JP3823168B1 - Management server and management program - Google Patents

Abstract

[PROBLEMS] To ensure that a file including information to be protected can be searched by efficient processing, and to prevent inadvertent leakage / leakage or unauthorized use of personal information or confidential information.
When a user terminal 10 and a management target file are managed by a management server 20 and a user terminal 10 whose access frequency to the management target file managed by the management server 20 is higher than a reference value is recognized, The search program is automatically and forcibly installed on the user terminal 10. At this time, it is considered that the user terminal 10 whose access frequency to the management target file is less than the reference value has a low possibility of storing the protection target information in its own terminal, and the installation of the exploration program for the user terminal 10 is Don't do it.
[Selection] Figure 1

Description

  The present invention manages an information processing apparatus (user terminal, server, etc.) such as a personal computer, and in a system including the information processing apparatus, a predetermined number of elements related to protection target information such as personal information and confidential information. The present invention relates to a technique for managing the above-mentioned files as management targets.

  In recent years, with an increase in awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. In particular, with the enforcement of the Personal Information Protection Law, there is a need for businesses that handle personal information to more reliably prevent the leakage or leakage of personal information and unauthorized use. Here, personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address, etc.). . Customer information, business partner information, etc. stored and handled in various companies often correspond to personal information.

  Naturally, such personal information corresponds to confidential information with high confidentiality for companies, but as confidential information for companies, in addition to personal information, new products before publication, technology before patent application, Information related to management strategies, etc. According to the Institute of Systems Audits, confidential information is defined as information that may impair the value of management resources when disclosed to anyone other than the authorized person or used for other purposes. Has been.

  In order to reliably prevent the outflow / leakage and unauthorized use of personal information and confidential information as described above, it is desirable to introduce a centralized management system and centrally manage such personal information and confidential information. However, in reality, personal information such as customer information and business partner information in a company includes a plurality of user terminals [personal computers (hereinafter sometimes abbreviated as PCs)] used by individual employees, In many cases, they are distributed and stored in department servers. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various places on the PC.

  For this reason, when constructing the above centralized management system, the administrator first identifies personal information and confidential information that are scattered in the company, and what kind of personal information and confidential information is located in the company. It is necessary to grasp whether it exists, but personal information and confidential information are identified by the manager instructing each employee and with the cooperation of the entire company and all departments in person-to-person relations. .

  For example, in Patent Document 1 below, in accordance with the enforcement of the Personal Information Protection Law, the technology “Personal Information Protection Service Business Processing Method for Providing Personal Information Protection Service to Prevent Personal Information Outflow / Leakage and Unauthorized Use” And device "have been proposed and disclosed. In this patent document 1, it is possible to identify and warn a company that has acquired personal information inappropriately, and to prevent illegal leakage of personal information from a company that has acquired it appropriately. However, it does not disclose how to deal with the case where personal information is distributed in the company as described above.

Further, for example, Patent Document 2 below discloses a file copy management technique for preventing unauthorized copying of a file in a computer system or other data processing device or system, and in particular, a special copy prohibition measure is taken for a file. Technology for preventing unauthorized copying of source code files written in a specific language or multimedia data files of a specific file format has been disclosed. There is no disclosure of what to do if they exist in a distributed manner.

Further, for example, in Patent Document 3 below, an integrated internal information leakage prevention system is disclosed, and in particular, offline information leakage through an output device and a movable storage device and online information leakage due to a communication program are fundamentally prevented. And the technology to prevent important information from leaking from the internal system by monitoring is disclosed, but again, as mentioned above, coping with the case where personal information is distributed in the company Is not disclosed.
JP 2002-183367 A JP 2001-350671 A Special table 2003-535398 gazette

  As mentioned above, identifying personal information and confidential information with human cooperation such as reporting from each employee is not only time-consuming, but it is also difficult to ensure that all personal information and confidential information are identified without omissions. become. In particular, when personal information and confidential information are being distributed, it is extremely difficult to identify personal information and confidential information. Also, if personal information and confidential information are identified for all user terminals connected to a network such as an in-house LAN (Local Area Network), a great deal of labor is required. It is desired to be able to efficiently identify confidential information.

