JP2010015542A - File management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To specify any change of the presence of a storage medium storing information or a person, and to prevent an operation which might lead to the leakage of information in advance. <P>SOLUTION: The combination of the category and level of information is defined as a label, and conditions for executing an operation which is highly likely to exceed the shared range of the information for each label are defined as a policy list, and a label is assigned to the file. Furthermore, when a user holds an IC card over a sensor to enter/leave a room, the presence information of the user is obtained. Thus, when the user operates the file, and the attribute information or presence information of the user and the storage medium of a file or the like do not conform to the policy list, the operation is prevented so as to prevent an operation which might lead to the leakage of information in advance. Furthermore, an approval result is reflected on a DB for information identification for every approving operation in assigning the label and carrying the file to the outside of an organization so that an approver or manager improves information identifying precision without registering it. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a file management system that achieves both prevention of information leakage and utilization of information.

  In recent years, computerization of information has been progressing, and various information such as personal information, technical information, and sales information has been digitized within an organization and utilized in various ranges such as within an organization or outside business partners. However, on the other hand, information leakage and loss often occur, and prevention of information leakage is an extremely high interest for organizations and should be addressed immediately.

  A variety of products that prevent information leakage are provided, but information leakage accidents have not disappeared, and once leakage occurs, even if the employee is negligent, the damage to the organization is significant. It costs the cost of countermeasures and the cost of subsequent preventive measures.

  Since the sharing range of information varies depending on the purpose of use, in order to prevent information leakage, it is only necessary to limit the sharing range that does not vary depending on the information. However, the following factors diversify the paths that may lead to information leakage beyond the sharing range.

(1) Diversification of information types Information handled by organizations is diverse. A wide range of information is handled in order to efficiently promote activities and services provided by the organization, including documents, blueprints, personal information, employee information, and information showing product distribution history. Since the sharing range of these pieces of information varies depending on the purpose of use, even if the same operation is performed from the information handling side, there is a possibility that the information exceeds the sharing range depending on the information.

(2) Diversification and miniaturization of media for storing information In recent years, miniaturization and diversification of media for storing information have progressed. Conventionally, the information storage was mainly HDDs installed in fixed desktop PCs, but now portable media such as USB memory and CD-R that can be easily taken out are readily available. It is. In addition, since the portable medium is small, it has become difficult to confirm whether it is taken out without permission.

(3) Diversification of employment styles and work styles Changes in employment styles and work styles in organizations may also cause information to exceed the scope of information sharing. In the organization, not only employees but contract employees may work, and at this time, there is a possibility that information that should be referred to only by employees may be seen. In addition, by adopting a telecommuting system, there is a possibility that it will be possible to work not only in the organization but also at home. Information that is highly confidential to the organization should be prevented from being viewed outside the company, but it is difficult for the organization to prevent acts that may exceed the scope of sharing due to changes in employee attributes and employee location. .

  In order to prevent information leakage that can occur in various routes as described above, information identification, information handling policy setting, policy-based control, and control recording / auditing should be performed. is necessary.

  For example, regarding the identification of information, when taking out a document outside the company, it is conceivable that the senior manager checks the document to be taken out. According to Patent Document 1, a document management server that cannot register a document without obtaining approval checks whether or not the document contains confidential information, personal information, or typographical errors, and includes confidential information or personal information. In such a case, the technology for supporting the identification work of the approver's information by displaying on the approval screen is shown.

  Regarding the setting of the information handling policy, for example, it may be possible to establish a strict rule such as prohibiting the removal of portable media uniformly in order to prevent leakage of confidential information via the portable media.

  Regarding control based on policy, there is a role-based access control technique according to Non-Patent Document 1. This does not give the user permission to execute the operation directly, but rather gives the role permission to execute the operation and associates the user with the role, so that "Read" or " This technique limits the number of users who perform the “Write” operation.

JP 2007-299093 A

David Ferraiolo et al., “Role Based Access Control”, 15th National Computer Security Conference, 1992.

However, when trying to prevent information leakage using the prior art, there are the following problems.
Regarding the identification of information, in Patent Document 1, the keyword for specifying the confidential information set in advance and the text of the applied information are matched, but since the information handled by the organization varies, the quality matched to the information It is difficult to set good keywords in advance. Furthermore, since the detection accuracy does not change unless the keyword is updated, it is conceivable that a keyword that should be detected is leaked or an unnecessary keyword is detected indefinitely.

  Regarding information handling policies and controls, first of all, if extreme measures are taken to prohibit the uniform removal of portable media, the burden on employees, who often work outside the company, such as sales, will be hindered. It is expected that

  Also in Non-Patent Document 1, since the information leakage path is wide as described above, it is difficult to prevent information leakage only by associating the user with the role. For example, in the technique of Non-Patent Document 1, even if a file is permitted to be viewed inside the organization but is not desired to be viewed from outside the organization, if the user is assigned to a role that permits the operation, the change of the location of the user Therefore, there is a possibility that the file can be viewed outside the organization and the contents of the file can be seen by a third party. When managing organization information, it is necessary to prevent leakage in advance according to dynamic changes in the information usage environment and storage medium.

  Furthermore, in the above prior art, a policy that controls operations so that the shared range does not exceed the shared range in real time is determined from the storage location of the information that dynamically changes and the state / status of the user for the shared range that varies depending on the information. Setting them one by one takes time.

  The present invention provides a file management system that prevents an operation that leads to leakage even if the storage location of the information and the state / situation of the user dynamically change without hindering the use of the information.

  That is, the present invention sets a sharing range according to the value of information for information such as files scattered under the management of an organization, and prevents operations that are likely to lead to information leakage beyond the sharing range. Provide a file management system.

  The file management method according to the present invention sets a combination of a category indicating the type of information and a confidential level as a label, sets an execution condition for each operation that is likely to cause information leakage in units of labels, and further knows in advance It also has a policy list that also sets sharing destinations, and sets the file sharing range by assigning labels to files instead of assigning policies directly to files.

  Since execution conditions are set for each operation in the label, fine setting and control can be performed on the file to which the label is assigned. In addition, since the operation for setting the execution condition is intended for an operation that is likely to lead to information leakage, it is possible to centrally manage the execution conditions of a wide range of operations, not limited to “Read” and “Write”. Furthermore, by specifying attributes such as the job title of the user, and the medium for storing the usage environment and information as execution conditions, it is possible to perform authority setting based on dynamic changes that could not be achieved with the prior art. .

  Regarding the assignment of the above policy to the file, the user should set the label to the file and label and apply the policy to the file simply by selecting the appropriate label according to the category of information and the confidentiality level. Can do.

  The file usage environment in which the label is set includes an administrator who constructs and manages the environment, an approver, and a user who is a general user. The administrator sets the access right for each label in advance as a policy, Distribute policies to clients assigned to users.

  The user who handles the file assigns a label to the file, so that the control set in the distributed policy is applied. When assigning a label to a file, the file owner first sets the label based on the category of information and the confidentiality level, and then the approver determines whether the label assigned by the user is appropriate. By changing or approving, a label is assigned to the information. As a result, even if the user who first assigns the label assigns a label that is negligent or intentionally unsuitable, the approver can confirm it to ensure reliability.

  Note that a file to which no label is assigned is regarded as confidential information, and operations such as sending mail outside the company or taking out portable media are prohibited. As a result, it is possible to prevent an operation of taking a file outside the company even if no label is assigned.

  Furthermore, the above file management system has a database in which highly confidential objects (characteristics such as descriptions, images, and logos) are registered in order to determine the risk of leakage, and a certain file is given a label and approved by the approver. When a request is made, or when an approval request is made to the approver when a label is not assigned when the file is taken out, the database is checked against the file, and the requested file contains sensitive objects Is identified and displayed on the approval screen. As a result, the approver can quickly grasp the value of the file applied for. Furthermore, since the file management system updates the database based on the approval result, even if the approver or administrator does not update the database, it is possible to add an object to be originally registered that is effective in preventing leakage risk and Unnecessary objects can be deleted.

  Further, the file management system detects a movement of a registered user and a client and a document management server having a monitoring / control program for controlling a user operation based on a policy. It is equipped with a sensor that can grasp which area of the device, and by referring to the policy from the location information of the user obtained from the sensor and the information of the operation performed on the client, the operation execution permission / non-permission, If execution is permitted, label inheritance is performed. As a result, control can be performed without losing the label even when the information to which the label is assigned moves from the client to another medium. Alternatively, the operation can be executed only when the location of the user is appropriate.

  Further, when the user takes the file out of the organization, the user stores the encrypted file in the notebook PC after obtaining approval from the approver. When a user uses an encrypted file outside the organization, the decryption key is transmitted to the mobile phone only when the location information of the user can be confirmed using the mobile phone. The user passes the decryption key by communicating with the mobile phone and the notebook PC, and can use the file only at an appropriate place outside the organization.

According to the above aspect, the following effects can be obtained.
・ Since information handling conditions can be specified from the internal and external usage environment and attributes such as employee's job title, operations that lead to leakage beyond the scope of sharing can be prevented, and information utilization and leakage prevention can be performed. Can be compatible.
・ Users can set detailed policies just by selecting information levels and categories.
-Since the system is configured to centrally manage policies and distribute them to clients, if the policies are modified, the settings of each file can be reflected on the clients without being updated.
By setting a policy for a file that has not been assigned a label, an operation with a high possibility of leakage can be prevented even for a file that has not been assigned a label. This prevents information from being taken out of the organization regardless of negligence or intention.
-By updating the database used for identification at the time of approval judgment, the identification accuracy of information can be improved without the administrator updating it.
For example, it can be used as a tool for supporting file management by a security department administrator in managing files scattered in an information system and its surrounding environment in preparation for preventing information leakage.

  The file management system of the present invention described above is a system that assigns labels to files and restricts operations that lead to information leakage, and distributes at least policy setting means for setting policies and clients that include monitoring / control means to the policies. Policy distribution means, a sensor for identifying the user when the user passes, a state management means for centrally managing information acquired from the sensor to identify the location of the user, and assigning a label to the file Label assigning means for associating a policy, and the monitoring / control means identifies a label assigned to the file when the user operates the file, and determines the location of the user, the attribute of the user, and the storage location of the file. Originally, the label and the policy are collated, and the execution of the operation is permitted.

  The file management system of the present invention is a file management system that assigns a label, which is a combination data of a category indicating the type of information and a confidentiality level, to a file and restricts an operation that leads to information leakage. Storage means for storing an object registration database for storing handling information, and the handling information in the object registration database indicating whether or not there is a prohibited object in the file for which the application has been accepted at the time of receiving the application for the label or the application for taking out the file. The file identification means to be identified based on the above and the approval result for the label application or file take-out application are obtained from another terminal or input means, and the handling information regarding the object in the object registration database is obtained. And DB management means new to, characterized in that it comprises a.

  In the file management system, the DB management unit may update the object registration database when an approval result is received.

  In the file management system, the object registration database may be a database in which an object of a file is registered for each label, a database in which an object is registered for each partner having a history of taking out a file, and a file and a label. And a database in which objects are registered.

  Further, in the file management system, the file identification means identifies a page configuration, a text position and an object position on the corresponding page for the file for which the application has been accepted, and the items identified here are similar to each other The other device is specified based on the attribute information of the object registration database, the difference between the file and the other file is acquired, and the presence / absence of the object registered in the object registration database is detected in the acquired difference. Alternatively, it may be output to another terminal.

  According to the present invention, it is possible to prevent an operation leading to information leakage without hindering the use of information.

