search means 204 is a collection means. The file sucked from the user terminal 10 is determined as a determination target, and it is determined whether or not the file is a personal information file.

  This second personal information search means 204 also functions as a text extraction engine that converts the determination target file into a text file, as well as the personal information search means 1100 described above, and also includes a quarantine table 20b-1 (user terminal described above) in the database 20b. 10 is the same as the quarantine table 1110c in FIG. 10) and functions as a search engine for searching for a personal information file from data in the storage unit 1110b of the user terminal 10. That is, the second personal information searching unit 204 searches for a personal information file by referring to various electronic files existing in the storage unit 1110b of the user terminal 10 according to the quarantine table 20b-1, and is a personal information file. The determined electronic file is written in a log. In the second embodiment, the Pr mark determined based on the determination result (determination value) obtained by the second personal information exploration means 204 is the Pr mark table 20b-2 in the database 20b (the above-mentioned user). The same as the Pr mark table 1110d in the terminal 10).

  The second personal information searching unit 204 has the same functional configuration as the personal information searching unit 1100 shown in FIG. 12, but in the second personal information searching unit 204, the extracting unit 1110 includes a storage unit 1110b. Instead, the collection means 203 is connected, and the quarantine table 20b-1 and the Pr mark table 20b-2 are used instead of the quarantine table 1110c and the Pr mark table 1110d. In addition, a transmission / reception unit 210 is connected to the second determination unit 1160 instead of the transmission / reception unit, and the determination result by the second personal information search unit 204 is notified to the user terminal 10.

  Then, the determination result notified to the user terminal 10 as described above and the data of the location corresponding to the personal information of the electronic file (address in the electronic file) are stored in the storage unit such as the storage unit 1110b. Is done.

  Here, in the database 20b of the management server 20, the same quarantine table 20b-1 as the quarantine table 1110c to be provided to the user terminal 10, the determination result (Pr mark) by the personal information exploration means 1100 of the user terminal 10, and A Pr mark table 20b-2 for holding a determination result (Pr mark) by the second personal information searching unit 204 and an electronic file information storage unit 20b-3 to be described later are provided.

  The file information storage means 20b-3 uses the second personal information exploration means 204 to store the latest file information that has been sucked up from the user terminal 10 by the collecting means 203 at the time of the first exploration or periodic exploration. The information is stored as information on the electronic file in the user terminal 10 at the time of the search. Here, as described above, the file information is information on all files in the user terminal 10 (storage unit 1110b), specifically, file creation / update date / time, file size, and file name.

  The difference extraction unit 205 performs the latest search on the electronic file (latest file information) in the user terminal 10 and the information stored in the file information storage unit 20b-3 (finally searches the personal information file at the time of the periodic search). And the electronic file added / changed between the time when the personal information file was last searched and the current time as a difference file, the network, transmission / reception means 410 and collection The information is periodically extracted from the user terminal 10 via the means 203.

  The second control means 206 sends the user to the second personal information exploration means 204 first (when the management system 1 is started up / when the user terminal 10 is newly connected) in the procedure described later with reference to FIG. The personal information file search is executed only once for all data in the storage unit 1110b of the terminal 10, and then the personal information search program is started whenever the periodic search timing is reached. The second personal information exploration means 204 is caused to execute a periodic exploration for determining whether or not the difference file extracted by the above is a personal information file.

  The management console 207 sets and manages personal information file determination conditions (the quarantine tables 1110c and 20b-1, the predetermined threshold necessary for determining the personal information file and the Pr mark, etc.). In the quarantine tables 1110c and 20b-1, the above-described telephone number determination conditions, e-mail address determination conditions, address determination conditions, character determination conditions (the predetermined range) and inappropriate characters / unsuitable character strings are set.

  The personal information management means 208 manages personal information files in each user terminal 10 based on the search results collected by the collection means 203 and stored in the database 20b. An electronic file determined to be a file (an electronic file with a Pr mark; hereinafter referred to as a personal information file) is a management target.

  This personal information management means 208 gives attention information to the user (holder) of the personal information file according to the judgment value (or Pr mark) of the personal information file registered in the Pr mark table 20b-2 of the database 20b. / Notify warning information, forcibly capture and collect personal information files from the user terminal 10 storing the personal information file, or output the personal information file from the user terminal 10 to the outside The personal information file is stored in a folder (not shown) accessible only to the administrator, or the file access management server 30 manages access to the personal information file. is there.

For example, when the rank of the Pr mark is “Pr1”, the warning information is not recommended, but the presence of the personal information file “Pr1” is recorded as a log. When the rank of the Pr mark is “Pr2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. If the rank of the Pr mark is “Pr3”, the system administrator is notified by e-mail as warning information that there is a user storing the personal information file, and the personal information file is returned. To the user. When the rank of the Pr mark is “Pr4”, the personal information file is forcibly captured and collected from the user terminal 10 or the personal information file is forcibly output from the user terminal 10 to the outside. It is prohibited, the personal information file is stored in a folder accessible only by the administrator, or the file access management server 30 manages the access to the personal information file. Even if the Pr mark rank is not “Pr4”, if the personal information file “Pr3” is left for a predetermined number of days, the rank of the Pr mark is “Pr4” for the personal information file. You may make it perform the treatment similar to the case.

  Further, the personal information management means 208 has a function for searching the personal information file stored in each user terminal 10 or the database 20b with various accuracy, and causes the display control means 26 to display the search result on the display unit 20c. It has a function.

  The display control unit 209 controls the display state of the display unit 20c so that various types of information are displayed on the display unit 20c. The transmission / reception unit 210 transmits various types of information to and from each user terminal 10 via the network. Send and receive.

  The digital signature unit 211 gives a digital signature to the personal information file searched by the personal information search unit 1100 or the second personal information search unit 204. Here, the digital signature is encrypted signature information attached to guarantee the authenticity of the digital document, and proves the creator of the digital document (here, the personal information file) by applying public key cryptography. And that the document has not been tampered with. The signer (administrator on the management server 20 side) adds a signature encrypted using his / her private key to the digital document and sends it. The recipient (the user on the user terminal 10 side) decrypts the signature using the signer's public key and confirms whether the content is correct. As a result, it can be used not only to prevent forgery by a third party but also to prove that the signer has created the digital document.

  Note that the personal information file of the user terminal 10 is transmitted from the user terminal 10 to the management server 20 via the network, is given a digital signature by the digital signature means 211, and is returned to the user terminal 10 to be digital. The original personal information file to which no signature is assigned is deleted. Further, the personal information file of the user terminal 10 is returned to the user terminal 10 after being given a digital signature by the digital signature means 211 after determination on the management server 20 side, and is an original individual to which no digital signature is given. The information file will be deleted.

  FIG. 14 is a block diagram showing a functional configuration of the file access management server 30 according to the second embodiment. As shown in FIG. 13, the file access management server 30 according to the second embodiment includes, for example, a management server 20 (personal information). A personal information file (a personal information file whose Pr mark rank is “Pr4”) designated by the management means 208) is to be managed, a CPU 30a that executes various processes, an encryption key, a decryption key, and the like as will be described later. And a storage unit 30b for storing the. In this example, the personal information file whose Pr mark rank is “Pr4” is a management target. However, regardless of the Pr mark rank, all of the personal information search means 11 and 204 determined to be personal information files. The electronic file may be managed by the file access management server 30.

The CPU 30a functions as a transmission / reception unit 31, a conversion unit 32, an encryption unit 33, and a determination unit 34, which will be described later. These functions are realized by the CPU 30a executing a program for a file access management server. Is done. Further, as will be described later, the storage unit 30b has an encryption key for encrypting the personal information file, a decryption key for decrypting the encrypted personal information file, and an access to the encrypted personal information file. Stores authority (to be described later) and user ID / password of a pre-registered user [registrant (employee) who is permitted to view encrypted files], and is configured by a hard disk or RAM, for example. .

  The transmission / reception means 31 is realized by a communication function originally possessed by the file access management server 30, and includes a personal information file reception means 31a, an encrypted file transmission means 31b, an authentication information reception means 31c and a decryption which will be described later. It functions as the key transmission means 31d.

The personal information file receiving means 31 a receives a personal information file to be managed from the management server 20 via the network 30.
The conversion unit 32 converts the personal information file to be managed received by the personal information file receiving unit 31a into a completed document file such as a PDF (Portable Document Format) file that is difficult to falsify. The conversion means 32 is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF, and a PDF file as a completed document file is generated.

The encryption unit 33 encrypts the PDF file obtained by the conversion unit 32 using a predetermined encryption key.
The encrypted file transmission unit 31b transmits a file encrypted (keyed) by the encryption unit 33 (hereinafter referred to as an encrypted file) to the management server 20 via the network.

  When managing by the file access management server 30, various access authorities (permissions such as browsing, writing or sending, copying, etc.) for each encrypted file are set according to policy settings when encryption is performed by the encryption unit 33 as described above. Is set for each user and each encrypted file. At that time, one type of policy is set in order to simplify the system operation, and the access right at each user terminal 10 for all encrypted files is set by the policy setting [for example, in-house where the present system 1 is installed. As the access authority of all employees / all users (all registered persons registered in the file access management server 30), only the viewing authority is set / granted automatically (forced), and access other than browsing, for example, documents It may be possible to prevent access such as output or transmission, copying, saving as another name, and screen capture (screen shot).

  The authentication information receiving unit 31c receives the authentication information transmitted from the user terminal 10 or the management server 20 via the network when the user terminal 10 or the management server 20 accesses the encrypted file. Here, the authentication information indicates that the user terminal 10 or the management server 20 who is trying to open the encrypted file is a file access management that the encrypted file is a valid transmission destination (user / registrant). This information is necessary for determination / authentication by the server 30 and includes a user ID and a password registered in advance in the file access management server 30 (storage unit 30b) for the user of the service by the file access management server 30. . These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  Based on the authentication information received by the authentication information receiving unit 31c, the determining unit 34 determines whether or not the user terminal 10 / management server 20 that has transmitted the authentication information is a valid transmission destination of the encrypted file. In practice, it is determined whether or not the user ID and password input by the user match the user ID and password registered and stored in the storage unit 30b of the file access management server 30 in advance. Thus, it is determined and authenticated whether or not the user is a valid registrant.

  The decryption key transmission means 31d reads the decryption key for decrypting the encrypted file from the storage unit 30b when the determination means 34 authenticates that the user is a valid registrant, and reads the user terminal 10 Alternatively, it is transmitted to the management server 20 via the network.

  When receiving the decryption key from the file access management server 30, the user terminal 10 or the management server 20 decrypts the encrypted file using the decryption key and restores the original personal information file. The personal information file is accessed (for example, browsed) according to the given access authority.

[B3-4] Personal information management operation of the second embodiment:
Next, with reference to FIG. 15 and subsequent figures, the personal information handling operation when writing or sending is restricted in the second embodiment configured as described above will be described.

[B3-4-1] Operation of personal information exploration means:
In the personal information search means 1100 and 204 of the second embodiment, the appearance frequency of the telephone number, e-mail address, address and name is digitized as follows to specify and search the personal information file. At that time, if the character section cut out by the cutting means 1120 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot be seen in the personal information in the character section cut out by the cutting means 1120 while being excluded because it is regarded as not corresponding to the personal information element (name in the second embodiment). If the preset inappropriate character / unsuitable character string is not included, the character section is regarded as corresponding to the personal information element forming the personal information, that is, the personal information element is regarded as appearing. It is done, and the number of appearances is counted up.

  A series of procedures of the first personal information file search operation executed by the personal information search means 1100 and 204 (personal information search program) described above in the user terminal 10 or the management server 20 of the second embodiment is shown in FIG. 15 will be described in accordance with the flowchart shown in FIG. 15 (steps S1802 to S1818).

  When constructing the management system 1 of the second embodiment, first, a personal information management server program is installed in a computer that should function as the management server 20, and the computer executes the personal information management server program. It fulfills the function as the management server 20. When the search / management of the personal information file is started, the management server 20 installs the personal information search program via the network to the user terminal 10 that wishes to reside in the personal information search program. By executing the personal information search program installed in this way by the processing unit (CPU) 110 of the user terminal 10, the processing unit (CPU) 110 causes the personal information search unit 1100, the detection unit 1200, and the first control unit 1300. , Access monitoring means 1400, transmission / reception means 1500, and transmission request monitoring means 1600. When the personal information search program is installed, the quarantine table 1110c is also transmitted. The personal information search program is included in advance in the personal information management server program. The personal information search program is installed in the user terminal 10 and the personal information search program is executed by the management server 20. Thus, the CPU 20a of the management server 20 fulfills the function as the second personal information search means.

FIG. 15 shows the first time executed by the personal information search means 1100 in the user terminal 10 when the management system 1 is started up / when the personal information search program is installed / when the user terminal 10 is newly connected. First personal information file executed by the second personal information searching means in the management server 20 when the personal information file is searched or when the management system 1 is started up or when the user terminal 10 is newly connected. The procedure of the exploration operation is shown.

  An electronic file that is not yet a determination target is selected and read out from all the data of the user terminal 10 as a determination target file (step S1802), and extraction means (text extraction engine) is selected from the determination target file. ) 111 extracts text data (step S1803).

  From the extracted text, the character section delimited by the delimiter described above is extracted by the extraction means 1120, and sequentially written in a buffer (not shown) as a determination target / collation target (step S1804). When cutting out a character section, as described above, the cutting means 1120 removes symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, and parenthesis symbols, from the character section. .

  Whether or not the character string (hereinafter simply referred to as character string) in the character section from which the symbol character has been removed by the cutting means 1120 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination unit 1130a, the e-mail address determination unit 1130b, and the address determination unit 1130c (steps S1805, S1807, S1809).

  First, the telephone number determination unit 1130a determines whether or not the character string corresponds to a telephone number (step S1805). At this time, if the character string satisfies the telephone number determination condition set in the quarantine table 1110c, that is, if the character string includes 9 to 15-digit numbers, the character string is converted into a telephone number. (YES route of step S1805), the fact is notified to the second determination means 1160, and the second determination means 1160 counts up the count value corresponding to the number of appearances of the telephone number by one. Then (step S1806), the process proceeds to step S1814.

  If it is determined that the character string does not correspond to a telephone number (NO route in step S1805), the e-mail address determination unit 1130b determines whether the character string corresponds to a telephone mail address (step S1807). ). At this time, if the character string satisfies the e-mail address determination condition set in the quarantine table 1110c, that is, “one or more ASCII” + “@” + “one or more ASCII” + If the character string “.” + “ASCII of one or more characters” is included, it is determined that the character string corresponds to the e-mail address (YES route of step S1807), and that is the second determination means. 1160 is notified, and in the second determination means 1160, the count value corresponding to the number of appearances of the e-mail address is incremented by 1 (step S1808), and the process proceeds to step S1814.

  If it is determined that the character string does not correspond to an e-mail address (NO route of step S1807), the address determination unit 1130c determines whether the character string corresponds to an address (location) (step S1809). ). At this time, if the character string satisfies the address determination condition set in the quarantine table 1110c, that is, “one or more double-byte characters” + “city” or “city” or “county” + If a character string that is “one or more double-byte characters” is included, it is determined that the character string corresponds to an address (YES route of step S1809), and that is notified to the second determination means 1160, In the second determination means 1160, the count value corresponding to the number of appearances of the address (residence) is incremented by 1 (step S1810), and the process proceeds to step S1814.

When it is determined that the character string does not correspond to an address (NO route in step S1809)
That is, when the first determination unit 1130 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address, the character determination unit 1140 sets the character string in the quarantine table 1110c. It is determined whether or not the character determination condition (the number of characters is 1 or more and 6 or less and all characters are kanji) is satisfied (step S1811). When this character determination condition is not satisfied (NO route in step S1811), the process proceeds to step S1814.

  On the other hand, if this character determination condition is satisfied (YES route in step S1811), the collation means 1150 determines whether the character / character string included in the character section (character string) and the name set in the quarantine table 1110c are incorrect. The appropriate character / unsuitable character string is collated, and it is determined whether or not the character section includes the inappropriate character / unsuitable character string (step S1812). If at least one character / character string that matches the inappropriate character / inappropriate character string exists in the character section (YES route in step S1812), matching with the inappropriate character / inappropriate character string at that time The process ends immediately, and the process proceeds to step S1814.

  If the character section does not include inappropriate characters / unsuitable character strings (NO route in step S1812), the collation determination result is notified to the second determination unit 1160. In the second determination unit 1160, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S18130), and the process proceeds to step S1814.

  In step S1814, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character section (YES route), the process returns to step S1804, and the same processing as described above (steps S1804 to S1804). S18130) is repeatedly executed. When all the character sections are cut out from the text data in this way and the determination processing, collation processing, counting processing, etc. for all the character sections are finished (NO route in step S1814), the second determination means 1160 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S1815).

  Then, in the second determination means 1160, based on the determination value calculated in step S1815, as described above, it is determined whether or not the determination target file is a personal information file, and the Pr mark is ranked. (In the second embodiment, four of "Pr1" to "Pr4") are performed (step S1816).

  Thereafter, it is determined whether or not the personal information has been searched for all the electronic files in the user terminal 10 (step S1817). If there is still an unsearched electronic file (NO route of step S1817), step S1802 is performed. Returning to FIG. 6, the same processing as described above is executed. On the other hand, when the search is completed for all the electronic files (YES route in step S1817), the personal information file determination result and the Pr mark ranking result in step S1816 are: The data is registered in the Pr mark table 1110d or 20b-2, transmitted to the management server 20 via the transmission / reception unit 1500 and the network, and registered and stored in the database 20b by the collection unit 203 in the management server 20 (step S1818). Further, the determination result of the user terminal 10 is registered and stored in the database 20b from the second personal information searching means on the management server 20 side (step S1818). After completing the process in step S1818, the personal information file search operation is terminated.

[B3-4-2] Operation of user terminal 10:
Next, the operation of the user terminal 10 will be described. More specifically, here, a real-time search operation and an access monitoring operation executed by the user terminal 10 after the first search for the personal information file described above will be described with reference to FIG.

  In the user terminal 10, the detection unit 1200 monitors changes to an electronic file already stored in the storage unit 1110b and addition of a new electronic file to the storage unit 1110b, and detects addition / change of the file. Each time, the personal information search program is immediately started by the first control unit 1300, and the personal information search unit 1100 determines the added / changed electronic file as a determination target file in steps S1803 to S1816 in FIG. Execute the process. Thereby, a real-time search for determining whether the added / changed electronic file is a personal information file is executed, and the determination result is notified to the management server 20.

  In the user terminal 10, the access monitoring unit 1400 monitors a personal information file (that is, an electronic file provided with a Pr mark / an electronic file determined to be a personal information file by the personal information searching unit 1100). When access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs, the fact is written as log information, and the management server 20 via the transmission / reception means 1500 and the network. Is registered and stored in the database 20b by the collection means 203 in the management server 20.

  In the user terminal 10, if there is a management condition violation, the transmission request monitoring unit 1600 uses the personal information file (that is, the electronic file / principal information search unit 1100 to which the Pr mark has been added) If the access to the personal information file is a write or transmission request, the presence or absence of the Pr mark is checked.

  If the Pr mark is given to the electronic file, the transmission control unit 1800 that has received an instruction from the transmission request monitoring unit 1600 writes the electronic file in a predetermined restriction state defined in the transmission restriction agent file or the like. Perform transmission.

  That is, when the electronic file is written or transmitted, if the personal information file exists, it is encrypted and written or transmitted, the writing or transmission is stopped, and the transmission destination is changed to the management server when writing or transmitting. Control is performed so as to execute predetermined restrictions such as writing or transmission prohibition including all electronic files not corresponding to Pr, deletion of the corresponding electronic files from the user terminal.

  If the Pr mark is not added to the electronic file, the transmission control unit 1800 that has received an instruction from the transmission request monitoring unit 1600 executes writing or transmission of the electronic file without restriction.

If the access to the personal information file is a display request (view request) to the display unit 1110e, the presence or absence of the Pr mark is similarly examined by the display control means.
Here, if the Pr mark is not given to the electronic file, the display control unit displays the electronic file on the display unit 1110e without restriction.

  If the Pr mark is given to the electronic file, the display control means determines whether or not the position of the user terminal 10 acquired by the processing unit (CPU) 110 is a predetermined position (for example, in-house). judge. The location information of the user terminal 10 is obtained from GPS information from a GPS device (not shown), base station information obtained from a cellular phone device, IP information at the time of network connection obtained through the transmission / reception means 1500, and the like.

  Here, if the position of the user terminal 10 exists at a predetermined position (in-house or the like), the display control unit displays the electronic file on the display unit 1110e in an unrestricted state.

  If the position of the user terminal 10 does not exist at a predetermined position (in-house or the like), the display control unit displays the electronic file on the display unit 1110e in a restricted state.

  That is, when the personal information file is sent from the display control means to the display unit 1110e, the portion corresponding to the personal information in the personal information file is controlled to be invisible and displayed on the display unit 1110e.

  Here, the invisible state means that the character color is the same as the background color, the character surroundings are filled with the same color as the character color, a watermark that is difficult to see is added, or a certain meaningless character is replaced. Execute the process.

  For example, if the background color is transparent or white and the text color is black, the text color will be white, or the area around the text will be filled with black, or the text will be constant, such as a black circle Replace with the character.

  As a result, the personal information portion of the personal information file is not displayed on the display, and personal information is prevented from being leaked through the display medium. It is also possible to display the personal information part in a light color. Further, according to the rank of the Pr mark, for a high-level personal information file, display of the entire personal information file may be prohibited or may be displayed in an invisible state.

  It should be noted that when the above electronic file writing, transmission or display is restricted, it is not simply canceled, but a message file stating that it cannot be written, transmitted or displayed because it is a personal information file, You may make it display.

[B4] Effects of the second embodiment:
Thus, according to the management system 1 as the second embodiment of the present invention, each user terminal 10 has at least one management condition (for example, the items (1) to (5) or (1) to (5) described above). And (a)
After executing the electronic education on security including matters relating to (at least one of (g)) (for example, electronic education about security in general when using the internal system 1A of a company, etc.), each user Whether the environmental information in the terminal 10 is collected from each user terminal to the management server 20, and whether each user terminal 10 satisfies the management condition based on the collected environmental information in the management server 20 (determination means 26). A warning is issued to the user (administrator who violated the management condition) or the administrator of the user terminal 10 that has been determined whether or not the management condition is determined to be not satisfied by the warning means 27, and the user terminal 10 On the other hand, detailed electronic education on matters related to violation management conditions will be implemented. In other words, if there is a violation of management conditions after e-education for security in general, the violation is likely to be intentional by the user, and a warning about the violation is given to the user and administrator, Electronic education about violations will be implemented for users who are violators.

Accordingly, the warning raises the security awareness of the administrator, and the administrator can surely grasp the status of the system and secure and maintain a safe environment in the internal system 1A such as a company. In addition, a warning is given to the user (violator), and electronic education for ensuring security for the user (violator) can be performed in accordance with the actual situation of each user terminal 10, and It is possible to raise the security awareness of the user (violator) and further contribute to securing and maintaining a safe environment in the internal system 1A of the company. In other words, since it is possible to conduct electronic education for violations that are likely to have been intentionally performed by users after electronic education on security in general, thorough user education (employee education) This can be performed, and contributes to securing and maintaining a safe environment for the internal system 1A.

