JP2017142626A - Information management system and information management program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology of controlling transmission in accordance with the contents of data transmitted to an external server.SOLUTION: A relay/management apparatus receives a request transmitted from a terminal to an external server. When there is uploaded data, in response to the request, an inspection apparatus inspects the amount of protection information included in the uploaded data, by use of a dictionary database storing elements that constitute the protection information. The relay/management apparatus determines whether the uploaded data corresponds to protect-required data which includes predetermined pieces of protection information or more, or corresponds to unrecognizable data which cannot be referred and does not provide an inspection result. The relay/management apparatus further determines whether the uploaded data corresponds to regulation-required data which requires regulation of transmission, on the basis of a criterion on a threshold, or the like, of the uploaded data set in advance as a rule.SELECTED DRAWING: Figure 7

Description

  The present invention relates to a technique for relaying and managing information transmitted from one computer to another computer via a network.

In recent years, leaks of personal information and confidential information by companies and organizations have continued, and topics related to information security have often been covered in the press. Information leakage routes mainly include portable recording media such as the Internet and USB, e-mail, small devices such as PCs and smartphones, etc. Among them, the number of leaks via the Internet is overwhelmingly large. Is. In addition, the cause of information leakage is not necessarily caused by negligence, but there are cases where specific information is intentionally transmitted to the outside and leaked, and there are cases where a large amount of data is leaked due to a cyber attack.
Against this backdrop, the Personal Information Protection Law and Unfair Competition Prevention Law have been revised to strengthen legal protection of personal information and trade secrets. Strict management is also required for the My Number (social security / tax number: the same shall apply hereinafter), which began operation in 2016, in accordance with the Numbering Act.

  On the other hand, companies and organizations monitor the data transmission to the outside and the use of Internet sites in daily operations while preventing information leakage due to external factors by installing equipment to guard against cyber attacks. There is an urgent need to prevent information leakage due to internal factors by controlling according to the situation. Not only reliable sites on the Internet, but also dangerous sites that have been confirmed to be infected with viruses and illegal sites used for Internet fraud, for example, and information is uploaded to such sites There is a concern that the information may be diverted to a use that is not anticipated by the user. There are also sites that want to refrain from internal access due to the nature of the content posted.

  Accordingly, various filtering techniques have been developed to limit the use of such sites. For example, there is known an invention of a browsing control method for determining permission or prohibition of access based on information on an access-permitted site / access-prohibited site and useful-word keywords / prohibited-word keywords set in advance in a database (for example, patents) Reference 1). In this method, access is permitted when a site requested to be browsed by a user (hereinafter referred to as “requested site”) corresponds to an access-permitted site, and access is prohibited when it corresponds to an access-prohibited site. If none of these apply, the proxy server accesses the request site and checks the contents of that site. Specifically, if prohibited words are not included in the content, access to the requested site is permitted, and if prohibited words are included, access to the requested site is only included if useful words are also included. Allow.

  In addition, site information classified by category in the database is registered in advance, and a request method to be regulated for each category or site is set, and when the HTTP request is received by the data relay device, the request method is used. A technique for determining whether or not a request site is permitted is disclosed (for example, see Patent Document 2). For example, when only the POST method is set as a restriction target for the site A, if the request received by the data relay device is a request by the GET method for the site A, the request is permitted and the user is sent to the site A. Although access is possible, if the request is a request by the POST method for site A, the request is restricted and the user cannot access site A.

JP 2001-282797 A JP 2004-348202 A

  According to the former prior art, in order to determine whether the requesting site is a site that does not have a problem with access, in addition to the URL of the site, in addition to the keyword included in the content of the site, access permission or prohibition is determined. Compared to filtering performed based on URL-based site / category information set in advance, it is considered that finer access control according to the actual situation of the site can be realized. Further, according to the latter prior art, by allowing control of multiplying site / category information and request method, permission / prohibition can be switched in accordance with the type of request even in the same site. However, it is possible to control such that writing on the bulletin board is prohibited.

  However, in any prior art, since the content transmitted from the user's terminal to the requesting site is not confirmed, it is assumed that the written information and the uploaded file contain personal information and confidential information. However, if access to the site is permitted, the transmission request is executed. As a result, personal information and confidential information are transmitted to the external server, and the occurrence of information leakage cannot be prevented in advance.

  Therefore, an object of the present invention is to provide a technique for determining the degree of necessity of protection according to the contents of data being transmitted and controlling data transmission according to the result.

  That is, the information management system of the present invention inspects whether or not protection information is included in the data using elements constituting the protection information stored in the database, and outputs inspection results, and inspection means A means for recording the inspection result output by the method, and whether the data corresponds to protection required data that is one of a plurality of classifications according to the degree of necessity of protection based on the inspection result On the other hand, if the inspection result is not output by the inspection means, the protection necessity determination means and the protection necessity determination means for determining that the data corresponds to indeterminate data of a classification different from the protection required data If it is determined that the data does not correspond to data requiring protection, it is determined that the data is not required to be regulated data of a different classification, while the data is classified as data requiring protection or If it is determined that corresponds to the non data and a determining regulatory necessity determination means for determining whether data corresponds to the main regulation data based on preset determination conditions.

  In order to identify the protection information as elements constituting the protection information, such as the name of the last name constituting the name list, the keyword of the name of the prefecture, the city, the name of the prefecture, the format that forms the standard information such as an e-mail address or telephone number, etc. Necessary information is stored in advance. Therefore, by using this database, the protection information included in the data can be detected efficiently.

  Further, the data targeted by the information management system is classified into a plurality according to the degree of necessity of protection determined based on the inspection result. Specifically, first, data is classified into one of three branches “corresponding to protection required data”, “not corresponding to protection required data”, and “corresponding to undecidable data” according to the inspection result. Based on this classification, the data “corresponding to protection required data” or “corresponding to data that cannot be determined” is classified into one of the two branches “corresponding to regulatory data” or “not applicable to regulatory data”. Is done. According to the above-described aspect, since the latter classification is performed based on a predetermined determination condition, whether or not “corresponds to restriction data” is determined by setting a determination condition according to the use environment. The determination can be performed with high accuracy.

  The protection necessity determination means determines that the data corresponds to protection required data when the number of pieces of protection information included in the data is equal to or greater than a threshold set in advance for the protection information, and is equal to or less than the threshold. In this case, it is determined that the data does not correspond to the data requiring protection.

  The content of information to be protected varies depending on the type of business and job description. Considering data that contains a large number of address (location) information, in the case of data with addresses as part of personal information such as customer lists and employee lists, the number of addresses included is small. However, since the necessity for protection is high, it is considered to fall under protection data. On the other hand, in the case of data where the address is described as part of publicly available information, such as a list of business establishments or a list of affiliations of so-called professionals such as lawyers and tax accountants, Even if the number of locations included is large, the need for protection is low, so this data is not considered to require protection. In this way, the weight of the information to be protected is not uniformly determined, and if it is determined whether or not the data requires protection based on the uniformly determined determination condition, the determination result is used. Depending on the scene, it can be a useless long item.

  According to the above-described aspect, when any number of protection information is included in the data, it is determined that the data is “corresponding to protection required data”, that is, a threshold for each type of protection information is set in the use environment. Accordingly, the threshold value set in advance can be used as a determination condition, so that it is possible to accurately determine whether or not “corresponding to protection required data”.

  Preferably, the information management system further includes rule pre-setting means for setting in advance a determination condition as to whether or not the data determined by the restriction necessity determination means corresponds to the restriction data.

  Based on the result of inspection by the inspection means, the data to be determined by the regulation necessity determination means is “data that falls under protection required data” and the data that cannot be referred to and cannot be inspected. Data, which have different properties. Therefore, when the regulation necessity determination unit performs classification different from the protection necessity determination unit for these data, it is desirable to apply different determination criteria for each data.