It is a block diagram of the file management system which concerns on 1st Example. It is a block diagram which illustrates the hardware constitutions of a client. It is a figure which illustrates the data structure of a policy list. It is a figure which illustrates the data structure of a policy list. It is a figure which illustrates the setting screen of a policy list. It is a figure which illustrates the flow of a policy delivery process. It is a figure which illustrates the flow of a label allocation process. It is a figure which illustrates the label allocation application screen. It is a figure which illustrates the approval screen of label allocation. It is a figure which illustrates the data structure of a label list and a state management list. It is a figure which illustrates the process which specifies a user's location. It is a flowchart which illustrates operation | movement of a monitoring and control program. It is a figure which illustrates the process which concerns on file taking-out operation. It is a figure which illustrates the process which concerns on the file operation outside an organization. It is a figure which illustrates the process in the organization after taking out a file. It is a figure which illustrates the application and approval screen concerning take-out operation. It is a figure which illustrates the label allocation process in 2nd Example. It is a flowchart which illustrates operation | movement of the monitoring and control program in 2nd Example. It is a block diagram of the file management system which concerns on 3rd Example. It is a figure which illustrates the supplier list | wrist in 3rd Example. It is a figure which illustrates approval management DB in the 3rd example. It is a figure which illustrates DB for collation in 3rd Example. It is a figure which illustrates taking-out rule DB in 3rd Example. It is a figure which illustrates the taking-out application screen of the file in 3rd Example. It is a figure which illustrates the taking-out approval screen of the file in 3rd Example. It is a figure which illustrates the process which concerns on the taking-out application operation of the file in 3rd Example. It is a flowchart which illustrates the process which concerns on taking-out approval operation of the file in 3rd Example. It is a flowchart which illustrates operation | movement of the file identification program in 3rd Example. It is a flowchart which illustrates operation | movement of the DB management program in 3rd Example.

--- Example 1 ---
Examples will be described below with reference to the drawings as appropriate. FIG. 1 is a configuration diagram of a file management system according to the first embodiment. The file management system 1000 includes a policy setting server 10, a state management server 20, a log management server 30, an Internet server 41, one or more sensors 50, one or more printers 60, one or more clients 70, and a document management server 80. The ID management system 90 and the asset management system 100 are connected to the network 40 by wire or wireless.

  For example, the user 1 enters and leaves the organization using the IC card 76 in which his / her user ID is stored in the tamper-resistant area. The organization refers to the inside of the sensor arranged on the outermost side, in which sensors are installed in a part dividing a living room such as a building or office. The user 1 further performs various operations using the client 70, the portable medium 77, or the notebook PC 78. The user 1 has a mobile phone 79 in which user information that can be uniquely specified is stored in a tamper-resistant area, and carries the mobile phone 79 inside and outside the organization. The client 70 can also read the ID recorded on the IC card by connecting the card reader 795, reading the IC card 76, and communicating with the client 70. The administrator 2 performs various operations using the policy setting server 10. The approver 3 performs various operations using the document management server 80.

  The sensor 50 is installed at an entrance that divides the building of the organization or the office. For example, when the physical building is separated in the same organization, such as a branch, if the sensor 50 is installed, the sensor 50 is used. When the person 1 holds the IC card 76 over, the sensor reads the ID of the IC card, performs authentication, and can enter and leave the room.

  The Internet server 41 is an e-mail server that relays transmission / reception of the e-mail 43 exchanged in the network 40 or on the Internet and stores the transmitted / received e-mail, or a proxy server that relays Web communication with the Internet 42. .

  Further, the client 70 can be connected to a portable medium 77 such as a CD-R / DVD-R, a USB flash memory, a portable HDD, an SD card for storing multimedia contents, and the client 70 exchanges files with the portable medium 77. Can do.

  Here, in principle, the client 70 is assigned to each user 1. Note that the client 70 may be assigned to two or more users, and in this case, the client 70 can identify which user has used the client 70 by identifying and authenticating the user. You can do it. Further, when a plurality of clients use the client 70 by using a common account, account management is performed by the ID management system 90 so as to know who is associated with which account.

  Further, a software configuration in the policy setting server 10, the state management server 20, the log management server 30, the sensor 50, the client 70, the document management server 80, and the notebook PC 78 will be described with reference to FIG.

  The policy setting server 10 includes a policy setting program 11 that sets a policy list 13 that stores policies to be applied to files, and a policy distribution program 12 that distributes the policy list 13 set by the policy setting program 11 to the client 70. Further, the policy setting program 11 and the policy distribution program 12 store the work log in the terminal log 14. The policy setting program 11 may be accessed by the administrator 2 directly to the policy setting server 10 or from the administrator terminal via the network 40.

  The state management server 20 includes a label management list 23, a state management list 24, a decryption key list 25, and a terminal log 26. The sensor log received from the log analysis program 31 of the log management server 30 and the user of the ID management system 90 The state management program 21 is operated in which the user list 91 for storing the attribute information is stored together and the location of the user registered in the user list 91 is written in the state management list 24. Further, the state management program 21 also updates the label management list 23 that manages file storage location information when a file moves between clients. The state management server also includes an authentication program 22 for authenticating the mobile phone 79 carried by the user 1 and a decryption key list 25 distributed to the mobile phone that has been successfully authenticated. Thereby, even when the user is outside the organization, it is possible to control the file described in the present embodiment.

  The log management server 30 collects the terminal log acquired by the client 70, the document management server 80, and the policy setting server 10 and the sensor log 52 acquired by the sensor 50, analyzes the collected terminal log, and shapes the log. A log analysis program 31 that operates in the collection log 32 and transmits the sensor log acquired from the sensor among the collection logs to the state management server 20 operates.

  The client 70 monitors the operation of the user 1 in detail, and when the operation occurs, the client 70 refers to the label management table 74 that stores the label information of the target file and the policy list 73 received from the policy setting server 10 to determine the policy. The monitoring / control program 72 for permitting or preventing the operation and storing the control result in the terminal log 75 as a log operates.

  In the document management server 80, a label allocation program 81 for allocating labels to files and a monitoring / control program 82 having the same functions as the monitoring / control program 72 provided in the client 70 operate. The label allocation program 81 receives the label information of the file applied by the user 1 at the client 70, receives the approval or change request from the approver, and updates the label management list 84. Information on the correspondence between files and labels assigned by the label assignment program 81 is stored in the label management list 84. Logs of operations executed by the label allocation program 81 and the monitoring / control program 82 of the document management server 80 are stored in the terminal log 85. Note that the file stored in the document management server 80 is a file that has been examined in the organization and is handled as overwriting prohibited.

  Note that the file described in this patent is not a system file or the like, but targets all information assets that are generated in the organization or obtained from the outside and that are valuable in the organization.

  FIG. 2 is a block diagram illustrating a hardware configuration of the client 70 in the file management system 1000. The client 70 includes a terminal log 75, a policy list 73, an external storage medium 702 that stores a label management table 74, a CPU 701 that executes a monitoring / control program 72, a memory 703, a display unit 704 that displays an input / output screen, and an input / output. An operation unit 705 to be controlled, a portable medium connection unit 706 for reading and writing data stored in the portable medium 77, a RAM 707, a communication unit 708 for communicating with the network 40 by wire or wireless, each of these devices, etc. The bus 709 is interconnected.

  The document management server 80, policy setting server 10, state management server 20, and log management server 30 also have the same hardware configuration as that of the block diagram of the client 70 shown in FIG. However, the portable medium connection unit 706 is not necessarily provided in the document management server 80, the policy setting server 10, the state management server 20, and the log management server 30.

  In each apparatus, the CPU executes a program stored in the external storage medium 702, thereby realizing processing and functions described below. However, in the description of each embodiment, each program is an execution subject for convenience.

  In addition, each program may be stored in advance in the external storage medium 702 or the memory 703 of each of the above devices, and the portable medium connecting unit 706 and the communication unit 708 and each device can be used when necessary. May be introduced from another device via a medium. The medium refers to, for example, a removable portable medium 77 or a communication medium (that is, the network 40 or a carrier wave or a digital signal propagating through the network 40).

  FIG. 3 shows an example of the data structure of the policy list 13. The policy list 13 records conditions for performing an operation when an operation occurs on a file stored in any of the client 70, the document management server 80, the portable medium 77, and the notebook PC 78. The information is stored in storage devices on the policy setting server 10 and the client 70.

  The policy list 13 is table data composed of zero or more entries, a label 281 set for a combination of information category and level, an information category 282, a level 283 indicating the degree of confidentiality of information, a control target, Files can be shared among access subjects 285 indicating conditions for executing the operations 284 and 284, users not registered in the user list 91 of the ID management system 90, or Web sites accessible via the Internet 42, etc. A common sharing destination 286.

Hereinafter, the configuration of the policy list 13 will be described in detail.
First, the label 281 is set by a combination of the category shown in the column 282 and the level shown in the column 283. The label name may be an alphabet as shown in the column 281 or may be any other name as long as the label can be uniquely identified.

The reason why labels are set by combinations of categories and levels is that the types of information currently are diversified, and handling rules such as sharing ranges differ depending on the levels and categories. For example, when the information sharing range is broadly classified into the following four, the handling rules are different, and therefore control is required so as not to exceed each sharing range.
(1) Items that can be opened to the public Items that have been reviewed within the organization and publicly available information obtained from outside.
(2) What you want to share only within the organization Most of the information, including draft versions and unclassifiable items.
(3) Those who want to limit the scope of sharing even within the organization Can be classified according to the confidentiality level and type.
(4) Items to be shared with a specific organization (outside the organization) Can be classified by business partner or contractor.

  Furthermore, the file stored in each client 70 includes a draft version being created and a completed document. In order to prevent these files from exceeding different sharing ranges, not only the person who handles the files, but also the location where the files are stored and the usage location should be restricted for each operation. The policy list 13 sets different units of the sharing range as labels from categories and levels, and further specifies the access subject and the sharing destination for the operation for each label, and assigns the label to the file. You can apply a fine-grained policy.

  For the label 281, a label “no label” 2811 is set as a policy to be assigned to a file for which no label is set, and a condition for an operation is set. In this embodiment, when the user 1 assigns a label to a file, for example, the monitoring / control program 72 of the client 70 applies a policy associated with the label, but the label is assigned to all the files stored by the client. It takes time and effort. Furthermore, there is a possibility that a file that is not labeled will be uncontrolled and leaked. Therefore, files that are not assigned a label should be treated as confidential at least, and operations that take information out of the organization should be controlled, and a policy without labels is also set and applied.

  Next, the category 282 is a value set based on the type of information of the organization. For example, the type of information such as “HR information”, “financial information”, and “technical information” may be defined. Or the like as customer information. These values can be added or modified by the administrator 2 using the policy setting program 11.

  Level 283 is a value set based on the value of information, and defines, for example, “top secret”, “secret”, “public”, and “unset”. These definitions are classified so as to be easily set by the user 1 who assigns labels and the approver 3 who approves labels.

  Operation 284 defines operations that have a high possibility of leaking beyond the information sharing range, in addition to “browse” and “edit”, which are operations in which access rights are designated by the conventional access control technology. For example, “browsing” “editing (including file deletion, file name change, etc.)” “copying (electronic, paper, scanning, etc.)” “printing” “network transmission (hereinafter referred to as NW transmission) (mail, Web upload) Etc.) ”“ Take out ”etc.

The access subject 285 defines conditions under which the operation 284 can be executed. Specifically, the access subject 285 is set based on the access subject condition list 301. The access subject 285 is data composed of at least zero logical expressions, and defines an expression that can uniquely identify the condition selected from the access subject condition list 301. The logical expression describes a condition under which the operation can be executed or a condition where the operation is not permitted. Further, in the logical expression, the symbol “^” indicates an AND operator, and the symbol “|” indicates an OR operator. Conditional expressions connected by an AND operator indicate information handling conditions.
The definition method of the access subject 285 will be described after the data structure of the access subject condition list 301 is described.

The access subject condition list 301 is table data composed of at least one or more entries. The category number 302 is a candidate to be set as a condition, and the category summary 303 indicates attribute information that the organization can select for the category number 302. , Data that can be selected by the organization in the category 303 (304 to 308).
The category 303 includes user attribute information such as “employment classification”, “title”, and “organization name”, the location of the user who handles the file, the type of medium for storing the file, conditions for use outside the organization, etc. Define

  The data set for each category (column 304 to column 308) is attribute information that can be selected by the organization such as “part”, “contract”, “employee” in “employment classification” described in C1 of the access subject condition list 301, for example. Define Note that the administrator 2 may add a category or attribute information to be defined more finely. With respect to these data, management of users and assets is performed using a user list 91 and an asset list 101 separately. The user list 91 is managed by the ID management system 90 and manages, for example, attribute information such as “name”, “employment classification”, and “position” in units of user IDs that can uniquely identify users. The asset list 101 is managed by the asset management system 100 and manages, for example, “asset ID”, “type” indicating the type of storage medium, “owning department”, “medium identification ID” and the like in units of assets. is there. These user list 91 and asset list 101 are used for ID management system 90 and asset management for registration associated with the addition of users and assets, or for deletion of items associated with movement or retirement of users, change or destruction of assets. The general function of the system 100 is used.

