JP2010020624A - External storage medium management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an external storage medium management system that disables the use of USB memories and others beyond their use limits. <P>SOLUTION: The external storage medium management system includes an operation log information detection part for detecting operation log information about file access to an external storage medium on a computer terminal, an external storage medium use limit decision part for identifying the file subjected to the file access by the detected operation log information, acquiring file authority information representing use authority associated with the file, and deciding use limit information about the external storage medium according to the acquired file authority information, and an external storage medium use limit setting part for setting the decided use limit information in the external storage medium on the computer terminal. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

The present invention determines the usage range of a storage medium such as a USB memory (portable semiconductor storage device) and a computer terminal using the operation log information, and thus exceeds the usage range of the storage medium and the computer terminal. The present invention relates to an external storage medium management system that prevents use.

  Organizations such as companies take various measures to prevent information leakage from the organization. In recent years, thorough information management has been demanded, and usable hardware resources are often limited. In particular, external storage media such as semiconductor memory (USB memory, etc.) that can carry information are very convenient, but they are inappropriately used such as lost or stolen or forgetting to delete files that are no longer needed after use. It is a problem.

  Therefore, as described in Patent Document 1 below, there exists a system that prevents a predetermined fraud from being performed in the first place. In other words, it is a system that prevents information leakage by making it impossible to perform operations such as file copying on storage media and computer terminals. In addition to Patent Document 1, there is a case where a method of uniformly prohibiting use of a storage medium such as a USB memory in terms of software or hardware may be employed.

  In the case of Patent Document 1, by setting a file copy operation to a storage medium or a computer terminal as an illegal act, such an operation cannot be performed uniformly, and information leakage can be prevented. Also, in the case of a method of prohibiting the use of a storage medium such as a USB memory in terms of software and hardware, the storage medium cannot be used, so that information leakage can be prevented.

  However, a storage medium such as a USB memory can easily carry information and use the information on another computer terminal. Therefore, it is highly convenient, and if it is uniformly prohibited as described above, Business efficiency may be reduced.

  For example, in the case of the development department, a single user uses a computer terminal that performs normal business and a computer terminal for experimental environment, and the computer terminal for experimental environment is separated from the network of computer terminals for normal business. There are many. If you want to move files from a computer terminal that performs normal work to a computer terminal for an experimental environment, apply for permission to use a storage medium such as a USB memory to the department that oversees system management in advance. A file is moved using an authorized USB memory.

JP 2005-222216 A

  As described above, conventionally, a storage medium such as a USB memory is forbidden to use uniformly because importance is placed on information leakage. Therefore, in order to use it exceptionally, the USB memory to be used must be applied to the department in charge of system management beforehand, which is extremely complicated.

  Therefore, as in the past, storage media such as USB memory can be used without requiring complicated procedures such as application to the department that oversees system management in advance. A security system that can be prevented is desired. That is, a system that solves the conflicting problems of ease of daily work and prevention of information leakage is desired.

  In view of the above problems, the present inventor has made the following invention.

  A first invention is an external storage medium management system that sets usage range information in an external storage medium, wherein the external storage medium management system acquires operation log information of a computer terminal in which the external storage medium is mounted, An operation log information detection unit for detecting operation log information related to file access to the external storage medium in the computer terminal, and using the detected operation log information, a file that is a target of file access is specified, and the file An external storage medium usage range determination unit that acquires file authority information indicating usage authority associated with the external storage medium and determines the usage range information of the external storage medium based on the acquired file authority information; and the determined usage range information An external storage medium use range setting unit that sets the external storage medium of the computer terminal Parts is a storage medium management system.

  With the configuration according to the present invention, it is possible to automatically determine the use range information of the external storage medium from the operation log information and set it to the external storage medium. As a result, the external storage medium can be automatically used in an appropriate range without applying for an external storage medium such as a USB memory in advance.

  When an external storage medium in which use range information is set as in the above-described invention is loaded in a computer terminal, it is preferable to determine whether or not the use is possible as in the present invention. That is, when the computer terminal having the external storage medium attached determines that the external storage medium has been attached, the computer terminal user identification information and the use range information set in the external storage medium are used. It can be configured as an external storage medium management system that determines the content of usage restrictions on the external storage medium.

  The external storage medium management system according to claim 1 can be realized by causing the computer terminal to read and execute the program of the present invention. That is, at least one computer terminal acquires operation log information of a computer terminal equipped with an external storage medium, and detects operation log information related to file access to the external storage medium in the computer terminal Using the detected operation log information, identify the file that is the target of file access, obtain file authority information indicating the use authority associated with the file, and based on the acquired file authority information External storage that functions as an external storage medium use range determining unit that determines use range information of the external storage medium, and an external storage medium use range setting unit that sets the determined use range information in the external storage medium of the computer terminal It can also be configured like a media management program.