  According to the above-described aspect, different determination conditions are set in advance for each data to be determined, and the restriction necessity determination means sets these data as “required restriction data”, “not applicable restriction data”. This determination condition can be applied when classifying it into one of the two branches. Therefore, it is possible to determine whether or not “corresponds to the regulation required data” in a form that is more realistic.

  More preferably, the rule pre-setting unit sets the data size threshold as a determination condition, and if the protection necessity determination unit determines that the data corresponds to protection required data or data that cannot be determined, the rule pre-setting unit uniformly sets the data. Whether to determine whether the data falls under the restriction data, whether the data does not fall under the restriction data uniformly, or whether the data corresponds to the restriction data according to the data size. The restriction necessity determination unit determines whether the data corresponds to the restriction data based on the determination condition preset by the rule presetting unit.

  According to such an aspect, the condition for determining whether the data “corresponding to protection required data” is “corresponding to regulation data” and the data “corresponding to undecidable data” are “regulation required”. It is possible to set different conditions for determining whether or not “applicable to data”, and to set a different value for the threshold value of the data size that forms part of the determination condition. Can do. Therefore, it is possible to determine whether or not “corresponding to regulation-required data” based on more detailed determination conditions for two patterns of data having different properties.

  The information management system further includes receiving means for receiving a request for the external server transmitted from the user terminal, and the inspection means stores the protection information in the user data uploaded in response to the request received by the receiving means. Check if it is included.

  According to such an aspect, it is inspected whether the protection information is included for the data being transmitted from the user terminal to the external server, and based on the inspection result, the data “corresponds to regulation data” It can be determined whether or not. Therefore, when determining whether or not the request transmitted from the user terminal should be transferred to the external server, this determination result can be used as one determination material.

  The information management program of the present invention is a program for causing a computer that transmits a request to an external server to function as a means included in the information management system of each aspect described above. Including performing a check to see if the protection information is included in the data being sent to the server.

The computer that transmits a request to the external server is a computer that transmits a request to the external server due to an operation performed by the user through the input device, and can be referred to as a user terminal.
According to such an aspect, since each means provided in the information management system can be implemented only by the user terminal, without being affected by the network congestion situation or the load situation of other computers, The data being transmitted to the external server is inspected, and data transmission can be controlled according to the result.

In other words, the information management program according to the present invention uses the elements constituting the protection information stored in the database to the computer that sends a request to the external server to the data that is being sent to the external server in response to the request. An inspection step for checking whether protection information is included and outputting the inspection result, a recording step for recording the inspection result output by the inspection step, and the data based on the inspection result to the degree of need for protection In response to this, it is determined whether or not the data needs to be protected, which is one of a plurality of classifications. If the inspection result is not output by the inspection step, the data is different from the data that requires protection. The data is classified as protection-required data by the protection necessity determination step and the protection necessity determination step. If it is determined that the data does not correspond to the required regulation data of a different classification, on the other hand, if it is determined that the data corresponds to the protection required data or the data that cannot be determined, the predetermined determination condition is satisfied. And a regulation necessity determination step for determining whether or not the data corresponds to the regulation requirement data.
The protection necessity determination step determines that the data corresponds to protection required data when the number of pieces of protection information included in the data is equal to or greater than a threshold set in advance for the protection information, and is equal to or less than the threshold. In this case, it is determined that the data does not correspond to the data requiring protection.
Preferably, the method further includes a rule pre-setting step for presetting a determination condition as to whether or not the data determined in the restriction necessity determination step corresponds to the restriction requirement data.
More preferably, in the rule pre-setting step, in addition to setting a data size threshold as a determination condition, the data is uniformly set when the data is determined to be protection required data or data that cannot be determined by the protection necessity determination step. Whether to determine whether the data falls under the restriction data, whether the data does not fall under the restriction data uniformly, or whether the data corresponds to the restriction data according to the data size. Then, the restriction necessity determination step determines whether the data corresponds to the restriction data based on the determination condition set in advance by the rule pre-setting step.

  According to the present invention, it is possible to determine the degree of necessity of protection according to the content of data being transmitted, and to realize control of data transmission according to the result.

It is a block diagram of the environment where an information management system operates. It is a figure explaining the scene where an information management system is used. It is a functional block diagram of an information management system. It is a figure which shows the example of a rule setting screen. It is a figure which shows the example of the policy setting screen regarding protection information. It is a flowchart which shows the example of a procedure of an information management process. It is a flowchart which shows the example of a procedure of an information management main process. It is a flowchart which shows the example of a procedure of a protection information inspection process. It is a sequence diagram which shows the operation example at the time of the information management system managing the data transmitted with respect to an external server. It is a figure showing the example of the alert message displayed on a screen by the control which an information management system performs. It is a block diagram of the environment where an information management program operates. It is a functional block diagram of an information management program. It is a flowchart which shows the example of a procedure of an information management process. It is a flowchart which shows the example of a procedure of an information management main process. It is a flowchart which shows the example of a procedure of a protection information inspection process. It is a sequence diagram which shows the operation example at the time of the information management program managing the data transmitted with respect to an external server. It is a flowchart which shows the example of a different procedure of the information management main process in an information management system / program.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The following embodiment is a preferred example, and the present invention is not limited to this example.
FIG. 1 is a configuration diagram of an environment in which an information management system 100 according to an embodiment operates. The information management system 100 can be applied to, for example, a computer environment connected to an in-house LAN as assumed by a general company.

  As shown in this figure, the network 20 corresponding to the in-house LAN is wired inside the firewall 60. The network 20 is connected to a proxy server 30 that relays communications from which the terminal 10 is a transmission source, in addition to the terminal 10 that the user uses in daily work. When the user activates a web browser on the terminal 10 to display an external website or send an e-mail addressed to an external e-mail address, the terminal 10 sends requests associated with these operations on the Internet 70. The data is transmitted to an external server existing outside (outside the firewall 60). These requests transmitted from the terminal 10 and the data uploaded with this are relayed by the proxy server 30. The proxy server 30 is a web proxy and relays the connection by HTTP between the terminal 10 and the external server.

  By the way, for example, when a user sends a file on which an employee list is posted to the outside, regardless of whether the user's operation is intentional or negligent, once the file goes outside the company, There is a risk of information leakage. Therefore, it is desirable to minimize the transmission of such information to the outside.

  The information management system 100 is configured to function effectively in such a situation. The information management system 100 is configured across a proxy server 30 and an inspection server 40 that can be connected to each other via a network 20. The proxy server 30 is provided with a function for relaying and managing a request transmitted from the terminal 10 to an external server connected to the Internet 70 and data accompanying the request. In addition, the inspection server 40 detects and further detects information (hereinafter referred to as “protection information”) that requires attention in handling confidential information, personal information, and the like included in data relayed by the proxy server 30. A function for inspecting whether or not this data is data that needs to be protected (hereinafter referred to as “required protection data”) in consideration of the type of protected information and the number of cases is implemented. That is, the proxy server 30 functions as a relay / management device, and the inspection server 40 functions as an inspection device.

  More specifically, when receiving a request issued from the terminal 10 toward the external server, the proxy server 30 first confirms whether there is upload data associated with this request. If upload data exists, this data is transmitted to the inspection server 40. Upon receiving the upload data, the inspection server 40 inspects the protection information for the data using the dictionary database 50 and transmits the inspection result to the proxy server 30. The proxy server 30 considers conditions such as the data size in addition to the inspection result, and determines whether or not the upload data is data that requires transmission restriction (hereinafter referred to as “required restriction data”). Then, the proxy server 30 performs determination based on the request destination URL to determine whether the request from the terminal 10 should be transferred to the external server (hereinafter referred to as “site determination”). And transfer or discard the request. Specific processing relating to each determination and protection information inspection processing will be described in detail later.