  Also, environmental information in each of the plurality of user terminals 11 (for example, environmental information in each of the plurality of user terminals 10 belonging to the internal system 1A such as a company) is collected from each user terminal 10 to the management server 20, In this management server 20, based on the collected environment information in each user terminal 10, the security level for a plurality of user terminals 10, that is, the security status of the internal system 11 in a company or the like is evaluated. Is notified to users and administrators.

  As a result, a service for evaluating the security status of the internal system 1A in a company or the like can be provided to the company or the like, and even if there is no system administrator, the manager or administrator can take security measures. Even without care, the security status of the internal system 1A and each terminal 10 can be grasped extremely accurately and easily, and the security awareness of managers, managers, and users is raised, and the internal system 1A such as a company is safe. The environment can be secured and maintained. In particular, the service provided by the management server 20 in this way is effective for small and medium-sized businesses that are not as conscious of security as large enterprises. By using this service, The manager can grasp the security status of his / her system 1A and conduct electronic education very easily and thoroughly.

  At this time, in the management server 20, as shown in FIG. 5, at least one management condition (for example, the above items (1) to (5) or (1) to (5) and (a ) To (g) based on the ratio P of the user terminals 10 satisfying, or based on the important management conditions set as in the second example shown in FIG. 7, the ratios P1 to P5 of the user terminals 10 that satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g) and the management conditions (1 ) To (5) or (1) to (5) and (a) to (g) based on the importance M1 to M5, the degree of safety of the plurality of user terminals 10 (evaluation target system 1A) is quantified. Can be evaluated.

  According to the first method shown in FIG. 5, for example, at least one of the management conditions of the items (1) to (5) or (1) to (5) and (a) to (g) is satisfied. If the percentage of user terminals is 100%, the highest evaluation is given, and a graded evaluation level (security level) corresponding to the percentage can be given to the evaluation target system 1A. In other words, the higher the number of user terminals 10 that satisfy the management conditions (1) to (5) or (1) to (5) and (a) to (g), the higher the numerical value obtained and the higher the evaluation level. It is possible to make an evaluation corresponding to the safety level for the evaluation target system 1A.

In addition, as in the second method shown in FIG. 6, the management condition of item (4) “having no dangerous software installed on the user terminal” is important for ensuring the safety of the internal system. Since it is extremely high, by setting it as an important management condition, if there is at least one user terminal 10 that does not satisfy the above item (4), that is, one user terminal 10 in which dangerous software is installed. However, by giving a low evaluation level to the evaluation target system 1A regardless of the ratio of other items, the safety level (security status, security level) of the evaluation target system 1A can be easily and reliably evaluated. be able to.

Further, as in the third method shown in FIG. 7, the evaluation value V that increases as the number (ratio) of the user terminals 10 that do not satisfy the management condition having a high importance Mi (i = 1 to 5) increases. By determining the evaluation level, a low evaluation level (security level) can be assigned to the system 1A in which the user terminal 10 that does not satisfy the management condition with high importance exists, and the evaluation according to the high safety level Can be given to the evaluation target system 1A.

In this case, it is possible to change the contents of writing or transmission restriction according to the evaluation level.
For example,
Evaluation level 5: Writing or sending electronic files without restrictions,
Evaluation level 4: The electronic file is encrypted and written or transmitted, and a password necessary for decryption is transmitted from the management server side when the above management conditions are satisfied.
Evaluation level 3: Writing or sending of an electronic file is stopped.
Evaluation level 2: When the electronic file is written or transmitted, the transmission destination is changed to the management server.
Evaluation level 1: Writing or transmission of an electronic file is prohibited, and the corresponding electronic file is deleted from the user terminal.
It is possible to limit the writing or sending of electronic files in stages.

  Here, in this case, it is possible to impose restrictions on writing or transmission of the personal information file. It is also possible to change the contents of the restriction of writing or transmission according to the sum or product of the evaluation level and the rank of the personal information Pr.

  If the electronic file is encrypted and written or transmitted, and the above management conditions are satisfied, the transmission restriction agent file accesses the management server, and the password required for decryption is received from the management server by the user. Sent to a terminal or electronic file destination.

  At this time, the environment information collection agent file is transmitted from the management server 20 to the plurality of user terminals 10, and the environment information collection agent file is executed in each user terminal 10, whereby the environment information in the user terminal 10 is managed by the management server. 20 can be collected. Therefore, the management server 20 creates an environment information collection agent file and transmits the environment information collection agent file to the plurality of user terminals 10 belonging to the evaluation target system 1A all at once. The environmental information in 10 can be collected very easily.

  Further, the first and second electronic education agent files and the electronic education agent file corresponding to the evaluation result are transmitted from the management server 20 to each user terminal 10, and these electronic education agent files are executed in each user terminal 10. Thus, in addition to electronic education about security in general and electronic education about violations, it is possible to cause the user of the user terminal 10 to execute electronic education according to the evaluation result. Therefore, the management server 20 simply transmits the first electronic education agent file and the electronic education agent file corresponding to the evaluation result to the plurality of user terminals 10 belonging to the evaluation target network 10, thereby simultaneously In addition to being able to execute electronic education on the security of the terminal 10 in general and electronic education according to the evaluation results, it is also possible to send a second electronic education agent file to the violator's user terminal 10 by simply sending it. Detailed electronic education on violations for violators can be carried out very easily. This makes it possible to thoroughly perform security user education (employee education) in the in-company system 1A.

The security level (degree of safety) of the plurality of user terminals 10 (evaluation target system 1A) is periodically evaluated based on the environmental information collected periodically, and the periodic evaluation results are obtained from a plurality of evaluation results. By notifying the user, administrator, etc. of the user terminal 10, the user, administrator, etc. can periodically grasp the security status of the in-company system 1A, and the in-company system 1A is safe. It will contribute to securing and maintaining the environment.

  In addition, by restricting the writing or transmission of electronic files at user terminals that are determined by the management server as not satisfying the management conditions, it is possible to effectively spread information by writing or transmitting from the violator's terminal. Is prevented. In this case, the user terminal that satisfies the management condition does not have any restriction on writing or transmission, so that there is no problem with the use of the user terminal.

  In addition, by changing the restrictions on the writing or sending of electronic files according to the degree of management conditions determined by the management server, the spread of information by writing or sending from the violator's terminal is appropriate, and Effectively prevented. In addition, since the user terminal that satisfies the management condition does not have a restriction on writing or sending, there is no problem with the use of the user terminal.

  Then, by restricting writing or sending (stopping writing or sending, or writing or sending without personal information) to the user terminal that executes the second electronic education , The spread of information by writing or sending from the terminal of the offender is effectively prevented. In addition, since there is no restriction on writing or transmission in a user terminal that has only received the first electronic education without receiving the second electronic education, there is no problem with the use of the user terminal.

  That is, in the user terminal receiving the second electronic education, when a command for writing or sending an electronic file is generated, the sending control means restricts writing or sending the personal information file (writing stop or send). (Cancel or write or send without personal information). Thereby, the personal information file is not written or transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented. Similarly, if it is determined that the electronic file is a personal information file, the sending control means restricts the writing or sending of the personal information file (writing stop or sending stop or (Excluding writing or sending) Thereby, the personal information file is not written or transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented.

  In addition, a management server is further provided, and the management server manages the writing or transmission request for the searched personal information file, so that the personal information is inadvertently leaked or leaked due to the writing or transmission of personal information or illegal personal information. It becomes possible to prevent the use etc. more reliably.

[B5] Others:
The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention.

  For example, in the above-described embodiment, the management server 20 is provided outside the company, and the external management server 20 provides the company system 1A with a service for performing security evaluation and electronic education of the company system 1A (security evaluation service). However, the present invention is not limited to this. The function as the management server 20 described above is provided in the in-house management server and the like, and this in-house management server is the in-house system 1A. In order to manage the in-company system 1A, not as a service for the above, the above-described in-company system 1A security evaluation and electronic education may be performed.

  The above-described environment information collection agent file transmission means 21, environment information reception means 22, evaluation means 23, evaluation result notification means 24, first electronic education control means 25, determination means 26, warning means 27, and second electronic education control means 28 Functions (all or some of the functions of each means) are realized by a computer (including a CPU, an information processing device, and various terminals) executing a predetermined application program (management program / security evaluation service providing program) Is done.

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the management program / security evaluation service providing program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the management program / security evaluation service providing program is stored in the above-described computer by the environment information collection agent file transmission means 21, environment information reception means 22, evaluation means 23, evaluation result notification means 24, first electronic Program codes for realizing the functions of the education control means 25, the determination means 26, the warning means 27, and the second electronic education control means 28 are included. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the second embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, a ROM cartridge, a magnetic tape, a punch card, an internal storage device of a computer ( It is also possible to use various computer-readable media, such as a memory such as a RAM or a ROM, an external storage device, or a written or transmitted material in which a code such as a barcode is written or transmitted.

[C] Third embodiment:
[C1] Configuration of the third embodiment:
FIG. 16 is a block diagram showing the configuration of the management system according to the third embodiment of the present invention. As shown in FIG. 16, the management system 1 of the third embodiment manages information in addition to a plurality of client terminals 10. The server 20 and the file access management server 30 are configured, and the terminal 10 and the servers 20 and 30 are connected via a network [for example, an in-house LAN (Local Area Network)] 40 so that they can communicate with each other.

  Each client terminal 10 is configured by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and has a functional configuration as described later with reference to FIGS. Have.

If the client terminal 10 is a portable terminal device such as a notebook type, it may be used not only inside the company but also outside the company.
The client terminal 10 is configured to be able to save various electronic files and various programs in storage means such as a hard disk device and a nonvolatile memory, and a personal information file described later exists as the electronic file. There is.

  The information management server 20 is connected to the plurality of client terminals 10 and the file access management server 30 via the network 40 so as to be able to communicate with each other, and manages personal information files in each client terminal 10, see FIG. However, it has a functional configuration as described later.

  In the third embodiment, the personal information file has a predetermined number or more records including personal information, and the personal information is information that can identify a specific individual by itself or in combination as described above. (Various personal information elements), for example, name, date of birth, contact information (address, address, telephone number, e-mail address), etc. In addition to these, personal information includes titles, basic resident register numbers, account numbers, credit card numbers, license numbers, passport numbers, and the like.

  The file access management server 30 is connected to the plurality of client terminals 10 and the information management server 20 via the network 40 so as to be able to communicate with each other, and manages access to an electronic file (a personal information file in the third embodiment). 21 has a functional configuration as described later with reference to FIG.

  In the third embodiment, as the plurality of client terminals 10, a first client terminal (personal information search program resident terminal (personal information search program resident terminal) (having a personal information search program (described later) resident) is provided. (Information management terminal)) 10A and a second client terminal (personal information search program non-resident terminal) 10B in which the personal information search program is not resident are mixed. The first client terminal 10A has a functional configuration as described later with reference to FIGS. 17 and 18, and the second client terminal 10B has a functional configuration as described later with reference to FIG. . In the following description, reference numerals 10A and 10B are used when the first client terminal and the second client terminal need to be specified, respectively, and reference numeral 10 is used when it is not necessary to specify them.

[C1-1] Functional configuration of the first client terminal of the third embodiment:
FIG. 17 is a block diagram showing a functional configuration of the first client terminal (personal information search program resident terminal) 10A of the third embodiment. As shown in FIG. 17, the first client terminal 10A of the third embodiment In addition to a CPU (Central Processin Unit) 10a that executes various processes and a storage unit 10b that can hold an electronic file including personal information, the quarantine table 10c provided from the information management server 20 and the storage unit 10b A P mark table 10d for holding a P mark (privacy level mark; a level indicating the high possibility of being a personal information file, a level determined by a determination value described later) of the electronic file to be held, a character or image A display unit 10e for performing display is provided. As will be described later, a personal information search program for causing the CPU 10a to function as first personal information search means 11 described later is installed from the information management server 20.

  Here, the storage unit 10b is a hard disk built in the client terminal 10A (10), a storage device connected to or externally attached to the client terminal 10A (10), such as a flexible disk, CD (CD-ROM, CD-R). , CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disk, optical disk, magneto-optical disk, IC card, ROM cartridge, magnetic tape, etc. This is a storage device using the recording medium. The quarantine table 10c and the P mark table 10d described above may be held in a RAM (Random Access Memory), a hard disk, or the like that constitutes the client terminal 10A, or may be held in the storage unit 10b.

  The CPU 10a functions as the first personal information search means 11, the detection means 12, the first control means 13, the access monitoring means 14, the print request monitoring means 16, the transmission / reception means 15, the print control means 18, and the display control means. is there. These functions are realized by the CPU 10a executing a personal information search program and a management program installed from the information management server 20 as described later.

  The first personal information search unit 11 executes a personal information search program installed from the information management server 20, thereby functioning as a text extraction engine that converts an electronic file stored in the storage unit 10b into a text file, and also a quarantine. It functions as a search engine for searching for a personal information file from data in the storage unit 10b using the table 10c. That is, the first personal information search unit 11 searches for the personal information file by referring to various electronic files existing in the storage unit 10b of the first client terminal 10A according to the condition (quarantine table 10c) instructed from the information management server 20. The electronic file determined to be a personal information file is written in a log (local cache database). In the third embodiment, the P mark determined based on the determination result (determination value) obtained by the first personal information searching means 11 is registered in the P mark table 10d. Details of the functional configuration of the first personal information searching means 11 will be described later with reference to FIG.

  The detection means 12 detects a change to an electronic file already stored in the storage unit 10b of the first client terminal 10A and a new electronic file added to the storage unit 10b.

  The first control means 13 makes the first personal information exploration means 11 first (at the time of starting the management system 1 / at the installation of the personal information exploration program / first client terminal 10A in the procedure described later with reference to FIG. The personal information file is searched only once for all data in the storage unit 10b of the first client terminal 10A at the time of new connection), and the electronic means is detected by the detection means 12 as described later with reference to FIG. Each time an addition / change of a file is detected, a personal information search program is started, and the first personal information search means 11 executes a real-time search to determine whether the added / changed electronic file is a personal information file. It is.

  The access monitoring unit 14 monitors an electronic file (electronic file given a P mark) that has been searched by the first personal information searching unit 11 and determined to be a personal information file, and accesses the electronic file (for example, renaming). , Data change due to copying, erasing, moving, etc.) is written as log information and notified to the information management server 20 through the transmission / reception means 15.

  The transmission / reception unit 15 transmits / receives various information to / from the information management server 20 (or the file access management server 30) via the network 40, and transmits the determination result by the first personal information search unit 11 to the information management server 20. It functions as a transmission means. When the transmission / reception unit 15 functions as the transmission unit, a difference between the determination result (link destination information and determination value of the personal information file) and the search result transmitted last time is obtained, and the difference is transmitted to the information management server 20. In addition, the information to be transmitted may be encrypted.

The print request monitoring unit 16 monitors an electronic file (an electronic file given a P mark) that has been searched by the first personal information searching unit 11 and determined to be a personal information file, and a print request as an access to the electronic file. If this occurs, the fact is written as log information and notified to the information management server 20 through the print control means 18 and the transmission / reception means 15.

  When it is determined that the electronic file is a personal information file, the print control unit 18 restricts transmission of the personal information file to the printer (cancel printing of the entire personal information file or cancel printing of the personal information file). Is.

  The display control unit 19 sends display data to the display unit 10e. When it is determined that the electronic file is a personal information file, the display control unit 19 sends the display data to the display unit 10e according to the position of the client terminal 10 or the like. It controls to limit the sending of display data.

  In the third embodiment, the print control unit 18 functions as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device (printer). Similarly, the display control unit 19 functions as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device (external display).

[C1-2] Functional configuration of the second client terminal of the third embodiment:
FIG. 18 is a block diagram showing the functional configuration of the second client terminal (personal information search program resident non-terminal) 10B of the third embodiment. As shown in FIG. 18, the second client terminal 10B of the third embodiment is also The second client terminal 10B has a personal information search program for causing the CPU 10a to function as the first personal information search means 11, although the CPU 10a and the storage unit 10b are the same as the first client terminal 10A. The CPU 10a of the second client terminal 10B is not installed, and functions as the access monitoring means 14, the print request monitoring means 16, the transmission / reception means 15, and the print control means 18 that are substantially the same as described above.

  This function is realized by executing a program installed in advance in the second client terminal 10B or a program installed from the information management server 20.

  As will be described later, the access monitoring means 14 of the second client terminal 10B is an electronic file (P mark) that has been searched by the second personal information searching means 204 (see FIG. 20) on the information management server 20 side and determined to be a personal information file. If an access to the electronic file (for example, data change due to rename, copy, erase, move, etc.) occurs, the fact is written as log information and information management is performed through the transmission / reception means 15 The server 20 is notified.

  The print request monitoring means 16 monitors an electronic file (electronic file given a P mark) that has been searched by the second personal information searching means 204 (see FIG. 20) and determined to be a personal information file. When a print request is made as an access to the information, the fact is written as log information and notified to the information management server 20 through the print control means 18 and the transmission / reception means 15.

  When it is determined that the electronic file is a personal information file, the print control unit 18 restricts transmission of the personal information file to the printer (cancel printing of the entire file or printing of the personal information portion). is there.

Here, information about the P mark, which is the determination result by the second personal information searching means 204 (see FIG. 20), is given to each electronic file as a flag, and the access monitoring means 14 and the print request monitoring means 16 set the flag. The personal information file (P mark) may be recognized by referring to the P mark table 1 similar to the first client terminal 10A.
0d may be provided in the second client terminal 10B so that the access monitoring unit 14 and the print request monitoring unit 16 can recognize the personal information file (P mark) by referring to the P mark table 10d.

  The transmission / reception means 15 of the second client terminal 10B transmits / receives various information to / from the information management server 20 (or the file access management server 30) via the network 40, similarly to the first client terminal 10A. As described above, in addition to performing the function of notifying the information management server 20 of the access log monitored by the access monitoring means 14, all files or files in the second client terminal 10 </ b> B in response to a request from the information management server 20 A later-described difference file is transmitted to the information management server 20, or the latest information on all files (for example, file creation / update date, file size, file name) in the second client terminal 10B (storage unit 10b) is filed. Extract from directory and send Function so that the plays.

  In the third embodiment, the print control unit 18 functions as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device (printer). Similarly, the display control unit 19 functions as a peripheral device operation control unit that controls writing or transmission of an electronic file to the peripheral device (external display).

[C1-3] Detailed functional configuration of the first personal information search means of the third embodiment:
FIG. 19 is a block diagram showing a detailed functional configuration of the first personal information search means 11 in the first client terminal 10A of the third embodiment. As shown in FIG. 19, the first personal information search means 11 of the third embodiment. Has functions as an extraction unit 111, a cutting unit 112, a first determination unit 113, a character determination unit 114, a collation unit 115, and a second determination unit 116. These functions are also described later by the CPU 10a. As described above, the personal information search program installed from the information management server 20 is executed.

The extraction unit 111 extracts text data [for example, CSV (Comma Separated Value) format data] of an electronic file (determination target file) in the storage unit 10b.
It functions as the text extraction engine.

  The cutout unit 112 cuts out character sections delimited by delimiters from the text data extracted by the extraction unit 111 and sequentially writes them in a buffer (not shown) as a determination target / collation target. Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed).

  Further, symbols other than alphanumeric characters, katakana, hiragana, and kanji characters, such as hyphens, underbars, and parenthesis symbols, are removed from the character section cut out by the cutting means 112. In the third embodiment, it is assumed that the cutting means 112 has a function of removing the symbol characters as described above.

  The first determination unit 113 uses a personal information element other than the name (specifically, in the third embodiment), the character string in the character section cut out by the cutting unit 112 and from which the symbol character has been removed (hereinafter simply referred to as a character string). In order to determine whether or not any one of a telephone number, an e-mail address, and an address), functions as a telephone number determination unit 113a, an e-mail address determination unit 113b, and an address determination unit 113c are provided. Yes. In the first determination unit 113 of the third embodiment, the character string determination process is performed in the order of the light load of the determination process, that is, in the order of the telephone number, the e-mail address, and the address.

  The telephone number determination means 113a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 10c, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 116, and ends the judgment processing by the 1st judgment means 113 with respect to the said character string. In the third embodiment, the telephone number determination condition is that a 9 to 15 digit number is included in the character string.

  The e-mail address determination unit 113b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 113a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 116. The determination process by the first determination unit 113 is terminated. In the third embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that the character string “(dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  The address determination unit 113c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 113b determines that the character string does not correspond to an e-mail address. If the character string satisfies the address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to an address, and the second determination means 116 is notified of this. In the third embodiment, the address determination condition includes a character string “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the arithmetic processing capability of the CPU 10a is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

  When the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address, the character determination unit 114 sets the character string in the quarantine table 10c. Specifically, it is determined whether the number of characters in the character string is within a predetermined range and whether all the characters in the character string are kanji. In the third embodiment, as described above, the character determination condition is that the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. The range is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  The collating unit 115 is a character section determined by the first determining unit 113 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 114 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the result of the verification determination is notified to the second determination means 116.

Here, the inappropriate character / unsuitable character string is preset in the quarantine table 10c. For example, Tokyo, Osaka, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture, university ,
Gakuin, TSE, Research, Administration, General Affairs, Accounting, Sales, General Management, Pharmaceutical, Sales, School, Education, Specialty, Architecture, Machine, Corporation, Factory, Manufacturing, Technology, Commerce, Books, Unknown, Deputy Director, Public, Publication, Advertising, Broadcasting, Target, Wholesale, Retail, Planning, Human Resources, Information, Department, President, Regulatory, General Manager, Section Manager, General Manager, Director, Head Office, Branch Office, Business, Business, Education, Precision, Oil, Transportation, Management, Strategy, Material, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, bank, research, English, quality, warranty, equipment, charge, chief, Director, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, 8th, 9th, Special Sales, Facility, Name , Postal, name, name, city hall, affiliation, feature, kindergarten, Christian, association, church, union, cult, commerce, nationwide, branch, contact Characters / character strings that cannot appear in general names such as parliament, life, consumption, promotion, city hall, ward office, general, modification, function, overview, composition, company, organization, association, deletion, document, deadline, validity That is, it is a character / character string that is inappropriate as a name.

  The second determination unit (determination unit) 116 is based on the determination result by the telephone number determination unit 113a, the e-mail address determination unit 113b and the address determination unit 113c in the first determination unit 113 and the collation determination result by the collation unit 115. It is determined whether or not the determination target file is a personal information file.

  More specifically, the second determination means 116 receives notification of the determination results from the telephone number determination means 113a, the e-mail address determination means 113b, and the address determination means 113c, and sets each of the telephone number, e-mail address, and address. Counts the number of character sections considered to be applicable, and receives the collation determination result from the collating means 115, and the character section determined by the collating means 115 as not including an inappropriate character / inappropriate character string as the name Count the number.

  Then, the second determination means 116 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, e-mail address, address, and name. A determination value that increases as these count values increase is calculated. For example, the second determination means 116 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 116 determines whether or not the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 116 further assigns a P mark (private level mark) according to the size of the determination value to the determination target file and sets it in the P mark table 10d. Register and rank. As described above, the P mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark. The predetermined threshold for determining the personal information file and the reference value for determining the P mark are set as appropriate from the information management server 20 (a management console 24 described later). In addition, although the P mark is ranked into four “P1” to “P4” here, the number of ranks is not limited to this.