  A second invention is an external storage medium capable of storing use range information in a predetermined storage area, and the external storage medium is determined based on file authority information of a file stored in the external storage medium The use range information is written to the predetermined storage area by the first computer terminal with the external storage medium attached, and the write is performed when it is determined that the external storage medium is attached to the second computer terminal. The used range information is read by the second computer terminal, and the external storage medium is used in the second computer terminal by using the user identification information of the user of the second computer terminal and the use range information. This is an external storage medium for which the content of usage restrictions is determined.

  By configuring as in the present invention, when the usage range information of the external storage medium is set, when the external storage medium is attached to the computer terminal, based on the set usage range information, Whether or not the external storage medium can be used can be determined.

  Further, when the above-described invention is carried out, the above-mentioned external storage medium can be realized by causing the computer terminal to read and execute the program of the present invention. That is, the computer terminal that determines the mounting of the external storage medium storing the usage range information determined based on the file authority information of the file stored in the external storage medium is used as the computer terminal. When attached, the use range information stored in the external storage medium is read out to the computer terminal, and the user identification information of the user of the computer terminal and the use range information are used in the external storage medium in the computer terminal. It is a security program that functions as a means for determining the contents of the usage restrictions.

  When a file is stored in an external storage medium such as a USB memory by the external storage medium management system of the present invention, it is possible to set the usage range of the external storage medium based on the authority information of the file. . Then, when the external storage medium is connected to the computer terminal, even if the external storage medium is lost by determining the user's range of use, the third party who acquired the external storage medium can do so at his / her computer terminal. On the other hand, it is possible for an employee to make a copy via an external storage medium to a laptop computer lent by the company.

Thus, according to the external storage medium management system of the present invention, it is possible to achieve both prevention of information leakage and ease of daily work.

  A conceptual diagram of the entire external storage medium management system 1 of the present invention is shown in FIG. A conceptual diagram of the system configuration of the external storage medium management system 1 of the present invention is shown in FIG. The external storage medium includes a storage medium such as a semiconductor memory such as a USB memory, an optical disk, a magneto-optical disk, a magnetic disk, and the like, and any storage medium or storage device that is connected to a computer terminal and stores data. It can be anything. This also applies to computer terminals such as laptop computers, or network-attached storage. Furthermore, a device such as a mobile phone, PHS, PDA, or smartphone may be used.

  In the external storage medium management system 1 of the present invention, a predetermined program is read and processed in a computer terminal or server (hereinafter referred to as “management server 2”) used by an administrator who manages each client terminal 3. It is realized by. The management server 2 preferably records what program is being executed in each client terminal 3, what operation has been performed, and the like. Therefore, each client terminal 3 has information such as the program name and file name executed on the client terminal 3 periodically or at a predetermined timing such as when a new program or file is executed or terminated. The client terminal 3 has a function of transmitting information on the program name and file name to the management server 2. The function of transmitting program name and file name information can be extracted by extracting the program name and file name being executed by the arithmetic unit 20 of the client terminal 3, or by extracting and transmitting the program name and file name in the memory. Good. That is, so-called operation log information may be transmitted from the client terminal 3 to the management server 2. In the present specification, programs, files, data, and the like are collectively referred to as “files”.

  The management server 2 and the client terminal 3 store an arithmetic device 20 such as a CPU that executes program arithmetic processing, a storage device 21 such as a RAM or a hard disk that stores information, processing results of the arithmetic device 20, and the storage device 21. And a communication device 24 that transmits and receives information to be transmitted and received via a network such as the Internet or a LAN. Each function (each unit) realized on the computer is executed when a unit (program, module, etc.) for executing the process is read into the arithmetic unit 20. When using the information stored in the storage device 21 in the processing, each function reads the corresponding information from the storage device 21 and uses the read information for processing in the arithmetic device 20 as appropriate. The computer may include an input device 23 such as a keyboard, a mouse, and a numeric keypad, and a display device 22 such as a display (screen). FIG. 3 schematically shows an example of the hardware configuration of the management server 2. Further, the management server 2 may have its functions distributed in a plurality of computer terminals or servers.

  Each means in the present invention is only logically distinguished in function, and may be physically or practically the same area.

  The management server 2 includes an operation log information detection unit 4, an operation log information storage unit 5, an operation log information extraction unit 6, a file authority information storage unit 7, a user information storage unit 8, an external storage medium use range determination unit 9, and an external storage. A medium use range setting unit 10.