  The present invention was devised in view of such circumstances, and by efficiently processing, it is possible to reliably search for a file including information to be protected, so that personal information and confidential information are inadvertently leaked. The purpose is to reliably prevent leakage and unauthorized use.

  In order to achieve the above object, the management server of the present invention (Claim 1) is connected to a user terminal through a network so as to be able to communicate with each other, manages the user terminal, and also relates to protection target information. Is a management server that manages a file having a predetermined number or more as a management target file, and collects a log of access to the management target file by the user terminal, and is collected by the log collection unit An access frequency calculation means for accessing the management target file of the user terminal based on the log, and an access for determining whether the access frequency calculated by the access frequency calculation means is equal to or higher than a reference value The access frequency for the management target file of the user terminal is a reference value by the frequency determination unit and the access frequency determination unit. If it is determined that the file is on, a search program that causes the user terminal to self-search a file having a predetermined number or more of elements related to the protection target information is installed on the user terminal via the network. Installation means; search result collection means for collecting self-search results executed by the user terminal via the network; access frequency calculated by the access frequency calculation means; and search result collection means And a management means for managing the user terminal based on the self-exploration results collected by the above.

In the management server, the management means may handle the file searched in the user terminal as the management target file based on the self-search result collected by the search result collection means. ).
Further, in the management server, the management means in the user terminal for preventing outflow of a management target file from the user terminal according to the access frequency calculated by the access frequency calculation means A security level may be set, and operation restriction according to the security level may be executed by the user terminal (claim 3).

  At this time, the management means sets the security level high for the user terminal for which the access frequency to the management target file is determined by the access frequency determination means to be higher than a reference value, and the operation of the user terminal While restricting the restriction, the security level is set low for the user terminal whose access frequency is determined to be less than the reference value by the access frequency determining means, and the operation restriction of the user terminal is released or relaxed. (Claim 4). In addition, the management means may include at least one of prohibition of external access, prohibition of data writing to an external storage medium, prohibition of mail transmission outside the company, and encryption management of attached files as operation restrictions of the user terminal. You may make a user terminal perform (Claim 5).

  Furthermore, in the management server, the management means creates public information regarding the access status for the management target file according to the access frequency calculated by the access frequency calculation means, and publishes the created public information May be. At this time, the management means may create and release the public information when the access frequency determination means determines that the access frequency of the user terminal to the management target file is equal to or higher than a reference value. Further, as the public information, the file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal May be included, and the result of counting the number of the management target files in the user terminal may be included, or the result of counting the number of accesses to the management target file may be included. .

  Note that the protection target information is personal information, and the search program has a predetermined number or more of personal information elements that can identify a specific individual among the data in the storage unit of the user terminal, that is, the personal The user terminal may be caused to function as exploration means for exploring the information file (claim 6). At this time, the exploration means extracts extraction means for extracting text data included in the determination target file, extraction means for cutting out character sections delimited by delimiters from the text data extracted by the extraction means, By determining whether or not the character string in the character section cut out by the cutting means satisfies one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than, and a telephone number, an e-mail address, The number of characters in the character section determined not to correspond to any of the addresses is within a predetermined range, and the characters in the same character section are A character determination means for determining whether or not the character section, and a character section within the predetermined range and determined to be a kanji character by the character determination means, appearing in a character or a character string and a name included in the character section Collation to determine whether the character section includes the inappropriate character or inappropriate character string by verifying with the inappropriate character or inappropriate character string previously set as impossible Chinese character or Chinese character string Means, the number of character sections determined by the first determination means to correspond to any one of a telephone number, an e-mail address, and an address, and the inappropriate character or the inappropriate character string by the matching means. The number of character sections determined not to be included is counted, and based on the count result, whether or not the determination target file is a personal information file Which may be configured to include the determining second determination means (claim 7).

  The management program of the present invention (claims 8 to 14) is connected to a user terminal through a network so as to be communicable with each other, manages the user terminal, and includes a predetermined number or more elements related to the protection target information. The computer is made to function as a management server for managing the held file as a management target file, and the functions as the management server (claims 1 to 7) described above are realized.