  Now, a method for defining the access subject 285 in the policy list 13 will be described. The condition 2861 for executing the “browsing” operation describes “C1 = 3 ^ C2> 3 ^ C3 = 3 ^ C4> 2.” In these expressions, the item described on the left side indicates the category number 302 of the access subject condition list 301, and the item described on the right side indicates the data numbers shown in the columns 304 to 308. In this example, “the employment classification indicated by C1 is 3 (that is, employee)”, “the position indicated by C2 is a position that is greater than 3 (ie, the section manager or higher)”, and “the organization name indicated by C3 is 3 (ie, the research department). ”And“ the location indicated by C4 is greater than 2 (that is, any of the office room, server room, and laboratory) ”indicates that the browsing operation can be executed. As described above, by setting the access subject for each operation that may exceed the sharing range, it is possible to set detailed conditions for the label defined by the combination of the information category and the level.

  For the access subject 285, there is no need to describe anything about a category that does not permit operation under any conditions. For example, nothing is described in the condition 2864 for executing the “take-out” operation. This means that file export is not permitted under any conditions.

  Furthermore, categories that do not need to be restricted need not be included in the formula. For example, “C5> 3” is described in the condition 2862 for executing the “edit” operation. In this case, if the condition of the storage medium indicating the condition of C5 is satisfied, it means that the operation is permitted regardless of the data of other categories.

  On the other hand, “*” is described when the operation is permitted under any conditions. For example, the condition 2863 for executing the “NW transmission” operation is described as “*”, which means that the NW transmission can be executed under any conditions.

  The sharing destination 286 in the policy list 13 specifies a sharing destination of information outside the organization. Mainly, in the NW transmission of operation 284, when the person in charge of the business partner is determined or the URL of the website for uploading the file is known, the mail address or URL of the person in charge is registered in advance. Thus, the registered person in charge and URL can be set so that the file can be shared even outside the organization. Also, by registering these pieces of information, it is possible to prevent erroneous transmission due to an incorrect input of an email address and erroneous transmission of a file to be transmitted. Even when not registered as a sharing destination (column 286), it is possible to execute these operations by applying to the approver 3 for sharing destination information and purpose, and obtaining approval.

  By providing the policy list 13 having the structure described above, it is possible to set execution conditions for a wide range of operations that are likely to lead to leakage, rather than monitoring and controlling only user browsing and editing as in the prior art. it can.

  Further, this policy is centrally managed by the policy list 13 stored in the policy setting server 10, and is set in advance by the administrator 2 using the policy setting program 11. The administrator 2 may change the policy every time a periodic review is performed or according to an application from the user. In this embodiment, since the label 281 is assigned to the file 300, once the label is assigned to the file, even if the category and level that define the label and the access subject for each operation are changed, the label 281 is already assigned. It does not affect the file. Further, since the policy list 13 is also distributed to the client 70 by the policy distribution program 12 and is referred to by the monitoring / control program 72 of the client 70, even if the client changes due to file copying or the like, the same policy can be obtained if the label is known. Can be applied. A more specific policy setting example and feasible control will be described with reference to FIG.

  FIG. 4 shows a specific example of the policy described in FIG. 3 and shows that fine control can be performed for each type of information. In FIG. 4, as an example in which four types of labels are defined, the definition of the label “A” is 4001, the definition of the label “B” is 4002, the definition of the label “C” is 4003, and the definition of the label “none” is 4004. Show.

  A label A 4001 is a label assigned to personnel information whose level is confidential, and is intended to further limit the sharing range within the organization. Such information should not be taken outside the company, and should be restricted within the organization until the expiration date. Therefore, as a control of the file to which the label A 4001 is assigned, a condition is set so that employees from the section manager or higher can execute only the operation from the browsing operation to the NW transmission only on the desktop PC in the office without allowing the take-out. As a result, for example, even if an employee who is a section manager or more tries to copy the file of the label A4001 from the desktop PC to the portable medium, the desktop PC is set as a device that can perform the copy operation. Cannot execute. Also, for NW transmission, since the sharing range is equal to or greater than the section manager, an operation in which the section manager mistakenly transfers a file to the subordinate can be prevented. In the unlikely event that a subordinate obtains a file, the viewing conditions do not match, so they are not seen.

  A label B4002 is a label assigned to catalog information that can be disclosed. Possible uses include in-house browsing and taking-out actions such as explanation to specific customers outside the company. Therefore, as a control of the file to which the label B 4002 is assigned, browsing and NW transmission are set to “* (possible without conditions)”, and other operation conditions are set. For example, since it has already been released, an “edit” operation is not permitted in order to prohibit overwriting. On the other hand, if the employee uses a medium other than the RFID attached paper, the take-out operation can be taken out of the organization regardless of the sharing destination.

  The label C4003 is a label assigned to the business partner A whose level is secret. This information should be shared only with users who have a relationship with the business partner A within the organization, and with only the user of the business partner A outside the organization. Therefore, as a control of the file to which the label C4003 is assigned, it is defined in the company that a user more than a contract employee in the research or sales department performs browsing and editing operations in a place beyond the office. Further, the mail address of the person in charge of the business partner A is registered as a share destination of NW transmission, and the Tokyo office of the business partner A is registered as a take-out destination. As a result, when the user creates or sends a file created for the business partner A by e-mail or the like, the file cannot be executed without approval other than the registered address or destination. In addition, it cannot be operated outside the Tokyo office of the customer A who has been taken out without obtaining approval or registered as a user. Details of the file take-out process will be described with reference to FIGS.

  The unlabeled 4004 is a label assigned to a file to which no label is assigned. Files that are not set with a label include information that should be handled in an extremely confidential manner, and information to be disclosed. Therefore, it should be controlled by setting the shared range to be the same as the internal secret or by setting the shared range to be the narrowest range. It is. Therefore, for example, printing, NW transmission, and take-out operations are prohibited, and browsing, editing, and copying are performed only by the user's own client (“ID” portion). If it is necessary to share a file with someone other than the user itself, such as when creating a file with someone or sharing information, an appropriate label other than “unset” may be assigned.

  An unlabeled policy may be changed according to the business in the organization. For example, in cooperation with the ID system, the file system user information and affiliation between users, or between users It may be possible to adopt a policy permitting browsing, editing, printing, and NW transmission between users in positions and higher.

  As an example of a method for reducing the labor of label assignment, for a file in which a template is determined in advance, the template to which the label is assigned is stored in the document management server 80, and the user downloads and uses it.

  As described above, by defining the policy list 13, it is possible to limit the user's attribute, location, and medium for storing information depending on the type of information. An example of an operation that is likely to lead to leakage and a policy for preventing the operation are shown below.

(1) Information take-out control For example, for a copy operation to a file that requires high confidentiality such as label A, by limiting the copy destination to the desktop PC, it is possible to leak high-value information. The act of writing to a portable medium can be prohibited. In addition, the file that can be disclosed on the label B4002 can be copied to a portable medium or taken out, and the label C can be taken out according to the type of information because it is necessary to approve the takeout. Can control.

(2) Access control of files taken out For example, when browsing the label A4001, the condition at the location is limited to only in-house, preventing browsing at an inappropriate location such as when using a notebook PC outside the company. it can. Since it is necessary to specify the location of a person, this is controlled in cooperation with the entry / exit information at the sensor 50. Specific processing will be described with reference to FIG.

(3) Control of printing For example, a policy that restricts a printing place such as a label A 4001 and a policy that allows anyone to print such as a label B 4002 can be set. By restricting printing according to the value of information, it is possible to control so that highly confidential information can be viewed but not printed.

(4) Network transmission control For example, for highly confidential information of label A4001, network transmission is limited to in-house to prevent unauthorized transmission outside the organization, wrong destination, and wrong file to be transmitted. Is possible.

  Furthermore, for a file shared with an external business partner such as label C4003, the email address of the business partner or the contracted company and the URL of the Web upload destination are designated in advance as the sharing destination. By submitting an application, it is possible to perform an operation without waiting for the approval of the approver. In addition, it is possible to send an e-mail to the other party illegally, to prevent erroneous transmission, and to correctly send information to a legitimate destination.

(5) Access control to confidential information from outside the company For example, in the browsing operation of the label A 4001, a place where browsing is possible is set as a condition. When the user leaves and leaves the office, the IC card is brought close to the sensor and the ID is read, so that the user's location is recorded as the outside in the status management list 24. Even when trying to access the file of A4001, it cannot be accessed. As a result, even if an employee who is permitted to use a notebook PC outside the company operates the notebook PC outside the company, it is possible to prevent the browsing of highly confidential information, and the third party can see the file. Leakage can be prevented.

  It is also possible to link entry / exit management and login to the client, hold the IC card and enter the room, and log in to the client without logging in. It is also possible to prevent remote access from an external network without a record of leaving the room. As a result, it is possible to prevent an act of remote access by pretending to be in the office without holding an IC card when leaving the room. The control described above is an example, and other controls are possible.

FIG. 5 shows an example of a setting screen for the policy list 13.
In the policy list 13 stored in the policy setting server 10, the administrator 2 directly accesses the policy setting program 11 via the operation unit 705 of the policy setting server 10, or the policy setting program 11 via a network 40 from another terminal. Set by accessing. When the administrator 2 accesses the policy setting program 11, the display unit 704 displays the policy setting screen 501 shown in FIG.

  On the policy setting screen 501, a new policy is set or a registered policy is checked and corrected. The policy setting screen 501 includes a registered label list 510 representing a list of registered policy labels, and a new addition button 511 for setting a new policy.

  The registered label list table 510 is table data including zero or more entries. The registered policy label name 5011, the file category 5012, the level 5013 indicating the degree of confidentiality, and the policy set in the label 5011 A setting display button 5014 for displaying a label, a correction button 5015 for displaying a screen for correcting a policy already set in the label 5011, and a policy already set in order to reuse a policy set in the label 5011 to add a new policy A reuse button 5016 for displaying the policy setting screen, and the number of registered files 5017 to which the label 5011 is assigned.

When the administrator 2 presses a button he wants to execute, the screen is displayed as follows. For example, a column 5014 button is pressed to refer to a set policy, a column 5015 button is pressed to modify a set policy, and a new label is registered by copying the set policy. When a new policy is to be added, a new addition button 511 is pressed.
When one of the above buttons is pressed by the administrator 2, the policy setting program 11 displays a policy setting screen 502.

  The policy setting screen 502 specifies a label setting form 520 for assigning a category and level to a label name to be newly registered, an input form 5214 for inputting a share destination URL and mail address, and specifying the share destination URL and mail address from an ID management system or the like. For the newly added label, an operation authority setting screen 522 for setting authority to be executed for each operation, and a registration button 523 for registering the set data in the policy list 13. When the button 5014 is pressed, the set policy is displayed on the operation authority setting screen 522. When the button 5015 is pressed, the set policy is displayed on the operation authority setting screen 522. Furthermore, the displayed authority can be changed. Further, when the button 5016 is pressed, the set policy is displayed on the operation authority setting screen 522, and the label 520 can be corrected to be newly added.

In the label setting form 520, the label name 5211 is input, and the value to be set by the administrator 2 is selected from the pull-down menu from the category 5212 and the level 5213. If there is no category to be set, the administrator 2 may input an appropriate category name in the new input form 521.
In the external sharing destination input form 5214, when a partner who shares a file outside the company is known in advance, information such as a URL or an e-mail address that can uniquely identify the partner is input.