  Although the above is general ranking of the P mark, it can also be handled as follows. For example, character strings such as disease name (medical history), hospital name (visit history, hospitalization history), drug name (medicine history), annual income, occupation, criminal record (crime history) appear in general sentences regardless of personal information. However, if it is related to personal information such as an address, name, phone number, or email address, the personal information that you do not want to be known to others is considered a particularly high P mark level. Must be set.

  In other words, disease name (medical history), hospital name (visiting history, hospitalization history), drug name (medicine history), annual income, occupation, criminal history (crime history), character strings, address, name, phone number, e-mail address, etc. If there is a character string associated with the personal information, the P mark calculated by setting a particularly large weighting coefficient is assigned to the determination target file, set and registered in the P mark table 10d, and ranked. Do.

  The P mark (P mark table 10d) given to the determination target file as described above is transmitted to the information management server 20 via the transmission / reception means 15 and the network 40, and as will be described later with reference to FIG. 23 is stored in the database 20b. An electronic file (determination target file / personal information file) to which the P mark is assigned will be described later as a personal information file by the information management server 20 (personal information management means 208 described later) according to the rank of the P mark. It is managed like this.

  In addition, when it is determined that the electronic file is a personal information file as described above, the personal information of the electronic file is stored in the P mark table 10d serving as a storage unit in a state associated with the P mark information described above. (Corresponding to the address in the electronic file) is stored.

[C1-4] Functional configuration of the personal information management server of the third embodiment:
FIG. 20 is a block diagram showing a functional configuration of the information management server 20 according to the third embodiment. As shown in FIG. 20, the information management server 20 according to the third embodiment includes a CPU 20a that executes various processes and each client. A database (RDB: Relational DataBase) 20b for storing / saving log information and personal information files from the terminal 10, and a display unit 20c for displaying various information including log information and personal information stored in the database 20b. It is composed.

  The CPU 20a includes client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information management means 208, display control means 209. These functions are realized by the CPU 20a executing a personal information management server program (including a personal information search program).

  The client information collecting unit 201 starts the search and management of the personal information file when the management system 1 is started up or when a new client terminal 10 is connected to the network 40. The client information (host information) is collected from the client terminals 10 that are communicably connected via the network, and the client terminal 10 to be searched and managed for the personal information file is recognized. At this time, information on whether or not each client terminal 10 requests installation of the personal information search program described above (whether or not the personal information search program is desired to reside) is also collected.

The installation unit 202 is connected to the client terminal 10 (1
0B), the above-described personal information search program is installed via the network 40 and the transmission / reception means 210 in response to a request from the user of the client terminal 10 (10B). The client terminal 10 in which the personal information search program is installed by the installation means 202 becomes the first client terminal (personal information search program resident terminal) 10A, and the client terminal 10 in which the personal information search program is not installed is the second client terminal ( Personal information exploration program non-resident terminal) 10B.

  The collection unit 203 receives and collects the personal information file search result (link information, determination value, P mark, etc. of the personal information file) executed by the first client terminal 10A via the network 40 and the transmission / reception unit 210. In addition to performing the function of storing in the database 20b, in order to search for the personal information file in the second client terminal 10B, all files in the second client terminal 10B are transferred via the network 40 and the transmission / reception means 210 at the time of the first search. In the function of sucking up the difference file (described later) in the second client terminal 10B via the network 40 and the transmission / reception means 210 in the periodic search after the initial search or in the periodic search after the initial search, The latest in the client terminal 10B The Airu information (described later), a function to suck via the network 40 and the transmitting and receiving unit 210 also fulfills.

  The second personal information search means 204 searches the personal information file in the second client terminal 10B via the network 40 by executing the above-described personal information search program by the CPU 20a. In the third embodiment, The file sucked from the second client terminal 10B by the collection unit 203 is set as a determination target, and it is determined whether or not the file is a personal information file.

  The second personal information search unit 204 also functions as a text extraction engine that converts the determination target file into a text file, as well as the first personal information search unit 11 described above, and a quarantine table 20b-1 in the database 20b (the above-mentioned first personal information search unit 204). The same as the quarantine table 10c in the client terminal 10A) functions as a search engine that searches for a personal information file from data in the storage unit 10b of the second client terminal 10B. That is, the second personal information searching unit 204 searches for a personal information file by referring to various electronic files existing in the storage unit 10b of the second client terminal 10B according to the quarantine table 20b-1, and is a personal information file. The electronic file determined to be written to the log. In the third embodiment, the P mark determined based on the determination result (determination value) obtained by the second personal information exploration means 204 is the P mark table 20b-2 in the database 20b (the above-mentioned first mark). The same as the P mark table 10d in the client terminal 10A).

  The second personal information searching unit 204 has the same functional configuration as the first personal information searching unit 11 shown in FIG. 19, but in the second personal information searching unit 204, the extracting unit 111 includes a storage unit. The collecting means 203 is connected instead of 10b, and the quarantine table 20b-1 and P mark table 20b-2 are used instead of the quarantine table 10c and P mark table 10d. In addition, the transmission / reception unit 210 is connected to the second determination unit 116 instead of the transmission / reception unit 15, and the determination result by the second personal information search unit 204 is notified to the second client terminal 10B.

  Then, the determination result notified to the second client terminal 10B as described above and the data of the location (address in the electronic file) corresponding to the personal information of the electronic file are stored in the storage means such as the storage unit 10b. Remembered.

  Here, in the database 20b of the information management server 20, the same quarantine table 20b-1 as the quarantine table 10c to be provided to the first client terminal 10A and the determination result by the first personal information exploration means 11 of the first client terminal 10 ( A P mark table 20b-2 for holding a (P mark) and a determination result (P mark) by the second personal information searching means 204, and an electronic file information storing means 20b-3 to be described later are provided.

  The file information storage unit 20b-3 stores the latest file information sucked from the second client terminal 10B by the collecting unit 203 at the time of the first search or the periodic search, and finally stores the personal information file by the second personal information search unit 204. The information is stored as information on the electronic file in the second client terminal 10B at the time when the periodic search is performed. Here, as described above, the file information is information regarding all files in the second client terminal 10B (storage unit 10b), specifically, file creation / update date and time, file size, and file name.

  The difference extraction unit 205 performs the periodic search for the latest information (latest file information) regarding the electronic file in the second client terminal 10B and the information stored in the file information storage unit 20b-3 (finally the personal information file is periodically searched). The electronic file added / changed between the time when the personal information file was last searched and the current time as a difference file, and the network 40 and transmission / reception means 410 And periodically extracted from the second client terminal 10B via the collecting means 203.

  The second control means 206 sends the second personal information search means 204 first (when the management system 1 is started up / when the second client terminal 10B is newly connected) in the procedure described later with reference to FIG. As will be described later with reference to FIG. 25, the personal information search program is executed every time the personal information file is searched once for all data in the storage unit 10b of the two client terminals 10B. The second personal information exploration means 204 is started to perform periodic exploration to determine whether the difference file extracted by the difference extraction means 205 is a personal information file.

  The management console 207 sets and manages personal information file determination conditions (the quarantine tables 10c and 20b-1, the predetermined threshold necessary for determining the personal information file and the P mark, and the like). In the quarantine tables 10c and 20b-1, the above-described telephone number determination conditions, e-mail address determination conditions, address determination conditions, character determination conditions (the predetermined range) and inappropriate characters / unsuitable character strings are set.

  The personal information management means 208 manages personal information files in each client terminal 10 (10A, 10B) based on the search results collected by the collection means 203 and stored in the database 20b. An electronic file determined as a personal information file in 204 (an electronic file with a P mark; hereinafter referred to as a personal information file) is a management target.

  This personal information management means 208 gives attention information to the user (holder) of the personal information file according to the judgment value (or P mark) of the personal information file registered in the P mark table 20b-2 of the database 20b. / Notify alert information, forcibly capture / collect personal information file from client terminal 10 storing the personal information file, or output personal information file from client terminal 10 to the outside Is forcibly prohibited, the personal information file is stored in a folder (not shown) accessible only to the administrator, or the file access management server 30 manages access to the personal information file.

  For example, when the rank of the P mark is “P1”, the recommendation by the warning information is not performed, but the fact that the personal information file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. When the rank of the P mark is “P3”, the system administrator is notified by e-mail as warning information that there is a user storing the personal information file, and the personal information file is returned. To the user. When the rank of the P mark is “P4”, the personal information file is forcibly captured / collected from the client terminal 10 and the personal information file is forcibly prohibited from being output from the client terminal 10 to the outside. The personal information file is stored in a folder accessible only to the administrator, or the file access management server 30 manages the access to the personal information file. Even if the P mark rank is not “P4”, if the personal information file of “P3” is left for a predetermined number of days, the rank of the P mark is “P4” for the personal information file. You may make it perform the treatment similar to the case.

  Further, the personal information management means 208 has a function of searching the personal information file stored in each client terminal 10 or the database 20b with various accuracy, and a function of causing the display control means 26 to display the search result on the display unit 20c. have.

  The display control unit 209 controls the display state of the display unit 20c so that various types of information are displayed on the display unit 20c. The transmission / reception unit 210 transmits various types of information to and from each client terminal 10 via the network 40. Send and receive.

  The digital signature unit 211 gives a digital signature to the personal information file searched by the first personal information search unit 11 or the second personal information search unit 204. Here, the digital signature is encrypted signature information attached to guarantee the authenticity of the digital document, and proves the creator of the digital document (here, the personal information file) by applying public key cryptography. And that the document has not been tampered with. The signer (administrator on the information management server 20 side) sends a signature encrypted with its own private key to the digital document. The recipient (the user on the client terminal 10 side) decrypts the signature using the signer's public key and confirms whether the content is correct. As a result, it can be used not only to prevent forgery by a third party but also to prove that the signer has created the digital document.

  Note that the personal information file of the first client terminal 10A is transmitted from the first client terminal 10A to the information management server 20 via the network 40, and after the digital signature is given by the digital signature means 211, the first client terminal 10A. The original personal information file that has been returned to and not given a digital signature will be deleted. Also, the personal information file of the second client terminal 10B is returned to the second client terminal 10B after being digitally signed by the digital signature means 211 after determination on the information management server 20 side, and is not given a digital signature. The original personal information file will be deleted.

[C1-5] Functional configuration of the file access management server of the third embodiment:
FIG. 21 is a block diagram showing the functional configuration of the file access management server 30 according to the third embodiment. As shown in FIG. 20, the file access management server 30 according to the third embodiment includes, for example, the information management server 20 (individual A personal information file (a personal information file whose rank of the P mark is “P4”) designated by the information management means 208) is to be managed, a CPU 30a that executes various processes, and an encryption key and a decryption key as described later Etc., and a storage unit 30b for storing and the like. Here, the personal information file whose P mark rank is “P4” is a management target. However, regardless of the P mark rank, all of the personal information search means 11 and 204 determined to be personal information files. The electronic file may be managed by the file access management server 30.

  The CPU 30a functions as a transmission / reception unit 31, a conversion unit 32, an encryption unit 33, and a determination unit 34, which will be described later. These functions are realized by the CPU 30a executing a program for a file access management server. Is done. Further, as will be described later, the storage unit 30b has an encryption key for encrypting the personal information file, a decryption key for decrypting the encrypted personal information file, and an access to the encrypted personal information file. Stores authority (to be described later) and user ID / password of a pre-registered user [registrant (employee) who is permitted to view encrypted files], and is configured by a hard disk or RAM, for example. .

  The transmission / reception means 31 is realized by a communication function originally possessed by the file access management server 30, and includes a personal information file reception means 31a, an encrypted file transmission means 31b, an authentication information reception means 31c and a decryption which will be described later. It functions as the key transmission means 31d.

The personal information file receiving means 31 a receives a personal information file to be managed from the information management server 20 via the network 30.
The conversion unit 32 converts the personal information file to be managed received by the personal information file receiving unit 31a into a completed document file such as a PDF (Portable Document Format) file that is difficult to falsify. The conversion means 32 is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF, and a PDF file as a completed document file is generated.

The encryption unit 33 encrypts the PDF file obtained by the conversion unit 32 using a predetermined encryption key.
The encrypted file transmission unit 31 b transmits a file encrypted (keyed) by the encryption unit 33 (hereinafter referred to as an encrypted file) to the information management server 20 via the network 40.

  In the management by the file access management server 30, the user has various access authorities (permissions such as viewing, printing, copying, etc.) for each encrypted file depending on the policy setting at the time of encryption by the encryption means 33 as described above. Set for each encrypted file. At that time, one type of policy is set in order to simplify the system operation, and the access right at each client terminal 10 for all encrypted files is determined by the policy setting [for example, all the in-houses where the system 1 is installed. As the access authority of all employees / all users (all registered users registered in the file access management server 30), only the viewing authority is set / granted automatically (forced), and access other than browsing, such as printing, It may be possible to prevent access such as copying, saving as another name, and screen capture (screen shot).

The authentication information receiving unit 31c receives the authentication information transmitted from the client terminal 10 or the information management server 20 via the network 40 when the client terminal 10 or the information management server 20 accesses the encrypted file. Here, the authentication information indicates that the user of the client terminal 10 or the information management server 20 trying to open the encrypted file is a file access management indicating that the encrypted file is a valid transmission destination (user / registrant). This information is necessary for determination / authentication by the server 30 and includes a user ID and a password registered in advance in the file access management server 30 (storage unit 30b) for the user of the service by the file access management server 30. . These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  Based on the authentication information received by the authentication information receiving unit 31c, the determining unit 34 determines whether or not the client terminal 10 / information management server 20 that has transmitted the authentication information is a valid transmission destination of the encrypted file. In practice, it is determined whether or not the user ID and password input by the user match the user ID and password registered and stored in the storage unit 30b of the file access management server 30 in advance. Thus, it is determined and authenticated whether or not the user is a valid registrant.

  The decryption key transmitting means 31d reads out the decryption key for decrypting the encrypted file from the storage unit 30b when the determination means 34 authenticates that the user is a valid registrant, and the client terminal 10 or The information is transmitted to the information management server 20 via the network 40.

  When the client terminal 10 or the information management server 20 receives the decryption key from the file access management server 30, the decryption key is decrypted using the decryption key to restore the original personal information file. The personal information file is accessed (for example, browsed) according to the given access authority.

[C2] Operation of the management system of the third embodiment:
Next, the operation of the management system 1 according to the third embodiment configured as described above will be described with reference to FIGS.

[C2-1] Operation of personal information exploration means:
In the personal information search means 11 and 204 of the third embodiment, the frequency of appearance of telephone numbers, e-mail addresses, addresses, and names is digitized as follows to specify and search for personal information files. At that time, when the character section cut out by the cutting means 112 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot be seen in the personal information in the character section cut out by the cutting means 112 while being excluded because it is regarded as not corresponding to the personal information element (name in the third embodiment). If the preset inappropriate character / unsuitable character string is not included, the character section is regarded as corresponding to the personal information element forming the personal information, that is, the personal information element is regarded as appearing. It is done, and the number of appearances is counted up.

  In the first client terminal 10A or the information management server 20 of the third embodiment, a series of procedures for the first personal information file search operation executed by the personal information search means 11 and 204 (personal information search program) described above are performed. This will be described with reference to the flowchart (steps S102 to S118) shown in FIG.

When constructing the management system 1 of the third embodiment, first, a personal information management server program is installed in a computer that functions as the information management server 20, and the computer executes the personal information management server program. Thus, the information management server 20 functions. When starting the search / management of the personal information file, the information management server 20 requests the client terminal that wishes to reside in the personal information search program as will be described later with reference to FIG. 25 (steps S402, S403, S411). 10, a personal information search program is installed via the network 40. By executing the personal information search program installed in this way by the CPU 10a of the first client terminal 10A, the CPU 10a causes the personal information search means 11, the detection means 12, and the first control means 1 to operate.
3. Functions as access monitoring means 14, transmission / reception means, and print request monitoring means 16. When installing the personal information search program, the quarantine table 10c is also transmitted. The personal information search program is included in advance in the personal information management server program. The personal information search program is installed in the client terminal 10 and the personal information search program is executed by the information management server 20. Thus, the CPU 20a of the information management server 20 functions as the second personal information search means 204.

  FIG. 22 is executed by the first personal information search unit 11 in the first client terminal 10A when the management system 1 is started up / when the personal information search program is installed / when the first client terminal 10A is newly connected. This is executed by the second personal information search means 204 in the information management server 20 at the time of the initial personal information file search operation procedure or when the management system 1 is started up or when the second client terminal 10B is newly connected. The procedure of the search operation of the first personal information file is shown.

  An electronic file that has not yet been determined is selected as a determination target file from all data of the client terminal 10 and read out (step S102), and extraction means (text extraction engine) is extracted from the determination target file. Text data is extracted by 111 (step S103).

  From the text extracted in this way, the character section delimited by the delimiter described above is extracted by the extraction means 112 and sequentially written in a buffer (not shown) as a determination target / collation target (step S104). When cutting out a character section, as described above, the cutting means 112 removes symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, and parenthesis symbols, from the character section. .

  Whether or not the character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting means 112 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination means 113a, the e-mail address determination means 113b, and the address determination means 113c (steps S105, S107, S109).

  First, the telephone number determination means 113a determines whether or not the character string corresponds to a telephone number (step S105). At that time, if the character string satisfies the telephone number determination condition set in the quarantine table 10c, that is, if the character string includes 9 to 15 digits, the character string is converted to the telephone number. (YES route of step S105), the fact is notified to the second determination unit 116, and the second determination unit 116 increments the count value corresponding to the number of appearances of the telephone number by one. (Step S106), the process proceeds to Step S114.

  If it is determined that the character string does not correspond to a telephone number (NO route of step S105), the e-mail address determination means 113b determines whether or not the character string corresponds to a telephone mail address (step S107). ). At that time, if the character string satisfies the e-mail address determination condition set in the quarantine table 10c, that is, “one or more ASCII” + “@” + “one or more ASCII” + If the character string “.” + “ASCII of one or more characters” is included, it is determined that the character string corresponds to the e-mail address (YES route in step S107), and that is the second determination means. 116, the second determination means 116 increments the count value corresponding to the number of appearances of the e-mail address by 1 (step S108), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an e-mail address (NO route in step S107), the address determination unit 113c determines whether the character string corresponds to an address (location) (step S109). ). At that time, if the character string satisfies the address determination condition set in the quarantine table 10c, that is, “one or more double-byte characters” + “city” or “city” or “county” + If a character string that is “one or more double-byte characters” is included, it is determined that the character string corresponds to an address (YES route of step S109), and that is notified to the second determination means 116, In the second determination means 116, the count value corresponding to the number of appearances of the address (residence) is incremented by 1 (step S110), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an address (NO route in step S109), that is, the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. If the character determination unit 114 determines that the character string satisfies the character determination condition (the number of characters is 1 or more and 6 or less and all characters are kanji characters) set in the quarantine table 10c. Determination is made (step S111). When this character determination condition is not satisfied (NO route in step S111), the process proceeds to step S114.

  On the other hand, if this character determination condition is satisfied (YES route in step S111), the collation means 115 determines whether or not there is a character / character string included in the character section (the character string) and the name set in the quarantine table 10c. The appropriate character / inappropriate character string is collated, and it is determined whether or not the character section includes an inappropriate character / inappropriate character string (step S112). If there is at least one character / character string that matches the inappropriate character / inappropriate character string in the character section (YES route in step S112), matching with the inappropriate character / inappropriate character string at that time The process is immediately terminated, and the process proceeds to step S114.

  If the character section does not contain an inappropriate character / unsuitable character string (NO route of step S112), the result of the collation determination is notified to the second determination means 116. In the second determination means 116, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S113), and the process proceeds to step S114.

  In step S114, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character segment (YES route), the process returns to step S104, and the same processing as described above (steps S104 to S104). S113) is repeatedly executed. In this way, when all character sections are cut out from the text data and the determination processing, collation processing, counting processing, etc. for all character sections are completed (NO route in step S114), the second determination means 116 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S115).

  Then, the second determination means 116 determines whether or not the determination target file is a personal information file based on the determination value calculated in step S115, and ranks the P mark. (In the third embodiment, four of “P1” to “P4”) are performed (step S116).

Thereafter, it is determined whether or not the personal information has been searched for all the electronic files in the client terminal (step S117). If there is still an unsearched electronic file (NO route in step S117), the process returns to step S102. When the same processing as described above is executed, but all the electronic files have been searched (YES route in step S117), the personal information file determination result and the P mark ranking result in step S116 are P mark. It is registered in the table 10d or 20b-2, transmitted to the information management server 20 via the transmission / reception means 15 and the network 40, and registered and stored in the database 20b by the collection means 203 in the information management server 20 (step S118). The determination result of the second client terminal 10B is registered and stored in the database 20b from the second personal information searching means 204 (step S118). After completing the process in step S118, the personal information file search operation is terminated.

[C2-2] Operation of the first client terminal (personal information search program resident terminal):
Next, the operation of the first client terminal 10A will be described according to the flowchart (steps S21 to S26) shown in FIG. More specifically, here, a real-time search operation and an access monitoring operation executed by the first client terminal 10A after the first search for the personal information file described above will be described with reference to FIG.

  In the first client terminal 10A, the detection unit 12 monitors changes to the electronic file already stored in the storage unit 10b and addition of a new electronic file to the storage unit 10b (step S21). When an addition / change is detected (YES route in step S21), the personal information search program is immediately started by the first control means 13 (step S22) and added / changed by the first personal information search means 11 each time. The determination processing in steps S103 to S116 in FIG. 22 is executed using the electronic file as the determination target file (step S23). As a result, a real-time search for determining whether the added / changed electronic file is a personal information file is executed, and the determination result is notified to the information management server 20 (step S24).

  In the first client terminal 10A, the personal information file (that is, the electronic file assigned with the P mark / the electronic file determined to be a personal information file by the first personal information searching unit 11) by the access monitoring unit 14 is used. If it is monitored (step S25) and an access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs (NO route in step S21 to YES route in step S25), this is indicated. The log information is written out, transmitted to the information management server 20 via the transmission / reception means 15 and the network 40 (step S26), and registered and stored in the database 20b by the collection means 203 in the information management server 20.

  In the first client terminal 10A, the personal information file (that is, the electronic file given the P mark / the electronic file determined to be a personal information file by the first personal information searching unit 11) by the print request monitoring unit 16 is used. Is monitored (step S25 in FIG. 23, step S1401 in FIG. 29), and if the access to the personal information file is a print request (YES in step S1402 in FIG. 29), the presence or absence of the P mark is checked. It is done.

  If a P mark is given to the electronic file (YES in step S1403 in FIG. 29), the print control means 18 that has received an instruction from the print request monitoring means 16 executes printing in the restricted state (FIG. 29). Middle step S1404).

That is, when transmitting the personal information file to the printer, control is performed so that the portion corresponding to the personal information in the personal information file is made invisible and transmitted to the printer.
Here, the “invisible state” is a state in which the corresponding character is invisible or a state in which the corresponding character is extremely difficult to recognize. Specifically, change the character color (make the character color the same as the background color (white, etc.)), fill it (fill the area around the character with the same color as the character color), replace the character (a constant such as a black circle or a black square) Various processing such as replacement with characters, and replacement with characters that do not make sense by shifting the character code to another character code according to a certain rule) are applicable. Moreover, you may perform combining these some processes.

  Here, when a character is replaced with another character such as a black circle or a black square, the presence of the character itself is visible, but the content of the information is invisible, which is one aspect of the invisible state in the present specification.