  According to the above-described present invention, user terminals and management target files (files having a predetermined number of elements related to protection target information) included in the management range of the management server are managed and managed by the management server. If a user terminal with a frequency of access to the management target file managed by the server is recognized, the user terminal is considered to have a high possibility of holding a file containing protection target information. The search program is automatically and forcibly installed on the user terminal. At this time, the user terminal whose access frequency to the management target file is less than the reference value is considered to have a low possibility of storing the protection target information in its own terminal, and the exploration program is not installed on the user terminal. .

  Then, the search program is automatically and forcibly executed on the user terminal in which the search program is installed, so that a file having a predetermined number or more of elements related to the protection target information (personal information or confidential information) ( Self-exploration files such as personal information files and confidential information files), and the self-exploration results are collected by the management server. In other words, a self-search for a file containing protection target information is forcibly executed on a user terminal that has a high possibility of accessing the management target file and storing the protection target information in its own terminal. The user terminal can be managed based on the self-search result and the access frequency to the management target file.

  As a result, for a user terminal that is likely to have a file containing protection target information, a search program is automatically and forcibly installed and self-exploration of personal information files / confidential information files, etc. is performed. The searched personal information file / confidential information file, etc. are immediately put under the management of the management server, and it is possible to surely prevent personal information and confidential information from being inadvertently leaked or leaked or illegally used. For user terminals that are unlikely to have files containing protection target information, it is not necessary to install a search program or perform self-searching. Personal information files, confidential information files, etc.) can be reliably explored, and there is an advantage that personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used.

  At this time, by setting the security level for the user terminal according to the access frequency to the management target file, the user terminal that is likely to have the file containing the protection target information, that is, the protection target information For user terminals that are likely to cause inadvertent outflow / leakage or unauthorized use of files containing files (managed files), set a high security level to restrict operation (external access prohibited, access to external storage media) Data export prohibition, e-mail transmission outside the company, encryption management of attached files will be tightened, but for user terminals with a low possibility, operation restrictions will be lifted or relaxed. . This provides an environment in which the terminal can be used efficiently when the possibility is low, so that the user voluntarily shifts his terminal to the low possibility state. Therefore, it is possible to more surely prevent personal information and confidential information from being inadvertently leaked or leaked or illegally used.

Also, by publishing the access status according to the frequency of access to the management file, the user terminal that is likely to have the file containing the protection target information, that is, the file containing the protection target information (management For user terminals that are likely to cause inadvertent leakage / leakage or unauthorized use of the target file), the access status to the management target file (for example, the file name of the management target file, the user terminal may be specified) Information, information that can identify the owner of the user terminal, the result of counting the number of managed files, the result of counting the number of accesses to managed files, etc.) are disclosed. As a result, an environment in which unauthorized access is easily detected and it is difficult to perform unauthorized activities is provided, and it is possible to more reliably prevent inadvertent leakage / leakage or unauthorized use of personal information or confidential information.

  On the other hand, when the information to be protected is personal information and a personal information file having a predetermined number or more of personal information elements that can identify a specific individual is searched as a management target file, the search means of the present invention uses a telephone number. Character sections that do not correspond to any of e-mail address or address and contain inappropriate characters / inappropriate character strings are not considered to be related to personal information, but are either phone numbers, e-mail addresses, or addresses. And a character section that does not correspond to an inappropriate character / inappropriate character string is considered to be related to a name.

  Therefore, for the character section determined to correspond to any one of the telephone number, e-mail address, and address, the determination process is terminated when the determination is made, and any of the telephone number, e-mail address, or address is terminated. Is also checked for inappropriate characters / unsuitable character strings only for character sections determined to be not applicable, and it is determined that even one inappropriate character / unsuitable character string is included in the character section. At that point, the collation process can be terminated, so that the name collation process can be performed at a higher speed than the method that collates with all the name strings included in the name list, that is, the personal information file search process Can be performed at high speed.