  Although one proxy server 30 is shown in FIG. 1, a plurality of proxy servers 30 may be configured, and the relay / management function of the information management system 100 may be implemented in each server. The dictionary database 50 may be mounted in the internal storage area of the inspection server 40, or may be an external device such as a USB memory or an external hard disk drive (HDD) connected via various ports such as USB and SCSI. It may be mounted on a storage medium or another computer connectable via the network 20. Furthermore, all the functions of the information management system 100, that is, the relay / management function and the inspection function may be implemented on the same server (proxy server 30).

FIG. 2 is a diagram illustrating a scene in which the information management system 100 functions.
FIG. 2A shows a scene in which contents written on an external web page are transmitted. This web page has an inquiry form. In addition to a field for selecting one of a plurality of options prepared in advance, a field for freely inputting the question contents in text format, up to 3 supplementary materials are attached. Combined with the upload field that allows.

  When the user opens this web page on the terminal 10 and presses the [Send] button after completing the input in each field, the terminal 10 transmits the input data to the URL specified on this web page. Send a request. The information management system 100 functions in this scene, receives a request, examines input data, and determines whether or not this data is required data. In this case, all the contents entered on the inquiry form are sent as input data, that is, the choice selected in “Category”, the text entered in “Question Details”, and the file uploaded as “Supplementary Material” These are subject to inspection of protection information.

  FIG. 2B shows a scene in which a web mail screen is activated and mail is transmitted to an external mail address. In this mail, in addition to the subject inputted as text and the mail body, one attached file is set. When the user presses the [Send] button in this state, a mail is sent from the terminal 10. The information management system 100 functions here, and receives and inspects the mail transmitted from the terminal 10, and determines whether or not the data transmitted by this mail is the regulation required data. In this case, the file attached as “subject”, “mail body”, and “attached file” is the inspection target of the protection information.

  FIG. 2C shows a scene in which a file is uploaded to a shared folder using the cloud service. In this example, a screen on which a menu for uploading a new file to this folder appears on the front side of the screen on which the file list of the folder “archive” is displayed. Two files have been added. When the user presses the [Upload the above file] button in this state, the terminal 10 transmits a request for transmitting these two files to a predetermined URL specified by the cloud service. The information management system 100 functions in this scene, and the same processing as in the above example is executed. In this case, the two files being uploaded to the shared folder on the cloud are subject to protection information inspection.

  FIG. 3 is a functional block diagram of the information management system 100. As shown in this figure, the information management system 100 includes a rule management unit 110, a request reception unit 120, a data transmission unit 130, an inspection result reception unit 140, a data determination unit 150, a site determination unit 160, a log recording unit 170, The request processing unit 180, the pattern storage unit 200, the policy management unit 210, the data reception unit 220, the protection information detection unit 230, the protection determination unit 240, and the inspection result transmission unit 250 are included. The information management system 100 is configured across the proxy server 30 and the inspection server 40, functions related to relay and management are implemented in the proxy server 30, and functions related to data inspection are implemented in the inspection server 40. . Thereby, the proxy server 30 functions as a relay / management apparatus, and the inspection server 40 functions as an inspection apparatus.

  The data to be subject to relay, inspection and management by the information management system 100 is data transmitted from the terminal 10 to the external server by the user. The terminal 10 is not included in the category of the information management system 100, but is also included in FIG. 3 to explain the relationship with the proxy server 30 that relays and manages requests transmitted from the terminal 10 to the external server. Is shown. The terminal 10 has an application used for HTTP communication with an external server such as a web browser or a mail client, and the proxy server 30 receives a request transmitted from the application. If any notification is returned from the proxy server 30 in response to this request, the application 18 displays it.

  Functions from the rule management unit 110 to the request processing unit 180 are implemented in the proxy server 30, and functions from the pattern storage unit 200 to the inspection result transmission unit 250 are implemented in the inspection server 40. For convenience of describing the interrelationship between functions, the following description with respect to FIG. 3 will be described in an unordered order of the symbols attached to each function.

  The rule management unit 110 abbreviates detailed items necessary for the information management system 100 to relay and manage a request transmitted from the terminal 10, for example, an in-house information manager (hereinafter, “manager”). ) Is set in advance according to the designation made via the rule setting screen, and the setting content is stored in the internal storage area 36 of the proxy server 30. The detailed matters (hereinafter referred to as “rules”) relating to request relay and management are, for example, URL filtering information of external sites used when determining whether or not a request can be transferred, and upload data accompanying the request. This is a recording form of the inspection result of the protection information, conditions for determining whether or not upload data transmission restriction is necessary based on the inspection result of the protection information, and the like.

The request receiving unit 120 receives a request for an external server transmitted from the application 18 of the terminal 10 and temporarily buffers it, and confirms whether there is upload data associated with this request.
The data transmission unit 130 transmits this data to the data reception unit 220 of the inspection server 40 when upload data exists in the request buffered by the request reception unit 120.
The data reception unit 220 receives the upload data transmitted by the data transmission unit 130 of the proxy server 30 and temporarily stores it in the internal storage area 46 of the inspection server 40.

  The pattern storage unit 200 corresponds to the dictionary database 50 of the inspection server 40, and forms elements constituting the protection information, more specifically, keywords indicating the last name, prefecture name, city name, etc., and fixed protection information. The pattern etc. are memorized. Here, the “standard protection information” is protection information formed in a fixed format such as a credit card number, a telephone number, a date of birth, a mail address, or the like. For example, in the case of a credit card number, the “pattern for forming fixed protection information” refers to a continuous 16-digit Arabic numeral or a format in which 16-digit Arabic numerals are separated by four digits each with a hyphen or a space.

  The policy management unit 210 performs details necessary for the information management system 100 to check whether or not the data uploaded from the terminal 10 includes protection information, for example, by the administrator via the policy setting screen. The setting contents are stored in advance in the internal storage area 46 of the inspection server 40. The detailed items (hereinafter referred to as “policy”) regarding the inspection of the protection information are conditions for determining that the data to be inspected is data requiring protection.

  The protection information detection unit 230 detects the protection information included in this data for the upload data temporarily stored by the data reception unit 220. The protection information is detected by matching with information stored in the pattern storage unit 200 or the like. The protection information detection unit 230 outputs the type of detected protection information and the number of detections for each type.

  The protection required determination unit 240 determines whether the uploaded data is protection required data based on the result output from the protection information detection unit 230 and the policy set in the policy management unit 210. For example, the policy management unit 210 stores a determination condition that “if the target data includes 10 or more email addresses or 5 or more credit card numbers, it is determined that the data needs protection”. If the protection information detection unit 230 outputs the detection result “email address: 12 cases, credit card number: 2 cases”, the protection determination unit 240 requires the threshold value in which the number of detected email addresses is set in the policy. From the above, it is determined that “upload data is data requiring protection”.

The inspection result transmission unit 250 receives the inspection result of the protection information for the upload data, more specifically, the output content of the protection information detection unit 230 and the determination result of the protection determination unit 240 by the inspection result of the proxy server 30. The data temporarily transmitted by the data receiving unit 220 is deleted while being transmitted to the unit 140.
The inspection result receiving unit 140 receives the inspection result transmitted by the inspection result transmitting unit 250 of the inspection server 40.

The data determination unit 150 determines whether or not the upload data is restriction data based on the inspection result received by the inspection result reception unit 140 and the rules set in the rule management unit 110.
The site determination unit 160 determines whether or not the request buffered by the request reception unit 120 should be transferred to the external server based on the rules set in the rule management unit 110. When there is upload data associated with the buffered request, the site determination unit 160 determines whether the request can be transferred based on the determination result made by the data determination unit 150 in addition to the filtering information.

  The log recording unit 170 displays the inspection result received by the inspection result receiving unit 140, the determination result made by the data determination unit 150, the site determination unit 160, and the like according to the rules set in the rule management unit 110. In the internal storage area 36.