  For example, assume that there are two types of data shown in FIGS. 30 (a) and 30 (b). Here, since data #A is hospital data and not personal information, no P mark is given. On the other hand, data #B is personal information including name, hospital history and medication data, and is given a P mark.

Here, when both the data #A and the data #B are printed, the printing process is executed as follows.
For example, if the background color is transparent or white and the character color is black, the character color corresponding to the personal information is made white as shown in FIG. 30C, or the personal color is applicable as shown in FIG. The area around the character is filled with black. As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

  Further, according to the rank of the P mark, for a high-level personal information file, printing of the entire personal information file may be prohibited or may be printed in an invisible state. In the example of FIGS. 30 and 31, not only the name but also the medicine name, hospital name, or the whole may be invisible.

  If the P mark is low in accordance with the rank of the P mark, as shown in FIG. 32, at least the personal information portion is printed with a watermark that prohibits copying. As a result, although the printed original can be read, it cannot be copied. Also in this case, it is possible to determine only the name part, or other parts, the whole, and parts to be restricted as necessary.

Alternatively, instead of the watermark, the personal information portion can be printed at such a low density that it cannot be copied.
If the P mark is not given to the electronic file (NO in step S1403 in FIG. 29), the print control means 18 that has received an instruction from the print request monitoring means 16 performs printing in an unrestricted state (FIG. 29, step S1405).

  If the access to the personal information file is a display request (view request) to the display unit 10e (YES in step S1406 in FIG. 29), the display control means 19 checks whether or not there is a P mark (in FIG. 29). Step S1407).

  Here, if the P mark is not added to the electronic file (NO in step S1407 in FIG. 29), the display control means 19 displays the electronic file on the display unit 10e without any restriction (in FIG. 29). Step S1409).

If a P mark is given to the electronic file (YES in step S1407 in FIG. 29), the display control means 19 indicates that the position of the client terminal 10 acquired by the CPU 10a is a predetermined position (for example, in-house). It is determined whether or not there is (step S1408 in FIG. 29). The location information of the client terminal 10 is obtained from GPS information from a GPS device (not shown), base station information obtained from a mobile phone device, etc., IP information at the time of network connection obtained through the transmission / reception means 15 and the like.

  Here, if the position of the client terminal 10 is present at a predetermined position (such as in-house) (YES in step S1408 in FIG. 29), the display control unit 19 displays the display unit 10e in an unrestricted state. The electronic file is displayed (step S1409 in FIG. 29).

  If the position of the client terminal 10 does not exist at a predetermined position (in-house or the like) (NO in step S1408 in FIG. 29), the display control unit 19 causes the display unit 10e to enter the restricted state. An electronic file is displayed (step S1410 in FIG. 29).

  That is, when the personal information file is sent from the display control means 19 to the display unit 10e, the portion corresponding to the personal information in the personal information file is controlled to be invisible and displayed on the display unit 10e.

  Here, the invisible state means that the character color is the same as the background color (FIG. 30C), or the character periphery is painted with the same color as the character color (FIG. 31), and a watermark that is difficult to see is added. (FIG. 32), processing such as replacement with a certain meaningless character (FIG. 33) is executed.

  For example, if the background color is transparent or white and the text color is black, the text color will be white, or the area around the text will be filled with black, or the text will be constant, such as a black circle Replace with the character.

  As a result, the personal information portion of the personal information file is not displayed on the display, and personal information is prevented from being leaked through the display medium. It is also possible to display the personal information part in a light color. Further, according to the rank of the P mark, the display of the entire personal information file may be prohibited or may be displayed in an invisible state for the high-level personal information file.

  It should be noted that when the above-described restrictions on printing and display are used, a message indicating that printing or display cannot be performed because the file is a personal information file may be printed or displayed in addition to simply making it invisible.

In the above specific examples, specific examples of making the basic part of the personal information in the personal information file invisible have been shown, but the present invention is not limited to this.
For example, if there are data such as name and annual income, name and medical history, instead of making the name part invisible, clarify the name by setting in advance or setting at the time of printing, The annual income part and the medical history part may be printed as invisible. That is, depending on the purpose of printing, a name portion is required, but when other portions are not used, printing is executed in such a state.

  Here, in the first client terminal 10A, the print request monitoring unit 16 uses the personal information file (that is, the electronic file assigned the P mark / the electronic file determined to be the personal information file by the first personal information search unit 11). ) Is monitored and the access to the personal information file is a print request (step S2001 in FIG. 35), the presence / absence of a P mark, the presence / absence of a restriction setting, and the state are checked (step S2002 in FIG. 35). .

If no P mark is given to the electronic file (NO in step S2003 in FIG. 35), the print control means 18 that has received an instruction from the print request monitoring means 16 executes printing without a restricted state (FIG. 35, step S2009).

  If the P mark is given to the electronic file (YES in step S2003 in FIG. 35), the print control means 18 checks the restriction state (step S2004 in FIG. 35), and if the entire print is restricted. (NO in step S2004 in FIG. 35 (overall)), printing is stopped. That is, the electronic file is not transmitted to the printer (step S2005 in FIG. 35).

  If the P mark is given to the electronic file (YES in step S2003 in FIG. 35), the print control means 18 checks the restriction state (step S2004 in FIG. 35), and a part of the print is restricted. If so (YES in step S2004 in FIG. 35 (partial)), the restriction setting is checked. This restriction may be set in advance, or if not set in advance, the user may be inquired on the spot.

  If the restriction that makes the name portion invisible is set, the name portion is made invisible as shown in FIG. 31 to FIG. 33 or FIG. 34B (step S2007 in FIG. 35), and the electronic file is saved. Send to the printer and print.

  On the other hand, if there is data with a disease name as shown in FIG. 34 (a) and a name print is required as necessary, the setting for making the disease name portion invisible (step S2006 in FIG. 35). In FIG. 34C, other than the name is made invisible (step S2008 in FIG. 35), and printing is performed (step S2009 in FIG. 35). Similarly, in the case of annual income, occupation, affiliation faction, etc., it is possible to set the part other than the name as invisible.

  In addition, in this case, for each item included in the data other than the name, if the address, age, gender, annual income, medical history, existence of debt, debt amount, deposit amount, etc. are prohibited, the entire electronic file is prohibited from printing. Various modifications are possible, such as printing with the name portion invisible, printing with the portion other than the name invisible, and specifying a specific item other than the name to make it invisible.

  Further, for each item, it is possible to make fine settings such as visible, invisible, thin print (not copyable), and the like. The process in FIG. 35 may be performed not only for printing but also for display.

  In addition, even within the same item, settings are made such that the item of annual income is made invisible only for specific income earners less than or above the prescribed annual income, or specific disease names such as mental illness are made invisible. It is also possible.

[C2-3] Operation of second client terminal (personal information search program non-resident terminal):
Next, the operation of the second client terminal 10B will be described according to the flowchart (steps S31 to S36) shown in FIG. More specifically, the file / file information transmission operation and the access monitoring operation executed by the second client terminal 10B after the first personal information file search described above will be described with reference to FIG.

In the second client terminal 10B, the file information transmission request from the information management server 20 is monitored by the transmission / reception means 15 (step S31). When the file information transmission request is received (YES route in step S31), the file directory is changed. The latest file information (for example, file creation / update date / time, file size, file name) of all files is transmitted to the information management server 20 via the transmission / reception means 15 and the network 40 (step S32).

  In the second client terminal 10B, the transmission / reception unit 15 monitors the transmission request for the difference file during the periodic search from the information management server 20 (step S33). When the file transmission request is received (NO in step S31) The difference file corresponding to the transmission request is read from the storage unit 10b and transmitted to the information management server 20 via the transmission / reception means 15 and the network 40 (step S34).

  Further, also in the second client terminal 10B, as in the first client terminal 10A, the access monitoring means 14 causes the personal information file (that is, the second personal information search means 204 of the electronic file / information management server 20 to which the P mark is given). (Electronic file determined to be a personal information file) is monitored (step S35), and access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs (step S33). From the NO route of step S35), the fact is written as log information, transmitted to the information management server 20 via the transmission / reception means 15 and the network 40 (step S36), and collected by the information management server 20 Register to database 20b by means 203 - it is saved.

  Further, in the second client terminal 10B, the personal information file (that is, the electronic file given the P mark / the electronic file determined to be the personal information file by the second personal information searching means 204) by the print control means 18. Is monitored (step S25 in FIG. 23, step S1401 in FIG. 29), and if the access to the personal information file is a print request (YES in step S1402 in FIG. 29), the presence or absence of the P mark is checked. It is done.

  If a P mark is given to the electronic file (YES in step S1403 in FIG. 29), the print control unit 18 executes printing in the restricted state (step S1404 in FIG. 29).

  That is, at the time of transmitting the personal information file to the printer, as shown in FIGS. 30 to 33, control is performed such that the portion corresponding to the personal information in the personal information file is made invisible and the transmission to the printer is executed. .

Here, the invisible state executes processing such as making the character color the same as the background color (white, etc.), or painting the periphery of the character with the same color as the character color.
For example, if the background color is transparent or white and the text color is black, the text color is white, or the area around the text is painted black, or the personal information part such as the name is Replace with characters such as black circles.

  As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented. Further, according to the rank of the P mark, for a high-level personal information file, printing of the entire personal information file may be prohibited or may be printed in an invisible state.

  If the P mark is low in accordance with the rank of the P mark, as shown in FIG. 32, at least the personal information portion is printed with a watermark that prohibits copying. As a result, although the printed original can be read, it cannot be copied. Also in this case, it is possible to determine only the name part, or other parts, the whole, and parts to be restricted as necessary.

  If the P mark is not added to the electronic file (NO in step S1403 in FIG. 29), the print control unit 18 performs printing without restriction (step S1405 in FIG. 29).

  If the access to the personal information file is a display request (view request) to the display unit 10e (YES in step S1406 in FIG. 29), the display control means 19 checks whether or not there is a P mark (in FIG. 29). Step S1407).

  Here, if the P mark is not added to the electronic file (NO in step S1407 in FIG. 29), the display control means 19 displays the electronic file on the display unit 10e without any restriction (in FIG. 29). Step S1409).

  If a P mark is given to the electronic file (YES in step S1407 in FIG. 29), the display control means 19 indicates that the position of the client terminal 10 acquired by the CPU 10a is a predetermined position (for example, in-house). It is determined whether or not there is (step S1408 in FIG. 29). The location information of the client terminal 10 is obtained from GPS information from a GPS device (not shown), base station information obtained from a mobile phone device, etc., IP information at the time of network connection obtained through the transmission / reception means 15 and the like.

  Here, if the position of the client terminal 10 is present at a predetermined position (such as in-house) (YES in step S1408 in FIG. 29), the display control unit 19 displays the display unit 10e in an unrestricted state. The electronic file is displayed (step S1409 in FIG. 29).

  If the position of the client terminal 10 does not exist at a predetermined position (in-house or the like) (NO in step S1408 in FIG. 29), the display control unit 19 causes the display unit 10e to enter the restricted state. An electronic file is displayed (step S1410 in FIG. 29).

  That is, when the personal information file is sent from the display control means 19 to the display unit 10e, the portion corresponding to the personal information in the personal information file is controlled to be invisible and displayed on the display unit 10e.

  Here, the invisible state means that the character color is the same as the background color (FIG. 30C), or the character periphery is painted with the same color as the character color (FIG. 31), and a watermark that is difficult to see is added. (FIG. 32), processing such as replacement with a certain meaningless character (FIG. 33) is executed.

  For example, if the background color is transparent or white and the text color is black, the text color is white, or the area around the text is painted black, or the personal information part such as the name is Replace with characters such as black circles.

  As a result, the personal information portion of the personal information file is not displayed on the display, and personal information is prevented from being leaked through the display medium. It is also possible to display the personal information part in a light color. Further, according to the rank of the P mark, the display of the entire personal information file may be prohibited or may be displayed in an invisible state for the high-level personal information file.

It should be noted that when the above-described restrictions on printing and display are used, a message indicating that printing or display cannot be performed because the file is a personal information file may be printed or displayed in addition to simply making it invisible.

  Also in the second client terminal 10B, as in the case of the first client terminal 10A, when data such as name and annual income, name and medical history exist, the name portion is not made invisible in advance. The name may be clarified by a predetermined setting or a setting at the time of print instruction, and the annual income part or the medical history part may be printed in an invisible state. That is, depending on the purpose of printing, a name portion is required, but when other portions are not used, printing is executed in such a state.

The invisible processing based on such settings may be performed not only for printing but also for display.
In addition, even within the same item, settings are made such that the item of annual income is made invisible only for specific income earners less than or above the prescribed annual income, or specific disease names such as mental illness are made invisible. It is also possible.

[C2-4] Operation of personal information management server:
Next, the operation of the information management server 20 will be described according to the flowchart shown in FIG. 25 (steps S401 to S428) and the flowchart shown in FIG. 26 (steps S501 to S511).

  When the information management server 20 starts up the management system 1 or recognizes a new connection of the client terminal 10 to the network 40 (YES route in step S401), the client information collection unit 201 communicates via the network 40. Client information is collected from the client terminals 10 that are connected as possible (step S402).

  The presence or absence of the client terminal 10 that has issued the installation request for the personal information search program is recognized from the collected client information (step S403), and there is no client terminal 10 that has issued the installation request (NO in step S403). Route), all files in the storage unit 10b of the second client terminal 10B from one of the second client terminals 10B not installed with the personal information search program via the network 40, the transmission / reception means 210 and the collection means 203 The received file is received together with the latest file information in the second client terminal 10B (step S404).

  Thereafter, the first personal information file search for all the files of the second client terminal 10B is executed according to the procedure of steps S102 to S117 shown in FIG. 22 (step S405), and the determination result and P mark obtained thereby. Are registered and stored in the database 20b from the second personal information searching means 204 (steps S406 and S117). At this time, the latest file information transmitted from the second client terminal 10B is registered and stored in the file information storage unit 20b-3 of the database 20b as file information at the time of the last periodic search (step S407).

  Then, it is determined whether or not the first exploration has been completed for all the second client terminals 10B (step S408). If there is still an unexplored second client terminal 10B (NO route in step S408), the process proceeds to step S404. Returning, the same processing as described above is executed, but when the initial search for all the second client terminals 10B is completed (YES route in step S408), the search result registered and stored in the database 20b [here, the P mark level ( In accordance with (Rank)], the personal information management means 208 manages and operates each personal information file (step S409). Details of management and operation by the personal information management means 208 will be described later with reference to FIG.

  On the other hand, if there is a client terminal 10 that has issued an installation request (YES route in step S403), the personal information search program is installed on the client terminal 10 via the network 40 by the installation unit 202 (step S403). S410). When the personal information search program is installed, the presence or absence of the client terminal 10 (that is, the second client terminal 10B) that has not issued the installation request for the personal information search program is recognized (step S411), and the second client terminal 10B exists. (YES route of step S411), the same processing as the above-mentioned steps S404 to S408 is executed to execute the first search for the second client terminal 10B (step S412).

  When the second client terminal 10B does not exist (NO route of step S411), or after completing the initial search in step S412, the personal information search program is executed in the first client terminal 10A in which the personal information search program is installed. The result of the initial search of the personal information file (link destination information of personal information file, determination value, P mark, etc.) received and collected by the collecting means 203 via the network 40 and the transmitting / receiving means 210, Waiting for registration / storage in the database 20b (step S413), and when the first search result of the first client terminal 10A is obtained (YES route in step S413), the search result registered / stored in the database 20b is used. Personal information management means 208 More, management and operation for each personal information file as described later is performed (step S409).

  Further, when the information management server 20 recognizes that the real-time search result has been received from the first client terminal 10A (from the NO route in step S401 to the YES route in step S414), the real-time search result registered and stored in the database 20b is displayed. In response, personal information management means 208 manages and operates each personal information file as described later (step S409).

  Furthermore, when the information management server 20 recognizes the timing for executing the periodic search for the second client terminal 10B (from the NO route in step S414 to the YES route in step S415), the information management server 20 is updated with respect to the second client terminal 10B to be periodically searched. The file information transmission request is issued so as to transmit the file information of the second client terminal 10B, and the latest file information (files) about all the files in the second client terminal 10B through the network 40, the transmission / reception means 210 and the collection means 203 from the second client terminal 10B. (Created / updated date, file size, file name) are acquired (step S416).

  Then, the latest file information acquired in step S416 by the difference extraction unit 205 and the previous (finally) personal information file at the time of periodic exploration are stored in the file information storage unit 20b-3. The file information about the second client terminal 10B is compared, and it is determined whether or not the file creation / update date / time, file size, and file name have changed (step S417). As a result, files that have been newly added, or electronic files in which at least part of these information has been changed, that is, the period from the last periodic exploration of personal information files to the present time The changed electronic file is recognized as a difference file (step S418).

  When it is recognized that a difference file exists (YES route in step S418), a file transmission request is issued to the second client terminal 10B to transmit the added / changed electronic file (difference file), A difference file is received / extracted from the second client terminal 10B via the network 40, the transmission / reception means 210 and the collection means 203 (step S419).

  Thereafter, the personal information search program is started by the second control means 206 (step S420), and the determination process in steps 103 to S116 in FIG. 22 is executed by the second personal information search means 204 using the difference file as a determination target file. (Step S421). Thereby, the periodic search for determining whether or not the difference file is a personal information file is executed, and the determination result (periodic search result) is registered and stored in the database 20b (step S422).

  At this time, the latest file information acquired in step S416 is registered and stored in the file information storage unit 20b-3 of the database 20b as file information at the time when the personal information file was last searched regularly (step S416). S423).

  Then, according to the periodic search result registered / saved in the database 20b, the personal information management means 208 manages / operates each personal information file as described later (step S409).

  On the other hand, when the information management server 20 receives an installation request for the personal information search program from the second client terminal 10B already connected to the network 40 (from the NO route in step S415 to the YES route in step S424), the second A personal information search program is installed on the client terminal 10B via the network 40 by the installation unit 202 (step S425).

  As a result, the personal information search program resides in the second client terminal 10B, and is thereafter treated as the first client terminal 10A. At this time, the P mark table 20b-2 corresponding to the first client terminal 10A stored in the database 20b is transferred to the first client terminal 10A as the P mark table 10d (step S426).

  Furthermore, when the information management server 20 receives access log information (log information notified in step S25 in FIG. 23 or step S36 in FIG. 24) from the client terminal 10 (from the NO route in step S424 to the YES route in step S427). The access log information is recorded / saved in the database 20b (step S428).

Next, the management / operation for each personal information file performed by the personal information management unit 208 in step S409 will be described with reference to FIG.
The personal information management means 208 refers to the initial search result, the real-time search result, and the periodic search result (P mark table 20b-2) in the database 20b, and determines whether or not there is a personal information file (file with a P mark). (Step S501).

  If a personal information file exists (YES route in step S501), a digital signature is given to the personal information file by the digital signature giving means 211 (step S502), and then the personal information file search result [in this case P In accordance with the mark level (rank)], the personal information management means 208 manages / operates each personal information file as follows (steps S503 to S511).

  First, it is determined whether or not there is a personal information file of P mark level “P1” (step S503). If there is a personal information file of P mark level “P1” (YES route of step S503), access monitoring of the personal information file is performed. It is set and registered as a target (access log recording target) (step S504).

  When there is no personal information file of P mark level “P1” (NO route of step S503), or after registration in step S504, it is determined whether or not there is a personal information file of P mark level “P2” (step S505). If there is a personal information file of P mark level “P2” (YES route in step S505), the personal information file is set and registered as an access monitoring target, and the user of the personal information file is cautioned. Attention information by pop-up display is notified (step S506).

  When there is no personal information file of P mark level “P2” (NO route of step S505), or after the notice information is notified in step S506, it is determined whether or not there is a personal information file of P mark level “P3” (step S507). ) If there is a personal information file of P mark level “P3” (YES route in step S507), the personal information file is set and registered as an access monitoring target, and the user who stores the personal information file The fact that it exists is notified to the system administrator by e-mail or the like as warning information, and the user is instructed to return the personal information file (step S508).

  If there is no personal information file of P mark level “P3” (NO route of step S507), or after issuing an alarm information notification and a return instruction in step S508, whether there is a personal information file of P mark level “P4”. If there is a personal information file of P mark level “P4” (YES route in step S509), the personal information file is forcibly captured and collected from the client terminal 10 (step S510). Then, the personal information file is placed under the management of the file access management server 30, and the file access management server 30 manages access to the personal information file (step S511). If there is no personal information file with the P mark level “P4” (NO route in step S509), or after the process in step S511 ends, the process ends.

  As described above, with respect to the personal information file of the P mark level “P4”, the personal information file is forcibly prohibited from being output from the client terminal 10 to the outside, or only the administrator can It may be stored in an accessible folder. Further, when a personal information file having a P mark level “P3” is left for a predetermined number of days, the same processing as that for a personal information file having a P mark level “P4” may be executed. Furthermore, all of the personal information files of the P mark levels “P1” to “P4” may be placed under the management of the file access management server 30.

[C2-5] Operation of file access management server:
Next, the operation of the file access management server 30 will be described with reference to FIGS.

First, the electronic file conversion operation by the file access management server 30 of the third embodiment will be described with reference to the flowchart shown in FIG. 27 (steps S61 to S64).
In the file access management server 30, a personal information file (electronic file to be managed) instructed to be placed under the management of the file access management server 30 is transmitted from the information management server 20 (personal information management means 208) via the network 40. When the personal information file is received by the personal information file receiving means 31a (YES route in step S61), the personal information file is converted into a PDF file by the converting means 32 (step S62). Is used to perform encryption processing (keying processing) (step S63). Then, the encrypted file is transmitted to the information management server 20 via the network 40 by the encrypted file transmission unit 31b (step S64).

Next, an authentication operation performed by the file access management server 30 according to the third embodiment will be described with reference to the flowchart shown in FIG. 28 (steps S71 to S75).
When a user of the client terminal 10 or a user (administrator) of the information management server 20 tries to view the contents of the encrypted file, authentication information is input by the user and transmitted to the file access management server 30. . When the authentication information is received by the authentication information receiving unit 31c via the network 40 (YES route in step S71), the determination unit 34 searches the storage unit 30b with the user ID included in the authentication information, and the user The registration password corresponding to the ID is read from the storage unit 30b, the password included in the authentication information is compared with the registration password read from the storage unit 30b, and it is determined whether or not these passwords match (client authentication) Step S72) is performed.

  When these passwords match and it is authenticated that the user of the client terminal 10 or the information management server 20 is a valid registrant (legal transmission destination) (YES route in step S73), the decryption key transmission means 31d. Thus, the decryption key for decrypting the encrypted file is read from the storage unit 30b and transmitted to the client terminal 10 or the information management server 20 via the network 40 (step S74).

  Then, when the decryption key is received at the client terminal 10 or the information management server 20, the encrypted file is decrypted using the decryption key, and the original personal information file is restored. Access according to the access authority given in advance is executed. For example, when only the viewing authority is given as the access authority as described above, the user can browse the contents of the restored personal information file, but access other than browsing, for example, print output by a printer, Access to copy to other recording media, screen copy (screen capture), and alias saving is not possible at all.

  On the other hand, if the determination unit 34 of the file access management server 30 determines that the passwords do not match, or if the registered password corresponding to the user ID is not registered in the storage unit 30b, the user is authorized. The file access management server 30 notifies the client terminal 10 or the information management server 20 of the error via the network 40 (step S75). .