  In addition, since all character sections that do not contain inappropriate characters / inappropriate character strings are considered to correspond to names, there is a possibility that files that do not contain inappropriate characters / inappropriate character strings for names, that is, include name information. Therefore, it is possible to reliably search for a file that is highly likely to be a personal information file. That is, the number of files that are determined to be personal information files by the searching means of the present invention increases, and files that are highly likely to be personal information files (suspicious files) can be reliably identified.

  Furthermore, since it is determined whether or not the number of characters in the character section is within a predetermined range and all the characters in the character section are kanji, and only character sections that satisfy this character determination condition are targeted for verification, The character section is narrowed down to the character section having a higher possibility of the name, so that the name collation accuracy can be improved and the name collation process can be performed at high speed. In addition, since a long character section whose number of characters exceeds the predetermined range is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of Personal Information Management System of this Embodiment FIG. 1 is a block diagram showing the configuration of a personal information management system (management system) as an embodiment of the present invention. As shown in FIG. A personal information management system (management system) 1 according to the embodiment includes a management server 20 in addition to a plurality of user terminals 10, and the terminals 10 and the server 20 are connected to a network [for example, an in-house LAN (Local Area Network). ]] Are connected to each other via 40.

  Each user terminal 10 is constituted by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and a search for realizing a personal information file search function (described later). A detailed functional configuration of the user terminal 10 when a program (described later) is installed from the management server 20 as described later will be described later with reference to FIG.

In the present embodiment, when the user terminal 10 is connected to the network 40, the search program is not installed in the user terminal 10, but the search program is installed from the beginning. Good.
The search program is not installed for the user terminal 10 whose access frequency to the management target file (in this embodiment, the personal information file) is always less than a predetermined reference value. As described above, the search program is installed for the user terminal 10 whose access frequency to the management target file is equal to or higher than the reference value, and the user terminal 10 has functions as described later with reference to FIG. Will be provided.

  The management server 20 is connected to a plurality of user terminals 10 through a network 40 so as to be communicable with each other. The management server 20 manages each user terminal 10 and includes elements related to protection target information (in this embodiment, personal information). A file having a predetermined number or more is managed as a management target file (personal information file), and has a functional configuration as described later with reference to FIG. 2 and will be described later with reference to FIG. Such a functional configuration as a file access management server (a server that manages access to a management target file) is also provided.

  The personal information file as the management target file in the present embodiment is searched and specified by executing a search program as described later on condition that a predetermined number or more of personal information elements that can identify a specific individual are held. Personal information is information that can identify a specific individual by itself or in combination as described above (various personal information elements), such as name, date of birth, contact information (address, residence, telephone). Number, e-mail address). In addition to these, personal information includes titles, basic resident register numbers, account numbers, credit card numbers, license numbers, passport numbers, and the like.

[1-1] Functional Configuration of Management Server of This Embodiment FIG. 2 is a block diagram showing the functional configuration of the management server 20 of this embodiment. As shown in FIG. 2, the management server 20 executes various processes. CPU 20a, a database (RDB: Relational DataBase) 20b that stores and saves information about user information, access logs, personal information file search results, and the like collected from each user terminal 10, and the database 20b. And a display unit 20c that displays public information that has been aggregated and created by the management means 28 described later.

  The CPU 20a includes user information collection means 21, log collection means 22, access frequency calculation means 23, access frequency determination means 24, installation means 25, search result collection means 26, management console 27, management means 28, display control means 29, and It fulfills the functions as the transmission / reception means 30, and these functions are realized by the CPU 20a executing the management program. Here, it is assumed that the management program also includes a program (search program) to be installed in the user terminal 10 so that the user terminal 10 functions as the search unit 11 described later. Further, the management program may include a program to be installed in the user terminal 10 so that the user terminal 10 functions as the operation restriction unit 13 described later.