  The request processing unit 180 processes the request buffered by the request reception unit 120 based on the determination result of the site determination unit 160. The request processing unit 180 transfers this request to the external server when it is determined that transfer is possible, and discards this request when it is determined that transfer is not possible. When discarding the request, the request processing unit 180 further transmits an alert message (HTML file) indicating that the request has been discarded (data transmission has been canceled) to the terminal 10. When the terminal 10 receives this notification, the application 18 that is the transmission source of the request displays an alert message (HTML file) transmitted from the request processing unit 180 of the proxy server 30.

  FIG. 4 is a diagram illustrating an example of a rule setting screen provided by the rule management unit 110. As shown in this figure, items necessary for the information management system 100 to relay and manage requests are displayed on the rule setting screen. The administrator can set in advance rules relating to request relay and management through this setting screen.

  The rule management unit 110 provides a screen for setting, for example, a site determination target URL, a log recording form, whether a request can be transferred based on a data inspection result, and the like.

The “site determination target URL” is a URL used when the site determination unit 160 determines whether or not the request transmission destination, that is, the site that the user tried to access is a problem site, that is, filtering of external sites based on the URL. Set the information. The site determination target URLs are classified into “unconditionally permitted sites”, “restricted sites”, and “restricted exception sites”, and the URLs of the corresponding sites are designated.
An unconditionally permitted site refers to a site that has been confirmed to be a trusted site and allows unconditional access. The information management system 100 permits all transfer of requests to the unconditionally permitted site. When upload data accompanies the request, the information management system 100 permits the transfer of the request without checking the protection information for this data.

A restricted site refers to a site that restricts access unconditionally because access should not be allowed for any reason. The information management system 100 discards all requests transferred to the regulated site and notifies the terminal 10 that is the request transmission source. When upload data accompanies the request, the information management system 100 checks the protection information for this data, records a log of what information was being sent to the regulated site, and Discard the request.
A regulatory exception site is literally a “regulatory site exception” and refers to a site that allows access monitoring while permitting access. The information management system 100 permits a request for a regulation exception site, and inspects protection information and records a log for upload data associated therewith.

  It should be noted that a site that does not correspond to any of the URLs set in the above three categories does not know in advance whether there is a reason for restricting access on the site side. Thus, all requests for such sites are forwarded if no upload data is involved. On the other hand, when upload data is accompanied, whether or not the request is transferred is determined depending on how much protection information is included in the data. More specifically, whether or not the request can be transferred when upload data is accompanied is determined according to the determination condition set in “Request transfer based on data inspection result” at the bottom of the rule setting screen shown in FIG. It will be judged.

  In the “log recording form”, the recording form of the inspection result of the protection information performed on the upload data accompanying the request is set. When “only output of inspection result” is selected, the information management system 100 records the type of protection information included in the upload data, the number of cases for each type, and the like. When “output of inspection result and storage of inspection target data” is selected, the information management system 100 records the inspection result and stores the upload data as the inspection target.

  In “whether or not a request can be transferred based on the data inspection result”, a condition for determining whether or not the upload data is data requiring regulation is set based on the inspection result of the protection information. If the uploaded data can be referred to without any problem, the information management system 100 can check the protection information and determine whether or not the data needs protection. However, if the uploaded data cannot be referenced, for example, if the data is in a file format, and this file has a password, is encrypted, or is damaged, information management Since the system 100 cannot check the contents, the protection information cannot be inspected.

  Therefore, there are three patterns that can be assumed in advance as inspection results: “When data is determined to be protected (when it can be inspected without problems)” and “When the data is an uninspectable file (file with password)” And “when the data is an uninspectable file (other reason)”, it is possible to set in advance what criteria the information management system 100 determines to determine that this data is regulated data. .

  For example, as shown in FIG. 4, when “partial restriction (target data size: 5 MB or more)” is set in “when data is determined to require protection”, the file size specified as the threshold is set. (5MB) is changed, and if the data is 5MB or more, it is determined to be regulated data and treated as regulated, while if it is less than 5MB, it is judged as not regulated data and regulated. Treated as outside. In addition, if “all restrictions” is selected in “when the data is an uninspectable file”, it is determined that the data is required to be regulated uniformly, and all data that could not be inspected is treated as a regulation target. Become.

  If the data is a file that cannot be inspected, the data cannot be inspected, so it is not known at all whether the data includes protection information. However, if the data cannot be referred to, even if it is sent to an external server, it can only be opened by a person who knows what kind of file the data is. (Regulation is not necessary). For example, if an email being sent is subject to inspection and the data attached to this email was a file with a password and could not be referenced and could not be inspected, if the recipient of the email knows the password, the attached file However, even if this email is intercepted for some reason during the transfer process, there is no worry that the file will be opened if the password is not known. Therefore, for uninspectable files, as well as when they can be inspected (when the data is determined to be protected), prepare three options: “Allow all”, “Partial restrictions”, and “All restrictions”. Yes.

  FIG. 5 is a diagram illustrating an example of a policy setting screen related to protection information provided by the policy management unit 210. As shown in this figure, on the policy setting screen, a policy necessary for checking protection information for data uploaded in response to a request from the terminal 10 to be managed by the information management system 100 Is displayed. The administrator can set a policy in advance through this setting screen.

  For example, the policy management unit 210 sets an item to be detected as protection information and a threshold for each item as a condition for determining whether or not the data uploaded in response to a request from the terminal 10 is protection required data. . For example, when there are 10 or more descriptions identified as mail addresses in the data, the threshold value for “mail address” is set to “10” if the data is to be handled as protection required data. It is preferable to set a smaller value for the threshold value as the sensitivity of the item to be detected, and hence the necessity for protection, is higher. For example, in FIG. 5, the threshold value for “My Number” is set to “1”, but this is determined as data requiring protection when there is at least one description identified as My Number in the data. Means.

  In addition, it is possible to select whether the detection conditions of individual items are linked by AND / OR, and it is possible to specify more flexible determination conditions according to the use environment. For example, in FIG. 5, the first to third lines (phone number / address / last name) and the fourth to fifth lines (last name / birth date) are connected with AND, and the other lines are connected with OR. ing. In this case, “Telephone number is 2 or more, address is 2 or more, and last name is 2 or more” or “last name is 10 or more and date of birth is 10 or more” or “My Number” The determination condition such as “one or more places”, “10 or more e-mail addresses” or... (Hereinafter abbreviated) is set. By specifying such a determination condition in advance, it is possible to accurately inspect whether or not the inspection target data is data requiring protection.

  FIG. 6 is a flowchart illustrating a procedure example of information management processing by the information management system 100. The information management process starts as the OS of the proxy server 30 starts, and continues to operate until the proxy server 30 is shut down unless it is forcibly terminated. 6 to 8 is executed by the information management system 100, and more specifically, the functional units 110 to 250 included in the information management system 100. The main body that operates the system 100 is the CPUs 32 and 42 of the servers 30 and 40 on which the functions of the information management system 100 are mounted. That is, strictly speaking, the information management system 100 functions by causing the CPUs 32 and 42 to execute the respective processes shown in these flowcharts by the respective function units mounted on the servers 30 and 40.

Hereinafter, it demonstrates along the example of a procedure.
Step S100: The CPU 32 causes the request receiving unit 120 to receive a request for the external server transmitted from the terminal 10, and temporarily buffers the request.
Step S102: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in the previous step S100 is not an unconditionally permitted site. If it is not an unconditionally permitted site (Yes), the CPU 32 next executes step S104. If it is an unconditionally permitted site (No), the CPU 32 next executes step S112.
Step S104: The CPU 32 executes an information management main process. Details of the information management main process will be described later.