  The operation log information detection unit 4 receives operation log information at the client terminal 3 from each client terminal 3 periodically or at a predetermined timing, and the operation log information is an operation indicating file access to the external storage medium. Monitor for it. The received operation log information is stored in an operation log information storage unit 5 (to be described later) together with information for identifying the date and time, which user and which client terminal 3 is the operation log information. The operation log information may be information indicating the operation content in each client terminal 3. For example, “file copy”, “file write”, “file selection”, “file deletion”, “file alias storage”, “ The information indicating the operation of the user of the client terminal 3 such as “add drive” and “delete drive” is applicable.

  The operation log information is, for example, information indicating contents operated by the user using the input device 23 or the like, contents executed or executed in the client terminal 3, and an application or hardware processed in middleware, OS, or the like. There is information indicating control over the wearer. More specifically, key input, pointing device operation (button press, move, etc.), external storage medium attachment / detachment, connection with external device (printer, etc.), file operation (create, delete, copy, move, file name) Change, file read, file write, etc.), folder operation (create, delete, copy, move, folder name change, etc.), application operation (start, end, etc.), drive addition / deletion / detection, IP address change, computer name There is information indicating changes, storage media writing, printing, copying to the clipboard, and the like. These are merely examples and are not limited.

  When the management server 2 receives operation log information from each client terminal 3, it may be received via a network, or the operation log information is recorded on a recording medium such as a DVD in the client terminal 3, and the recording medium is stored in the recording medium. It may be read by the management server 2 and received by reading operation log information therefrom.

  The operation log information detection unit 4 determines whether the operation log information is a predetermined operation based on the operation log information received from the client terminal 3. The predetermined operation includes, for example, an operation indicating access to a file on the external storage medium. For example, when the operation content in the operation log information is “file writing” and the storage location indicates an external storage medium, it can be determined that the file is stored in the external storage medium. When the operation content in the operation log information is “file deletion” and the storage location indicates an external storage medium, it can be determined that the file has been deleted from the external storage medium. Alternatively, when the operation content in the operation log information is “file alias save” and the save location indicates an external storage medium, the file saved in the external storage medium is saved as a file alias (changed file name). Can be determined.

  It should be noted that, as a predetermined operation such as an access operation to a file on the external storage medium to be monitored, it is preferable to determine the operation content in advance, but it is not always necessary.

  The operation log information storage unit 5 stores the operation log information received from each client terminal 3 by the operation log information detection unit 4. The operation log information includes information for identifying the client terminal 3, information for identifying the user (such as a login name), information indicating the operation content, file identification information (name of the file or application) that is the operation target of the operation content, Information indicating the location of the file or application (information indicating a storage location, etc.), date / time or information obtained by quantifying the date / time, and the like are included. The operation log information may include all of these items or a part thereof. FIG. 6 shows an example of operation log information.

  The operation log information is preferably stored for each client terminal 3 or each user (login name or the like). In addition, when associating the information indicating the operation content with the date and time, it may be performed at the client terminal 3, may be performed when the operation log information is received by the management server 2, or an operation log information storage unit This may be done when storing in step 5. FIG. 7 shows an example of the operation log information storage unit 5. FIG. 7 shows a case where operation log information is stored for each computer name (3 client terminals).

  When the operation log information extraction unit 6 determines that the file access to the external storage medium has been performed in the operation log information detection unit 4, the operation log information extraction unit 6 extracts the operation log information.

  The file authority information storage unit 7 stores file identification information of each file and file authority information indicating use authority of the file. The file authority information is information indicating a user who is permitted or restricted to use the file, and includes user identification information, user attribute information, information indicating a user authority level, and the like. An example of the file authority information storage unit 7 is shown in FIG. The file authority information storage unit 7 stores the authority to use each file by associating user identification information with file identification information, or by associating user affiliation information with file identification information. Or can be stored by various methods, such as storing information by associating information indicating user authority with file identification information. FIG. 8A shows a case where the file name and the department to which the file can be used are stored in association with each other. In FIG. 8B, the file name and user identification information that can use the file are shown. Are stored in association with each other. In FIG. 8C, the file name and the authority level of the user who can use the file are stored in association with each other. In the above description, file storage location information and file authority information may be stored in association with each other instead of the file name. Further, instead of the file name, a list of keywords included in the file name and file authority information may be stored in association with each other, and the use authority of the file including the keyword in the file name may be used.

  The user information storage unit 8 stores user identification information and user attribute information in association with each other. User attribute information includes, for example, the name of the user, affiliation information (department, job title, etc.), authority level, and the like. FIG. 9 shows an example of the user information storage unit 8.

  The external storage medium use range determination unit 9 determines use range information of the external storage medium based on the file identification information in the operation log information extracted by the operation log information extraction unit 6. That is, when the extracted operation log information is “file write”, the file identification information in the operation log information is extracted, and the file authority information associated with the file identification information is extracted from the file authority information storage unit. 7 to determine the use range information of the external storage medium.