The user information collection means 21 is connected via the network 40 and the transmission / reception means 30 when the system 1 is started up, when it is detected that the user terminal 10 is connected to the network 40, or at predetermined intervals. User information (host information) such as a MAC address is collected from the user terminals 10 that are communicably connected, and the user terminal 10 is connected to the external storage medium 50 in addition to the search program. It recognizes whether or not a program that functions as a driver 14 (see FIG. 4; described later) or an encryption / registration unit 15 (see FIG. 4; described later) is installed. Since the installation status of the program that causes the user terminal 10 to function as the external storage medium driver 14 or the encryption unit / registration unit 15 is used in the processing of the management unit 28 as will be described later, the database 20b stores the user terminal 10 in the database 20b. 1
Registered / saved in association with 0.

  As an external storage medium (see reference numeral 50 in FIG. 4), for example, a flexible disk, CD (Compact Disc), DVD (Digital Versatile Disk), magnetic disk, optical disk, magneto-optical disk, memory card, USB (Universal Serial) Bus) Various storage media such as memory and external hard disk. In the present embodiment, the user information collecting means 21 also collects the number of accesses to the browsing-prohibited site at each user terminal 10 as user information and associates it with each user terminal 10 in the database 20b. Register and save.

  The log collecting unit 22 collects a log of access to the personal information file (management target file) by each user terminal 10. In the present embodiment, files that are open to the user terminal 10 via the network 40 (files stored on the management server 20 and files stored on other servers connected to the network 40). Etc.), by executing a program similar to the search program described later on the management server 20 or each server, etc., the personal information file has been searched and specified, and the file determined to be a personal information file Is set with a flag indicating that it is a personal information file. When access to a file (personal information file) in which such a flag is set is performed by the user terminal 10, information that can identify the user terminal 10 that has made access, an access type, and the like are recorded as an access log. The access log is collected by the log collecting means 22.

  The access log may be collected by the log collecting means 22 every time the personal information file is accessed, or the access log is stored on the server holding the personal information file. Data may be collected by the log collecting means 22 at regular collection timings. In the present embodiment, collection is performed at regular collection timings as described later.

  The access log collected here includes the type of access and the number of accesses. The file name of the personal information file, the information (PC name) that can identify the user terminal 10 that has accessed the personal information, and the use thereof. The user terminal 10 is registered and stored in the database 20b in association with information (owner name) that can identify the owner.

The access frequency calculating unit 23 calculates the access frequency for the personal information file of each user terminal 10 based on the log collected by the log collecting unit 22. Here, the access frequency is calculated as, for example, the number of accesses per unit time (for example, 24 hours) for each user terminal 10, but may be calculated as the total number of accesses so far.
The access frequency determination unit 24 determines whether the access frequency calculated by the access frequency calculation unit 23 is a reference value (for example, 5 times / 24 hours) or more.

  If the access frequency determination unit 24 determines that the access frequency of the personal information file of a certain user terminal 10 is equal to or higher than the reference value, the installation unit 25 has a predetermined number of elements related to personal information. Is installed in the user terminal 10 via the transmission / reception means 30 and the network 40, and the user terminal 10 is executed to execute the search program. The personal information file (management target file) in the storage unit 10b is searched.

The search result collecting means 26 is a self-search result executed by the user terminal 10 via the network 40 and the transmission / reception means 30. Specifically, in addition to the file name and link destination information of the personal information file, It functions to receive and collect P marks and the like and store them in the database 20b in association with each user terminal 10.

  The management console 27 uses the above-described reference value used as a determination criterion by the access frequency determination unit 24 and the determination condition of the personal information file (a quarantine table 10c described later, a predetermined information necessary for determining a personal information file and a P mark). Threshold) and the like are set and managed. In the quarantine table 10c, as described later, a telephone number determination condition, an e-mail address determination condition, an address determination condition, a character determination condition (predetermined range) and inappropriate characters / unsuitable character strings are set.

  Based on the access frequency calculated by the access frequency calculation unit 23 (determination result by the access frequency determination unit 24) and the self-exploration result collected by the search result collection unit 26, the management unit 25 The personal information file is managed, and the personal information file searched by the searching means 11 in the user terminal 10 based on the self-search result collected by the search result collecting means 26 (file to which a P mark described later is given). Are handled as managed files.