  In the above description of the third embodiment, the print control means 18 acts as a device driver (peripheral device operation control means) for the printer, and similarly, the display control means 19 serves as a device driver for the external display. It is working.

  Therefore, as shown in steps S1005 to S1007 in FIG. 2, printing or display is executed in a predetermined state in accordance with the set restrictions in a canceled or partially invisible state (FIGS. 29S1404, S1405, S1409, S1410). .

  On the other hand, in the case of transferring an electronic file by a specific protocol without using a device driver such as the above-described PTP or MTP, information is likely to be diffused. Therefore, the CPU 110a as a control unit of the user terminal 10 is When communication according to the protocol is detected, transmission of an electronic file is permitted on condition that there is no violation of the management conditions described in the second embodiment or that a detailed electronic education has been taken (steps S1003, S1004, S1005 in FIG. 2). S1008).

This ensures that protected information files that exist in a distributed manner, for example, within a company can be reliably explored and managed without human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage or leakage of protected information and unauthorized use of protected information. In addition, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

[C3] Effects of the management system of the third embodiment:
As described above, according to the management system 1 as the third embodiment of the present invention, when the addition / change of a file is detected in the first client terminal 10A in which the personal information search program is resident, the personal information search is performed. The program is activated to execute real-time search, and it is determined whether the added / changed electronic file is a personal information file, and the determination result is transmitted to the information management server 20. On the other hand, the electronic file in the second client terminal 10B in which the personal information search program is not resident is managed by the information management server 20, and the latest information on the electronic file in the second client terminal 10B and finally the regular period of the personal information file Differences with the information about the file at the time of the search are periodically monitored, and an electronic file corresponding to the difference is extracted (sucked up) from the second client terminal 10B to the information management server 20 side. The information management server 20 determines whether the file that has been executed and sucked is a personal information file.

  Thereby, the personal information file in the terminal 10A resident in the personal information search program and the personal information file in the terminal 10B non-resident in the personal information search program are automatically searched and placed under the management of the information management server 20. It becomes possible.

  At that time, first, the personal information search program is executed only once for all data in the terminal 10A where the personal information search program is resident, and the information management server 20 executes the network 40 for the terminal 10B where the personal information search program is not resident. If the search of the personal information file is executed only once for all the data via, the search (determination) is only performed on the added / changed electronic file or the difference file as described above. Thus, the personal information file newly created and added in each terminal 10 can be searched extremely efficiently and reliably without searching for all data every time.

  Therefore, it is possible to ensure personal information files (electronic files that are likely to be personal information files) that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Can be explored and managed. Accordingly, it is an object of the present invention to make it possible to reliably respond to requests for disclosure and correction of personal information and to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  At this time, at least file creation / update date / time, file size, and file name can be used as file information for extracting the difference file in the second client terminal 10B. By simply recognizing the addition, the difference file can be recognized and extracted very easily.

  Further, the information management server 20 is configured to install a personal information search program in response to a request from a user of the client terminal 10 to the client terminal 10 connected to the network 40, whereby the client terminal 10 Each time, the user can select and set whether the personal information search program is resident or non-resident, so the user requests non-resident personal information search program for reasons such as memory capacity and compatibility with other programs. In this case, it is possible to meet the demand and the convenience is enhanced. The terminal for which non-resident is selected / set is handled as the second client terminal 10B described above, and is subject to regular exploration by the information management server 20.

Furthermore, by giving a digital signature to the personal information file searched in the management system 1 of the third embodiment, it can be ensured that the personal information file has not been tampered with, and counterfeiting by a third party can be prevented. can do.

  The personal information file searched in the management system 1 of the third embodiment is managed by the information management server 20 (personal information management means 208) according to the P mark (rank / level) given to each personal information file. The personal information file is forcibly captured and collected from the client terminal 10 (storage unit 10b), the collected personal information file is stored in a folder accessible only to the administrator, or the personal information file is stored in the client terminal. 10 (storage unit 10b) is forcibly prohibited from being output to the outside, the user (owner) of the personal information file and the system administrator are notified of the caution information / warning information, and the personal information file The file access management server 30 can manage the access, and personal information is inadvertently leaked or leaked. It is possible to more reliably prevent the illegal use of human information.

  Further, in each client terminal 10, the access monitoring means 14 and the print request monitoring means 16 monitor the electronic file determined to be a personal information file (file given a P mark in the third embodiment), and the electronic file is monitored. When an access to a file (for example, data change due to rename, copy, delete, move, or print request) occurs, that fact is sent to the information management server 20 as log information and registered / saved in the database 20b. Therefore, access (operation / change history) to an electronic file that is likely to be a personal information file is tracked and managed by the information management server 20, thereby preventing unauthorized use of personal information more reliably. can do.

  On the other hand, in the management system 1 of the third embodiment, according to the personal information search function realized by executing the personal information search program by the computer (CPU 10a, 20a), the second determination means 116 uses the telephone number, electronic Character sections that do not correspond to either email address or address and contain inappropriate characters / inappropriate character strings are considered not to be related to personal information, but correspond to any of phone numbers, email addresses, and addresses. Character sections that do not and do not contain inappropriate characters / unsuitable character strings are considered to be related to names.

  Therefore, for the character section determined to correspond to any one of the telephone number, the e-mail address, and the address in the first determination means 113, the determination process is terminated at the time when the determination is made, and the telephone number, the e-mail Only a character section determined not to correspond to either an address or an address is subjected to a matching process with an inappropriate character / unsuitable character string, and the matching unit 115 also includes one inappropriate character / unsuitable character string. However, when it is determined that it is included in the character section, the collation process can be terminated, so the name collation process is faster than the conventional method that collates with all name strings in the name list. In other words, the personal information file search process can be performed at high speed.

  At this time, in the first determination unit 113, the determination process of the character string in the character section is performed in order from the lighter determination process load, that is, in the order of the telephone number, the e-mail address, and the address. Can be executed efficiently.

  In addition, since all the character sections that do not include inappropriate characters / inappropriate character strings are regarded as corresponding to names in the second determination means 116, an electronic file that does not include inappropriate characters / inappropriate character strings for names, It is possible to reliably search for an electronic file that is likely to contain name information and is likely to be a personal information file. In other words, the number of electronic files that are determined to be personal information files by the third embodiment is larger than that of the conventional method, and an electronic file that is likely to be a personal information file (suspicious electronic file) is surely obtained. Can be washed out.

  Furthermore, in the third embodiment, the character determination unit 114 determines whether the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji, and satisfies this character determination condition. Since only the character section is the target of collation by the collating means 115, the character section to be collated by the collating means 115 is narrowed down to the character section that is more likely to be a name, and the name collation accuracy can be improved. In addition, the name verification process can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the collation target by the collating means 115, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Become.

  The information management server 20 manages the determination target file and the personal information file according to the determination value (P mark) calculated for each determination target file by executing the above-described personal information search program. For each determination target file or personal information file, a management method corresponding to the determination value level (high possibility of being a personal information file / the number of personal information elements) can be selected and executed.

In the above third embodiment, in the case of electronic file transfer by a specific protocol not via a device driver such as PTP or MTP, transmission is permitted on the condition that there is no violation of management conditions or that detailed electronic education has been attended. By doing so, diffusion of information by the protocol is prevented in advance.
Therefore, without obtaining human cooperation and without placing a special burden on the person in charge, for example, it is possible to ensure that the information files to be protected existing in a distributed manner in a company etc. can be searched and managed. Thus, it is possible to reliably prevent inadvertent outflow / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

[C4] Other:
The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention.

  For example, in the above-described embodiment, the case where the personal information file is searched and managed has been described. However, the present invention also applies to the case where the confidential information (information with confidentiality obligation) is searched and managed in a company or the like. It is possible to obtain the same operational effects as in the above-described embodiment, and to reliably prevent inadvertent outflow / leakage of confidential information and unauthorized use of confidential information. In that case, as an inappropriate character or inappropriate character string, a character or a character string that cannot appear in the confidential information is set.

  In the above-described embodiment, the case where the personal information elements other than the name are the three elements of the telephone number, the e-mail address, and the address has been described. However, the present invention is not limited to this, and other than the name. As the personal information element, for example, date of birth, basic resident register number, account number, credit card number, license number, passport number, etc. may be used.

Further, while the search (search for all electronic files stored in the storage unit 10b) by the personal information search means 11 and 204 of each client terminal 10 is not completed, the electronic files in the storage unit 10b of the client terminal 10 are not processed. Access (for example, data change by renaming, copying, erasing, moving, etc .; more specifically, output to an external recording medium, mail attachment, etc.) may be prohibited. In this case, the presence or absence of an electronic file determined to be a personal information file is confirmed, and the electronic file determined to be a personal information file is placed under the management of the information management server 20 (or file access management server 30). Since access to the electronic file in the storage unit 10b of the client terminal 10 is prohibited, it is possible to prevent the leakage and leakage of personal information more reliably.

  By the way, in the first client terminal 10A, the above-described first personal information search means 11, detection means 12, first control means 13, access monitoring means 14, transmission / reception means, print request monitoring means 16, print control means 18, and display control means. 19 (all or part of the functions of each means) is a predetermined application program (individual) installed from the information management server 20 by a computer (including a CPU, an information processing device, and various terminals) as described above. This is realized by executing an information exploration program.

  In the information management server 20, the client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information management described above. As described above, the computer 208 (including the CPU, the information processing apparatus, and various terminals) has predetermined functions as the means 208, the display control means 209, the transmission / reception means 210, and the digital signature means 211 (all or a part of the functions of each means). This is realized by executing the application program (personal information management server program).

  The personal information management server program including the personal information search program is, for example, a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-). (RW, DVD + R, DVD + RW, etc.) and the like are provided in a form recorded on a computer-readable recording medium. In this case, the computer reads the personal information management server program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a computer program recorded on a recording medium.

  The personal information search program and the application program as the personal information management server program are stored in the computer as described above on the personal information search means 11, (first) control means 13, access monitoring means 14, transmission / reception means 15, and print. Request monitoring means 16, print control means 18, display control means 19, client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information management means 208, display control means 209, transmission / reception means 210, and program code for realizing functions as digital signature means 211. Some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the third embodiment, in addition to the above-mentioned flexible disk, CD, DVD, magnetic disk, optical disk, magneto-optical disk, IC card, ROM cartridge, magnetic tape, punch card, internal storage device of a computer ( It is also possible to use various computer-readable media such as a memory such as a RAM and a ROM, an external storage device, and a printed matter on which a code such as a barcode is printed.

[D] Fourth embodiment:
[D1] Outline of the management system of the fourth embodiment:
Here, a fourth embodiment will be described. The present invention can be applied to the management system shown in the block diagram of FIG. 1 of the first embodiment described above.

  That is, the management system 1 of the present embodiment is configured to include an information management server 20 and a file access management server 30 in addition to a plurality of client terminals 10, and these terminals 10 and servers 20, 30 are connected to a network [for example, in-house LAN (Local Area Network)] 40 so that they can communicate with each other.

  The client terminal 10 is configured to be able to save various electronic files and various programs in an external memory 70 as a storage device such as a hard disk device or a non-volatile memory. Protected information files may exist.

  Similarly, the mobile terminal 80 can be connected to various mobile terminals 80 such as a mobile phone device, a PDA, and a music information reproducing device. Similarly, the printer 60 (60B) can be connected to the client terminal 10.

  Note that the storage device 70 ′ such as a hard disk device may be directly connected to the network 40. Similarly, the mobile terminal 80 may be directly connected to the network 40. Similarly, the printer 60 (60A) can be directly connected to the network 40.

  The information management server 20 is connected to a plurality of client terminals 10 and the file access management server 30 via the network 40 so as to be able to communicate with each other, and manages personal information files and their diffusion prevention in each client terminal 10. The contents are the same as those described in the second / third embodiment.

  The file access management server 30 is connected to the plurality of client terminals 10 and the information management server 20 through the network 40 so as to be able to communicate with each other, and accesses the electronic file (personal information file in the present embodiment) serving as protection target information. The contents are those described in the second / third embodiment.

  First, in the present system 1, it is determined whether or not the client terminal 10 satisfies the management condition, and electronic education is executed according to the determination result (step S3601 in FIG. 36).

  Here, the management condition mentioned above means a desirable use condition or use state regarding the security measures on the user terminal side determined by the administrator side. Details and specific examples of the management conditions will be described in detail in the second embodiment.

  The management conditions and the electronic education have been described in detail in the second embodiment, but here, each client terminal 10 executes general electronic education (first electronic education) related to security, and after the electronic education is executed. It is determined whether each client terminal 10 satisfies the management condition, and detailed electronic education (second electronic education) related to security is applied to the client terminal 10 that does not satisfy the management condition.

In the client terminal 10, when data is exchanged with various devices (peripheral devices) such as the printer 60, the external memory 70, and the portable terminal 80, a device driver or a device driver that is easy for each device is used. Generally, it is performed through a similar means (in this embodiment, “peripheral device operation control means”).

  Here, the peripheral device means various external devices that can be connected to the client terminal 10 via wire, wireless, light, or the like, or various devices that exchange signals with the client terminal 10. Here, at least an electronic file is transferred between the client terminal 10 and the peripheral device.

  The peripheral devices include auxiliary storage devices using various storage media, input devices such as keyboards and scanners, output devices such as printers and displays, and communication devices such as modems and routers.

[A2] Operation of the management system of the fourth embodiment:
The operation of the fourth embodiment will be described below. Here, a specific description will be given using a printer as a peripheral device.

  Note that judgment of management conditions and electronic education are described in the second embodiment, and redundant description is omitted. Further, various restrictions and collection of personal information in the printer are described in the third embodiment, and redundant description is omitted.

  Here, it is assumed that a command (sending command) for writing or transmitting an electronic file to a peripheral device (printer 60, external memory 70, portable terminal 80, etc.) is generated in any of the client terminals 10 (FIG. 36). Step S3602).

  Note that sending (writing or sending) is not only sent from the client terminal 10 to the peripheral device in the form of an electronic file, but also sent after being converted in format, such as image data for printing. Including.

Therefore, even when a print command is generated in the client terminal 10, it corresponds to the generation of the above transmission command.
In this case, when this transmission command is generated, when it is determined that the user terminal satisfies the management condition based on whether or not the management condition described above is satisfied (step in FIG. 36). In step S3603, YES, the designated electronic file is sent to the peripheral device, in this case, the print image file is sent to the printer (step S3605 in FIG. 36).

  Further, in this case, when this print command is generated, when it is determined that the user terminal does not satisfy the management condition based on whether or not the above-described management condition is satisfied (in FIG. 36). In step S3603, it is checked whether or not the above-described detailed electronic education has been completed in the client terminal 10.

  Here, even when it is determined that the user terminal does not satisfy the management conditions described above (NO in step S3603 in FIG. 36), the above-described detailed electronic education attendance is received by the client terminal. If the process is completed at step 10 (YES in step S3604 in FIG. 36), the designated electronic file is sent to the peripheral device (step S3605 in FIG. 36).

On the other hand, when it is determined that the user terminal does not satisfy the management condition described above (NO in step S3603 in FIG. 36), the attendance of the detailed electronic education described above is performed at the client terminal 10. If not completed (NO in step S3604 in FIG. 36), as shown in the third embodiment, predetermined restrictions (print stop, partial print stop, partial print invisible, etc.) are added. In the state, the designated electronic file is printed (step S3606 in FIG. 36).

  At this time, in the user terminal 10 that does not satisfy the management condition or the user terminal 10 that has not completed the detailed electronic education, the personal information searched for (protection target information) in the same manner as in the third embodiment. It is only necessary to execute printing in a predetermined state such as an invisible state in any part or a necessary part or the whole.

  Here, a specific example of the printer 60 connected to the client terminal 10 has been described as a peripheral device. However, the external memory 70, the portable terminal 80, and the storage device 70 ′ and the portable terminal 80 existing on the network are also described. The same applies to the case. Further, various peripheral devices not shown, for example, an external display (projector) that performs display may be performed in the same manner as described above.

  This restricts the diffusion of electronic files from user terminals that do not satisfy management conditions such as security measures on the user terminal side determined by the administrator side. As a result, it is possible to reliably search and manage protected information files that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Thus, it is possible to reliably prevent inadvertent leakage / leakage of protected information and unauthorized use of protected information. In addition to this, it is possible to reliably prevent display, printing, inadvertent leakage or leakage of information to be protected to peripheral devices, and unauthorized use of the information to be protected.

Note that the above management condition determination, electronic education, and personal information determination may be performed by the client terminal 10 itself or by the management server 20.
[E] Other embodiments:
In each of the embodiments described above, the electronic education is made in two stages. However, the present invention is not limited to this, and may be made in one stage or may be made in three stages or more.

Note:
The following notes are also one aspect of this embodiment.
(A1) Appendix A1:
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file A control unit to be executed by a search unit; a storage unit that stores the determination result by the personal information search unit when the electronic file is determined to be a personal information file by the personal information search unit; A function of transmitting the contents of the electronic file to the printer in response to the print command, and when the personal information search means determines that the electronic file is a personal information file, the personal information file is transmitted to the printer. An information management terminal characterized by comprising a print control means for canceling.

(A2) Appendix A2:
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file Corresponding to the determination result by the personal information searching means and the personal information of the electronic file when the electronic information file is determined to be a personal information file by the control means to be executed by the searching means and the personal information searching means A storage means for storing the location of the electronic file and a function for transmitting the contents of the electronic file to the printer in response to a print command for the electronic file, and the personal information search means determines that the electronic file is a personal information file. If the personal information file is transmitted to the printer, the personal information of the personal information file And print control means for performing transmission to the printer and invisible for those that point, which is configured to include a information management terminal, characterized in that.

(A3) Appendix A3:
A personal information management server connected to the client terminal via a network so as to be able to communicate with each other and managing a personal information file in the client terminal; The management server searches the personal information file in the client terminal via the network by executing the personal information search program, and searches the personal information file by the personal information search unit. Electronic file information storage means for storing information about the electronic file in the client terminal at the time, and control means for causing the personal information search means to execute a search for determining whether or not the electronic file is a personal information file. The client end is configured However, if the personal information search means determines that the electronic file is a personal information file, the storage means for storing the determination result by the personal information search means, and the contents of the electronic file according to the print command of the electronic file And a print control means for canceling transmission of the personal information file to the printer when the personal information search means determines that the electronic file is a personal information file. Management system characterized by being configured.

(A4) Appendix A4:
A personal information management server connected to the client terminal via a network so as to be able to communicate with each other and managing a personal information file in the client terminal; The management server searches the personal information file in the client terminal via the network by executing the personal information search program, and searches the personal information file by the personal information search unit. Electronic file information storage means for storing information about the electronic file in the client terminal at the time, and control means for causing the personal information search means to execute a search for determining whether or not the electronic file is a personal information file. The client end is configured When the personal information search means determines that the electronic file is a personal information file, the storage stores the determination result by the personal information search means and the location corresponding to the personal information of the electronic file And a function for transmitting the contents of the electronic file to the printer in response to a print command for the electronic file, and the personal information file when the personal information search means determines that the electronic file is a personal information file And a print control means for making the portion corresponding to the personal information in the personal information file invisible and executing transmission to the printer when transmitting to the printer.

(A5) Appendix A5:
A plurality of client terminals, and a plurality of client terminals connected to the plurality of client terminals so as to be communicable with each other via a network and managing personal information files in the plurality of client terminals; Including a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident, the first client terminal Includes a first personal information search unit that searches for a personal information file by executing the personal information search program, a detection unit that detects addition / change of an electronic file in the first client terminal, and an electronic When an addition / change of a file is detected, the individual A first control unit that activates an information search program and causes the first personal information search unit to execute a real-time search to determine whether the added or changed electronic file is a personal information file; Means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the electronic file is determined to be a personal information file by the means, and the first personal information search means When it is determined that the electronic file is a personal information file, the storage unit stores the determination result by the first personal information search unit, and the function of transmitting the content of the electronic file to the printer in response to the print command of the electronic file And determining that the electronic file is a personal information file by the first personal information searching means. And a print control means for canceling transmission of the personal information file to the printer, and the personal information management server executes the personal information search program to execute the personal information search program via the network. A second personal information search means for searching a personal information file in the second client terminal, and an electronic device in the second client terminal at the time when the personal information file was last searched by the second personal information search means. The electronic file information storage means for storing information on the file, the latest information on the electronic file in the second client terminal and the information stored in the file information storage means are compared, and finally the personal information file is periodically searched. An electronic file that has been added or changed between the current time and the current Difference extraction means for periodically extracting from the second client terminal via the network, and periodic exploration for determining whether the difference file extracted by the difference extraction means is a personal information file. A second control unit that is executed by the second personal information search unit, and the second client terminal determines that the electronic file is a personal information file by the second personal information search unit A storage means for storing the determination result by the second personal information search means, and a function for transmitting the contents of the electronic file to the printer in response to a print command for the electronic file. Print control means for canceling transmission of the personal information file to the printer when it is determined that the file is a personal information file; The provided with is configured, it is characterized by the management system.

(A6) Appendix A6:
A plurality of client terminals, and a plurality of client terminals connected to the plurality of client terminals so as to be communicable with each other via a network and managing personal information files in the plurality of client terminals; Including a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident, the first client terminal Includes a first personal information search unit that searches for a personal information file by executing the personal information search program, a detection unit that detects addition / change of an electronic file in the first client terminal, and an electronic When an addition / change of a file is detected, the individual A first control unit that activates an information search program and causes the first personal information search unit to execute a real-time search to determine whether the added or changed electronic file is a personal information file; Means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the electronic file is determined to be a personal information file by the means, and the first personal information search means Storage means for storing a portion corresponding to the personal information of the electronic file based on the determination result by the first personal information search means when the electronic file is determined to be a personal information file by the electronic file; And the function of transmitting the contents of the electronic file to the printer in response to the print command of the first personal information If it is determined by the checking means that the electronic file is a personal information file, when the personal information file is transmitted to the printer, the portion corresponding to the personal information in the personal information file is made invisible and transmitted to the printer. A print control means for executing, and the personal information management server searches for a personal information file in the second client terminal via the network by executing the personal information search program. Personal information search means, electronic file information storage means for storing information about the electronic file in the second client terminal at the time when the personal information file was last searched by the second personal information search means, Latest information on the electronic file in the second client terminal and the file information Compared with the information stored in the storage means, the electronic file added / changed between the time when the personal information file was last searched and the current time is added as a difference file via the network. Difference extraction means periodically extracting from the second client terminal and periodic search for determining whether the difference file extracted by the difference extraction means is a personal information file is executed in the second personal information search means And when the second personal information search means determines that the electronic file is a personal information file, the second client terminal sends the personal information file to the printer. A print control means for making a portion corresponding to the personal information in the personal information file invisible and transmitting to the printer at the time of transmission; The provided with is configured, it is characterized by the management system.

(A7) Appendix A7:
The client terminal further includes display means for displaying characters or images, and display control means for controlling display on the display means. The display control means is an electronic device determined to be the personal information file. The management system according to any one of Supplementary Note A3 to Supplementary Note A6, wherein the file is controlled to be displayed without limitation.

(A8) Appendix A8:
The client terminal further comprises display means for displaying characters or images, display control means for controlling display on the display means, and position detection means for detecting the position of the client terminal, and the display control means. In any one of appendix A3 to appendix A6, the display of the electronic file that is determined to be the personal information file is limited according to the position detected by the position detection unit. Management system as described in.