  For example, if the operation content of the extracted operation log information is “file write”, the file identification information “AAAAAAA” is extracted from the operation log information. Then, by referring to the file authority information storage unit 7 based on the file identification information “AAAAAAA”, the use department “sales department XX section ○ G” and the use range “confidential” which are the file authority information of the file. And the usage range information of the external storage medium is determined as “sales department”. In the above case, the affiliation information of the user who can access the file is used as the file authority information, but the identification information of the user who can access the file and the authority of the user who can access the file are also used as the file authority information. Information can also be extracted from the file authority information storage unit 7 and determined as use range information of the external storage medium. In addition, user identification information of a user who has written a file to an external storage medium can be used as file authority information, and the user identification information can be determined as usage range information.

  The external storage medium use range setting unit 10 transmits the use range information of the external storage medium determined by the external storage medium use range determination unit 9 to the client terminal 3 that has accessed the file of the external storage medium, The usage range information is set in the external storage medium.

  For example, when the external storage medium use range determination unit 9 determines the use department “sales department” from the above-mentioned use department “sales department XX section ○ G” and the use scope “confidential” as the use range information, Users who belong to “Department” can be accessed. Then, the external storage medium usage range setting unit 10 transmits these control instructions to the client terminal 3. Then, in the client terminal 3 that has received the control instruction including the usage range information, the usage range information received from the management server 2 is written and set as usage range information in the external storage medium attached to the client terminal 3. As a result, the use range information is written to the external storage medium.

  Here, when the use range information is written in the external storage medium, when the external storage medium is next attached to the client terminal 3, the use range information and the user identification information of the user (login name or the like) of the client terminal 3 or By comparing the attribute information of the user, it can be determined whether the external storage medium can be used in the client terminal 3. The external storage medium has a storage area for storing the usage range information, and stores the usage range information therein.

  Next, an example of a processing process in the external storage medium management system 1 of the present invention will be described with reference to the flowcharts of FIGS. 4 and 5, the conceptual diagram of the system configuration in FIG. In the following description, the case of a USB memory as an external storage medium will be described, but the same can be realized even if the external storage medium is a computer terminal or the like. A case in which the file identification information is a file name will be described.

  First, a process for preliminarily storing the usage range information (usage range information) for each USB memory in the USB memory will be described.

  The operation log information of the client terminal 3 is transmitted from each client terminal 3 to the management server 2 periodically or at a predetermined timing. The operation log information is received by the operation log information detection unit 4 (S100).

  The operation log information received by the operation log information detection unit 4 is stored in the operation log information storage unit 5. The operation log information generally includes information for identifying the client terminal 3, date and time information, etc., but if not included, by receiving these information together, The data is stored in the operation log information storage unit 5 in association with each other.

  Further, the operation log information detection unit 4 monitors whether or not the operation is a file access operation to the USB memory based on the received operation log information (S110), and the client terminal 3 performs the file access operation to the USB memory. Is determined (S120).

  When it is determined that the file access operation to the USB memory is not performed, the operation log information detection unit 4 stands by for receiving the next operation log information as it is. If it is determined that a file access operation to the USB memory has been performed, the operation log information extraction unit 6 extracts the operation log information while waiting for the next operation log information to be received. For example, assume that the extracted operation log information is shown in FIG.

  For example, when the operation log information received by the operation log information detection unit 4 from the client terminal 3 “ABC12345678” is FIG. 10, the operation content is “file write”, and the storage location information is “external storage medium”. Therefore, it is determined that a file access operation to the USB memory has been performed, and the operation log information extraction unit 6 extracts this operation log information.

  Then, the external storage medium usage range determination unit 9 extracts the file identification information “AAAAAAA” from the extracted operation log information, and refers to the file authority information storage unit 7 based on the extracted file identification information, so that the file Use department “sales department XX section ◯ G” and use range “confidential” are acquired as file authority information (S130). When the file authority information storage unit 7 is as shown in FIG. 8B, a user who can use the file such as “XXXXX, △△△△, □□□□,...” As file authority information of the file. And when the file authority information storage unit 7 is as shown in FIG. 8C, “authority level 2” is acquired as the file authority information of the file.

  As described above, the use range information of the USB memory is determined using the file authority information of the file “AAAAAAA” (S140), and the external storage medium use range setting unit 10 determines the use of the client terminal 3 “ABC123345678”. Then, a control instruction for setting the USB memory usage range information determined by the external storage medium usage range determination unit 9 to the USB memory is transmitted.

  Upon receiving this control instruction, the client terminal 3 “ABC12345678” writes the use range information of the USB memory in the control instruction to the USB memory attached to the client terminal 3 “ABC12345678”, thereby the use range information is stored in the USB memory. (S150).