Step S106: The CPU 32 confirms the determination result returned in the previous step S104. When it is determined that the upload data accompanying the request transmitted from the terminal 10 is the restriction data (Yes), the CPU 32 next executes step S108. When it determines with it not being regulation required data (No), CPU32 performs step S110 next.
Step S108: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in step S100 is a restriction exception site. If it is a restriction exception site (Yes), the CPU 32 next executes step S112. If it is not a restriction exception site (No), the CPU 32 next executes step S114.
Step S110: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in step S100 is a restricted site. If it is not a restricted site (Yes), the CPU 32 next executes step S112. If it is a restricted site (No), the CPU 32 next executes step S108.

Step S112: The CPU 32 causes the request processing unit 180 to transfer the request buffered in step S100 to the external server.
Step S114: The CPU 32 causes the request processing unit 180 to discard the request buffered in step S100.
Step S116: The CPU 32 causes the request processing unit 180 to notify the terminal 10 that is the transmission source of the request that the request has been discarded.
When the above processing is completed, the information management processing executed by the proxy server 30 (relay / management device) for one request transmitted from the terminal 10 is completed.

  FIG. 7 is a flowchart illustrating a procedure example of information management main processing by the information management system 100. Hereinafter, it demonstrates along the example of a procedure.

Step S150: The CPU 32 causes the request reception unit 120 to confirm whether or not the request for the external server transmitted from the terminal 10 is accompanied by upload data. When the request is accompanied by upload data (Yes), the CPU 32 next executes step S152. When the request does not accompany upload data (No), the CPU 32 next executes step S168.
Step S152: The CPU 32 causes the data transmission unit 130 to transmit the upload data accompanying the request to the inspection server 40.
Step S154: The CPU 42 of the inspection server 40 executes a protection information inspection process. Details of the protection information inspection process will be described later.
Step S156: The CPU 32 causes the inspection result receiving unit 140 to receive the result of the protection information inspection process executed in the previous step S154 from the inspection server 40.

Step S160: The CPU 32 causes the data determination unit 150 to refer to a rule set in advance in the rule management unit 110, and prepares for processing executed in subsequent steps.
Step S162: The CPU 32 causes the data determination unit 150 to confirm the inspection result received in step S156. If it is determined that the upload data accompanying the request transmitted from the terminal 10 is protection required data (Yes), the CPU 32 next executes step S164. When it is determined that the data is not protection required data (No), the CPU 32 next executes step S168. If it is unknown whether the data is protection required data (unknown), that is, if the data is an uninspectable file, the CPU 32 next executes step S170.

Step S164: The CPU 32 causes the data determination unit 150 to confirm the rule setting relating to the necessity of regulation for the protection required data. When the setting is such that transfer of all requests with protection data required is permitted (all permitted), the CPU 32 next executes step S168. If the setting determines whether to restrict the transfer of the request according to the data size of the protection required data (partial restriction), the CPU 32 next executes step S166. If the setting is to restrict all transfer of requests accompanied by the protection required data (all restrictions), the CPU 32 next executes step S174.
Step S166: The CPU 32 causes the data determination unit 150 to check whether or not the data size of the protection required data (upload data) is less than the size set by the rule. When it is less than the prescribed size (Yes), the CPU 32 next executes step S168. When the size is equal to or larger than the specified size (No), the CPU 32 next executes step S174.

Step S168: The CPU 32 causes the site determination unit 160 to determine that the upload data is not restriction data.
Step S170: The CPU 32 causes the data determination unit 150 to confirm the rule setting relating to the necessity of regulation for the uninspectable file. When the setting is to permit all transfer of requests involving uninspectable files (all are permitted), the CPU 32 next executes step S168. If the setting determines whether to restrict the transfer of the request according to the file size of the uncheckable file (partial restriction), the CPU 32 next executes step S172. If the setting is to restrict all transfer of requests involving uninspectable files (all restrictions), the CPU 32 next executes step S174.

Step S172: The CPU 32 causes the data determination unit 150 to check whether or not the data size of the uninspectable file (upload data) is equal to or larger than the size set by the rule. If the size is equal to or larger than the specified size (Yes), the CPU 32 next executes step S174. When it is less than the prescribed size (No), the CPU 32 next executes step S168.
Step S174: The CPU 32 causes the site determination unit 160 to determine that the upload data is restriction data.

Step S176: The CPU 32 causes the log recording unit 170 to record the inspection result received in step S156 and the determination result as to whether or not the data is the regulation data required in step S168 or step S174. If there is no upload data (step S150: No), this processing may be skipped because there is no data to be inspected.
When the above processing is completed, the CPU 32 returns the determination result as to whether or not the data is the restriction required in step S168 or step S174 to step S104 in FIG. Return to the management process (FIG. 6).

FIG. 8 is a flowchart illustrating a procedure example of the protection information inspection process by the information management system 100. In the protection information inspection process, whether or not the inspection target data is protection required data in accordance with the contents set in advance in the policy management unit 210 (whether or not the protection target data includes the specified number or more of protection information) ) Is inspected.
Hereinafter, it demonstrates along the example of a procedure.

  Step S200: The CPU 42 causes the data receiving unit 220 to receive and temporarily store data transmitted from the proxy server 30.

Step S202: The CPU 42 causes the protection information detection unit 230 to detect protection information included in the data temporarily stored in step S200. The protection information is detected by matching with a keyword or pattern stored in the pattern storage unit 200.
Step S204: The CPU 42 determines that the number of protection information types detected by the protection determination unit 240 in the previous step S202 is equal to or greater than the detection number threshold value for each protection information type preset in the policy management unit 210. Let them check if. When the number of detected cases is equal to or greater than a predetermined threshold (Yes), the CPU 42 next executes step S206. When the number of detected cases is less than the predetermined threshold (No), the CPU 42 next executes step S208.

Step S206: The CPU 42 causes the protection determination unit 240 to determine that the inspection target data is protection data.
Step S208: The CPU 42 causes the protection determination unit 240 to determine that the inspection target data is not protection data.
Step S210: The CPU 42 causes the inspection result transmission unit 250 to transmit the temporarily stored data after transmitting the inspection result of the protection information executed in the above steps to the proxy server 30 for the data temporarily stored in Step S200. Let it be deleted.
When the above process is completed, the process returns to step S154 in the information management main process (FIG. 7) that is the caller of the protection information inspection process, and the control of the process returns from the CPU 42 of the inspection server 40 to the CPU 32 of the relay server.

  FIG. 9 is a sequence diagram illustrating an operation example when the information management system 100 manages data transmitted to an external server. The proxy server 30 functions as a management / relay device, and the inspection server 40 functions as an inspection device. Steps corresponding to protocol negotiation and session establishment that are performed in advance when a packet is transmitted and received between computers are general matters and are not described. Hereinafter, it demonstrates along an operation example.

  When a user starts a web browser on the terminal 10 to access an external website, inputs some information and clicks a send button, a request for an external server is transmitted from the terminal 10 at this timing (S11). This is received by the proxy server 30 and the presence / absence of data uploaded with this request is confirmed (S12). Since the information input by the user is to be transmitted this time and there is upload data, the proxy server 30 transmits this data to the inspection server 40 (S13). The inspection server 40 checks whether or not the protection information is included in the received data (S14), and transmits the inspection result to the proxy server 30 (S15). Based on the received inspection result, the proxy server 30 determines whether or not the upload data accompanying the current request is the restriction data (S16), and records the inspection result and the determination result in a log (S17). Then, site determination is performed for the request destination URL (S18). Although the upload data this time is data requiring regulation, since the transmission destination of the request corresponds to the regulation exception site, the proxy server 30 transfers the request to the external server (S19). Upload data is sent to the external server as the request is transferred. In this way, a series of processes executed for the first request transmitted from the terminal 10 is completed.