  In the operation authority setting screen 522, the authority setting screen can be switched with a tab 5221 that is different for each operation. Therefore, the administrator 2 presses the tab 5221 to switch the operation and sets the authority for all operations. The operation authority setting screen 522 includes a table 5223 for setting operation authority and a reset button 5222 for invalidating all inputs only to the displayed table among the set data and returning to the initial display.

  The operation authority setting table 5223 is a table for setting authority for all operations likely to cause information leakage described in FIG. 3, and the background is displayed when nothing is input, such as when a new addition button 511 is pressed. It is displayed in white (5224). When the administrator 2 sets the operation authority, when an item that does not satisfy the condition is pressed in the operation authority setting table 5223, the background of the pressed item is reversed to, for example, black (5225). As described above, the operation authority can be set by changing the color of the item pressed in the operation authority setting table 5223.

  When the administrator sets all the authority and presses the registration button 523, the policy setting program 11 closes the operation authority setting screen 522, and the data entered in the operation authority setting table 5223 is shown in the access subject 285 of FIG. Then, all the input data is registered in the policy list 13. When the data registration to the policy list 13 is completed, the last line of the registered label list table 510 is newly added and the set label information is displayed.

  As described above, when the administrator 2 generates the policy list 13 and distributes the policy list 13 updated by the policy distribution program 12 to the client 70, the policy list 73 of the client 70 is updated. Distribution of the policy list 13 to the client 70 will be described with reference to FIG.

FIG. 6 shows the flow of policy distribution processing.
After starting the program (step 601), the monitoring / control program 72 of the client 70 accesses the policy distribution program 12 of the policy setting server 10, transmits the user ID of the client 70, and applies for acquisition of the policy table ( Step 602).

After receiving the policy table acquisition application, the policy distribution program 12 refers to the user list 91 of the ID management system 90 (step 603) and determines whether the received user ID is registered in the user list 91 (step 604). . If the user ID is registered, the policy list 13 is distributed to the client 70 (step 607). If not registered, an error is returned to the monitoring / control program 72 of the client 70 (step 605). The error and user ID are displayed on the display unit 704 (step 606).
When the monitoring / control program 72 of the client 70 receives the policy list 91 from the policy distribution program 12, it updates the policy list 73 of the client 70 (step 608).

  With this operation flow, the policy list 73 is updated to the latest state every time the client 70 is activated. When the monitoring / control program 72 is newly installed in the client 70, a policy list storing at least a policy for a file with the label “none” is installed at the same time. Thereby, even if the label is not assigned to the file immediately after the monitoring / control program 72 is installed, the control based on the label can be executed. If the client 70 is not connected to the network, cannot communicate with the policy setting server 10, or if the card reader 795 cannot confirm that the IC card and the client are in the organization, the label “none” is displayed. Apply the policy to all files.

FIG. 7 shows the flow of label allocation processing.
The process of assigning a label to a file is performed when the file user 1 wants to set the file sharing range to other than the user. Even when the file creator is not the user 1, when the file is stored in the client 70, the label “none” policy is applied until the user 1 assigns a label.

  First, when the user 1 of the client 70 newly assigns a label to a file that is newly created or obtained and stored via NW transmission or the Internet 40 from outside the client, the user assigns a label assignment program of the document management server 80. 81 and log in. At this time, the client monitoring / control program 72 transmits the user ID of the client. When control is performed to operate a file with no label set, the monitoring / control program 72 accesses the document management server and transmits a user ID (7001).

  Then, the label allocation program 81 of the document management server 80 performs server authentication (7002), refers to the policy list 13 of the policy setting server 10 (7003), and specifies a label whose user ID satisfies the conditions of the access subject ( 7004), a label allocation screen is displayed on the screen of the client (7005).

  The user 1 assigns a file label on the displayed label assignment screen (7006), further designates a file to which the label is assigned (7007), and transmits the file to the label assignment program 81 (7008). Details of the label allocation screen will be described with reference to FIG. The monitoring / control program 72 updates the label management table 74 and sets the status of the file applied for awaiting approval (7009).

  The label allocation program 81 collates the user ID and label information received from the client 70 with the policy list 13 to determine whether approval is required (7010), and if the label requires approval, transmits the application contents to the approver. To do. A label that does not require approval may or may not be set. At this time, the label allocation program 81 refers to the label management list 84, and from the list of label allocated files registered in the label management list 84, a file to which the same label as the label selected by the user is allocated, or At least one file assigned with the same category is extracted and transmitted (7011). The extraction condition may be a label of a file owned by a user in the same department as the user.

The approver 3 confirms whether the file and the label applied are appropriate, and requests a change of the label if necessary (7012). Details of the editing screen at this time will be described with reference to FIG.
After the approver 3 confirms or changes the label, the label allocation program 81 stores the file in the document management server 10 (7014) when the file to which the label is allocated is a completed document (7013), The label management list 84 is updated (7015). If the document is not a completed document, the label management list 84 is updated without storing the file (7015).

  Next, the label allocation program 81 confirms whether or not the sharing destination is specified in the application content (7016), and if the sharing destination needs to be specified, refer to the policy list 13 to add the sharing destination. Share destination information is transmitted to the setting program 11 (7017). In addition, no operation is performed when it is not necessary to specify the sharing destination information.

  When the label allocation program 81 completes registration and sends a registration completion notification to the monitoring / control program 72 (7018), the monitoring / control program 72 of the client 70 updates the label management table 74 and approves the status of the file applied. (7019). As a result, a label is assigned to the file, and the policy set for the label is applied to the file thereafter.

  Note that the label assignment to the file is not limited to the method of managing the label using the table described in this embodiment, but the method of embedding the label in the header area and content of the file, and the label and the file body using the DRM technology. May be encapsulated.

FIG. 8 shows an example of a label assignment application screen.
As described with reference to FIG. 7, the user 1 of the client 70 that stores the file first assigns a label, and the approver 3 checks whether the assigned label is appropriate. When approved, a label is assigned to the file, and control based on the label is performed.

  The label assignment application screen 801 includes a button 8011 for selecting whether to assign a new label or change a label once assigned, a user ID 8012 of a user who requests label assignment, a file path 8013 for assigning a label, A button 8014 for referring to and selecting a file to which a label is to be assigned, whether or not to register the file in the document management server is selected. A button 8016 to be referred to and selected from the management server, a history use tab 8017 or pull-down selection tab 8018 for selecting a label selection method, a label selection table 8019 displaying options when the history use tab is selected, From the application button 8020 for applying for input contents That. Note that the label displayed as an option of the history use tab 8017 is a label that satisfies the condition for the user 1 to perform the operation.

For example, the user 1 can select a label to be assigned by selecting a corresponding label as shown in 8010.
When user 1 wishes to select a label by pull-down and presses down a pull-down selection tab 8018, a label assignment application screen 802 is displayed.

  In the label allocation application screen 802, the basic configuration is the same as that of the label allocation application screen 801, and a pull-down selection table 8021 for selecting a part of the label selection table 8019 by pull-down is displayed. The pull-down selection table 8021 displays a pull-down for selecting the category 8022 and a pull-down for selecting the level 8023. Therefore, the user 1 selects the corresponding category and level, and presses the decision button 8014 when the selection is completed. You can apply for the assigned label.

FIG. 9 shows an example of an approval screen for label allocation, and a label approval method for the approver 3 will be described.
When the approver 3 accesses the label allocation program 81 of the document management server 80, a label approval screen 901 is displayed. The label approval screen 901 includes a user ID 9011 of the applicant, a file path 9012 to which the user 1 has assigned a label, a registration destination folder 9013 in the case of registration in the document management server 80, and a label 9014 to which the user 1 has been assigned. And a display button 9015 for displaying a file, a label candidate list 9016 to be selected when changing the label, a label list 9018 of similar files, and an approval button 9019.

The approver 3 looks at the label approval screen 901 and determines whether the file and the label are suitable. If the contents of the file are to be confirmed, when the display button 9015 is pressed, the file uploaded to the document management server 10 is opened, so that the approver 3 can approve the label by looking at the contents of the file. If the approver 3 determines that it is not necessary to change the label for the file applied, the approver 3 presses the approval button 9019, and if it is determined that the label needs to be changed, selects another label (9017). Then, an approval button 9019 is pressed. As a result, even if the user 1 assigns an inappropriate label to the file, the approver 3 makes a change to make an appropriate label assignment.
Since the label approval screen 901 displays a list of labels of similar files, the approver 3 can be used as a guide for determining whether the label set by the user 1 is appropriate.

FIG. 10 shows an example of the data structure of the label management list 23 and the state management list 24.
The label management list 23 stores data relating to files to which labels are assigned. The label management list 23 is data composed of at least 0 or more entries. The file path 1011 can uniquely identify the storage location of the information, the medium identification ID 1012 for storing the file, the label 1013 assigned to the file, and the label at the end. Final label assigner ID 1014, label registration date and time 1015, label approval status 1016, and other status 1017.

  The data managed in the other status 1017 displays the status of the file such as “label approval in progress”, “takeout application in progress”, and “takeout in progress”. With the label management list 23, it is possible to quickly grasp which client has which label has information stored, and the approval status of information to which a label is assigned. The client 70 includes a label management table 74 having the same format, and the document management server 80 includes a label management list 84 having the same format. In the label management table 74 and the label management list 84, the statuses of files stored in the client 70 or the document management server 80 are managed in the same format.

Next, the state management list 24 will be described.
The state management list 24 manages the location of the user registered in the user list 91 of the ID management system 90 based on the log that the user has passed through the sensor 50.
The state management list 24 is data composed of at least 0 or more entries, and includes a user ID 1031 and a location 1032 indicating the current location of the user.

For example, it is indicated that the user whose user ID 1031 is 001 is in the office. This is because when the user passes from outside the organization to the building in the organization and from the building to the office, the ID is read by bringing the IC card close to the sensor 50, so that the entered data is reflected in the state management list 24. Means that The state management list 24 is updated when the user 1 passes the IC card through a legitimate method such as reading the ID by bringing the sensor 50 close to the IC card. If the login condition is set as follows, the client 70 is operated by impersonation or sharing and the client 70 is operated to access the file, but if there is no record of entering the status management list 24, control is performed so that even the login cannot be performed. be able to.
As a means for confirming the location of the user, it is possible to determine where the user is located in the company by acquiring not only the sensor 50 but also the IP address to which the client 70 operated by the user is connected. .

FIG. 11 shows a flow of processing for specifying the location of the user.
When the user 1 holds the IC card 76 or the mobile phone 79 storing ID information over the sensor 50 and enters or exits the area where the sensor is installed (1101), the sensor log acquired by the sensor log acquisition program 51 of the sensor 50 is logged. It transmits to the log analysis program 31 of the management server 30 (1102). When receiving the sensor log (1103), the log analysis program 31 refers to the user list 91 (1104) and specifies the user ID of the user who has entered or exited the room (1105). Further, the log analysis program 31 transmits the specified user ID and sensor identification information to the state management program 21 of the state management server 20 (1106). When receiving the user ID and sensor identification information (1107), the state management program 21 refers to the state management list 24 (1108) and updates the location information of the received user ID (1109).

  As described above with reference to FIG. 11, by managing the information that the user has passed through the sensor 50 installed in the organization with the state management list 24 of the state management server 20, the change in the location of the user is grasped. be able to.

An operation flow of the monitoring / control program 72 operating on the client 70, the document management server 80, and the notebook PC 78 will be described with reference to FIG.
When the monitoring / control program 72 is activated (step 1201), the user's operation on the client 70 is monitored (step 1202). When the user performs an operation on the file (step 1203), the state of the generated operation is identified (step 1204). At this time, the monitoring / control program 72 also displays the operation that has occurred and the external sharing destination information such as the mail address or URL as the destination, the user ID of the client, the file path, etc. Identify.

Next, the label management table 74 stored in the client 70 is referred to (step 1205), and the label assigned to the file is specified using the file path of the file to be operated as a key (step 1206).
If the label is set to something other than “none” (step 1207), the state management server 20 is accessed and the state management list 24 is referred to (step 1209), and the user's location is specified using the user ID as a key. (Step 1210).