  This management means 28 is a user for preventing the personal information file from flowing out of the user terminal 10 in accordance with the access frequency calculated by the access frequency calculation means 23 (result of determination by the access frequency determination means 24). A security level in the terminal 10 is set, and operation restriction according to the security level is executed by the user terminal 10 (operation restriction means 13 described later).

  Specifically, the management unit 28 of the present embodiment sets the security level to a high level for the user terminal 10 for which the access frequency for the personal information file has been determined by the access frequency determination unit 24 to be equal to or higher than the reference value. While restricting the operation restriction of the terminal 10, the user terminal 10 whose access frequency is determined to be less than the reference value by the access frequency determining unit 24 is set to a low security level to restrict the operation of the user terminal 10. Release or relax.

  At this time, the management unit 28 restricts the operation of the user terminal 10, for example, prohibiting external access (Internet connection, etc.), prohibiting data writing to the external storage medium 50 (USB memory, etc.), and sending mail outside the company. At least one of the prohibition and encryption management of the attached file of mail (to be managed by the function of the management server 20 as a file access management server described later) is the user terminal 10 (operation restricting means 13). To run.

  When the management unit 28 performs such security level setting (operation restriction setting), the user terminal 10 having a low access frequency to the personal information file held on the network 40 such as the management server 20 or another server. In other words, for user terminals 10 that are unlikely to hold personal information files and are unlikely to cause inadvertent leakage, leakage, or unauthorized use of personal information files, the operational restrictions are lifted or relaxed. An environment in which the user terminal 10 can be used efficiently is provided to the user.

Here, the operation restriction states include prohibition of external access (Internet connection, etc.), prohibition of data writing to the external storage medium 50 (USB memory, etc.), prohibition of mail transmission outside the company, and encryption of mail attachment files. Of the state (all restricted state) in which all management is performed (to be managed by the function of the management server 20 as a file access management server described later) and the state in which all are not performed (release state) are set In addition, when the security level “low” is set, the state is switched to the release state, while when the security level “high” is set, the state may be switched to the full restriction state. In addition, as the operation restriction state, multiple stages are set between the all restriction state and the release state, and the operation level is changed step by step corresponding to each level from the security level “low” to “high”. It may be.

  In addition, the management unit 28 provides attention information to the user (owner) of the personal information file according to the determination value (or P mark) of the personal information file registered in the P mark table stored in the database 20b. / Notify warning information, forcibly capture and collect personal information files from the user terminal 10 storing the personal information file, or output the personal information file from the user terminal 10 to the outside Forcibly prohibiting the storage, storing the personal information file in a folder (not shown) accessible only to the administrator, or accessing the personal information file as a file access management server function of the management server 20 ( Also fulfills the function of managing by (to be described later).

  For example, when the rank of the P mark is “P1”, the recommendation by the warning information is not performed, but the fact that the personal information file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. If the rank of the P mark is “P3”, the system administrator (administrator terminal; not shown) is notified by email or the like that there is a user who stores the personal information file. At the same time, the user is instructed to return the personal information file. When the rank of the P mark is “P4”, the personal information file is forcibly captured and collected from the user terminal 10 or the personal information file is forcibly output from the user terminal 10 to the outside. Prohibiting, storing the personal information file in a folder accessible only by the administrator, or managing the access to the personal information file by the function of the management server 20 as a file access management server. Even if the P mark rank is not “P4”, if the personal information file of “P3” is left for a predetermined number of days, the rank of the P mark is “P4” for the personal information file. You may make it perform the treatment similar to the case.

Further, the management means 28 has a function of searching the personal information file stored in each user terminal 10 or the database 20b with various accuracy, and a function of causing the display control means 29 to display the search result on the display unit 20c. Have.
The display control unit 29 controls the display state of the display unit 20c so that various types of information, for example, public information described later, is displayed on the display unit 20c. The transmission / reception unit 30 is connected to each user terminal via the network 40. Various information is transmitted / received to / from 10.