(A9) Appendix A9:
Personal information search means for searching for a personal information file in a client terminal connected to a personal information management server for managing the personal information file in the client terminal so as to be able to communicate with each other via a network, and addition of an electronic file in the client terminal Detection means for detecting a change, and when the addition / change of an electronic file is detected by the detection means, a real-time search for determining whether the added / changed electronic file is a personal information file or not When the electronic file is determined to be a personal information file by the control means to be executed by the means and the personal information search means, the personal information search means corresponds to the personal information of the electronic file based on the determination result by the personal information search means. Storage means for storing locations, responding to print instructions for electronic files Having the function of transmitting the contents of the electronic file to the printer, and when the personal information searching means determines that the electronic file is a personal information file, the personal information is transmitted when the personal information file is transmitted to the printer. A management program for causing a client terminal to function as print control means for executing a transmission to a printer by making a portion corresponding to personal information of a file invisible.

(A10) Appendix A10:
When the personal information management server determines that the electronic file is a personal information file in a client terminal that is communicably connected to the personal information management server that manages the personal information file via the network, the determination is made Based on the result, the storage means for storing the portion corresponding to the personal information of the electronic file, the function of transmitting the contents of the electronic file to the printer according to the print command of the electronic file, and the electronic file is a personal information file When the personal information file is transmitted to the printer, the client terminal is used as a print control means for making the portion corresponding to the personal information in the personal information file invisible and executing transmission to the printer. A management program characterized by functioning.

(A11a) Appendix A11a:
The management system according to appendix A1 to appendix A8, characterized in that first, the personal information file is searched for all data in the information management terminal or the client terminal, and then the real-time search is executed.

(A11b) Appendix A11b:
The management system according to appendix A3 to appendix A8, wherein the personal information file is first searched for all data in the client terminal, and then the periodic search is executed.

(A12) Appendix A12:
Appendices A3 to A8, wherein the personal information management server forcibly prohibits the personal information file from being output to the outside from a client terminal storing the searched personal information file. Management system.

(A13) Appendix A13:
Each of the plurality of client terminals further includes print request monitoring means for monitoring the searched personal information file and notifying the personal information management server when a print request for the personal information file is generated. The management system according to appendix A3 to appendix A8, wherein the management system is configured as follows.

  The personal information management server further includes an electronic file access management server that is communicably connected to the personal information management server and manages access to the electronic file, and the personal information management server issues a print request for the searched personal information file. The management system according to appendix A3 to appendix A8, wherein the file access management server manages the file.

(A14) Appendix A14:
The personal information exploration program is for causing a computer to realize a function for determining whether or not a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual. Extraction means for extracting the text data contained in the determination target file, extraction means for extracting the character section delimited by the delimiter from the text data extracted by the extraction means, and the extraction means It is a personal information element other than the name by determining whether or not the character string in the character section satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition The first judgment to judge whether it corresponds to any one of telephone number, e-mail address and address Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether the character in the character section is a Chinese character A character determination means for determining whether or not a character section that is within the predetermined range and determined to be a kanji by the character determination means cannot appear in a character or a character string and a name included in the character section Collating means for judging whether or not the character section includes the inappropriate character or the inappropriate character string by collating the inappropriate character or the inappropriate character string preset as a sequence; and The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by one determination means and the collation means And counting the number of character sections determined not to include the inappropriate character or the inappropriate character string, and based on the count result, whether or not the determination target file is a personal information file. A management program that causes the computer to function as second determination means for determining.

(A15) Appendix A15:
In the first determination means, it is determined whether or not the character string in the character section cut out by the cut-out means corresponds to a telephone number. If it does not correspond to an e-mail address, it is determined whether or not it corresponds to an address. The personal information exploration program described in appendix A14, which ends the determination process for.

(A16) Appendix A16:
The second determination means regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching means as a personal information element corresponding to the name, and the determination target file is A personal information search program described in appendix A14 for determining whether the file is a personal information file.

(A17) Appendix A17:
Further, the second determination means determines the number of character sections determined by the first determination means to correspond to any one of a telephone number, an e-mail address, and an address based on the counting result and the collation A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string by the means increases, and the determination is made when the calculated determination value exceeds a predetermined threshold The personal information search program described in appendix A14, which determines that the target file is a personal information file.

(A18) Appendix A18:
Then, the personal information management server manages the determination target file according to the determination value calculated by the second determination unit, or searches the first personal information search unit or the second personal information search unit. The personal information search program according to appendix A14, which manages the personal information file as a management target, and manages the personal information file according to the determination value calculated by the second determination means.

(B1) Appendix B1:
Multiple client devices,
The plurality of client terminals are communicably connected to each other via a network, and have a personal information management server that manages personal information files in the plurality of client terminals,
The plurality of client terminals include a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident,
The first client terminal is
First personal information exploration means for exploring a personal information file by executing the personal information exploration program;
Detecting means for detecting addition / change of a file in the first client terminal;
When the addition / change of a file is detected by the detection means, the personal information search program is started, and the real-time search is performed to determine whether the added / changed file is a personal information file. First control means to be executed by the information search means;
When the first personal information search means determines that the file is a personal information file, the first personal information search means includes a transmission means for transmitting the determination result by the first personal information search means to the personal information management server via the network. Configured,
The personal information management server
Second personal information search means for searching for a personal information file in the second client terminal via the network by executing the personal information search program;
File information storage means for storing information on the file in the second client terminal at the time when the personal information file was last searched by the second personal information search means;
The latest information on the file in the second client terminal is compared with the information stored in the file information storage means, and the personal information file has been added / changed since the last periodic search of the personal information file Differential extraction means for periodically extracting a file as a differential file from the second client terminal via the network;
And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the difference file extracted by the difference extraction means is a personal information file. A characteristic management system.

(B2) Appendix B2:
The first control means causes the first personal information search means to first search the personal information file for all data in the first client terminal and then execute the real-time search. The management system according to Appendix B1.

(B3) Appendix B3:
The second control means causes the second personal information search means to first search the personal information file for all data in the second client terminal and then execute the periodic search. The management system according to Supplementary Note B1 or Supplementary Note B2.

(B4) Appendix B4:
The management system according to any one of Appendix B1 to Appendix B3, wherein the file information storage means stores at least a file creation / update date, file size, and file name as information about the file. .

(B5) Appendix B5:
The personal information management server
Appendices B1- The management system according to any one of Appendix B4.

(B6) Appendix B6:
The personal information management server
Appendices B1 to B1, further comprising digital signature means for giving a digital signature to the personal information file searched by the first personal information search means or the second personal information search means The management system according to any one of B5.

(B7) Appendix B7:
The personal information management server forcibly collects the personal information file from a client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The management system according to any one of Supplementary Notes B1 to B6.

(B8) Appendix B8:
The management system according to appendix B7, wherein the personal information management server stores the collected personal information file in a folder accessible only by an administrator.

(B9) Appendix B9:
The personal information management server compulsorily outputs the personal information file from the client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The management system according to any one of appendix B1 to appendix B6, wherein the management system is prohibited.

(B10) Appendix B10:
The personal information management server notifies the warning information to the client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The management system according to any one of -Appendix B6.

(B11) Appendix B11:
Each of the plurality of client terminals
Access monitoring for monitoring the personal information file searched by the first personal information searching means or the second personal information searching means and notifying the personal information management server when access to the personal information file occurs The management system according to any one of Appendix B1 to Appendix B6, further comprising means.

(B12) Appendix B12:
A file access management server connected to the personal information management server so as to be able to communicate with each other and managing access to the electronic file;
The personal information management server causes the file access management server to manage access to the personal information file searched by the first personal information search means or the second personal information search means. The management system according to any one of the above.

(B13) Appendix B13:
The personal information exploration program is
In order for a computer to realize a function of determining whether a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual,
Extraction means for extracting text data included in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, A first judging means for judging whether or not any one of a telephone number, an e-mail address and an address which is a personal information element other than the name;
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, e-mail address, and address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or the inappropriate character string is not included by the matching means The number of character sections determined is counted, and the computer is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. The management system according to any one of Appendix B1 to Appendix B12.

(B14) Appendix B14:
In the first determination means, it is determined whether or not the character string in the character section cut out by the cut-out means corresponds to a telephone number. If it does not correspond to an e-mail address, it is determined whether or not it corresponds to an address. The management system as set forth in Appendix B13, wherein the determination process is terminated.

(B15) Appendix B15:
The second determination unit regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching unit as a personal information element corresponding to the name, and the determination target file is The management system according to appendix B13 or appendix B14, wherein it is determined whether the file is a personal information file.

(B16) Appendix B16:
The second determining means determines the number of character sections determined by the first determining means to correspond to any one of a telephone number, an e-mail address, and an address based on the counting result and the matching means. A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string increases, and when the calculated determination value exceeds a predetermined threshold, the determination target file The management system according to any one of Supplementary Note B13 to Supplementary Note B15, wherein it is determined that is a personal information file.

(B17) Appendix B17:
The management system according to appendix B16, wherein the personal information management server manages the determination target file according to the determination value calculated by the second determination means.

(B18) Appendix B18:
The personal information management server manages the personal information file searched by the first personal information search means or the second personal information search means, and according to the determination value calculated by the second determination means, The management system according to Supplementary Note B16 or Supplementary Note B17, wherein the personal information file is managed.

(B19) Appendix B19:
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A print having a function of transmitting the contents of an electronic file to a printer in response to a print command of the electronic file, and canceling transmission of the personal information file to the printer when the electronic file is determined to be a personal information file And a control means,
The management system according to appendix B1 to appendix B18, wherein

(B20) Appendix B20:
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A print that has a function of transmitting the contents of an electronic file to a printer in response to a print command of the electronic file, and restricts transmission of the personal information file to the printer when it is determined that the electronic file is a personal information file And a control means,
The management system according to appendix B1 to appendix B19, wherein

(B21) Appendix B21:
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function of displaying the contents of the electronic file on the display unit according to the display instruction of the electronic file is provided, and when it is determined that the electronic file is a personal information file, the display of the display unit of the personal information file is stopped. Display control means, and
The management system according to appendix B1 to appendix B20, wherein

(B22) Appendix B22:
Storage means for storing a determination result when it is determined that the electronic file is a personal information file;
A function to display the contents of the electronic file on the display unit in response to the display instruction of the electronic file, and restricting the display of the personal information file on the display unit when it is determined that the electronic file is a personal information file Display control means to be configured,
The management system according to appendix B1 to appendix B20, wherein

(C1) Appendix C1:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. Environmental information collection means that collects environmental information in each user terminal to the management server, and the management server causes the plurality of user terminals to execute electronic education about security; and Judgment means for judging the management conditions of each user terminal based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means, Each of the plurality of user terminals restricts the writing or transmission of the electronic file at the user terminal determined by the management server as not satisfying the management condition. And transmission control means is configured to include a, characterized in that.

(C2) Appendix C2:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. Environmental information collection means that collects environmental information in each user terminal to the management server, and the management server causes the plurality of user terminals to execute electronic education about security; and Judgment means for judging the management conditions of each user terminal based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means, Each of the plurality of user terminals transmits a transmission control unit that changes restrictions on writing or transmission of an electronic file according to the degree of the management condition determined by the management server. When being configured to include a, characterized in that.

(C3) Appendix C3:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. The user terminal that is determined by the management server that each of the plurality of user terminals does not satisfy the management condition, stops writing or transmitting the electronic file. And a transmission control means.

(C4) Appendix C4:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. The user terminal determined by the management server that each of the plurality of user terminals does not satisfy the management condition is determined to be a personal information file. And a transmission control means for canceling writing or transmission of the electronic file.

(C5) Appendix C5:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. And a user control device that is determined by the management server that each of the plurality of user terminals does not satisfy the management condition. And a transmission control means for transmitting.

(C6) Appendix C6:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. The user terminal determined by the management server that each of the plurality of user terminals does not satisfy the management condition is determined to be a personal information file. And a transmission control means for encrypting and writing or transmitting the electronic file.

(C7) Appendix C7:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. And the user terminal determined by the management server that each of the plurality of user terminals does not satisfy the management condition, stops writing or transmitting the electronic file. And a transmission control means for transmitting the electronic file to the management server.

In this case, it is also desirable that the sending control means deletes the corresponding electronic file from the user terminal.
(C8) Appendix C8:
The management system of the present invention includes a plurality of user terminals, a management server connected to the plurality of user terminals so as to communicate with each other and managing the plurality of user terminals, and each of the plurality of user terminals. The first electronic education control is provided with environmental information collection means for collecting environmental information in each user terminal from the user terminals to the management server, and the management server executes electronic education on security in general to the plurality of user terminals. And whether or not each user terminal satisfies the management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means And a second electronic device that causes a user terminal that has been determined not to satisfy the management condition to execute detailed electronic education on matters relating to the management condition. The user terminal determined by the management server that each of the plurality of user terminals does not satisfy the management condition is determined to be a personal information file. And a transmission control means for stopping writing or transmission of the electronic file and transmitting the electronic file to the management server.

In this case, it is also desirable that the sending control means deletes the corresponding electronic file from the user terminal.
(C9) Appendix C9:
In the management system of the present invention, in the above (Appendix C1) to (Appendix C8), each of the user terminals further includes notification means for notifying the administrator that there has been an instruction to write or transmit an electronic file. It is characterized by comprising.

(C10) Appendix C10:
In the management system of the present invention, in the above (Appendix C1) to (Appendix C9), when the transmission control means tries to write or transmit the electronic file by attaching an electronic mail, It is characterized in that attachment of is canceled.

(C11) Appendix C11:
In the management program of the present invention, the environment information collection means includes: an environment information collection agent file transmission means and an environment information reception means in the management server; and an environment information collection agent file execution means in each of the plurality of user terminals. An environment information collection agent configured to cause the environment information collection agent file transmission means in the management server to collect the environment information and notify the management server of the collection result to each of the plurality of user terminals A file is transmitted to the plurality of user terminals, and the environment information collection agent file execution means in each user terminal executes the environment information collection agent file transmitted from the management server, thereby Collect the environmental information in the terminal and manage the collected results The environment information receiving means in the management server receives the environment information transmitted from each user terminal and passes it to the evaluation means or the judging means. The management system according to any one of claims 1 to 10.

(C12) Appendix C12:
A management system of the present invention is a management program that is connected to a plurality of user terminals so as to be communicable with each other, and that causes a computer to function as a management server that manages the plurality of user terminals. An environment information collection agent file transmission means for transmitting an environment information collection agent file to each of the plurality of user terminals, each of which collects environment information and notifies the management server of the collection result, and each user terminal Environmental information receiving means for receiving the environmental information transmitted from the first electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one management condition; Environmental information collection agent sent by the environmental information collection agent file transmission means after electronic education by the electronic education control means Judgment means for judging whether or not each user terminal satisfies the at least one management condition based on the environment information at each user terminal received by the environment information receiving means according to a file, the judgment means Warning means for issuing a warning to a user and / or administrator of a user terminal that is determined not to satisfy the management conditions by the user terminal, and a user terminal that is determined not to satisfy the management conditions by the determination means In addition, a second electronic education control means for executing electronic education on matters relating to the management conditions, and a user terminal that has determined that the management conditions are not satisfied by the judgment means is an electronic file writing or transmission command. Even if it occurs, the computer functions as a transmission control means for restricting writing or transmission of an electronic file. And wherein the door.

(C13) Appendix C13:
The management program of the present invention is a management program that is connected to a plurality of user terminals so as to be able to communicate with each other and causes a computer to function as a management server that manages the plurality of user terminals. An environment information collection agent file transmission means for transmitting an environment information collection agent file to each of the plurality of user terminals, each of which collects environment information and notifies the management server of the collection result, and each user terminal Environmental information receiving means for receiving the environmental information transmitted from the first electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one management condition; Environmental information collection agent sent by the environmental information collection agent file transmission means after electronic education by the electronic education control means Determination means for determining whether or not each user terminal satisfies the at least one management condition based on the environment information received by the environment information receiving means according to the file, Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the management conditions by the means, and the user that is determined not to satisfy the management conditions by the determination means Second electronic education control means for causing the terminal to execute electronic education on matters relating to the management conditions, and writing or sending an electronic file is generated when it is determined that the user terminal does not satisfy the management conditions Even if this is the case, the transmission restriction agent file that executes the restriction of writing or transmission is transmitted to the plurality of user terminals. Limited agent file transmission means, characterized in that to function the computer as.

(C14) Appendix C14:
In the above (Appendix C12) or (Appendix C13), the management program of the present invention stops writing, sending, or sending the electronic file as a restriction on writing or sending the electronic file in the sending control means. One of encryption of the electronic file and change of the destination of writing or transmission to the management server are executed.

(C15) Appendix C15:
In the above (Appendix C1) to (Appendix C14), when the determination means determines that the management condition is satisfied by completion of the electronic education or the second electronic education, the restriction of the writing or transmission of the electronic file by the restriction means is restricted. It is desirable to be released. In addition, it is desirable that the restriction on the writing or transmission of the electronic file by the restricting means is changed when the judging means determines that the degree of the management condition has changed due to the completion of the electronic education.

(CA) Appendix CA:
In the above management system or management program, the plurality of user terminals are connected to a common local area network to constitute an internal system, and the management server is connected to an external communication network connected to the local area network The plurality of user terminals are communicably connected to each other via the local communication network, and the evaluation unit of the management server evaluates the security level of the plurality of user terminals, thereby You may comprise so that the security level of the whole system may be evaluated.

(CB) Appendix CB:
In the management system or the management program, the evaluation unit in the management server uses the plurality of usages based on a ratio of user terminals satisfying the at least one management condition among the plurality of user terminals. The security level of the person terminal may be quantified and evaluated.

(CC) Appendix CC:
In the management system or the management program, the plurality of usages based on a ratio of user terminals satisfying the at least one management condition among the plurality of user terminals and importance of the management conditions. The security level of the person terminal may be quantified and evaluated.

(CD) Additional CD:
In the above management system or management program, a plurality of management conditions for evaluating the security level are set in advance, and among the plurality of management conditions, those having higher importance than other management conditions are important management It is preset as a condition, and the evaluation means in the management server first determines whether or not each of the plurality of user terminals satisfies the important management condition, and even one of the plurality of user terminals is When there is something that does not satisfy the important management condition, the security level for the plurality of user terminals is determined as the lowest level, while there is no user terminal that does not satisfy the important management condition. Is based on the percentage of user terminals that satisfy at least one of the management conditions other than the important management conditions. The security level for the user terminal may be evaluated by digitizing.

(CE) Appendix CE:
In the above management system or management program, as the management condition, as a desirable use condition or use state of the user terminal determined by the administrator side,
(1) The security software is installed on the user terminal and turned on.
(2) The security patch update information of the security patch update software as security countermeasure software on the user terminal is the latest.
(3) The update information of the virus definition file of the antivirus software as the security software on the user terminal is the latest.
(4) Dangerous software is not installed on the user terminal,
(5) User terminal does not have unauthorized copy,
It is preferable that at least one of them is included.

In the above management system or management program, the management condition further includes:
(a) No software other than licensed software is installed on the user terminal,
(b) No prohibited software is installed on the user terminal,
(c) No data for software other than licensed software is stored on the user terminal,
(d) No data for prohibited software is stored in the user terminal.
(e) No sharing settings that are not permitted to be used on the user terminal,
(e) No unauthorized folder has been created on the user terminal,
(f) Peripheral devices other than authorized peripheral devices are not connected to the user terminal,
(g) Peripheral devices that are prohibited for use are not connected to the user terminal.
(CF) Appendix CF:
In the above management system or management program, the environment information collection means includes: environment information collection agent file transmission means and environment information reception means in the management server; and environment information collection agent file execution means in each of the plurality of user terminals. The environment information collecting agent file transmission means in the management server causes each of the plurality of user terminals to collect the environment information and notify the management server of the collection result The collection agent file is transmitted to the plurality of user terminals, and the environment information collection agent file execution means in each user terminal executes the environment information collection agent file transmitted from the management server, thereby Collect the environmental information on user terminals The collection result is transmitted to the management server for notification, and the environment information receiving means in the management server receives the environment information transmitted from each user terminal and passes it to the evaluation means or the judgment means. You may comprise as follows.

(CG) Appendix CG:
In the above management system or management program, the first electronic education control means in the management server causes each of the plurality of user terminals to execute electronic education on security including matters relating to the at least one management condition. First electronic education agent file creation / holding means for creating or holding a first electronic education agent file, and the first electronic education agent file created / held by the first electronic education agent file creation / holding means, First electronic education agent file transmission means for transmitting to the plurality of user terminals, each of the plurality of user terminals executing the first electronic education agent file transmitted from the management server By the user terminal, the at least one management The electronic education about security, including the matters relating to the matter may be provided with a first electronic educational agent files execution means for executing to the user of the user terminal.

(CH) Appendix CH:
In the above management system or management program, the second electronic education control means in the management server performs electronic education on matters relating to the management conditions determined to be not satisfied by the determination means by the determination means. Second electronic education agent file creation / holding means for creating or holding a second electronic education agent file to be executed by the user terminal determined not to satisfy the management conditions, and the second electronic education agent file creation / holding means The second electronic education agent file transmission means that transmits the second electronic education agent file created / held by the user terminal to the user terminal, and the user terminal is transmitted from the management server. By executing the second electronic education agent file, the user end Then, there may be provided second electronic education agent file execution means for executing electronic education on matters relating to the management condition determined not to be satisfied by the determination means for the user of the user terminal. .

(CI) Appendix CI:
In the management system or management program of the above items (Appendix C1) to (Appendix C15), (Appendix CA) to (Appendix CH), the evaluation means in the management server periodically collects by the environmental information collection means. The security level of the plurality of user terminals is periodically evaluated based on the environmental information, and the notification means in the management server sends the periodic evaluation results to the users of the plurality of user terminals. And / or an administrator may be notified.

(CJ) Appendix CJ:
The management server of the present invention is connected to a plurality of user terminals so as to be able to communicate with each other, and manages the plurality of user terminals, and collects environmental information in each of the plurality of user terminals and Environment information collection agent file transmission means for transmitting an environment information collection agent file for executing notification of the collection result to the management server to the plurality of user terminals, receiving the environment information transmitted from each user terminal Environment information receiving means, first electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to at least one management condition, and after electronic education by the first electronic education control means Each environment information receiving means that receives the environment information collecting agent file according to the environment information collecting agent file sent by the environment information collecting agent file sending means Based on the environmental information in the user terminal, a determination means for determining whether each user terminal satisfies the at least one management condition, and a user determined by the determination means that the management condition is not satisfied Electronic education about matters related to management conditions is given to warning means for issuing warnings to terminal users and / or managers, and user terminals that are judged not to satisfy the management conditions by the judgment means. Second electronic education control means to be executed, even when an electronic file writing or transmission command is issued to a user terminal determined not to satisfy the management conditions by the determining means, It is characterized by comprising transmission control means for stopping transmission.

According to the above supplementary notes C1 to CJ, it is as follows.
(Appendix Ci) At least one management condition (for example, at least one of the above items (1) to (5) or the above items (1) to (5) and (a) to (g) After executing electronic education on security including matters relating to at least one of the above)), environmental information on each user terminal is collected from each user terminal to the management server and collected on this management server. Based on the environmental information, whether or not each user terminal satisfies the management conditions is determined, and for the user terminal that is determined not to meet the management conditions E-education is executed. In other words, if there is a violation of management conditions after e-education for security in general, the violation is likely due to the intention of the user, and e-learning about violations is executed for the violating user. Will be.