  If the label is not set in step 1207, or if the status management server 20 cannot be accessed in step 1209, the policy for label non-setting is referred to (step 1208). Note that if the status management list 24 cannot be accessed in step 1209, it is considered that the label is not set. If the status management server 20 cannot be accessed, it is considered that the client is offline, and if it is offline, the location of the user is specified. This is because it cannot be done. Further, when the client is offline, the policy list 13 stored in the policy setting server 10 and the policy table 73 stored in the client 70 may be different. It is for preventing it.

  Next, when the policy with the label “none” is referenced in step 1208, it is determined whether the state identified in step 1204 matches the policy with the label “none” (step 1214). If it does not match, the operation is prevented (step 1216). If the operation is prevented in step 1216, an alert is displayed to the user (step 1217), and a screen for allowing the user to perform label allocation operation or input is displayed, and input is performed when the user performs label allocation operation. Is received (step 1218), a label allocation screen is displayed (step 1219). When label allocation is not performed or after the label allocation screen is displayed (step 1219), a log is acquired (step 1220).

  On the other hand, if the location of the user is specified in step 1210, it is determined whether the operation is an operation to any storage destination other than the client, such as NW transmission or file copy or printing to a storage medium other than the client. If the operation is an output operation (1211), the asset information of the file storage destination is acquired by referring to the asset list 101 (step 1212), and the policy set in the label of the policy list 73 is referenced (step 1213). ). If it is determined in step 1211 that the operation is not an output operation, step 1213 is executed.

  If the policy is referenced in step 1213 and it is determined that the state identified in step 1204 matches the policy condition (step 1221), the operation is performed (step 1222). Further, if the file path is changed by executing an operation such as copying, renaming, or deleting (step 1223), the label management table 74 is updated (step 1224) and a log is acquired. (Step 1220). If the file path is not changed, step 1220 is executed.

  In the case of an operation that does not satisfy the policy conditions in Step 1221, the operation is prevented (Step 1225), an alert is displayed to the user (Step 1226), and a log is acquired (Step 1220). In step 1220, at least the operation occurrence time, the user ID, whether or not the operation is executed, and the file label are recorded as a log.

  After step 1220, unless a program end command is issued (step 1227), the process returns to step 1202 for monitoring. If a program end command is issued, the program is terminated (step 1228).

  In the present embodiment, by referring to the state management list 24 managed by the state management server 20 and acquiring and controlling the operation environment of the user, not only control of the access right from the person to the file, The file operation can be controlled also by the environment of the user who uses the file.

  In FIG. 12, the monitoring / control program 72 in the client 70 has been described. However, in the monitoring / control program 82 of the document management server 80, the label management list 84 and the policy list 13 of the policy setting server 10 are referred to, and the notebook PC 78. Then, the label management table 7813 and the policy list 7814 copied from the client 70 are referred to.

FIG. 13 shows a flow of processing related to a file take-out operation.
When the user 1 accesses the state management program 21 of the state management server 20 (1301), an application screen is displayed (1302). When the application information is input according to the application screen displayed by the user 1 (1303) and the application information and the file to be taken out are transmitted to the state management server 20 (1304), the state management program 21 loads the file to be taken out with the label management list 23 The file label is identified by comparing with the path, and whether the file can be taken out is identified by referring to the policy of the identified label (1305). Is displayed (1306). If the conditions for the take-out operation are satisfied, the application information is transmitted to the approver 3 (1307). The approver 3 confirms the take-out application information on the displayed approval screen, determines whether or not to take out the application information (1308), and transmits it to the state management program 21 (1309).

  The state management program 21 accepts the approval result (1310), if not permitted, notifies the application not-permitted message (1311), and if permitted, takes out the status of the label management list 23 and updates it to approved (1312). Then, an encryption key including at least the location information of the usage destination and the identification ID of the storage medium as a decryption condition is generated (1313), and the file is encrypted (1314).

  When the state management program 21 sends a take-out permission notice to the user (1315), the user 1 accesses the state management server 20 (1316), downloads the encrypted file (1317), and downloads the file to the notebook PC 78 to be taken out. Store (1318). At this time, the monitoring / control program 71 of the client 70 detects the download of the file and reflects the approval result in the label management table 74 (1323).

  When the user 1 subsequently goes out of the organization from outside the organization, the mobile phone 79 storing the IC card 76 or the user's ID information is brought close to the sensor 50 to perform short-range wireless communication and read the ID (1319). ). Then, user information is acquired by the log acquisition program 51 of the sensor 50 (1320), and the acquired information is transmitted to the state management program 21 (1321). The state management program 21 updates the state of the label management list 23 while it is being taken out based on the received user information (1322).

  By this process, files taken out of the organization are encrypted and taken out. Therefore, even if the user 1 accesses in a place other than the application destination that has been applied for and approved in advance, it will not be decrypted. Operation can be prevented.

  Note that file encryption is forcibly performed even when the level of information stored in a portable medium having no CPU such as a USB memory is high. The encryption method is disclosed in, for example, “Internal Control for Information Leakage Risk Recommendation and Information Asset Management (Author: Kai et al., Hitachi Review, September 2007, pp. 51, 3.3)”. As described above, the file to be taken out is encrypted in a self-decryption type, and the identification information (MAC address, etc.) of the prescribed PC is stored in the encrypted file, so that browsing / editing on a home PC or a suspicious PC can be prevented. .

FIG. 14 shows the flow of processing related to file operations outside the organization.
The user 1 accesses the authentication program 22 of the state management server 20 using the authentication program 791 stored in the mobile phone 79, and transmits login information 792 (1401).
The authentication program 22 of the state management server 20 determines whether or not the login information 792 is authentic (1402). If the authentication is successful, the authentication program 791 requests the authentication program 791 to transmit the location information of the mobile phone 79 (1403). If it fails, an error message is transmitted (1408).
When the authentication program 22 transmits GPS information as the location information of the user 2 (1404), the state management program 21 refers to the state management list 24 (1405) and checks whether the user's location is an approved location. (1406).
If the location is not approved, the state management program 21 sends an error message (1407). If the location is approved, the state management program 21 refers to the decryption key list 25 and identifies the decryption key of the file that can be used at the current location. And transmit (1408).

  The authentication program 22 receives the decryption key (1409) and activates the communication program 793 (1410). The communication program 793 transmits login information to the authentication program 782 of the notebook PC 78 (1411). When the authentication is successful (1412), the communication program 793 requests the decryption key from the communication program 793 (1413). The decryption key is transmitted using (1414). When the decryption key is received, the communication program 783 of the notebook PC 78 stores the decryption key in the notebook PC 78 (1415). When the user 1 accesses the file (1416), only the approved file is decrypted with the decryption key ( 1417), an operation such as browsing can be executed.

  Note that the communication program 783 of the notebook PC 78 communicates with the authentication program 791 of the mobile phone 79 at regular intervals, and when the communication cannot be performed, the monitoring / control program 791 of the notebook PC 78 prevents the operation. As a result, the operation can be prevented from continuing when the notebook PC 78 is moved from an approved location with the notebook PC 78 open.

FIG. 15 shows the flow of processing in the organization after taking out the file.
When the user 1 takes the notebook PC 78 from outside the organization back into the organization (1501) and causes the sensor 50 to read the ID, for example, the IC card 76 (1502), the sensor log acquisition program 51 of the sensor 50 is stored in the IC card 76. The acquired user information is acquired (1503), and data is transmitted to the state management program 21 of the state management server 20 (1504).

  The state management program 21 refers to the label management list 23 (1505), specifies whether there is a file whose take-out time limit has expired among the files being taken out (1506), and uses it when there is a file whose take-out time limit has expired. A file deletion message is displayed on the client 70 of the user 1 (1507). When the user 1 deletes a file whose take-out time has expired from the notebook PC 78 (1508), the monitoring / control program 72 of the client 70 transmits the identification ID of the storage medium storing the deleted file to the state management program 21 ( 1509), the state management program 21 deletes the “Now taking” data set in the state column of the label management list 23 (1510). As a result, it is possible to prevent the files stored in the notebook PC 78 from remaining, so that only the files related to the takeout can be taken out each time the takeout is carried out.

FIG. 16 shows an example of an application and approval screen related to the take-out operation.
An example of a take-out application screen is shown at 160. The take-out application screen 160 is a screen for the user 1 to take out a file outside the organization, and is displayed in step 1303 in FIG.
On the take-out application screen 160, at least the applicant information 1601, the file name 1602 to be taken out, a button 1603 for referring to and selecting the file to be taken out from the client 70, the ID ID 1604 of the medium for storing the file, and the medium to be stored are referred to A selection button 1605, a usage destination 1606, a button 1607 for selecting location information of the usage destination, a take-out time limit 1608, a take-out purpose 1609, an application button 161, and an application cancellation button 162. To do.
When the user 1 inputs the take-out application screen 160 and presses the application button 161, the approver 3 approves the take-out operation and the file selected by the button 1603 for selecting the file name to be taken out.

Next, an example of a take-out approval screen is shown at 163. The take-out approval screen 163 is a screen on which the approver 3 who approves the application of the user 1 performs the approval, and is displayed in step 1308 in FIG.
The take-out approval screen 163 includes at least applicant information 1601, a take-out file name 1602, a medium ID ID 1604 for storing the file, a take-out time limit 1608, and take-out as information input by the user 1 on the take-out application screen 160. In addition to the purpose 1609, a button 1611 for displaying a file to be taken out, label information 1612 of the file to be taken out, position information setting status 1613 of use destination information, a button 164 for permitting approval, and a button 165 for returning approval , Is displayed. It should be noted that the label information 1612 of the file to be taken out is identified and displayed by referring to the label management list 84 after the take-out approval program 83 receives the file name 1602 input by the user 1.

  According to the first embodiment described above, an operation leading to information leakage can be prevented without obstructing utilization of information.

--- Example 2 ---
The second embodiment shows a method of embedding file label information in a file.
FIG. 17 shows the flow of label allocation processing in the second embodiment. The rough flow of the label allocation process in the second embodiment is the same as the label allocation process in the first embodiment shown in FIG. 7, but in the second embodiment, an extension area of a file is used, and at least a label name is included in the extension area. And label setting or approver information. Specifically, before identifying the completed document in step 7014, label embedding processing is performed (1701).

  FIG. 18 shows an operational flowchart of the monitoring / control program in the second embodiment. The general flow of the operation flowchart of the monitoring / control program in the second embodiment is the same as the operation flowchart of the monitoring / control program shown in FIG. 12, but in the second embodiment, the label information by referring to the label management table 74 is changed. Perform label reading processing instead of specific processing. Also, since the label is embedded in the extension area of the file, the file path changing operation is not executed. For this reason, after the state is identified in step 1204, label reading processing is performed (1801), and the label setting status is confirmed (1207). In addition, after performing an operation on the file for which the label is set in step 1222, a log acquisition process is performed (1220).

  According to the second embodiment described above, it is possible to prevent an operation leading to information leakage without obstructing the utilization of information with the same system configuration as that of the first embodiment.

--- Example 3 ---
・ System configuration:
In the third embodiment, a method for identifying information in an approval process when a file is taken out of an organization is shown. FIG. 19 shows a system configuration diagram of the third embodiment. In the system configuration in the third embodiment, a mail server 192 including a mail log 1921 obtained from a log of transmitted / received mail and an approval management server 193 are newly provided. The client 70 includes an application management program 1911, and the notebook PC 78 includes an application management program 7801.

  The application management program 1911 and the application management program 7801 perform the same operation. By installing the application management program on the target device, a file having an approved attribute is identified from the storage means, and the existing file The approved file can be highlighted on the display interface in the search program or the like by the existing function or the like of the file search program (for example, the display of the corresponding file is highlighted or bolded). The approval flow in this embodiment will be described in detail later with reference to FIGS. 27 and 28.