  Furthermore, the management unit 28 of the present embodiment uses the information collected by the user information collection unit 21 for the user terminal 10 for which the access frequency determination unit 24 determines that the access frequency for the personal information file is equal to or higher than the reference value. Based on the logs collected by the access log collecting means 22 and the information collected by the search result collecting means 26, the public information regarding the access status to each personal information file and the external storage medium driver 14 are installed. Public information on the user terminal 10 is created, and the public information is displayed on the display unit 20c, disclosed to all user terminals 10 and administrators via the network 40, or via the network 40. Also fulfills the function of notifying all user terminals 10 and administrators by e-mail etc. It is.

Here, as public information, the file name of the personal information file, information (PC name) that can identify the user terminal 10 that has accessed the personal information file, the owner of the user terminal 10 Information (owner name), the total number of personal information files (the number of personal information files and the number of personal information held in the user terminal 10), and the total number of accesses to the personal information file (individuals) Information file / access type). Examples of the access type include printing, writing to the external storage medium 50, deletion, rename (change), overwriting, uploading to an FTP server, and the like.

  Also, as public information, information (PC name) that can identify the user terminal 10 that has a personal information file and that has the external storage medium driver 14 installed, and the owner of the user terminal 10 are specified. Possible information (owner name), the file name of the personal information file held in the user terminal 10, and the number of times of writing the personal information file to the external storage medium 50 executed in the user terminal 10 is there.

Furthermore, the management unit 28 of the present embodiment, in addition to the information regarding the access status with respect to the personal information file, the number of accesses to the browsing-prohibited site in each user terminal 10 (see, for example, FIG. 17) It also has a function of monitoring / collecting the number of accesses to the personal information file in other terminals / servers and creating / disclosing it as public information.
A specific example of the public information created and disclosed by the management unit 28 will be described later with reference to FIGS.

[1-2] Functional Configuration as File Access Management Server of this Embodiment FIG. 3 is a block diagram showing a functional configuration as a file access management server provided in the management server 20 of this embodiment. In this embodiment, the management server 20 has a function as a file access management server. However, the management server 20 is connected to each user terminal 10 via the network 40 so as to be able to communicate with the management server 20. May be realized by a separate server.

  As shown in FIG. 3, the function of the management server 20 as a file access management server is, for example, a file encrypted by an encryption unit (described later) at each user terminal 10 or a registration unit of each user terminal 10. A file registered by (described later) and a personal information file (a personal information file with a P mark rank “P4”) are managed. Here, personal information files whose P mark rank is “P4” are managed, but all electronic files that are determined to be personal information files by the exploration means 11 described later, regardless of the rank of the P mark. It may be managed by the file access management server.

  The CPU 20a functions as means 30a to 30d, 31, 32 described later, and these functions are realized by the CPU 20a executing a program for the file access management server. In addition to the above-described various information, the database 20b includes an encryption key for encrypting the personal information file, a decryption key for decrypting the encrypted personal information file, The access authority (to be described later) for the registered personal information file, the user ID / password of a user registered in advance [registrant (employee) permitted to view the encrypted file), and the like are stored.

  In addition to the functions described above, the transmission / reception means 30 functions as a file reception means 30a, an encrypted file transmission means 30b, an authentication information reception means 30c, and a decryption key transmission means 30d described later. In addition, the transmission / reception means 30 of the present embodiment sends a predetermined encryption key used for encryption processing in the encryption means (described later) to each user terminal via the network 40 in response to a request from each user terminal 10. 10 is also fulfilled.

The file receiving unit 30 a receives a file to be registered [file registered by a registration unit (described later)] from each user terminal 10 via the network 40.
The encrypting means 31 is a PDF (Portable Document) that is difficult to falsify a file to be registered (managed object) received from the user terminal 10 by the file receiving means 30a or a personal information file with a P mark rank “P4”. Format) file or the like, and the PDF file is encrypted using a predetermined encryption key. Conversion to a PDF file is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF and a PDF file as a completed document file is generated.