  Therefore, electronic education to ensure security for users can be conducted thoroughly and thoroughly in accordance with the actual situation of each user terminal, raising the user's awareness of security, and ensuring a safe environment in the internal system of companies, etc. Can further contribute to securing and maintaining In other words, since it is possible to conduct electronic education for violations that are likely to have been intentionally performed by users after electronic education on security in general, thorough user education (employee education) It will be possible to do this, and it will contribute to securing and maintaining a safe environment for the internal system.

(Appendix Cii) Environmental information in each of the plurality of user terminals is collected from each user terminal to the management server. Based on the collected environmental information in each user terminal, the plurality of users is collected. The security level of the terminal, that is, the security status of the internal system in the company or the like is evaluated, and the evaluation result is notified to the user and the administrator. As a result, a service that evaluates the security status of internal systems in a company, etc., can be provided to the company, etc., even if there is no system administrator in place, and the manager and administrator are indifferent to security measures. Even so, the security status of internal systems and terminals can be grasped extremely accurately and easily, raising the security awareness of managers, administrators and users, and ensuring a safe environment in internal systems of companies, etc. Can be maintained. In particular, services such as those mentioned above are effective for small and medium-sized enterprises that are not as conscious of security as large enterprises. By using this service, managers and managers of such small and medium-sized enterprises have their own The system security status and electronic education can be done very easily and thoroughly.

(Supplementary Note Ciii) In the management server, at least one management condition (for example, at least one of the above items (1) to (5) or the above items (1) to (5)) among a plurality of user terminals. And at least one of (a) to (g)), or based on the ratio and importance of each management condition, multiple user terminals (internal It is possible to evaluate the security level of the system) numerically. When performing quantification / evaluation based only on the above ratio, for example, management of at least one of the above items (1) to (5) or the above items (1) to (5) and (a) to (g) If the percentage of user terminals satisfying at least one of the conditions is 100%, the highest evaluation is given. Hereinafter, a graded evaluation level corresponding to the ratio may be given to the internal system to be evaluated. it can. That is, a higher evaluation level can be given to a system with more user terminals that satisfy the management conditions, and an evaluation according to the level of safety can be given to the internal system to be evaluated. In addition, by performing quantification / evaluation based on the importance of management conditions, a low evaluation level can be assigned to a system in which user terminals that do not satisfy the management conditions with high importance exist, and the safety is high. Can be given to the internal system to be evaluated.

(Appendix Civ) Multiple management conditions (for example, the above items (1) to (5), or, for example, the above item (1)
If at least one of (5) and (a) to (g)) is extremely important to ensure the safety of the internal system, the management conditions are importantly managed. By setting as a condition, if there is even one user terminal that does not satisfy the important management condition, regardless of the ratio of other items, by giving a low evaluation level to the internal system to be evaluated, The security level (security status) of the internal system to be evaluated can be easily and reliably evaluated.

  (Appendix Cv) The environment information collection agent file is transmitted from the management server to a plurality of user terminals, and the environment information collection agent file is executed on each user terminal to collect environment information on the user terminal in the management server. It is possible. Therefore, the management server creates an environment information collection agent file, and transmits the environment information collection agent file to a plurality of user terminals belonging to the internal system to be evaluated at the same time. Environmental information can be collected very easily.

(Appendix Cvi) The first or second electronic education agent file is transmitted from the management server to the user terminal, and the first or second electronic education agent file is executed on each user terminal, so that electronic education about security in general It is possible to allow the user of the user terminal to perform electronic education on violations. Therefore, the management server makes it very easy to provide electronic education on security for multiple user terminals simply by sending the first electronic education agent file to multiple user terminals belonging to the internal network to be evaluated simultaneously. In addition, the second electronic education agent file can be transmitted to the violator's user terminal, and electronic education about violations for the violator can be executed very easily.

(Appendix Cvii) Based on the environmental information collected periodically, the security level of multiple user terminals (internal systems to be evaluated) is periodically evaluated, and the results of the periodic evaluation are acquired by multiple users. By notifying terminal users and administrators, the users and administrators can periodically grasp the security status of the internal system and contribute to ensuring and maintaining a safe environment for the internal system. become.

  (Appendix Cviii) In a user terminal that is judged by the management server as not satisfying the management conditions, the writing or transmission of an electronic file is restricted so that information can be spread by writing or sending from the violator's terminal. Effectively prevented. In addition, since the user terminal that satisfies the management condition does not have a restriction on writing or sending, there is no problem with the use of the user terminal. In addition, by changing the restrictions on the writing or sending of electronic files according to the degree of management conditions determined by the management server, the spread of information by writing or sending from the violator's terminal is appropriate, and Effectively prevented. In addition, since the user terminal that satisfies the management condition does not have a restriction on writing or sending, there is no problem with the use of the user terminal.

  As a result, even if personal information and confidential information are distributed and stored in a plurality of user terminals, personal information and confidential information can be obtained at each terminal without obtaining human cooperation and placing a special burden on the person in charge. The electronic file containing confidential information can be prohibited from being written / transmitted to an external medium, the electronic file can be prevented from being taken out or transmitted, and personal information or confidential information can be unintentionally leaked. Leakage and unauthorized use can be reliably prevented.

  (Appendix Cix) And, for the user terminal that executes the second electronic education, write or send restrictions (stop writing or sending, or writing or sending without personal information) By executing, it is possible to effectively prevent the spread of information by writing or transmitting from the terminal of the offender. In addition, since there is no restriction on writing or transmission in a user terminal that has only received the first electronic education without receiving the second electronic education, there is no problem with the use of the user terminal.

  That is, in the user terminal receiving the second electronic education, when a command for writing or sending an electronic file is generated, the sending control means restricts writing or sending the personal information file (writing stop or send). (Cancel or write or send without personal information). Thereby, the personal information file is not written or transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented. Similarly, if it is determined that the electronic file is a personal information file, the sending control means restricts the writing or sending of the personal information file (writing stop or sending stop or (Excluding writing or sending) Thereby, the personal information file is not written or transmitted to the external storage medium or the network, and the leakage of the personal information via the external storage medium or the network is prevented.

  In addition, a management server is further provided, and the management server manages the writing or transmission request for the searched personal information file, so that the personal information is inadvertently leaked or leaked due to the writing or transmission of personal information or illegal personal information. It becomes possible to prevent the use etc. more reliably.

(D1) Appendix D1:
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file A control unit to be executed by a search unit; a storage unit that stores the determination result by the personal information search unit when the electronic file is determined to be a personal information file by the personal information search unit; A function of transmitting the contents of the electronic file to the printer in response to the print command, and when the personal information exploration means determines that the electronic file is a personal information file, it transmits the personal information file to the printer. An information management terminal characterized by comprising a print control means for canceling That.

  According to the information management terminal of this appendix, in the first client terminal in which the personal information exploration program is resident, if an electronic file print command is generated, it is determined that the electronic file is a personal information file. The print control means controls to stop the transmission of the personal information file to the printer. As a result, the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D2) Appendix D2:
Personal information search means for searching a personal information file by executing a personal information search program, and starting the personal information search program, and determining whether or not the electronic file to be held is a personal information file Corresponding to the determination result by the personal information searching means and the personal information of the electronic file when the electronic information file is determined to be a personal information file by the control means to be executed by the searching means and the personal information searching means A storage means for storing the location of the electronic file and a function for transmitting the contents of the electronic file to the printer in response to a print command for the electronic file, and the personal information search means determines that the electronic file is a personal information file. If the personal information file is transmitted to the printer, the personal information of the personal information file And print control means for performing transmission to the printer and invisible for those that point, which is configured to include a, a service terminal, characterized in that.

  According to the information management terminal of this appendix, in the first client terminal in which the personal information exploration program is resident, if an electronic file print command is generated, it is determined that the electronic file is a personal information file. The print control means controls to make the portion corresponding to the personal information in the personal information file invisible and execute transmission to the printer. As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D3) Appendix D3:
A personal information management server connected to the client terminal via a network so as to be able to communicate with each other and managing a personal information file in the client terminal; The management server searches the personal information file in the client terminal via the network by executing the personal information search program, and searches the personal information file by the personal information search unit. Electronic file information storage means for storing information about the electronic file in the client terminal at the time, and control means for causing the personal information search means to execute a search for determining whether or not the electronic file is a personal information file. The client end is configured However, when the personal information search means determines that the electronic file is a personal information file, the storage means for storing the determination result by the personal information search means, and the contents of the electronic file according to the print command of the electronic file And a print control means for stopping transmission of the personal information file to the printer when the personal information searching means determines that the electronic file is a personal information file. It is the management system characterized by being comprised.

According to the management system of this appendix, in the second client terminal that does not have the personal information search program resident, when a print command for an electronic file is generated, the personal information management server determines that the electronic file is a personal information file. If so, the print control means controls to stop sending the personal information file to the printer. As a result, the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D4) Appendix D4:
A personal information management server connected to the client terminal via a network so as to be able to communicate with each other and managing a personal information file in the client terminal; The management server searches the personal information file in the client terminal via the network by executing the personal information search program, and searches the personal information file by the personal information search unit. Electronic file information storage means for storing information about the electronic file in the client terminal at the time, and control means for causing the personal information search means to execute a search for determining whether or not the electronic file is a personal information file. The client end is configured When the personal information search unit determines that the electronic file is a personal information file, the storage stores the determination result by the personal information search unit and the location corresponding to the personal information of the electronic file And a function for transmitting the contents of the electronic file to a printer in response to a print command for the electronic file, and when the personal information search means determines that the electronic file is a personal information file, the personal information file And a print control means for executing the transmission to the printer by making the portion corresponding to the personal information in the personal information file invisible when transmitting to the printer. is there.

  According to the management system of this appendix, in the second client terminal that does not have the personal information search program resident, when a print command for an electronic file is generated, the personal information management server determines that the electronic file is a personal information file. If so, the print control means controls to make the portion corresponding to the personal information in the personal information file invisible and execute transmission to the printer. As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

Appendix D5:
A plurality of client terminals, and a plurality of client terminals connected to the plurality of client terminals so as to be communicable with each other via a network and managing personal information files in the plurality of client terminals; Including a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident, the first client terminal Includes a first personal information search unit that searches for a personal information file by executing the personal information search program, a detection unit that detects addition / change of an electronic file in the first client terminal, and an electronic When an addition / change of a file is detected, the individual A first control unit that activates an information search program and causes the first personal information search unit to execute a real-time search to determine whether the added or changed electronic file is a personal information file; Means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the electronic file is determined to be a personal information file by the means, and the first personal information search means When it is determined that the electronic file is a personal information file, the storage unit stores the determination result by the first personal information search unit, and the function of transmitting the content of the electronic file to the printer in response to the print command of the electronic file And determining that the electronic file is a personal information file by the first personal information searching means. And a print control means for canceling transmission of the personal information file to the printer, and the personal information management server executes the personal information search program to execute the personal information search program via the network. A second personal information search means for searching a personal information file in the second client terminal, and an electronic device in the second client terminal at the time when the personal information file was last searched by the second personal information search means. The electronic file information storage means for storing information on the file, the latest information on the electronic file in the second client terminal and the information stored in the file information storage means are compared, and finally the personal information file is periodically searched. An electronic file that has been added or changed between the current time and the current Difference extraction means for periodically extracting from the second client terminal via the network, and periodic exploration for determining whether the difference file extracted by the difference extraction means is a personal information file. A second control unit that is executed by the second personal information search unit, and the second client terminal determines that the electronic file is a personal information file by the second personal information search unit A storage means for storing the determination result by the second personal information search means, and a function for transmitting the contents of the electronic file to the printer in response to a print command for the electronic file. Print control means for canceling transmission of the personal information file to the printer when it is determined that the file is a personal information file; The provided with is configured, a management system, characterized in that.

  According to the management system described in this appendix, when the addition / change of a file is detected in the first client terminal in which the personal information search program is resident, the personal information search program is started and real-time search is executed. Then, it is determined whether or not the added / changed electronic file is a personal information file, and the determination result is transmitted to the personal information management server. On the other hand, the electronic file in the second client terminal that does not have the personal information search program resident is managed by the personal information management server, and the latest information on the electronic file in the second client terminal and finally the personal information file is periodically searched. The difference with the information about the file at the time of the execution is regularly monitored, the electronic file corresponding to the difference is extracted from the second client terminal to the personal information management server side (sucked up), and the periodic search is executed, A determination is made by the personal information management server as to whether or not the sucked-up file is a personal information file.

  As a result, the personal information file on the terminal resident in the personal information search program and the personal information file on the terminal non-resident in the personal information search program can be automatically searched and placed under the management of the personal information management server. It becomes possible.

  When an electronic file print command is generated, if it is determined that the electronic file is a personal information file, the print control unit controls to stop the transmission of the personal information file to the printer. As a result, the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D6) Appendix D6:
A plurality of client terminals, and a plurality of client terminals connected to the plurality of client terminals so as to be communicable with each other via a network and managing personal information files in the plurality of client terminals; Including a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident, the first client terminal Includes a first personal information search unit that searches for a personal information file by executing the personal information search program, a detection unit that detects addition / change of an electronic file in the first client terminal, and an electronic When an addition / change of a file is detected, the individual A first control unit that activates an information search program and causes the first personal information search unit to execute a real-time search to determine whether the added or changed electronic file is a personal information file; Means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the electronic file is determined to be a personal information file by the means, and the first personal information search means Storage means for storing a portion corresponding to the personal information of the electronic file based on the determination result by the first personal information search means when the electronic file is determined to be a personal information file by the electronic file; And the function of transmitting the contents of the electronic file to the printer in response to the print command of the first personal information If it is determined by the checking means that the electronic file is a personal information file, when the personal information file is transmitted to the printer, the portion corresponding to the personal information in the personal information file is made invisible and transmitted to the printer. A print control means for executing, and the personal information management server searches for a personal information file in the second client terminal via the network by executing the personal information search program. Personal information search means, electronic file information storage means for storing information about the electronic file in the second client terminal at the time when the personal information file was last searched by the second personal information search means, Latest information on the electronic file in the second client terminal and the file information Compared with the information stored in the storage means, the electronic file added / changed between the time when the personal information file was last searched and the current time is added as a difference file via the network. Difference extraction means periodically extracting from the second client terminal and periodic search for determining whether the difference file extracted by the difference extraction means is a personal information file is executed in the second personal information search means And when the second personal information search means determines that the electronic file is a personal information file, the second client terminal sends the personal information file to the printer. A print control means for making a portion corresponding to the personal information in the personal information file invisible and transmitting to the printer at the time of transmission; The provided with is configured, a management system, characterized in that.

  According to the management system described in this appendix, when the addition / change of a file is detected in the first client terminal in which the personal information search program is resident, the personal information search program is started and real-time search is executed. Then, it is determined whether or not the added / changed electronic file is a personal information file, and the determination result is transmitted to the personal information management server. On the other hand, the electronic file in the second client terminal that does not have the personal information search program resident is managed by the personal information management server, and the latest information on the electronic file in the second client terminal and finally the personal information file is periodically searched. The difference with the information about the file at the time of the execution is regularly monitored, the electronic file corresponding to the difference is extracted from the second client terminal to the personal information management server side (sucked up), and the periodic search is executed, A determination is made by the personal information management server as to whether or not the sucked-up file is a personal information file.

  As a result, the personal information file on the terminal resident in the personal information search program and the personal information file on the terminal non-resident in the personal information search program can be automatically searched and placed under the management of the personal information management server. It becomes possible.

  When an electronic file print command is generated, if it is determined that the electronic file is a personal information file, a location corresponding to the personal information of the personal information file is transmitted to the printer. Is controlled to be invisible and to be sent to the printer. As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D7) Appendix D7:
The client terminal further includes display means for displaying characters or images, and display control means for controlling display on the display means. The display control means is an electronic device determined to be the personal information file. The management system according to any one of Supplementary Note D3 to Supplementary Note D6, wherein the file is controlled to be displayed without limitation.

  According to the management system of the above-mentioned supplementary note, the display control means of the client terminal performs control to execute display without limitation, although the electronic file determined to be a personal information file imposes restrictions on printing. The personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D8) Appendix D8:
The client terminal further comprises display means for displaying characters or images, display control means for controlling display on the display means, and position detection means for detecting the position of the client terminal, and the display control means. In any one of Supplementary Note D3 to Supplementary Note D6, which restricts the display of the electronic file determined to be the personal information file according to the position detected by the position detection means. It is a management system described in 1.

  In (D1) to (D8), it is desirable to first execute the search for the personal information file for all data in the information management terminal or the client terminal and then execute the real-time search.

  Further, in (D3) to (D8), it is preferable that the personal information file is first searched for all data in the client terminal and then the periodic search is executed.

  In addition, the personal information management server forcibly prohibits the personal information file from being output to the outside from a client terminal storing the searched personal information file (D3) to (D8). ) Is desirable.

  Further, each of the plurality of client terminals monitors the searched personal information file, and when a print request for the personal information file is generated, print request monitoring means for notifying the personal information management server to that effect In addition, it is desirable that (D3) to (D8) be configured.

  The personal information management server further includes an electronic file access management server that is communicably connected to the personal information management server and manages access to the electronic file, and the personal information management server issues a print request for the searched personal information file. In (D3) to (D8), it is preferable to manage the file access management server.

  According to the management system described in the above supplementary note, it further includes a position detecting unit that detects the position of the client terminal, and the display control unit determines that the file is a personal information file according to the position detected by the position detecting unit. In order to limit the display of electronic files that have been created, personal information files are no longer printed out on paper media, preventing personal information from leaking through the paper media, and suppressing the display of personal information outside the company. This prevents the leakage of personal information.

Note that, according to the management system described in the appendix, the personal information file is first searched for all data in the client terminal, and then the real-time search is executed. At that time, if the personal information file search is executed only once for all data at the terminal where the personal information search program resides, then the electronic file added / changed as described above will be used thereafter. And just exploring (determining) the difference file,
Without conducting a search for all data, a personal information file newly created and added in each terminal can be searched very efficiently and reliably.

  Therefore, without obtaining human cooperation and without placing a special burden on the person in charge, for example, it is possible to reliably search and manage personal information files that exist in a distributed manner within a company, etc. The purpose is to ensure that personal information disclosure requests and correction requests can be dealt with, and to prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  In addition, according to the management system described in the appendix described above, the personal information file is first searched for all data in the second client terminal, and then the periodic search is executed. At that time, if the personal information management server executes the search of the personal information file only once for all the data via the network for the terminal that is not resident in the personal information search program, As described above, personal information newly created / added at each terminal without searching for all data, just by searching (determining) the added / changed electronic file or difference file. Files can be explored extremely efficiently and reliably.

  Therefore, without obtaining human cooperation and without placing a special burden on the person in charge, for example, it is possible to reliably search and manage personal information files that exist in a distributed manner within a company, etc. The purpose is to ensure that personal information disclosure requests and correction requests can be dealt with, and to prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  In addition, according to the management system described in the appendix described above, the personal information management server forcibly prohibits the personal information file from being output to the outside from the client terminal storing the personal information file. It is possible to more reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  Further, according to the management system described in the appendix, each of the plurality of client terminals monitors the searched personal information file, and when a print request for the personal information file is generated, the personal information is notified to that effect. Since it further comprises print request monitoring means to notify the management server, it is possible to manage the print request by the personal information management server, and the personal information is inadvertently leaked or leaked, or the personal information is illegally used. Etc. can be prevented more reliably.

  Further, according to the management system described in the supplementary note, the electronic file access management server that manages access to the electronic file is further provided, and the personal information management server sends a print request for the searched personal information file to the file access management server. Since it is managed by the server, the print request can be managed by the file access management server, and the inadvertent leakage / leakage of personal information and unauthorized use of personal information can be prevented more reliably.

(D9) Appendix D9:
Personal information search means for searching for a personal information file in a client terminal connected to a personal information management server for managing the personal information file in the client terminal so as to be able to communicate with each other via a network, and addition of an electronic file in the client terminal Detection means for detecting a change, and when the addition / change of an electronic file is detected by the detection means, a real-time search for determining whether the added / changed electronic file is a personal information file or not When the electronic file is determined to be a personal information file by the control means to be executed by the means and the personal information search means, the personal information search means corresponds to the personal information of the electronic file based on the determination result by the personal information search means. Storage means for storing locations, responding to print instructions for electronic files And having the function of transmitting the contents of the electronic file to the printer, and when the personal information search means determines that the electronic file is a personal information file, the personal information is transmitted when the personal information file is transmitted to the printer. A management program that causes the client terminal to function as print control means for executing transmission to a printer by making a portion corresponding to personal information of a file invisible.

  According to the management program described in this supplementary note, in the first client terminal in which the personal information search program is resident, when the addition / change of a file is detected, the personal information search program is started and real-time search is executed. Then, it is determined whether or not the added / changed electronic file is a personal information file, and the determination result is transmitted to the personal information management server. On the other hand, the electronic file in the second client terminal that does not have the personal information search program resident is managed by the personal information management server, and the latest information on the electronic file in the second client terminal and finally the personal information file is periodically searched. The difference with the information about the file at the time of the execution is regularly monitored, the electronic file corresponding to the difference is extracted from the second client terminal to the personal information management server side (sucked up), and the periodic search is executed, A determination is made by the personal information management server as to whether or not the sucked-up file is a personal information file. As a result, the personal information file on the terminal resident in the personal information search program and the personal information file on the terminal non-resident in the personal information search program can be automatically searched and placed under the management of the personal information management server. It becomes possible. When an electronic file print command is generated, if it is determined that the electronic file is a personal information file, the print control unit controls to stop the transmission of the personal information file to the printer. As a result, the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

(D10) Appendix D10:
When the personal information management server determines that the electronic file is a personal information file in a client terminal that is communicably connected to the personal information management server that manages the personal information file via the network, the determination is made Based on the result, the storage means for storing the portion corresponding to the personal information of the electronic file, the function of transmitting the contents of the electronic file to the printer according to the print command of the electronic file, and the electronic file is a personal information file When the personal information file is transmitted to the printer, the client terminal is used as a print control means for making the portion corresponding to the personal information in the personal information file invisible and executing transmission to the printer. It is a management program characterized by functioning.

The personal information search program causes the computer to realize a function of determining whether the determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual. Extraction means for extracting text data included in the determination target file, extraction means for extracting a character section delimited by a delimiter from the text data extracted by the extraction means, and the extraction means Personal information other than the name by determining whether the character string in the extracted character section satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition Judges whether one of the elements phone number, e-mail address and address is applicable The first determination means, the number of characters in the character section determined not to correspond to any of the telephone number, e-mail address, and address by the first determination means is within a predetermined range, and the characters in the same character section are kanji Character judging means for judging whether or not there is a character or character string included in the character section and the name of the character section that is judged to be kanji by the character judging means. Collating means for judging whether or not the character section includes the inappropriate character or the inappropriate character string by collating with the inappropriate character or the inappropriate character string preset as no kanji or the Chinese character string, And the number of character sections determined by the first determination means to correspond to any one of a telephone number, an e-mail address, and an address; The number of character sections determined not to include the inappropriate character or the inappropriate character string by the matching unit is counted, and based on the count result, whether the determination target file is a personal information file. The computer may be caused to function as second determination means for determining whether or not.