  In addition, the application management program 1911 has “take-out application” in the context menu. For example, it is assumed that the user 1 selects a file via the client 70 or the notebook PC 78 and selects “Bringout Application” from the context menu provided by the application management program 1911. In this case, the application management program 1911 communicates with and connects to the approval management program 1931 of the approval management server 193, and displays an authentication screen for launching a take-out application screen. In the first embodiment, the file take-out approval process is performed by the state management server. However, as shown in the system configuration of the third embodiment, an information processing apparatus having an approval management function = an approval management server 193 is installed. A new role may be provided to share the role in the label allocation process.

  The approval management server 193 generates screens to be displayed on the client 70 and the notebook PC 78 of the user 1 who applies for file take-out and the approver 3 who makes an approval decision for take-out, and manages the status and file of the application case. Approval management program 1931, file identification program 1932 (file identification means) for performing identification processing of the applied file, supplier list 1941 in which supplier information outside the organization is registered, and DB 1943 for verification used for file identification (object registration) Database management program 1934 (DB management means), a file conversion program 1935 for converting a file approved for export to a file format for export, an approval management DB 1942 for storing an approval status, and a file organization For taking out That includes a take-out rules DB1944, who has registered the rules of the organization.

  As already shown in FIG. 2, the hardware configuration of the client 70 includes the terminal log 75, the policy list 73, the external storage medium 702 (storage means) for storing the label management table 74, the application management program 1911 and the monitoring. CPU 701 for executing the control program 72, memory 703, display unit 704 (output unit) for displaying the input / output screen, operation unit 705 (input unit) for controlling input / output, data stored in the portable medium 77, and the like A portable medium connection unit 706 for reading and writing, a RAM 707, a communication unit 708 for communicating with the network 40 by wire or wireless, and a bus 709 for interconnecting these devices and the like. Further, the notebook PC 78 and the approval management server 193 newly introduced in the third embodiment also have the same hardware configuration as the client 70.

  In each device, processing and functions described below are realized by the CPU executing a program stored in an external storage medium. However, in the description of each embodiment, each program is an execution subject for convenience. In addition, each program may be stored in advance in an external storage medium or memory of each device described above, and when necessary, a portable medium connection unit or a communication unit, a medium that can be used by each device, It may be introduced from another device via The medium refers to, for example, a removable portable medium or a communication medium (that is, the network 40 or a carrier wave or a digital signal propagating through the network 40).

  The approval management server 193 according to the third embodiment is a file management system that assigns a label, which is a combination data of a category indicating information type and a confidential level, to a file and restricts an operation leading to information leakage. The approval management server 193 determines whether or not there is a use-prohibited object in the file for which the application has been accepted based on the handling information in the database for comparison 1943 (object registration database) at the time of accepting the label application or accepting the file export application. The file identification program 1932 (file identification means) to identify is provided.

  Further, the approval management server 193 obtains an approval result for the label application or file take-out application from another terminal (such as the client 70 or the notebook PC 78) or the operation unit (input means), and the verification database 1943 (object A DB management program (DB management means) for updating handling information related to the object in the registration database) is provided. It is preferable that the DB management unit updates the object registration database when receiving the approval result.

  In addition, the file identification program 1932 specifies the page configuration, the text position and the object position on the corresponding page for the file that has received the application, and another file that is similar with respect to the items specified here, Based on the attribute information of the collation DB 1943 (object registration database), the difference between the file and another file is acquired, and the object registered in the collation DB 1943 (object registration database) in the acquired difference is acquired. The presence or absence may be detected and output to a display unit (output means) or another terminal (client 70, notebook PC 78, etc.).

・ About database structure:
FIG. 20 shows the data structure of the supplier list 1941. The business partner list 1941 is a list in which information of business partners other than the organization in which the file management system 1000 is introduced and the business in business is registered, and the DB management program 1934 is stored in the mail server 192. Created from the log 1921 or the like. This supplier list 1941 includes a registration number 2001, an email address 2002, a supplier name 2003, a final reception date and time 2004 which is the date and time when the email was last received, an approval count 2005 indicating the number of times that the take-out application has been approved, It consists of the user ID that is recognized. By referring to this supplier list, it is possible to determine whether the export destination for which the file export has been applied is the partner with whom the organization has been involved or has started a new relationship.

  The supplier list 1941 is created by the following procedure. The approval management program 1931 periodically accesses the mail log 1921 stored in the mail server 192. Then, the approval management program 1931 analyzes the reception log of the user in the organization, and the sender information specifies the mail address of the other party outside the organization.

  Next, the approval management program 1931 identifies the mail address of the user in the organization from the recipient mail address corresponding to the mail address from the identified partner outside the organization, for example, the user list 91 of the ID management system 90. The user ID is specified by collating with the mail address registered in.

  When the business partner is registered in the business partner list, the approval management program 1931 updates the last reception date and time in the corresponding record of the business partner list 1941 (the specified user ID is related to the business partner). If it is an unregistered user ID, the user ID 2006 field is also updated). On the other hand, when the business partner is not registered in the business partner list 1941, the approval management program 1931 adds a new record and registers the acquired information (company name, e-mail address, etc. of the business partner).

  FIG. 21 shows the data structure of the approval management DB 1942. The approval management DB 1942 includes metadata relating to an approval item created for each user ID and metadata relating to the contents of the file applied. The metadata related to the approval item includes a user ID 2100, an approval item table 2101 created for each approval item, and a mail reception table 2102 that stores the recipients of the mails received in the order of date and time.

  The approval case table 2101 is updated by the approval management program 1931 when the approval operation is completed, and the mail reception table 2102 is updated by the DB management program 1934 when the supplier list 1941 described in FIG. 24 is updated. The approval case table 2101 includes an application ID 2111 assigned when an application is made, a supplier registration number 2112, a export method 2113, a file format 2114, a reason for export 2115, an approver comment 2116, a status 2117 related to approval, an approval date and time 2118, The file ID 2119 of the file applied for.

  The mail reception table 2102 is a table in which the upper number of mails whose senders are outside the organization among the mails received by the user 2100 is registered, and includes a mail address 2121 and a reception date and time 2122. This number can also be customized by the administrator.

  Further, the metadata 2103 relating to the contents of the applied file includes the ID 2123 and the file 2124 of the applied file, data 2125 obtained by adding the object detected by the matching DB 1943 to the analysis data analyzed by the file identification program 1932, Data for file comparison 2126 is stored. As the data for file comparison, a hash value or the like is stored so that the similarity between files can be compared.

  FIG. 24 shows the data structure of the verification DB 1943 (object registration DB). The collation DB 1943 includes a general-purpose DB 2104 and a partner-specific DB 2105. The general-purpose DB 2104 is a DB (= a database in which objects regardless of file and label are registered) that can be used uniformly for processing related to take-out application and label registration. Data such as personal names and organization names, templates, etc. associated with handling information (or vice versa, handling information on unconditionally taken-out information such as public information on the Internet), files such as figures and logos, etc. This is a registered object. Further, the destination-specific DB 2105 is generated for each take-out destination and is used for processing related to the take-out application (= a database in which an object is registered for each destination having a history of taking out a file) and has the same format as the general-purpose DB 2104. Object information is registered. The collation DB 1943 may further include a label database 2106 in which file objects are registered for each label. In each DB, a use prohibited object 2127 and a useable object 2128 are registered, and are registered together with the number of detected cases 2129 for the approved cases.

  In the collation DB 1943, data indicating words such as person names and organization names, templates, etc., and data relating to figures and logos are attribute information of objects. In addition, information such as “takeout prohibited” and “takeout OK” associated with the attributes of these objects is the handling information.

  FIG. 25 shows the data structure of the take-out rule DB 1944. The take-out rule DB 1944 is a database in which rules for permitting or not permitting a combination of a file format and a take-out method at the time of file take-out are described. This is updated by the administrator or the approver in advance through the DB management program 1934, and can be set in small units such as the entire organization or department. For example, a rule 2129 is defined such that (1) file details need to be confirmed for export to a export destination not registered in the supplier list 1941, and (2) the reason is required if the file format is other than DRM. Is done.

・ About screen display examples:
FIG. 24 shows an example of an application screen 220 when the user 1 applies for taking out a file outside the organization. When the user 1 who is the applicant accesses the approval management server 193 with the client 70 or the notebook PC 78, the application management program 1931 of the approval management server 193 sends back the response to the client 70 or the notebook PC 78. It is something to be made. When the application management program 1911 of the client 70 receives an instruction from the user 1 in the context menu and connects to the approval management server 193, the application management program 1911 approves the file path of the selected file. Transmit to the management server 193. Further, the approval management program 1931 causes the user 1 to perform user authentication, and when the authentication is established, the user ID is specified from the authentication information at the time of the user authentication and displayed on the application screen 220.

  The application screen 220 accepts input of the following information by the user (via the client 70, the notebook PC 78, etc.). Applicant name 2211, export date 2212, export file name 2213, export destination email address 2214, export reason 2215, export method 2216, file format 2217 at the time of export, and for example, a file format other than the export method defined in advance ( In this embodiment, in the case of DRM (Digital Rights Management) format), the reason for taking out can be input. At this time, in addition to inputting the file 2213 to be taken out using the application management program 1911 of the client 70 as described above, the user 1 depresses the reference button 2220 and designates the file from the dialog. You may enter. When a plurality of files are taken out at a time, the user 1 can additionally register files by pressing an “add” button 2221.

  As for the export destination 2214, when the user presses the “input from history” button 2223, the approval management server 193 outputs the export destination candidate list 221 to the client 70, the notebook PC 78, etc. It may be selected. On the other hand, if it is not registered in the take-out destination candidate list 221, that is, if it is a new take-out destination, an input of an e-mail address may be accepted. For example, the approval management server 193 extracts data (e-mail address 2002, supplier name 2003, etc.) from the stored information of the supplier list 1941, and sends the e-mail address 222 and supplier name to the export destination candidate list 221. The database is composed of 223.

  In addition, the take-out destination candidate list 221 includes the business partner 2241 having a take-out history so far, the supplier order 2242 with the highest frequency of application for take-out, the mail receiving order 2243, and the registered name order 2244. It is more preferable that the data extracted from the list 1941 is listed, and the approval management server 193 performs display switching of the take-out destination candidate in response to pressing of the corresponding tab. When the user 1 selects a take-out destination from the take-out destination candidate list 221 and executes a take-out destination input, the approval management server 193 is registered in the supplier list 1941 next to the input form 2214. The business partner name ("A company AAA" in the figure) is also displayed. As a result, it is possible to confirm whether or not a customer whose mail address is similar is entered by mistake.

  In the application screen 220, for the carry-out method 2216, for example, DRM, encryption, plain text, or the like can be selected. On the other hand, for example, the default value (for example, “DRM”) of the export method 2216 can be designated in advance according to the organization (for example, the approval management server 193 receives the designation of the client 70, the notebook PC 78, etc.) A default value is set in the data of the application screen 220). In addition, when the approval management server 193 receives a designation to change from the default export method to another method, for example, if the reason 2218 is not filled in, the approval management server 193 does not shift the process even if the application button 2231 is pressed. Such a determination may be executed, and the reason 2218 may be entered by the user. When all the items related to the application are input and the user presses the application button 2231, the input data on the application screen 220 is transmitted from the client 70 or the notebook PC 78 to the approval management server 193. finish. The approval management server 193 stores the input data on the application screen 220 in the approval management DB 1942.

  FIG. 25 shows an approval screen when the approver 3 makes an approval decision. The approval screen for making an approval decision includes an approval waiting list screen 230 showing a list of information that has been applied for and a detailed screen 233 for each case. Instructions from the approver's client 70, notebook PC 78, etc. In response to pressing of the application button on the screen 220, the approval management server 193 generates and outputs it to the client 70, the notebook PC 78, and the like. The approver 3 first performs approval determination of the target file on the approval waiting list screen 230, and for the file that needs detailed confirmation, sees the details screen 233 to determine approval. The details of the screen will be described below.