  After a while, when the user accesses a website different from the above on the terminal 10, inputs some information and clicks the send button, a request for the external server is transmitted from the terminal 10 at this timing (S21). This is received by the proxy server 30 and the presence / absence of data uploaded with this request is confirmed (S22). Since there is upload data this time, the proxy server 30 transmits this data to the inspection server 40 (S23). The inspection server 40 checks whether or not the protection information is included in the received data (S24), and transmits the inspection result to the proxy server 30 (S25). Based on the received inspection result, the proxy server 30 determines whether or not the upload data accompanying the current request is the restriction data (S26), and records the inspection result and the determination result in a log (S27). Then, site determination is performed for the request destination URL (S28). Since the upload data this time is required regulation data and the transmission destination of the request corresponds to the regulation site, the proxy server 30 discards the request without transferring it to the external server (S29). The proxy server 30 notifies the terminal 10 that is the transmission source of this request that the request has been discarded, that is, that the upload data has not been transmitted to the external server (S30). In this way, a series of processes executed for the second request transmitted from the terminal 10 is completed.

  FIG. 10 is a diagram illustrating an example of an alert message displayed on the display of the terminal 10 by the control executed by the information management system 100.

In FIG. 10, (A): it is determined that the data that the user tried to transmit to the external server is the data requiring protection, and the transfer of the request is restricted when the rule “data is determined to require protection”. If so, an alert message indicating that the data transmission has been canceled (request to the external server has been discarded) is displayed. At this time, the user is notified of which protection information causes the data to be determined to be protection required data. In the example shown in this figure, it is shown that the number of pieces of information identified as My Numbers in the data is equal to or greater than a threshold value.
(B) in FIG. 10: The transfer of the request is restricted when the data that the user tries to transmit to the external server is a file with a password and the rule is “when the data is a file that cannot be inspected (file with password)”. If it is set so, an alert message indicating that data transmission has been canceled due to an attempt to transmit a file with a password is displayed.

[Information management program]
FIG. 11 is a configuration diagram of an environment in which the information management program 300 according to an embodiment operates. The information management program 300 can be applied to a general client environment. Here, a case where the information management program 300 is applied to a client environment connected to an in-house LAN in a company will be described as an example.

  As shown in this figure, a network 20 corresponding to an in-house LAN is arranged inside the firewall 60. In addition to the terminal 11 corresponding to the client environment, a proxy server 31 that relays HTTP communication exchanged between the terminal 11 and an external server existing on the Internet 70 (outside the firewall 60) is connected to the network 20. Has been. The request transmitted from the terminal 11 to the external server and the data uploaded with this request are relayed by the proxy server 31.

  The information management program 300 operates on the terminal 11. The terminal 11 has an application used for HTTP communication with an external server such as a web browser or a mail client. For example, a user starts a web browser on the terminal 11 to display an external website or an external website. When attempting to send a mail addressed to a mail address, the terminal 11 sends a request accompanying these operations to an external server. At this time, before the request for the external server is transmitted from the terminal 11, the information management program 300 checks whether or not the protection information is included in the data accompanying the request and performs site determination for the request destination URL. The request is controlled according to these results. The information management program 300 transmits this request when it is determined that there is no problem in transmission, but discards this request when it is determined that the transmission should be restricted.

  When a request is transmitted from the terminal 11, the request is received by the proxy server 31, and then transferred to the external server. The proxy server 31 is not included in the category of the information management program 300, but is also shown in FIG. 12 for explaining the relationship with the terminal 11.

  FIG. 12 is a functional block diagram of the information management program 300. As shown in this figure, the information management program 300 includes a pattern storage unit 310, a policy management unit 320, a rule management unit 330, a request detection unit 340, a data acquisition unit 350, a protection information detection unit 360, and a protection required determination unit 370. A data determination unit 380, a site determination unit 390, a log recording unit 400, a request processing unit 410, and an alert output unit 420.

  In the above-described information management system 100 described with reference to FIGS. 1 to 10, a function for relaying and managing a request is implemented in the proxy server 30, while a function for inspecting data accompanying the request is an inspection server. The information management system 100 functions when these servers 30 and 40 cooperate with each other. On the other hand, the information management program 300 has all the functions including the function for relaying / managing requests and the function for inspecting data accompanying the requests mounted on the terminal 11 and functions only on the terminal 11. .

The pattern storage unit 310 stores various elements constituting the protection information.
The policy management unit 320 provides details (policy) necessary for the information management program 300 to check whether or not the protection information is included in the data accompanying the request, for example, through the policy setting screen by the administrator. The setting contents are set in advance according to the designation, and the setting contents are stored in the internal storage area 16. The policy setting screen provided by the policy management unit 320 is equivalent to the policy setting screen in the information management system 100 shown in FIG.

  The rule management unit 330 provides details (rules) necessary for the information management program 300 to relay and manage a request to an external server in advance according to the designation made by the administrator via the rule setting screen, for example. The setting contents are stored in the internal storage area 16. When rules are set in advance, the information management program 300 relays and manages requests according to the setting contents stored in the internal storage area 16. On the other hand, if no rule is set, the information management program 300 relays and manages the request according to the contents specified as the initial value in the program.

  In addition, although the form in which a rule and a policy are set with the content previously designated by the administrator via the setting screen was illustrated here, it is not limited to this. For example, a rule or policy set by an administrator is provided as an update file, and the update file is acquired by a user of the terminal 11 via a mail or a file server, or the update file is acquired via the network 20 11 and a function that automatically updates the rules and policies with the contents set in the update file while the information management program 300 is running may be implemented.

The request detection unit 340 constantly monitors communication between the terminal 11 and another computer via the network 20, and temporarily detects a request transmitted from the terminal 11 to the external server. .
The data acquisition unit 350 confirms whether or not the upload data accompanies the request buffered by the request detection unit 340. If the upload data exists, this data is acquired and temporarily stored in the internal storage area 16.
The protection information detection unit 360 detects the protection information included in this data for the data temporarily stored by the data acquisition unit 350. The protection information is detected by matching with information stored in the pattern storage unit 310 or the like. The protection information detection unit 360 outputs the type of detected protection information and the number of detections for each type.

The protection required determination unit 370 determines whether the inspected data is protection required data based on the result output from the protection information detection unit 360 and the policy set in the policy management unit 320.
The data determination unit 380 determines whether or not the upload data is the restriction data based on the detection result output from the protection information detection unit 360 and the rules set in the rule management unit 330.
The site determination unit 390 determines whether the request buffered by the request detection unit 340 should be transmitted to the external server based on the rules set in the rule management unit 330. When there is upload data associated with the buffered request, the site determination unit 390 determines whether the request can be transmitted based on the determination result made by the data determination unit 380 in addition to the rule.

  The log recording unit 400 displays the detection result output by the protection information detection unit 360, the determination result made by the data determination unit 380 and the site determination unit 390, etc. according to the rules set in the rule management unit 330. 16 is recorded.

The request processing unit 410 processes the request buffered by the request detection unit 340 based on the determination result made by the site determination unit 390, and then deletes the data temporarily stored by the data acquisition unit 350. The request processing unit 410 transmits this request to the external server when it is determined that transfer is possible, and discards this request when it is determined that transfer is not possible. Note that the request transmitted when it is determined that transfer is possible is relayed to the external server after being relayed by the function 38 that the proxy server 31 originally has.
When the request is discarded by the request processing unit 410, the alert output unit 420 outputs an alert message indicating that the request is discarded (data transmission is canceled) on the display of the terminal 11.

  FIG. 13 is a flowchart illustrating an exemplary procedure of information management processing by the information management program 300. The information management process starts as the OS of the terminal 11 is started, and continues to operate until the terminal 11 is shut down unless it is forcibly terminated. It is the information management program 300 that executes the processes shown in the flowcharts of FIGS. 13 to 15, and more specifically, the function units 310 to 420 included in the information management program 300. The subject that operates the program 300 is the CPU 12 of the terminal 11. That is, strictly speaking, the information management program 300 functions when the CPU 12 causes each functional unit to execute the processing shown in these flowcharts.