  At this time, in the first determination means, it is determined whether or not the character string in the character section extracted by the extraction means corresponds to a telephone number, and if it does not correspond to a telephone number, it corresponds to an e-mail address. When it is determined not to be an e-mail address, it is determined whether it corresponds to an address, and when it is determined that it corresponds to any one of a telephone number, an e-mail address, and an address, The determination process for the character string may be terminated.

  Further, the second determination means regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching means as a personal information element corresponding to the name, and It may be determined whether or not the file is a personal information file.

  Further, the second determination means determines the number of character sections determined by the first determination means as corresponding to any one of a telephone number, an e-mail address, and an address based on the counting result and the collation. A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string by the means increases, and the determination is made when the calculated determination value exceeds a predetermined threshold It may be determined that the target file is a personal information file.

  Then, the personal information management server manages the determination target file according to the determination value calculated by the second determination unit, or searches the first personal information search unit or the second personal information search unit. The personal information file may be managed, and the personal information file may be managed according to the determination value calculated by the second determination unit.

  According to the management program described in this supplementary note, in the first client terminal in which the personal information search program is resident, when the addition / change of a file is detected, the personal information search program is started and real-time search is executed. Then, it is determined whether or not the added / changed electronic file is a personal information file, and the determination result is transmitted to the personal information management server. On the other hand, the electronic file in the second client terminal that does not have the personal information search program resident is managed by the personal information management server, and the latest information on the electronic file in the second client terminal and finally the personal information file is periodically searched. The difference with the information about the file at the time of the execution is regularly monitored, the electronic file corresponding to the difference is extracted from the second client terminal to the personal information management server side (sucked up), and the periodic search is executed, A determination is made by the personal information management server as to whether or not the sucked-up file is a personal information file. As a result, the personal information file on the terminal resident in the personal information search program and the personal information file on the terminal non-resident in the personal information search program can be automatically searched and placed under the management of the personal information management server. It becomes possible. When an electronic file print command is generated, if it is determined that the electronic file is a personal information file, a location corresponding to the personal information of the personal information file is transmitted to the printer. Is controlled to be invisible and to be sent to the printer. As a result, the personal information portion of the personal information file is not printed out on the paper medium, and the leakage of personal information via the paper medium is prevented.

At this time, at least file creation / update date / time, file size, and file name can be used as the file-related information for extracting the difference file in the second client terminal. By simply recognizing the change / addition, the difference file can be recognized and extracted very easily.

  In addition, by configuring the personal information management server to install a personal information search program in response to a request from the user of the client terminal for the client terminal connected to the network, Since the user can select and set resident / non-resident personal information exploration program, if the user requests non-resident personal information exploration program for reasons such as memory capacity or compatibility with other programs It is possible to respond to the request and the convenience is enhanced. The terminal that is selected and set to be non-resident is handled as the second client terminal described above, and is subject to periodic search by the personal information management server.

  Furthermore, by giving a digital signature to the personal information file searched in the management system of this appendix, it is possible to guarantee that the personal information file has not been tampered with, and to prevent counterfeiting by a third party. it can.

  In addition, the personal information file searched in the management system of this appendix is managed by the personal information management server, and the personal information file is forcibly captured and collected from the client terminal, or the collected personal information file can be collected only by the administrator. Store it in an accessible folder, forcibly prohibit the personal information file from being output from the client terminal, notify the client terminal storing the personal information file of warning information, The access to the information file can be managed by the file access management server, and personal information can be prevented from being inadvertently leaked or leaked or illegally used.

  Furthermore, each client terminal monitors the searched personal information file, and when a print request for the personal information file is generated, notifies the personal information management server to that effect, thereby accessing the personal information file. As a result, the personal information management server tracks and manages it, so that unauthorized use of personal information can be prevented more reliably.

  On the other hand, in the management system of this appendix, according to the personal information search function realized by executing the personal information search program on a computer, a personal information element other than the name (phone number, e-mail address, or address) Character sections that do not fall under ()) and contain inappropriate characters or inappropriate character strings are not considered to be related to personal information, but do not correspond to personal information elements other than names and are inappropriate characters or inappropriate character strings. Character sections that do not contain are considered to be related to personal information, especially name.

  Therefore, for character sections determined to correspond to personal information elements other than names (one of phone numbers, e-mail addresses, and addresses), the determination process is terminated when the determination is made and Only character sections that are determined not to be personal information elements are checked against inappropriate characters or inappropriate character strings, and it is determined that even one inappropriate character or inappropriate character string is included in the character section. The collation process can be terminated at the point in time, so that the name collation process can be performed at a higher speed than the conventional method of collating with all the name strings included in the name list, that is, the personal information file is searched. Processing can be performed at high speed. In addition, since all character sections that do not contain inappropriate characters or inappropriate character strings are considered to correspond to names, data aggregates that do not contain inappropriate characters or inappropriate character strings for names, that is, include name information An electronic file that is highly likely to be a personal information file can be reliably searched.

In addition, by further providing the character determination means, the character section does not correspond to a personal information element other than a name and does not include an inappropriate character or an inappropriate character string, and the number of characters in the character section is within a predetermined range. Can be regarded as information about the name, and the name collation accuracy can be improved, and the name collation process can be performed at high speed. Can do. At this time, by setting the predetermined range to a general (appropriate) number range for the number of characters of the name, for example, 1 to 6, the name collation accuracy can be further improved, and the name collation process Can be performed at a higher speed. In addition, since a long character section exceeding the predetermined range can be excluded from the object to be collated by the collating means, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Become.

  Then, the personal information management server manages the determination target file and the personal information file according to the determination value calculated for each determination target file by executing the above-described personal information search program. For each personal information file, it is possible to select and execute a management method according to the judgment value level (high possibility of being a personal information file / the number of personal information elements).

(E1) Appendix E1:
Multiple user terminals,
A management server that is communicably connected to the plurality of user terminals and manages the plurality of user terminals;
Environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
The management server
First electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one safety condition;
Whether each user terminal satisfies the at least one safety condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means. A judging means for judging;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means;
It is characterized by comprising a second electronic education control means for executing electronic education on matters relating to the safety condition on the user terminal that is judged not satisfying the safety conditions by the judging means. Management system.

(E2) Appendix E2:
Multiple user terminals,
A management server that is communicably connected to the plurality of user terminals and manages the plurality of user terminals;
Environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
The management server
Based on the environment information in each user terminal collected by the environment information collecting means, it is determined whether each user terminal satisfies at least one safety condition, and the security level for the plurality of user terminals An evaluation means for evaluating
Notification means for notifying the users and / or managers of the plurality of user terminals of the evaluation results obtained by the evaluation means;
First electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to the at least one safety condition;
Whether each user terminal satisfies the at least one safety condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means. A judging means for judging;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means;
It is characterized by comprising a second electronic education control means for executing electronic education on matters relating to the safety condition on the user terminal that is judged not satisfying the safety conditions by the judging means. Management system.

(E3) Appendix E3:
The plurality of user terminals are connected to a common local area network to constitute an internal system,
The management server is connected to the plurality of user terminals so as to be able to communicate with each other via the external communication network connected to the local communication network and the local communication network;
The management system according to appendix E2, wherein the evaluation unit of the management server evaluates the security level of the entire internal system by evaluating the security level of the plurality of user terminals.

(E4) Appendix E4:
The evaluation means in the management server digitizes security levels for the plurality of user terminals based on a ratio of user terminals satisfying the at least one safety condition among the plurality of user terminals. The management system according to supplementary note E2 or supplementary note E3, characterized by

(E5) Appendix E5:
The evaluation means in the management server uses the plurality of usages based on a ratio of user terminals satisfying the at least one safety condition among the plurality of user terminals and importance of the safety conditions. The management system according to Supplementary Note E2 or Supplementary E3, wherein the security level of a person terminal is digitized and evaluated.

(E6) Appendix E6:
A plurality of safety conditions for evaluating the security level are set in advance, and among the plurality of safety conditions, those having higher importance than other safety conditions are preset as important safety conditions,
The evaluation means in the management server first determines whether or not each of the plurality of user terminals satisfies the important safety condition, and even one of the plurality of user terminals satisfies the important safety condition. If there is nothing, the security level for the plurality of user terminals is determined as the lowest level, while if there is no user terminal that does not satisfy the important safety conditions, the important safety conditions An additional note E2 or the additional note, characterized in that the security level of the plurality of user terminals is quantified and evaluated based on a ratio of user terminals that satisfy at least one of the other safety conditions The management system according to E3.

(E7) Appendix E7:
The safety condition is
(1) The security software is installed on the user terminal and turned on.
(2) The security patch update information of the security patch update software as security countermeasure software on the user terminal is the latest.
(3) The update information of the virus definition file of the antivirus software as the security software on the user terminal is the latest.
(4) Dangerous software is not installed on the user terminal,
(5) User terminal does not have unauthorized copy,
The management system according to any one of supplementary notes E1 to E6, including at least one of the above.

(E8) Appendix E8:
The environmental information collecting means is composed of environmental information collecting agent file transmitting means and environmental information receiving means in the management server, and environmental information collecting agent file executing means in each of the plurality of user terminals,
The environment information collection agent file transmitting means in the management server causes the plurality of user terminals to execute collection of the environment information and notification of the collection result to the management server, Send to the user terminals,
The environment information collection agent file execution means in each user terminal collects the environment information in the user terminal by executing the environment information collection agent file transmitted from the management server, and displays the collection result. Send to the management server and notify
Any one of the supplementary notes E1 to E7, wherein the environmental information receiving means in the management server receives the environmental information transmitted from each user terminal and delivers it to the evaluation means or the judging means The management system according to one item.

(E9) Appendix E9:
The first electronic education control means in the management server is
First electronic education agent file creation / holding means for creating or holding a first electronic education agent file for causing each of the plurality of user terminals to perform electronic education on security including matters relating to the at least one safety condition; ,
A first electronic education agent file transmission means for transmitting the first electronic education agent file created / held by the first electronic education agent file creation / holding means to the plurality of user terminals;
Each of the plurality of user terminals
By executing the first electronic education agent file transmitted from the management server, the user terminal uses the user terminal to conduct electronic education on security including matters relating to the at least one safety condition. The management system according to any one of appendix E1 to appendix E8, further comprising first electronic education agent file execution means to be executed for.

(E10) Appendix E10:
The second electronic education control means in the management server is
A second electronic education agent file that causes a user terminal that is determined not to satisfy the safety condition by the determination means to execute electronic education on a matter related to the safety condition that is determined not to be satisfied by the determination means A second electronic education agent file creation / holding means for creating or holding
A second electronic education agent file transmission means for transmitting the second electronic education agent file created / held by the second electronic education agent file creation / holding means to the user terminal;
The user terminal is
By executing the second electronic education agent file transmitted from the management server, the user terminal uses the electronic education on the matter related to the safety condition determined not to be satisfied by the determination means in the user terminal. The management system according to any one of supplementary notes E1 to E9, further comprising second electronic education agent file execution means to be executed for a user of a user terminal.

(E11) Appendix E11:
A management server connected to a plurality of user terminals so as to be able to communicate with each other and managing the plurality of user terminals,
Environment information collection agent file transmission that transmits an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals. Means,
Environmental information receiving means for receiving the environmental information transmitted from each user terminal;
First electronic education control means for causing the plurality of user terminals to execute electronic education on security including matters relating to at least one safety condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one safety condition;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means;
It is characterized by comprising second electronic education control means for causing the user terminal determined not to satisfy the safety condition by the determination means to execute electronic education on the matter related to the safety condition. Management server.

(E12) Appendix E12:
A management server connected to a plurality of user terminals so as to be able to communicate with each other and managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals Means,
Environmental information receiving means for receiving the environmental information transmitted from each user terminal;
Based on the environmental information in each user terminal received by the environment information receiving means, it is determined whether each user terminal satisfies at least one safety condition, and the security level for the plurality of user terminals An evaluation means for evaluating
Notification means for notifying the users and / or managers of the plurality of user terminals of the evaluation results obtained by the evaluation means;
First electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to the at least one safety condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one safety condition;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means;
It is characterized by comprising second electronic education control means for causing the user terminal determined not to satisfy the safety condition by the determination means to execute electronic education on the matter related to the safety condition. Management server.

(E13) Appendix E13:
A management program connected to a plurality of user terminals so as to communicate with each other, and causing a computer to function as a management server for managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals means,
Environment information receiving means for receiving the environment information transmitted from each user terminal;
First electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to at least one safety condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one safety condition;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means; and
The computer is caused to function as second electronic education control means for causing a user terminal that is determined not to satisfy safety conditions by the determination means to execute electronic education on matters relating to the safety conditions. , Management program.

(E14) Appendix E14:
A management program connected to a plurality of user terminals so as to communicate with each other, and causing a computer to function as a management server for managing the plurality of user terminals,
Environment information collection agent file transmission for transmitting an environment information collection agent file that causes each of the plurality of user terminals to collect environment information and notify the management server of the collection result to the plurality of user terminals means,
Environment information receiving means for receiving the environment information transmitted from each user terminal;
Based on the environmental information in each user terminal received by the environment information receiving means, it is determined whether each user terminal satisfies at least one safety condition, and the security level for the plurality of user terminals Evaluation means to evaluate,
Notification means for notifying the users and / or managers of the plurality of user terminals of the evaluation results obtained by the evaluation means;
First electronic education control means for causing the plurality of user terminals to perform electronic education on security including matters relating to the at least one safety condition;
Based on the environment information in each user terminal received by the environment information receiving means according to the environment information collecting agent file transmitted by the environment information collecting agent file transmitting means after the electronic education by the first electronic education control means, Determining means for determining whether each user terminal satisfies the at least one safety condition;
Warning means for issuing a warning to the user and / or administrator of the user terminal that is determined not to satisfy the safety condition by the determination means; and
The computer is caused to function as second electronic education control means for causing a user terminal that is determined not to satisfy safety conditions by the determination means to execute electronic education on matters relating to the safety conditions. , Management program.

(F1) Appendix F1:
A management system, a management server, and a management program in which each supplementary note belonging to C and each supplementary note belonging to D are combined.

(F2) Appendix F2:
A management system, a management server, and a management program in which each supplementary note belonging to D and each supplementary note belonging to E are combined.

It is a block diagram which shows the structure of the management system (a management server and a user terminal) as 1st embodiment of this invention. It is a flowchart for demonstrating operation | movement of 1st embodiment. It is a block diagram which shows the structure of the management system (a management server and a user terminal) as 2nd embodiment of this invention. It is a flowchart for demonstrating operation | movement of the management server of 2nd embodiment. It is a flowchart for demonstrating operation | movement (1st example of a security evaluation method) of the evaluation means in the management server of 2nd embodiment. It is a flowchart for demonstrating operation | movement (2nd example of a security evaluation method) of the evaluation means in the management server of 2nd embodiment. It is a flowchart for demonstrating operation | movement (3rd example of a security evaluation method) of the evaluation means in the management server of 2nd embodiment. It is a flowchart for demonstrating the environmental information collection operation | movement of each user terminal in the evaluation object system of 2nd embodiment. It is a flowchart for demonstrating the electronic education operation | movement of each user terminal in the evaluation object system of 2nd embodiment. It is a flowchart for demonstrating writing or transmission restriction | limiting operation | movement of each user terminal in the evaluation object system of 2nd embodiment. It is a block diagram which shows the detailed functional structure of the 1st personal information search means in the user terminal of 2nd embodiment. It is a block diagram which shows the detailed functional structure of the 1st personal information search means in the user terminal of 2nd embodiment. It is a block diagram which shows the function structure of the personal information management server of 2nd embodiment. It is a block diagram which shows the function structure of the file access management server of 2nd embodiment. It is a flowchart for demonstrating operation | movement of the personal information search means of 2nd embodiment. It is a block diagram which shows the structure of the management system as one Embodiment of this invention. It is a block diagram which shows the function structure of the 1st client terminal (personal information search program resident terminal) of 3rd embodiment. It is a block diagram which shows the function structure of the 2nd client terminal (personal information search program resident non-terminal) of 3rd embodiment. It is a block diagram which shows the detailed function structure of the 1st personal information search means in the 1st client terminal of 3rd embodiment. It is a block diagram which shows the function structure of the personal information management server of 3rd embodiment. It is a block diagram which shows the function structure of the file access management server of 3rd embodiment. It is a flowchart for demonstrating operation | movement of the personal information search means of 3rd embodiment. It is a flowchart for demonstrating operation | movement of the 1st client terminal of 3rd embodiment. It is a flowchart for demonstrating operation | movement of the 2nd client terminal of 3rd embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server of 3rd embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server of 3rd embodiment. It is a flowchart for demonstrating the electronic file conversion operation | movement by the file access management server of 3rd embodiment. It is a flowchart for demonstrating the authentication operation | movement by the file access management server of 3rd embodiment. It is a flowchart for demonstrating operation | movement (printing, browsing) to the electronic file of 3rd embodiment. It is explanatory drawing which shows the printing state by operation | movement of 3rd embodiment. It is explanatory drawing which shows the printing state by operation | movement of 3rd embodiment. It is explanatory drawing which shows the printing state by operation | movement of 3rd embodiment. It is explanatory drawing which shows the printing state by operation | movement of 3rd embodiment. It is explanatory drawing which shows the printing state by operation | movement of 3rd embodiment. It is a flowchart which shows operation | movement of 3rd embodiment. It is a flowchart for demonstrating operation | movement of 4th embodiment.

Explanation of symbols

1 management system 10 client terminal (user terminal)
10a CPU
10b Storage unit 10c Quarantine table 10d P mark table 11 First personal information search means (search engine, text extraction engine)
12 Detection means 13 First control means 14 Access monitoring means 15 Transmission / reception means (transmission means)
16 Print Request Monitoring Unit 18 Print Control Unit 19 Display Control Unit 20 Personal Information Management Server 20a CPU
20b database 20b-1 quarantine table 20b-2 P mark table 20b-3 file information storage means 20c display unit 30 file access management server 40 network (in-house LAN)
60 Printer

Claims (11)

A determination means for determining whether or not the user terminal satisfies a predetermined predetermined management condition;
Electronic education control means for causing the user terminal to execute electronic education based on a determination result by the determination means;
Peripheral device operation control means for controlling writing or sending of electronic files to the peripheral device;
In addition to performing control when writing or transmitting an electronic file to the outside, a user terminal that does not satisfy the management conditions and is determined not to have completed the electronic education is provided with the peripheral device operation control means. Control means for controlling the electronic file not to be written out or transmitted outside by a specific protocol;
Management system characterized by comprising Multiple user terminals,
A management server that is communicably connected to the plurality of user terminals and manages the plurality of user terminals;
Environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
The management server
Electronic education control means for causing the plurality of user terminals to execute electronic education about security;
Judgment means for judging the management conditions of each user terminal based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means,
Each of the plurality of user terminals
Peripheral device operation control means for controlling writing or sending of electronic files to the peripheral device;
In the user terminal which performs control when writing or transmitting an electronic file to the outside and the management server determines that the management conditions are not satisfied and the electronic education is not completed, the peripheral device operates. Control means for controlling the electronic file not to be written or transmitted to the outside by a specific protocol not via the control means;
Management system characterized by comprising Multiple user terminals,
A management server that is communicably connected to the plurality of user terminals and manages the plurality of user terminals;
Environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
The management server
First electronic education control means for causing the plurality of user terminals to execute electronic education about security in general;
Judgment means for judging whether or not each user terminal satisfies a management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means. When,
A second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute a detailed electronic education on matters relating to the management conditions;
Configured with
Each of the plurality of user terminals
Peripheral device operation control means for controlling writing or sending of electronic files to the peripheral device;
In the user terminal that performs control when writing or transmitting an electronic file to the outside and the management server determines that the detailed electronic education is not completed because the management condition is not satisfied, the peripheral device Control means for controlling the electronic file not to be written or transmitted to the outside with a specific protocol not via the operation control means;
Management system characterized by comprising Multiple user terminals,
A management server that is communicably connected to the plurality of user terminals and manages the plurality of user terminals;
Environmental information collecting means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
The management server
A first electronic education control means for causing the plurality of user terminals to perform general electronic education on security in general;
Judgment means for judging whether or not each user terminal satisfies a management condition based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the first electronic education control means. When,
A second electronic education control means for causing the user terminal determined not to satisfy the management conditions by the determination means to execute a detailed electronic education on matters relating to the management conditions;
Configured with
Each of the plurality of user terminals
Peripheral device operation control means for controlling writing or sending of electronic files to the peripheral device;
In the user terminal that performs control when writing or transmitting an electronic file to the outside and the management server determines that the detailed electronic education is not completed because the management condition is not satisfied, Control means for controlling the electronic file determined to be a file so as not to be written or transmitted to the outside by a specific protocol not via the peripheral device operation control means;
Management system characterized by comprising The control means, at the user terminal that is determined not to satisfy the management condition and the electronic education is not completed, the electronic file is encrypted and written or transmitted.
The management system as described in any one of Claims 1-4 characterized by the above-mentioned. The peripheral device operation control means is a device driver.
The management system according to any one of claims 1 to 5, characterized in that: The specific protocol is either a picture transfer protocol or a media transfer protocol.
The management system according to any one of claims 1 to 6, wherein: A management program that causes a computer to function as a user terminal,
A judging means for judging whether or not the user terminal satisfies a predetermined predetermined management condition;
Electronic education control means for causing the user terminal to execute electronic education based on a determination result by the determination means;
Peripheral device operation control means for controlling writing or sending of electronic files to peripheral devices,
In addition to performing control when writing or transmitting an electronic file to the outside, a user terminal that does not satisfy the management conditions and is determined not to have completed the electronic education is provided with the peripheral device operation control means. Control means for controlling the electronic file not to be written out or transmitted to the outside by any specific protocol;
Management program characterized by causing a computer to function as A management program in which a plurality of user terminals and a management server are communicably connected to each other, and functions as a management system for managing the plurality of user terminals. And
Environmental information collection means for collecting environmental information in each of the plurality of user terminals from each user terminal to the management server;
Electronic education control means for causing the plurality of user terminals to execute electronic education about security;
Judging means for judging the management condition of each user terminal based on the environmental information in each user terminal collected by the environmental information collecting means after the electronic education by the electronic education control means;
Peripheral device operation control means for controlling writing or sending of electronic files to peripheral devices,
In the user terminal which performs control when writing or transmitting an electronic file to the outside and the management server determines that the management conditions are not satisfied and the electronic education is not completed, the peripheral device operates. Control means for controlling the electronic file not to be written out or transmitted to the outside by a specific protocol not via the control means;
Management program characterized by causing a computer to function as A determination means for determining whether or not the user terminal satisfies a predetermined predetermined management condition;
Electronic education control means for causing the user terminal to execute electronic education based on a determination result by the determination means;
The terminal has a function of transmitting the contents of the electronic file to the printer in response to the print instruction of the electronic file, and at least a part of the terminal is determined not to satisfy the management condition and the electronic education is not completed. Control means for controlling the electronic file to execute printing in a state of being performed;
Management system characterized by comprising A judging means for judging whether or not the user terminal satisfies a predetermined predetermined management condition;
Electronic education control means for causing the user terminal to execute electronic education based on a determination result by the determination means;
The terminal has a function of transmitting the contents of the electronic file to the printer in response to the print instruction of the electronic file, and at least a part of the terminal is determined not to satisfy the management condition and the electronic education is not completed. Control means for controlling the electronic file to execute printing in a state where
Management program characterized by causing a computer to function as

Images