  For example, if the usage range information is the sales department “Sales Department”, write them to the USB memory, and the usage range information is “XXXXX, △△△△, □□□□, ...” Are written in the USB memory, and when the usage range information is “authority level 2”, they are written in the USB memory. In addition, as the usage range information, information indicating the usage range of the external storage medium such as a used department, user identification information, and authority level may be used in combination.

  By executing the processing as described above, it is possible to set the use range information in the USB memory. FIG. 11 schematically shows the outline of the above processing.

  Next, a case where a USB memory in which usage range information is set is newly attached to the client terminal 3 will be described. The processing process in this case is shown in FIG. Note that the client terminal 3 attached here is “DEF1341234”, and the user identification information of the user is “ΔΔΔΔ”.

  When the client terminal 3 “DEF 1341234” detects that the USB memory is installed (S200), it acquires the user identification information “ΔΔΔΔ” of the user who has logged into the client terminal 3 “DEF12341234”. Then, by comparing the acquired user identification information with the use range information set in the USB memory (S210), it is determined whether or not the USB memory can be used (S220).

  For example, if the user identification information acquired from the client terminal 3 “DEF12341234” is “ΔΔΔΔ” and the usage range information of the USB memory is the usage department “sales department”, the client terminal 3 By referring to the user information storage unit 8 of the management server 2 based on “ΔΔΔΔ”, the affiliation information of the user is acquired. Then, since the user with the user identification information “△△△△” can acquire the affiliation information indicating that the user is “group member” of “sales department XX section ○ G”, it is compared with the department “sales department” that uses the USB memory. Then, it can be determined that the USB memory can be used.

  If the USB memory usage range information is “XXXXX, △△△△, □□□□,...”, The client terminal 3 compares it with the user identification information “△△△△”. To do. Then, since the user identification information of the user is included, it can be determined that the USB memory is usable.

  Further, if the usage range information of the USB memory is “authority level 2”, the client terminal 3 refers to the user information storage unit 8 of the management server 2 based on the user identification information “ΔΔΔΔ”. The authority level information “authority level 2” of the user is acquired. Then, when the acquired authority level information “authority level 2” of the user is compared with the usage range information “authority level 2” of the USB memory, the authority level information “authority level 2” of the user is equal to or higher than the usage range information of the USB memory. It can be determined that the USB memory is usable.

  When it is determined that the USB memory can be used in the client terminal 3 as described above, the client terminal 3 permits the use of the USB memory (S230). If the client terminal 3 determines that the USB memory cannot be used, the client terminal 3 prohibits the use of the USB memory and executes a predetermined control process (S240).

  If the use is not permitted, for example, access to the USB memory or a file stored in the USB memory is denied, recognition of the USB memory as a device is canceled, or a file stored in the USB memory is encrypted. There are control processes such as enabling or deleting a file, enabling only a file reading process, and enabling only a file writing process.

  As for the processing after S210 in the client terminal 3 as described above, a program for executing the processing is stored in the USB memory, and when the USB memory is attached to the client terminal 3, the program is stored in the client terminal 3. It is preferable to read and execute. Further, this program may be provided in the client terminal 3 in advance, or in S150, the external storage medium usage range setting unit 10 transmits to the client terminal 3 together with a control instruction when transmitting usage range information, The client terminal 3 may write the usage range information and the program in the USB memory.

  In the above-described first embodiment, when the file is stored in the USB memory, the use range information is determined and set in the USB memory using the file authority information of the file. However, in the present embodiment, A case will be described in which when the file is deleted from the USB memory, the use range information corresponding to the file is deleted from the USB memory.

  The operation log information of the client terminal 3 is transmitted from each client terminal 3 to the management server 2 periodically or at a predetermined timing. The operation log information is received by the operation log information detection unit 4 (S100).

  The operation log information received by the operation log information detection unit 4 is stored in the operation log information storage unit 5. The operation log information generally includes information for identifying the client terminal 3, date and time information, etc., but if not included, by receiving these information together, The data is stored in the operation log information storage unit 5 in association with each other.

  Further, the operation log information detection unit 4 monitors whether or not the operation is a file access operation to the USB memory based on the received operation log information (S110), and the client terminal 3 performs the file access operation to the USB memory. Is determined (S120).

  When it is determined that the file access operation to the USB memory is not performed, the operation log information detection unit 4 stands by for receiving the next operation log information as it is. If it is determined that a file access operation to the USB memory has been performed, the operation log information extraction unit 6 extracts the operation log information while waiting for the next operation log information to be received. For example, assume that the extracted operation log information is shown in FIG.

  For example, when the operation log information received by the operation log information detection unit 4 from the client terminal 3 “ABC12345678” is FIG. 12, the operation content is “file deletion”, and the storage location information is “external storage medium”. Therefore, it is determined that a file access operation to the USB memory has been performed, and the operation log information extraction unit 6 extracts this operation log information.