Hereinafter, it demonstrates along the example of a procedure.
Step S300: The CPU 12 causes the request detection unit 340 to detect a request to the external server and temporarily buffer it.
Step S302: The CPU 12 causes the site determination unit 390 to check whether or not the transmission destination of the request buffered in the previous step S300 is an unconditionally permitted site. If it is not an unconditionally permitted site (Yes), the CPU 12 next executes step S304. If the site is an unconditionally permitted site (No), the CPU 12 next executes step S312.
Step S304: The CPU 12 executes an information management main process. Details of the information management main process will be described later.

Step S306: The CPU 12 confirms the determination result returned in the previous step S304. When it is determined that the upload data accompanying the request is the restriction data (Yes), the CPU 12 next executes step S308. When it determines with it not being regulation required data (No), CPU12 performs step S310 next.
Step S308: The CPU 12 causes the site determination unit 390 to check whether or not the transmission destination of the request buffered in step S300 is a restriction exception site. When it is a regulation exception site (Yes), CPU12 performs step S312 next. If it is not a restriction exception site (No), the CPU 12 next executes step S314.
Step S310: The CPU 12 causes the site determination unit 390 to confirm whether or not the transmission destination of the request buffered in step S300 is a regulated site. If it is not a restricted site (Yes), the CPU 12 next executes step S312. If it is a restricted site (No), the CPU 12 next executes step S308.

Step S312: The CPU 12 causes the request processing unit 410 to transfer the request buffered in step S300 to the external server.
Step S314: The CPU 12 causes the request processing unit 410 to discard the request buffered in step S300.
Step S316: The CPU 12 causes the alert output unit 420 to output on the display of the terminal 11 that the request for the external server has been discarded as an alert message.
When the above processing is finished, the information management processing executed for one request being transmitted from the terminal 11 is finished.

  FIG. 14 is a flowchart illustrating a procedure example of information management main processing by the information management program 300. Hereinafter, it demonstrates along the example of a procedure.

Step S350: The CPU 12 causes the data acquisition unit 350 to check whether or not the request for the external server is accompanied by upload data. If the request is accompanied by upload data (Yes), the CPU 12 next executes step S352. When the request does not accompany upload data (No), the CPU 12 next executes step S364.
Step S352: The CPU 12 executes a protection information inspection process. Details of the protection information inspection process will be described later.

Step S356: The CPU 12 causes the data determination unit 380 to refer to a rule set in advance in the rule management unit 330, and prepares for processing executed in subsequent steps.
Step S358: The CPU 12 causes the data determination unit 380 to check the inspection result returned in step S352. If it is determined that the upload data accompanying the request is data requiring protection (Yes), the CPU 12 next executes step S360. When it is determined that the data is not protection required data (No), the CPU 12 next executes step S364. If it is unknown whether the data is protection required data (unknown), that is, if the data is an uninspectable file, the CPU 12 next executes step S366.

Step S360: The CPU 12 causes the data determination unit 380 to confirm the rule setting relating to the necessity of regulation for the protection required data. When the setting is to permit all transfer of requests accompanied by the protection required data (all are permitted), the CPU 12 next executes step S364. If the setting determines whether to restrict the transfer of the request according to the data size of the protection required data (partial restriction), the CPU 12 next executes step S362. If the setting is to restrict all transfer of requests accompanied by the data requiring protection (all restrictions), the CPU 12 next executes step S370.
Step S362: The CPU 12 causes the data determination unit 380 to check whether or not the data size of the protection required data (upload data) is less than the size set by the rule. When it is less than the prescribed size (Yes), the CPU 12 next executes step S364. When the size is not less than the specified size (No), the CPU 12 next executes step S370.

Step S364: The CPU 12 causes the site determination unit 390 to determine that the uploaded data is not restriction data.
Step S366: The CPU 12 causes the data determination unit 380 to confirm the rule setting relating to the necessity of regulation for the uninspectable file. When the setting is to permit all transfer of requests involving uninspectable files (all are permitted), the CPU 12 next executes step S364. If the setting determines whether to restrict the transfer of the request according to the file size of the uncheckable file (partial restriction), the CPU 12 next executes step S368. If the setting is to restrict all transfer of requests involving uninspectable files (all restrictions), the CPU 12 next executes step S370.

Step S368: The CPU 12 causes the data determination unit 380 to check whether or not the data size of the uninspectable file (upload data) is equal to or larger than the size set by the rule. If the size is equal to or larger than the specified size (Yes), the CPU 12 next executes step S370. When it is less than the prescribed size (No), the CPU 12 next executes step S364.
Step S370: The CPU 12 causes the site determination unit 390 to determine that the upload data is restriction data.

Step S372: The CPU 12 causes the log recording unit 400 to record the inspection result returned in step S352 and the determination result as to whether or not the restriction data is obtained in step S364 or step S370. If there is no upload data (step S350: No), this process may be skipped because there is no data to be inspected.
When the above processing is completed, the CPU 12 returns the determination result as to whether the data is the restriction data required in step S364 or step S374 to step S104 in FIG. Return to the management process.

  FIG. 15 is a flowchart illustrating a procedure example of the protection information inspection process by the information management program 300. Hereinafter, it demonstrates along the example of a procedure.

  Step S400: The CPU 12 causes the data acquisition unit 350 to acquire upload data associated with the request.

Step S402: The CPU 12 causes the protection information detection unit 360 to detect protection information included in the data acquired in step S400. The protection information is detected by matching with keywords and patterns stored in the pattern storage unit 310.
Step S404: The CPU 12 determines that the number of protection information types detected by the protection determination unit 370 in the previous step S402 is equal to or greater than the detection number threshold value for each type of protection information preset in the policy management unit 320. Let them check if. If the number of detected cases is equal to or greater than the prescribed threshold (Yes), the CPU 12 next executes step S406. When the number of detected cases is less than the predetermined threshold (No), the CPU 12 next executes step S408.

Step S406: The CPU 12 causes the protection determination unit 370 to determine that the inspection target data is protection data.
Step S408: The CPU 12 causes the protection required determination unit 370 to determine that the inspection target data is not protection required data.
When the above processing is completed, the CPU 12 returns the inspection result of the protection information executed in the above steps to step S352 in FIG. 14 which is the caller of the protection information inspection processing, and returns to the information management main processing.

  FIG. 16 is a sequence diagram illustrating an operation example when the information management program 300 manages data to be transmitted to the external server. In the information management system 100 described above, the proxy server 30 functions as a management / relay device and the inspection server 40 functions as an inspection device, whereas in the information management program 300, the terminal 11 functions as a management / relay / inspection device. Function as. Hereinafter, it demonstrates along an operation example.

  When the user starts a web browser on the terminal 11 to access an external website, inputs some information and clicks the send button, the terminal 11 detects a request to the external server at this timing (S41). The presence / absence of data to be uploaded is confirmed (S42). Since the information input by the user is being transmitted and there is upload data this time, it is checked whether or not the protection information is included in this data (S43), and the upload data accompanying this request is based on this check result. Is determined to be required regulation data (S44), and the inspection result and the determination result are recorded in a log (S45). Then, site determination is performed for the request destination URL (S46). Although the upload data this time is data requiring regulation, since the transmission destination of the request corresponds to the regulation exception site, the terminal 11 transmits the request to the external server (S47). The proxy server 31 receives this request and forwards it to the external server. When the request is transferred, the upload data is transmitted to the external server. In this way, a series of processes for the first request being transmitted from the terminal 11 is completed.