  The approval wait list screen 230 is a screen that displays a check box 2410, an applicant name 2411, a take-out date 2412, a take-out destination 2413, a confirmation item 2414, a preview 2415, and an approval determination button 2416, and an approval management server 193. Has the template data of the corresponding screen in advance in the storage means. Among the items shown on the approval screen 230, for the take-out destination 2413, the approval management server 193 checks the supplier list 1941 against the take-out destination input by the user, and the export destination registered in the supplier list 1941 If registered, the registered customer name is displayed. If not registered, “unregistered” is displayed. In addition, as the data of the applicant name 2411 and the take-out date 2412, data accepted by the approval management server 193 through the application screen 220 is set.

  Since the approver cannot grasp the take-out destination only by the e-mail address, the approval management server 193 indicates whether or not the destination information corresponding to the e-mail address is registered and the registered name in the supplier list 1941 in the waiting list for approval. This information is shown as information of 230 take-out destination 2413. Thereby, the approver can easily determine an erroneous input of a business partner or an input of an unauthorized business partner.

  Further, the confirmation required item 2414 on the approval waiting list screen 230 indicates an item that may have a high risk of taking out the application information when it is approved (processing executed by the approval management server 193 in the flow of FIG. 28 described later). Identified by). For example, in the case 2431 in the figure, personal information is detected, which indicates that there is a high possibility that personal information is being taken out.

  Further, the approval management server 193 displays a cover 2417 of the file applied for in the preview 2415 and a page 2418 on which information to be most confirmed in the file is described (the flow of FIG. 28 described later). In the process executed by the approval management server 193). The reason why the cover of the file is displayed in preview is that information representing the summary information of the file such as the destination, creator name, and title is often described on the cover. Further, by displaying a preview of the page 2418 on which the information to be checked most is described, the approver can quickly grasp the contents of the information. In addition, displaying the preview has an advantage that the approver can identify information without opening the file. For example, in the case of an approval screen with only a file attached, the approver must know the contents efficiently and accurately without opening the file and seeing all the pages that are listed. It is difficult. On the other hand, like the preview 2415, by displaying the cover and the page that should be checked most preferentially, the effort for opening the file by the approver can be reduced. Further, when the approver presses the detail button 2432 on the screen 230, the approval management server 193 extracts information from the storage unit regarding the application item corresponding to the press of the detail button 2432, and generates data for the detail screen 233. Send back. According to this detail screen 233, for example, the approver can confirm the details of the file that could not be approved on the approval wait list screen 230.

  When the approver checks the check box 2431 on the screen 230 and presses the “approve all checked applications” 232 button, the approval management server 193 determines the approval without displaying the detail screen 233. Can be accepted. The “Approve all checked applications” 232 button may be a button to “Reject all checked applications”. However, an application management server 193 is arranged so that an application case in which the number of required confirmation items 2414 is larger than a predetermined number cannot be approved even if the check box 2431 is checked unless the output of the detailed screen 233 is executed. May be controlled.

  The configuration of the detailed screen 233 will be described. The details screen 233 is intended to allow the details of the application contents to be grasped when the approver cannot make an approval decision based on the information in the approval waiting list 230. The detailed screen 233 is output by the approval management server 193 to the client 70, the notebook PC 78, and the like. The application date 2451, the applicant name 2452, the file 2453, the export date 2454, the export destination 2455, the export reason 2456, and the export method 2457. , Screen data including each data in a comment description field 2465 such as a confirmation required item 2458, a file preview 2461, an inappropriate expression designation button 2463, a reason for rejection 2464, a reason for return / rejection.

  In the confirmation required item 2458, not only the type of object with high risk but also the most similar file among the previously approved / rejected files is displayed (the approval management server 193 in the flow of FIG. 28 described later). Specified and set by the process executed by If the most similar file is a rejected file, the rejection reason of the rejected case (eg, the approval management DB 1942 includes a column of the reason for rejection, and holds data of the rejection reason for the rejected case. The approval management server 193 can extract the data of the reason for rejection from the approval management DB 1942 and display it up to the detailed screen 233, so that the approver can make a reference for the approval judgment. For example, in the example shown in the figure, the corresponding application item is most similar to a file rejected in the past, and the reason for rejection is “for personal information”. The approver confirms the difference between the file export destination of the similar project and the file export destination of this application, and the similar project, and if there is no significant difference between the two, the approver rejects the similar project, Judgment such as approval can be made according to the difference in expression.

  In addition, the approval management server 193 displays the preview screen displayed on the approval wait list screen 230 for each page in the corresponding file in the preview 2461. Further, an object having a high risk of information leakage included in the file such as personal information or a company name is displayed with a highlight 2462. Thereby, the approver can know where to check carefully on the preview screen 2461. When the approver presses the “confirmation order” button 2459, the approval management server 193 displays a preview screen in the order of high priority to be confirmed (eg, in descending order of the number of objects having a high upward leakage risk). Sort the. When the approver presses the “page order” button 2460, the approval management server 193 displays the preview screen in page order. When the approver presses the “open file” button 2466, the approval management server 193 reads out the file of the application item from the storage unit and outputs it to the client 70, the notebook PC 78, etc., and the file contents of the approver Use for confirmation.

  On the other hand, the approver selects an approval / rejection / return determination and presses one of the buttons “Approve” 2471, “Reject” 2472, and “Return” 2473 to determine the approval. Exit. When the approval determination is “reject” or “return”, the approval management server 193 receives the reason input by the approver via the client 70 or the notebook PC 78 in the field of the comment 2465. Upon receiving such reason input, the approval management server 193 transmits the reason data to the user's client 70, the notebook PC 78, etc., thereby using the reason why the approver made the judgment of “return” or “rejection”. Can be notified.

  Further, the approver presses the inappropriate expression designation button 2463 (for example, the authorization management server 193 outputs a cursor for range designation to the client 70 or the notebook PC 78), and the range of the object on the preview screen 2461 is displayed. If specified, the approval management server 193 can accept the range specification and acquire information on the object that the approver feels inappropriate. The approval management server 193 can tell the user which part of the expression that the approver has determined to have a high risk of leakage by transmitting the range designation information to the client 70 of the user, the notebook PC 78, or the like. it can.

  Furthermore, the rejection reason 2464 can allow the approver to select whether there is an inappropriate expression as a rejection reason or whether there is an inappropriate content in terms of leakage risk. For example, if the requested content is confidential information that should be shared only within the organization, the approver checks “content inappropriate”. The approval management server 193 accepts the check contents for the rejection reason 2464 from the approver's client 70, the notebook PC 78, etc., determines that the risk of leakage is high regardless of the presence or absence of expression, and rejects the application. Notify the user (or may). Note that the comment entry or indication performed by the approver is an “approval result”, and is used for updating the collation DB 1943 (reflected in the next and subsequent applications).

  In addition, about the display item of each screen mentioned above, it is also possible to customize the item displayed by approver itself. The approval wait list screen 230 may be approved by an approver using a mobile phone. If it is necessary to check the file in detail, it is possible to request approval from a proxy registered in advance.

・ Example of processing flow:
First, referring to FIG. 26, the flow of file takeout application by the user will be described. The approval management program 1931 of the approval management server 193 presents the interface related to the acceptance processing of the user's take-out application to the user's client 70, notebook PC 78, etc. (hereinafter referred to as client 70).
First, it is assumed that a user who takes a file out of the organization accesses the approval management server 193 by the client 70 and instructs a login process. Then, the client 70 receives this instruction and executes a login process for the approval management server 193 (2501).

  On the other hand, the approval management program 1931 of the approval management server 193 returns the data of the application screen 220 illustrated in FIG. 24 to the client 70 (2502). As described with reference to FIG. 24, when the user uses the application management program 1911 of the client 70 and the client 70 accesses the approval management program 1931 from the context menu, the approval management program 1931 displays the ID of the user. Returns the data of the application screen with the selected file path entered.

  Next, it is assumed that the user presses the “input from history” button 2223 among the input items on the application screen 220. The client 70 receives this pressing event (2503: Y), and notifies the approval management server 193. At this time, the approval management program 1931 uses the logged-in user = the user ID of the user as a key, refers to the supplier list 1941 and the mail reception table 2102 of the approval management DB 1942, and sets the destination candidate list. Generate (2504). Then, data of the destination candidate screen (see FIG. 24) including the data of the destination candidate list is generated and sent to the client 70 (2505).

  When the user inputs all the input items on the application screen 220 and presses the application button 2231 (2506), the client 70 transmits the input data on the application screen 220 to the approval management server 193 (2507). On the other hand, the approval management program 1931 of the approval management server 193 receives the input data. Then, the input data is collated with the take-out rule DB 1944, and it is specified whether there is any deficiency in the application contents (for example, contents that are prohibited from being taken out unconditionally such as “confidential” are included from the beginning) (2508). ).

  Further, following the step 2508, the approval management program 1931 transmits a confirmation screen for the application contents of the user to the client 70 (2509). If it is determined in step 2508 that the application is deficient, the approval management program 1931 highlights the deficient items on the confirmation screen transmitted in step 2509, for example. In this case, the client 70 receives and displays the data of the confirmation screen from the approval management server 193, and accepts correction regarding the corresponding part from the user (2510: Y, 2511). In this case, the flow returns to step 2506. On the other hand, if it is determined in step 2508 that there is no flaw in the application (2510: N), the client 70 accepts pressing of an application button from the user (2512).

  Thereby, the application contents and the file to be applied are transmitted from the client 70 to the approval management server 193 (2513). The approval management program 1931 of the approval management server 193 receives the data transmitted from the client 70, stores it in the approval management DB 1942, and accepts an outside organization application regarding the file (2514).

  Next, based on FIG. 27, the flow of an approval process for a file export application will be described. In this case, as described with reference to the flow of FIG. 26, the client 70 accepts the user pressing the application button on the application screen 220 (2701) and transmits the application contents and the file to be applied to the approval management server 193 ( 2702). The approval management program 1931 of the approval management server 193 receives this.

  Next, the approval management program 1931 refers to the supplier list 1941 for the requested take-out destination, and acquires counterpart registration information (2703). Then, the presence or absence of the collation DB 1943 for the other party is specified (2704). In addition, in the case of a new application, there is no matching DB 1943 for each partner, so that the file is identified using only the general-purpose DB 2104.

  Next, the approval management program 1931 reads the pending case from the application contents (and the “status” of the approval management DB 1942) (the case that was “deficient” in the step 2510 in FIG. 26 and was resubmitted). (2705), if the relevant case is a pending case (2705: Y), the previous file held is sent to the file identification program 1932 (2706). The requested file is also transmitted to the file identification program 1932 (2707).

  On the other hand, when file identification processing is performed in the file identification program 1932 (2708), the identification result is transmitted to the approval management program 1931 (2709). The detailed operation flow of the file identification program 1932 will be described with reference to FIG.

  When the approval management program 1931 receives the identification result from the file identification program 1932, it refers to the take-out rule DB 1944 and extracts the confirmation items that are necessary (2710). In the take-out rule DB 1944, rules for permitting or not permitting a combination of a file format and a take-out method at the time of take-out are described. This is updated by the administrator or the approver in advance through the DB management program 1934, and can be set in small units such as the entire organization or department. For example, a rule is defined in which (1) file details need to be confirmed for exports not registered in the supplier list 1941, and (2) the reason is required if the file format is other than DRM.

  The approval management program 1931 that has extracted the necessary confirmation items notifies the approval request to the client 70 or the like of the approver 3 (2711). The approver's client 70 receives the approver's instruction, uses the approval management program 1931, communicates with the approval management program 1931, and reads and displays the contents of the application item corresponding to the approval request (2712, 2713). ). The approval waiting list screen 230 viewed by the approver on the client 70 is as described with reference to FIG.

  When the approver inputs a decision of approval / rejection / holding from the client 70, the client 70 transmits the determination result to the approval management program 1931 (2714). At this time, the approval management program 1931 receives the determination result, and determines whether the content is rejected or suspended. If the content is “rejected” or “hold” (2715: N), the approval management program 1931 sends a notification that the application is not permitted to the user's client 70 (2716). This notification may be notified to the user using e-mail or the like, or the approval status may be displayed when the user's client 70 accesses the approval management program 1931.