  If it is determined that the file deletion operation has been performed, the usage range information may be deleted from the USB memory. Therefore, the external storage medium usage range setting unit 10 sends the USB memory to the client terminal 3 “ABC12345678”. The control instruction to delete the use range information of the USB memory determined and set using the file authority information of the file “AAAAAAA” set in the above is transmitted. The client terminal 3 that has received the control instruction deletes the usage range information set (written) in the USB memory.

  By such processing, when all files are deleted from the USB memory, it is possible to delete the usage range information of the USB memory.

  Next, use range information setting processing when a plurality of files are stored in the USB memory will be described. In this embodiment, the case where the file “AAAAAAA” is already stored in the USB memory and “sales department” is set as the usage range information in the USB memory will be described.

  The operation log information of the client terminal 3 is transmitted from each client terminal 3 to the management server 2 periodically or at a predetermined timing. The operation log information is received by the operation log information detection unit 4 (S100).

  The operation log information received by the operation log information detection unit 4 is stored in the operation log information storage unit 5. The operation log information generally includes information for identifying the client terminal 3, date and time information, etc., but if not included, by receiving these information together, The data is stored in the operation log information storage unit 5 in association with each other.

  Further, the operation log information detection unit 4 monitors whether or not the operation is a file access operation to the USB memory based on the received operation log information (S110), and the client terminal 3 performs the file access operation to the USB memory. Is determined (S120).

  When it is determined that the file access operation to the USB memory is not performed, the operation log information detection unit 4 stands by for receiving the next operation log information as it is. If it is determined that a file access operation to the USB memory has been performed, the operation log information extraction unit 6 extracts the operation log information while waiting for the next operation log information to be received. For example, assume that the extracted operation log information is shown in FIG.

  For example, when the operation log information received from the client terminal 3 “ABC12345678” by the operation log information detection unit 4 is FIG. 13, the operation content is “file write”, and the storage location information is “external storage medium”. Therefore, it is determined that a file access operation to the USB memory has been performed, and the operation log information extraction unit 6 extracts this operation log information.

  Then, the external storage medium usage range determination unit 9 extracts the file identification information “BBBBBBB” from the extracted operation log information, and refers to the file authority information storage unit 7 based on the extracted file identification information. Use department “sales department XX section ◯ G” and use range “extra secret” are acquired as file authority information (S130). When the file authority information storage unit 7 is shown in FIG. 8B, the user who can use the file such as “●●●●, ▲▲▲▲, ■■■■,... And when the file authority information storage unit 7 is as shown in FIG. 8C, “authority level 4” is acquired as the file authority information of the file.

  The management server 2 acquires use range information already set in the USB memory from the client terminal 3. Here, since “sales department” is set as the use range information, this information is acquired. Then, the file authority information of the acquired file is compared with the usage range information already set in the acquired USB memory, and any strict usage range information is determined as the usage range information of the USB memory. Here, the usage department “sales department XX section XXG” that is the file authority information of the file identification information “BBBBBBB” is used based on the usage range “extra secret” rather than the already used department “sales department”. Since the range information “Sales Department XX Section” is stricter, “Sales Department XX Section” is set as new usage range information.

  In addition, if user identification information of a user who can use the file such as “●●●●, ▲▲▲▲, ■■■■,... The user identification information of the file authority information is compared with the user identification information of the user already set in the USB memory as the usage range information, and only the user identification information of the overlapping user is set as the usage range information.

  Further, when the authority level such as “authority level 2” is set as the usage range information, the authority level of the file authority information of the file is compared with the authority level already set in the USB memory as the usage range information. Then, a higher authority level is set as usage range information.

  As described above, the strict usage range information is a comparison between the file authority information of the acquired file and the usage range information already set in the USB memory. Of these, the restriction range is large, the usage range is small, This is usage range information that satisfies conditions such as a small number of users included in the usage range or a high authority level (monitoring level) of the usage range. For example, there is usage range information that satisfies the AND condition for the file authority information of each file.

  As described above, the USB memory use range information is determined (S140), and the external storage medium use range setting unit 10 determines the external storage medium use range determination unit 9 for the client terminal 3 “ABC12345678”. The control instruction for causing the USB memory to set the used range information of the USB memory is transmitted.

  Upon receiving this control instruction, the client terminal 3 “ABC12345678” writes the use range information of the USB memory in the control instruction to the USB memory attached to the client terminal 3 “ABC12345678”, thereby the use range information is stored in the USB memory. (S150).

  By executing the processing as described above, it is possible to set the use range information in the USB memory. FIG. 14 schematically shows the outline of the above processing.

  In the above description, even when a plurality of files are stored in the USB memory, the use range information is set in the USB memory in advance. However, the use range information of the USB memory may be determined when the file is accessed.