  After a while, when the user accesses a website different from the above on the terminal 11, inputs some information and clicks the send button, the terminal 11 detects a request to the external server at this timing (S51). The presence / absence of data to be uploaded is confirmed (S52). Since the upload data still exists this time, it is checked whether or not the protection information is included in this data (S53). Based on the result of this check, it is determined whether or not the upload data associated with the current request is required data. The determination is made (S54), and the inspection result and the determination result are recorded in a log (S55). Then, site determination is performed for the request destination URL (S56). Since the upload data this time is required data and the transmission destination of the request corresponds to the restricted site, the terminal 11 discards the request without transmitting it to the external server (S57), and the request is discarded. That is, the fact that the upload data has not been transmitted to the external server is displayed as an alert message on the display of the terminal 11 to notify the user (S58). In this way, a series of processes for the second request being transmitted from the terminal 11 is completed.

FIG. 17 is a flowchart illustrating a different procedure example of the information management main process by the information management system 100 and the information management program 300. This example procedure is that the determination as to whether or not the transmission destination of the request is a regulated site is performed prior to the inspection of the data accompanying the request. This is very different from the information management processing (FIG. 13) by the information management program 300.
Note that the execution subject of this example procedure and the functional units related to each step differ depending on whether the information management system 100 or the information management program 300 is operated. Here, for convenience of explanation, a procedure example in the case of operating by the information management system 100 will be described.

Step S500: The CPU 32 causes the request reception unit 120 to receive a request for the external server transmitted from the terminal 10, and temporarily buffers the request.
Step S502: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in the previous step S500 is an unconditionally permitted site. If it is not an unconditionally permitted site (Yes), the CPU 32 next executes step S504. When it is an unconditionally permitted site (No), the CPU 32 next executes step S512.
Step S504: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in step S500 is a regulated site. If it is not a restricted site (Yes), the CPU 32 next executes step S506. If it is a restricted site (No), the CPU 32 next executes step S510.

Step S506: The CPU 32 executes an information management main process. Details of the information management main process will be described later.
Step S508: The CPU 32 confirms the determination result returned in the previous step S506. When it is determined that the upload data accompanying the request transmitted from the terminal 10 is the restriction data (Yes), the CPU 32 next executes step S510. If it is determined that the data is not required regulation data (No), the CPU 32 next executes step S512.
Step S510: The CPU 32 causes the site determination unit 160 to check whether or not the transmission destination of the request buffered in step S100 is a restriction exception site. If it is a restriction exception site (Yes), the CPU 32 next executes step S512. If it is not a restriction exception site (No), the CPU 32 next executes step S514.

Step S512: The CPU 32 causes the request processing unit 180 to transfer the request buffered in step S100 to the external server.
Step S514: The CPU 32 causes the request processing unit 180 to discard the request buffered in step S100.
Step S516: The CPU 32 causes the request processing unit 180 to notify the terminal 10 that is the transmission source of the request that the request has been discarded.
When the above processing is completed, the information management processing executed by the proxy server 30 (relay / management device) for one request transmitted from the terminal 10 is completed.

Thus, in this example procedure, the determination as to whether or not the request destination is a regulated site precedes the information management main process (inspection of data accompanying the request, determination as to whether or not the data requires regulation). And executed. If the destination of the request is a regulated site, if the request is not a regulated exception site, the request is discarded without being transferred, and if it is a regulated exception site, the request is forwarded and the data accompanying the request is sent to an external server. Become. Regulated exception sites are sites that have been set as exceptions in advance as rules, and are regarded as reliable sites to some extent, and even if data that can be determined to be regulated data is transmitted, there is little risk of information leakage. It is done.
Therefore, by adopting such a procedure example, it is possible to save the resources on the computer required for processing by minimizing the data inspection accompanying the request, and to improve the processing efficiency of the information management system 100 and the information management program 300. It becomes possible to improve.

  The present invention can be implemented with various modifications without being limited to the above-described embodiments. For example, the storage location of the inspection result log and the rule / policy setting is the internal storage area of the computer functioning as a relay / management device. However, it may be stored in an external storage medium or a database connectable via the network 20. Good.

  In addition, the procedure example of the information management main process may be subdivided according to the type of uninspectable file. Do not handle uninspectable files together, for example, depending on the reason why it is impossible to inspect, for example, branching into three cases: “for a file with a password”, “for an encrypted file”, and “for other reasons” The subsequent procedures can be configured according to the rule settings for each case. If conditions corresponding to other reasons are known in advance, more branches may be added.

  In “Rule for Site Determination” in the rule settings, sites targeted for three classifications are specified by URL, but the target site is specified by the category prepared by this tool in cooperation with existing web filtering tools. May be. For example, in cooperation with a web filtering tool, the category of “discrimination” and “drag” defined in this tool is specified as the target of “regulatory site”, and the site recognized as corresponding to “discrimination” and “drag” by this tool Can be implemented as a “regulated site”.

  In addition, in the rule setting “whether or not the request can be transferred based on the data inspection result”, the data is classified into cases, and for each case, one of three options “permit all”, “partial restriction”, and “all restriction” is selected. However, if this option is selected, the data can be sent to the external server (request request). Processing may be configured to display an intention confirmation alert message asking whether or not the transfer is actually executed on the display of the terminal, and to execute it in accordance with an answer transmitted from the user. However, when the information management system 100 is configured in this way, the request must be buffered until the reply from the user is transmitted to the proxy server 30, and the proxy server 30 identifies the communication with each terminal. There is a risk that server resources will be consumed significantly for the session management required above. Therefore, in order to employ such a configuration, it is assumed that the proxy server 30 has sufficient resources.

10, 11 Terminal 20, 20d Network 30, 31 Proxy server 40 Inspection server 50 Dictionary database 60 Firewall 70 Internet 100 Information management system 300 Information management program

Claims (6)

An inspection means for inspecting whether or not the protection information is included in the data using elements constituting the protection information stored in the database, and outputting an inspection result;
Recording means for recording the inspection result output by the inspection means;
Based on the inspection result, it is determined whether or not the data corresponds to protection required data that is one of the classifications according to the degree of necessity of protection, while the inspection means performs the inspection. A protection necessity determination unit that determines that the data corresponds to indeterminate data of a classification different from the protection required data when a result is not output;
When it is determined by the protection necessity determination means that the data does not correspond to the protection required data, it is determined that the data does not correspond to the required regulation data of a different classification, while the data is required protection data or cannot be determined. An information management system comprising a restriction necessity determination unit that determines whether the data corresponds to restriction data based on a predetermined determination condition when it is determined that the data corresponds to the data. In the information management system according to claim 1,
The protection necessity determination means includes
When the number of pieces of protection information included in the data is equal to or greater than a preset threshold for the protection information, it is determined that the data corresponds to protection required data, and when the number is less than the threshold, the data is An information management system characterized in that it is determined that the data does not fall under protection required data. In the information management system according to claim 1 or 2,
An information management system, further comprising a rule pre-setting unit that presets the determination condition as to whether or not the data determined by the restriction necessity determining unit corresponds to restriction required data. In the information management system according to claim 3,
The rule presetting means is:
In addition to setting a data size threshold as the determination condition, when the data is determined to be protected data or non-determinable data by the protection necessity determination unit, the data uniformly corresponds to required data. Determining whether to determine that the data does not correspond to the restriction data uniformly, or to determine whether the data corresponds to the restriction data according to the data size,
The regulation necessity determination means includes
An information management system for determining whether or not the data corresponds to data requiring regulation based on a determination condition set in advance by the rule presetting means. In the information management system according to any one of claims 1 to 4,
Receiving means for receiving a request for an external server transmitted from the user terminal;
The inspection means includes
An information management system for examining whether or not protection information is included in user data uploaded in response to the request received by the receiving means. The computer sending the request to the external server,
An information management program for causing the information management system according to any one of claims 1 to 4 to function as each of the means,
The function as the checking means includes an execution of checking whether or not protection information is included in data being transmitted to the external server in response to the request.

Images