  On the other hand, when the judgment of the approver is “approval” (2715: Y), the approval management program 1931 transmits the corresponding file to the file conversion program 1935 and converts it into an approved file format (2717). ). Further, the approval management program 1931 transmits the approval result to the DB management program 1934 to update the handling information of the object in the matching DB 1943 to the latest determination result (2718). The file conversion program 1935 converts the file format and embeds attribute information that can identify the approved file. As a result, when the file is downloaded to the client 70, the application management program 1911 identifies and colors the file and displays it. Which of the files stored in the client 70 is the approved file? Can be understood at a glance.

  When the file conversion by the file conversion program 1935 is completed, the approval management program 1931 updates the approval management DB 1942 (such as “status”) (2719) and notifies the user client 70 of the approval result (2720). . When the user client 70 accesses the approval management server 193 (2721) and downloads the file converted into the export format (2722), the user can take out the file. Detailed processing of the control in the subsequent carry-out is as shown in the first embodiment.

  Next, the processing flow of the file identification program 1932 will be described with reference to FIG. The file identification program 1932 acquires the file to be applied from the approval management program 1931 (2811), and analyzes the structure of the application file (2812). In the structure analysis of the application file, header footer information, template information (eg, format template used for file creation), text information, and the like are acquired for each page and stored in a memory or the like. Further, in order to specify another file similar to the application target file, a hash value of the application target file is acquired. For the file whose structure could not be analyzed due to the file format or the like, in step 2812, the file identification program 1932 returns an error to the approval management program 1931 and ends the process.

  Next, the file identification program 1932 acquires the file of the suspended matter from the storage means (2814) when the application is a matter once suspended by the approver (2813: Y), and the pending matter file and The difference from the current application file is specified (2815).

  In the case of a new application (2813: N), the file identification program 1932 extracts from the approval management DB 1942 the history file that has been filed for the same export destination, the file rejected in the past, and the like. From the extracted files, the file most similar to the file to be applied is specified (2816). Similar judgment criteria include header / footer information and template information (for example, format template used for file creation), text information, etc., obtained in the structural analysis (step 2812). The file identification program 1932 searches the approval management DB 1942 for a match (that is, a file application for the same export destination, a file rejected in the past, etc.). The file identification program 1932 which specified such similar other files specifies the difference between the specified other file and the application target file (2817). By specifying the difference, for example, in the other file, by identifying a part in which the same word or sentence is input at the same page position or the like, an object that has already been approved in the past (= other file) In this case, a new approval judgment can be omitted. If there is no file with high similarity, the next process is executed without performing the difference acquisition process (2822).

  Next, the file identification program 1932 selects one page of data from the analyzed application target file (2818), refers to the collation DB 1943, and uses the prohibited object in the difference part identified in the step 2817 ( (Example: Text such as “Top Secret”) and if a prohibited object is included, the position within the page (eg: XX line of the page XX) is identified, and the identified detection The position is highlighted by highlighting or the like (2819). The collation DB 1943 may be classified into a plurality of security terms, personal names, company names, individual partner DBs, etc., and stored so that the collation results can be identified for each DB.

  When the file identification program 1932 performs the process of step 2819 for all pages in the application target file (2820: Y), the number of detected prohibited objects is compared on a page-by-page basis, and includes prohibited objects. List pages in descending order. In this way, the confirmation necessary order is determined (2821), and the result (display mode when the confirmation necessary order 2459 in the preview 2461 in the detail screen 233 of FIG. 25 is pressed) is transmitted to the approval management program 1931. .

  As described above, the file identification program 1932 narrows down features that have not been permitted to be exported so far by specifying the difference between another file that has already been approved (or rejected) and the file to be applied for, and further prohibits use. By detecting the presence or absence of an object, it is possible to narrow down the points that the approver should check. Furthermore, by comparing the number of detected objects in units of pages and setting the priority of confirmation based on the number of detections, pages to be confirmed by the approver can be efficiently presented. Furthermore, by specifying the detection position for each type of use-prohibited object, it is possible to recognize at a glance which part of the page has a risk in which category.

  Next, the processing flow of the DB management program 1934 will be described with reference to FIG. The DB management program 1934 is a program for updating the collation DB 1943 based on the approval result when the approval determination is completed. In this case, after receiving the approval result by the approver by the approval management program 1931 (2718 in FIG. 27), the DB management program acquires the approval result and the analysis data analyzed by the file identification program 1932 (241). The approval result includes the registration information of the export destination and the approval result of any one of approval / rejection / holding. The analysis data includes objects detected as corresponding to prohibited objects in the matching DB 1943 and the number of detected cases in addition to the structure data and text information of the file to be applied.

  Next, the DB management program 1934 specifies whether there is a collation DB 1943 for the export destination from the export destination registration information (for example, the company name of the export destination and its mail address) acquired from the approval result ( 242). When the collation DB 1943 for the export destination does not exist (242: N), the DB management program 1934 newly creates a collation DB 1943 (243).

  Subsequently, the DB management program 1934 lists the detected objects in the order of the detected number in the analysis data acquired from the approval management program 1931 (244). Further, when the approval result is “approval” (245: Y), the DB management program 1934 registers the detected object as a usable object in the collation DB 1943 for the export destination (246).

  On the other hand, if the approval result is “rejected” (245: N, 247), the detected object is registered as an unusable object in the collation DB 1943 for the export destination (248). The data to be registered at this time is when the reason for rejection is “inappropriate in content”, and when there is an object selected by the approver as “inappropriate” on the detailed screen 233 (FIG. 25), only the selected portion Register. This is because there is no need to register an object in the matching DB 1943 for inappropriate parts such as punctuation marks and kanji mistakes.

  Subsequently, when the DB management program 1934 registers all detected objects in the collation DB 1943 in Steps 246, 248, etc., the DB management program 1943 for each export destination currently registered in the approval management server 193 is stored. If there is an object registered in each DB 1943 for comparison at a rate equal to or higher than a preset threshold (250: Y), it is registered in the general-purpose DB 2104 (251). As a result, objects that can be shared with the other party due to a contract, etc. are managed in the other party's collation DB 1943, and on the other hand, objects that should be managed in a unified manner (commonly handled across files, etc.) The object to be managed can be managed by the general-purpose DB 2104. Therefore, an object to be detected can be set according to the file export destination and refined.

  According to the third embodiment described above, in addition to the first embodiment and the second embodiment, it becomes easier for the approver to determine whether to take out the file for which the application is taken out at the time of approval, and to further reduce judgment errors. Is possible.

  Although the three embodiments have been described above, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the gist thereof, and the embodiments may be combined.

1: user, 2: administrator, 3: approver, 10: policy setting server, 11: policy setting program, 12: policy distribution program, 13: policy list, 14: terminal log, 20: state management server, 21 : Status management program, 22: Authentication program, 23: Label management list, 24: Status management list, 25: Decryption key list, 26: Terminal log, 30: Log management server, 31: Log analysis program, 32: Collection log, 40: Network, 41: Internet server, 42: Internet, 43: E-mail, 50: Sensor, 51: Sensor log acquisition program, 52: Sensor log, 60: Printer, 70: Client, 72: Monitoring / control program, 73: Policy List, 74: Label management table, 75: Terminal log, 76: IC , 77: portable medium, 78: notebook PC, 781: monitoring / control program, 782: authentication program, 783: communication program, 7813: label management table, 7814: policy list, 7815: terminal log, 79: mobile phone Telephone: 791: Authentication program, 792: Login information, 793: Communication program, 80: Document management server, 81: Label allocation program, 82: Monitoring / control program, 84: Label management list, 85: Terminal log, 90: ID Management system, 91: User list, 100: Asset management system, 101: Asset list, 192: Mail server, 1921: Mail log, 1911: Application management program, 193: Approval management server, 1931: Approval management program, 1932: File Identification program, 1934: DB Management program, 1935: file conversion program, 1941: customer list, 1942: approval management DB, 1943: verification DB, 1944: takeout rule DB, 7801: application management program

Claims (18)

In a file management system that assigns labels to files and restricts operations that lead to information leakage,
Policy setting means for setting at least a policy;
Policy delivery means for delivering the policy to a client comprising monitoring and control means;
A sensor for identifying the user when the user passes,
State management means for centrally managing information acquired from the sensor and identifying the location of the user;
Label assigning means for associating the policy by assigning a label to the file,
The monitoring / control means identifies the label assigned to the file when the user operates the file, compares the label with the policy based on the user location, the user attribute, and the file storage location, and executes the operation. Allow,
A file management system characterized by that. The file management system according to claim 1,
The file management system characterized in that the policy includes a combination of information category and level as a label, and an execution condition and a sharing destination for each operation are set for each label. In the policy of claim 2,
The file management system characterized in that the policy specifies at least a file user, a storage location, and a usage location as the execution conditions. The file management system according to claim 1,
The policy setting means includes:
A file management system, wherein when setting the policy, a list of conditions for executing an operation is displayed in a table format, and the condition is set by pressing only a condition that the setter wants to specify. The file management system according to claim 1,
The label assigning means includes
A file management system that applies a policy set to a label assigned to a file by a user to the file. The file management system according to claim 5,
The label assigning means includes
A file management system, wherein when a user assigns a label to a file, the label that the user cannot perform an operation is hidden. The file management system according to claim 5,
The label assigning means includes
A file management system that makes it easy to determine whether a label is appropriate by displaying a similar label when an approver approves a label assigned by a user. The file management system according to claim 1,
The monitoring / control means of the client includes:
A file management system that prevents information leakage or error or intentional file transfer by specifying a sharing destination condition that can be uniquely specified in a policy and executing an operation when the condition is met. The file management system according to claim 1,
The monitoring / control means of the client includes:
A file management system that sets a policy that treats files with unlabeled labels as confidential and controls the removal of files that are not assigned labels. The file management system according to claim 9, wherein
The monitoring / control means of the client includes:
A file management system characterized by applying a label-unset policy to a file to which a label is assigned when network communication with the policy distribution unit and the state management unit is impossible. The file management system according to claim 1,
The monitoring / control means of the client includes:
A file management system for controlling file operations from an inappropriate use environment by using position information for performing file operations as an operation execution condition and linking with user entry / exit information. The file management system according to claim 11,
The monitoring / control means of the client includes:
State management means comprising: a state management means for encrypting after obtaining approval from the approver when the user takes out a file; and a communication means for measuring the user's location information and communicating with the state management means. If the location information is appropriate by communicating with the mobile phone, the decryption condition is acquired, the mobile phone that communicates with the portable medium storing the file and transmits the decryption condition, and the file taken out using the decryption condition is also specified. A file management system that can be operated in a user environment. The file management system according to claim 11,
The state management means includes
A file management system that sets a take-out time limit before taking out a file, holds the take-out time limit until information is deleted, and detects information that has passed the take-out time limit. The file management system according to claim 1,
The monitoring / control means of the client includes:
A file management system characterized by setting a policy to share files with unlabeled files if they are addressed to the same job title or a higher-level job title, and controlling the export of files that are not assigned a label. A file management system that assigns a label that is a combination data of a category indicating the type of information and a confidentiality level to a file, and restricts operations that lead to information leakage,
Storage means for storing an object registration database for storing object attribute information and handling information;
A file identifying means for identifying the presence or absence of a prohibited object in a file for which an application has been accepted based on the handling information in the object registration database at the time of application for a label or application for taking out a file;
DB management means for obtaining an approval result for the label application or file take-out application from another terminal or input means, and updating handling information regarding the object in the object registration database;
A file management system comprising: The file management system according to claim 15, wherein
The DB management unit updates the object registration database when an approval result is received. The file management system according to claim 15, wherein
The object registration database includes a database in which an object of a file is registered for each label, a database in which an object is registered for each partner having a history of taking out the file, and a database in which an object regardless of the file and the label is registered. A file management system characterized by that. The file management system according to claim 15, wherein
The file identification means identifies the page configuration, the text position and the object position on the corresponding page for the file for which the application has been accepted, and registers other files similar to the items identified here for the object registration. Specify based on the attribute information of the database, acquire the difference between the file and other file, detect the presence or absence of the object registered in the object registration database in the acquired difference, and output to the output means or other terminal, A file management system characterized by that.

Images