  That is, as shown in FIG. 15, the use range information determined for each file stored in the USB memory is stored in the USB memory, and the strictest use range information is used as the use range information of the USB memory. Also good.

  As shown in FIG. 15, when the usage range information determined for each file stored in the USB memory is stored, the usage range information of the USB memory is not determined and set in advance. When the access to the file stored in the USB memory is received from the client terminal 3 attached with USB, the USB memory use range information is determined at the timing when the accessed operation is detected, and the processing of S210 to S240 in FIG. May be executed.

  With this configuration, it is possible to set according to the usage range information determined for each file.

  A case will be described in which, when a file is deleted from a USB memory, usage range information of the USB memory is newly set. In this embodiment, it is assumed that the files “AAAAAAA” and “BBBBBBB” are stored in the USB memory, and the use range information shown in FIG. 15 is set in the USB memory.

  The operation log information of the client terminal 3 is transmitted from each client terminal 3 to the management server 2 periodically or at a predetermined timing. The operation log information is received by the operation log information detection unit 4 (S100).

  The operation log information received by the operation log information detection unit 4 is stored in the operation log information storage unit 5. The operation log information generally includes information for identifying the client terminal 3, date and time information, etc., but if not included, by receiving these information together, The data is stored in the operation log information storage unit 5 in association with each other.

  Further, the operation log information detection unit 4 monitors whether or not the operation is a file access operation to the USB memory based on the received operation log information (S110), and the client terminal 3 performs the file access operation to the USB memory. Is determined (S120).

  When it is determined that the file access operation to the USB memory is not performed, the operation log information detection unit 4 stands by for receiving the next operation log information as it is. If it is determined that a file access operation to the USB memory has been performed, the operation log information extraction unit 6 extracts the operation log information while waiting for the next operation log information to be received. For example, assume that the extracted operation log information is shown in FIG.

  For example, when the operation log information received from the client terminal 3 “ABC12345678” by the operation log information detection unit 4 is FIG. 16, the operation content is “file deletion” and the storage location information is “external storage medium”. Therefore, it is determined that a file access operation to the USB memory has been performed, and the operation log information extraction unit 6 extracts this operation log information.

  When it is determined that the file deletion operation has been performed, only the usage range information of the file needs to be deleted from the USB memory, so the external storage medium usage range setting unit 10 determines that the client terminal 3 “ABC12345678” , A control instruction to delete the use range information of the file “BBBBBBB” set in the USB memory is transmitted. The client terminal 3 that has received the control instruction deletes the usage range information of the file “BBBBBBB” that is set (written) in the USB memory. The use range information after deletion is as shown in FIG.

  Through such processing, the usage range information of the file “BBBBBBB” is deleted.

  When the usage range information is set for each file, the client terminal 3 “ABC12345678” uses the USB memory after deletion as shown in FIG. 17 as the usage range information after deletion of the file in the USB memory. The strictest usage range information is identified from the usage range information of the remaining file, and it is set and updated as new usage range information (written to the USB memory). In the above-described case, the usage range information of the USB memory is “sales department XX section” before the deletion, but is changed to “sales department” after the deletion.

  By executing the processing as described above, even if the file stored in the USB memory is deleted, the usage range information of the USB memory can be updated appropriately.

  In the first to fourth embodiments, the file authority information of the file and the use range information of the USB memory have been described such as the use department and use range, the usable user, and the authority level. And a user may be associated with each other, and an operation that can be performed for each user may be set as use range information. For example, for user A, only file read operation, for user B only file write operation, for user C, only file read / write operation may be restricted for each user. Of course, it is possible to limit the operations that can be performed not only by the user but also by the department and authority level.

  In the first to fourth embodiments described above, when a plurality of files are stored in the USB memory, the case where the strictest file authority information of each file is set as the usage range information of the USB memory has been described. Alternatively, the use range information that satisfies the OR condition for the loosest use range information or the file authority information of each file may be set as the use range information.

  For example, as the file authority information of file A, the department used is “sales department”, the usage range is “secret”, the file authority information of file B is “general affairs department”, and the usage scope is “extra secret”. In this case, as the usage range information of the USB memory, “sales department or general affairs section” can be set.

  Alternatively, the file authority information of the file A is the user “XXXXX, △△△△, □□□□”, and the file authority information of the file B is the user “●●●●, ▲▲▲▲, ■■■ ””, The usage range information of the USB memory is the user “XXXXX, △△△△, □□□□, ●●●●, ▲▲▲▲, ■■■■” Can also be set.

  Further, when the authority level “2” is set as the file authority information of the file A and the authority level “4” is set as the file authority information of the file B, the authority level “2” can be set as the use range information of the USB memory. .

  As described above, among the file authority information of the files stored in the USB memory, information using the OR condition of the file authority information of each file may be set as the usage range information of the USB memory. .

  Each function of the external storage medium management system 1 of the present invention may be appropriately distributed in the client terminal 3 and the management server 2.

  For example, the operation log information detection unit 4, the external storage medium use range determination unit 9, and the external storage medium use range setting unit 10 can be provided in the client terminal 3.

  Note that there are various patterns of variations in the distributed arrangement, and any arrangement form may be used. In these cases, when using the functions of another computer terminal or server during processing in the client terminal 3 or the management server 2, the inquiry is made to the other computer terminal or server and the result is received. It is used for processing. Then, the processing result is executed.

  When a file is stored in an external storage medium such as a USB memory by the external storage medium management system 1 described above, the use range of the external storage medium can be set based on the use range of the file. Become. When an external storage medium is connected to a computer terminal, it is determined whether the user is within the range of use, so that even if the external storage medium is lost, the third party who acquired it can The file recorded there cannot be used on the computer terminal, while the employee can copy to the laptop computer lent from the company via an external storage medium.

Thus, according to the external storage medium management system 1 of the present invention, it is possible to achieve both prevention of information leakage and ease of daily work.

1 is an overall conceptual diagram of the present invention. It is a conceptual diagram which shows an example of the system configuration | structure of this invention. It is a conceptual diagram which shows an example of the hardware constitutions of a management server. It is a flowchart which shows an example of the processing process of this invention. It is a flowchart which shows an example of the processing process of this invention. It is an example of operation log information. It is an example of the operation log information storage part. It is an example of a file authority information storage unit. It is an example of a user information storage part. It is an example of the extracted operation log information. It is a figure which shows typically the setting process of the use range information of a USB memory. It is another example of operation log information. It is another example of operation log information. FIG. 10 is a diagram schematically illustrating a setting process of use range information of a USB memory according to a third embodiment. It is a figure which shows that use range information is preserve | saved for every file preserve | saved at USB memory. It is another example of operation log information. It is a figure which shows the use range information for every file after the file preserve | saved at USB memory is deleted.

Explanation of symbols

1: External storage medium management system 2: Management server 3: Client terminal 4: Operation log information detection unit 5: Operation log information storage unit 6: Operation log information extraction unit 7: File authority information storage unit 8: User information storage unit 9 : External storage medium use range determining unit 10: External storage medium use range setting unit 20: Computing device 21: Storage device 22: Display device 23: Input device 24: Communication device

Claims (5)

An external storage medium management system for setting usage range information in an external storage medium,
The external storage medium management system includes:
An operation log information detection unit that acquires operation log information of a computer terminal equipped with the external storage medium and detects operation log information related to file access to the external storage medium in the computer terminal;
The detected operation log information is used to identify the file that is the target of file access, to acquire file authority information indicating the usage authority associated with the file, and based on the acquired file authority information, the external An external storage medium usage range determination unit for determining storage medium usage range information;
An external storage medium use range setting unit for setting the determined use range information in the external storage medium of the computer terminal;
An external storage medium management system comprising: The computer terminal equipped with the external storage medium is
When determining the mounting of the external storage medium, the user identification information of the computer terminal and the usage range information set in the external storage medium are used to determine the content of usage restrictions on the external storage medium.
The external storage medium management system according to claim 1. At least one computer terminal
An operation log information detection unit that acquires operation log information of a computer terminal equipped with an external storage medium and detects operation log information related to file access to the external storage medium in the computer terminal;
The detected operation log information is used to identify the file that is the target of file access, to acquire file authority information indicating the usage authority associated with the file, and based on the acquired file authority information, the external An external storage medium usage range determination unit for determining storage medium usage range information;
An external storage medium use range setting unit for setting the determined use range information in the external storage medium of the computer terminal;
An external storage medium management program that functions as a storage medium. An external storage medium capable of storing use range information in a predetermined storage area,
The external storage medium is
Usage range information determined based on file authority information of a file stored in the external storage medium is written to the predetermined storage area by a first computer terminal on which the external storage medium is mounted,
When it is determined that the external storage medium is attached to the second computer terminal, the written usage range information is read to the second computer terminal, and the user of the user of the second computer terminal Using the identification information and the usage range information, the content of usage restrictions on the external storage medium is determined in the second computer terminal.
An external storage medium characterized by the above. A computer terminal that determines the mounting of the external storage medium storing use range information determined based on file authority information of a file stored in the external storage medium,
When the external storage medium is attached to the computer terminal, the use range information stored in the external storage medium is read to the computer terminal, and the user identification information of the user of the computer terminal and the use range information are used. Means for determining the contents of usage restrictions on the external storage medium in the computer terminal;
Security program characterized by functioning as

Images