The encrypted file transmission unit 30 b transmits a file encrypted (keyed) by the encryption unit 31 (hereinafter referred to as an encrypted file) to the user terminal 10 via the network 50.
In the management by the function as the file access management server, various access authorities (permissions such as browsing, printing, copying, etc.) for each encrypted file are set by policy setting at the time of encryption by the encryption unit 31 as described above. Set for each user and each encrypted file. At that time, one type of policy is set in order to simplify the system operation, and the access right at each user terminal 10 for all encrypted files is set by the policy setting [for example, in-house where the present system 1 is installed. Access rights for all employees / all users (all registrants registered in the file access management server function in advance) are automatically set (granted) only viewing rights, and access other than browsing For example, access such as printing, copying, alias saving, and screen capture (screen shot) may not be performed.

  The authentication information receiving unit 30c receives authentication information transmitted from the user terminal 10 via the network 40 when the user terminal 10 accesses the encrypted file. Here, the authentication information is determined by the file access management server 20 that the user of the user terminal 10 trying to open the encrypted file is a valid transmission destination (user / registrant) of the encrypted file. Information necessary for authentication, which includes a user ID and a password registered in advance in the file access management server 20 (database 20b) for the user of the service by the file access management server 20. These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  The determination unit 32 determines whether or not the user terminal 10 that transmitted the authentication information is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information reception unit 30c. The user ID and password input by the user are determined by determining whether or not the user ID and password registered and stored in the database 20b of the file access management server 20 in advance match the user ID and password. Is to determine and authenticate whether or not is a valid registrant.

The decryption key transmission means 30d reads the decryption key for decrypting the encrypted file from the database 20b and sends it to the user terminal 10 when the determination means 32 authenticates the user as a valid registrant. It is transmitted via the network 40.
Upon receiving the decryption key from the file access management server 20, the user terminal 10 decrypts the encrypted file using the decryption key, restores the original personal information file, and restores the restored personal information file. On the other hand, access (for example, browsing) according to the given access authority is performed.

[1-3] Functional Configuration of User Terminal According to the Present Embodiment FIG. 2 is a block diagram showing the functional configuration of the user terminal 10 according to the present embodiment. As shown in FIG. 2, the user terminal according to the present embodiment. 10 includes a CPU (Central Processin Unit) 10a that executes various processes and a storage unit 10b that can hold data including electronic files such as personal information files, and the installation program 25 of the management server 20 uses a search program ( A user terminal 10 installed with a program that causes the CPU 10a to function as the exploration means 11 is a quarantine table 10c provided from the management server 20 or a P mark (privacy level mark; individual) of an electronic file held in the storage unit 10b. Holds the level that indicates the high possibility of being an information file (the level determined by the judgment value described later) Further provided constituted by a P-mark table 10d that. In the present embodiment, it is assumed that a program for causing the CPU 10a to function as means 13 to be described later is installed from the management server 20 together with the exploration program.

  Here, the storage unit 10b is a hard disk built in the user terminal 10 or a storage device connected to or externally attached to the user terminal 10, such as a flexible disk, CD (CD-ROM, CD-R, CD-RW). Etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disks, optical disks, magneto-optical disks, IC cards, ROM cartridges, magnetic tapes and other recording media This is a storage device to be used. The quarantine table 10c and the P mark table 10d described above may be held in a RAM (Random Access Memory), a hard disk, or the like constituting the user terminal 10, or may be held in the storage unit 10b.

  The CPU 10a functions as the exploration means 11, the transmission / reception means 12, the operation restriction means 13, the external storage medium driver 14 and the encryption means / registration means 15. Of these functions, the function as the transmission / reception means 13 is as follows. Originally provided in a terminal such as a PC, the functions of the exploration means 11 and the operation restriction means 13 are that the CPU 10a executes the program installed by the installation means 25 of the management server 20 as described above. Is realized.

  The functions of the external storage medium driver 14 and the encryption unit / registration unit 15 are realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will. Shall. Accordingly, the user terminal 10 may or may not have the functions of the external storage medium driver 14 and the encryption means / registration means 15. Blocks indicating the driver 14 and the encryption / registration unit 15 are described with virtual lines (two-dot chain lines).

  The exploration means 11 is a personal information file that satisfies the above conditions from the data in the storage unit 10b immediately after installing a program that causes the CPU 10a to function as the exploration means 11, or when the user terminal 10 is activated or at predetermined intervals. The management target file) is searched and specified, and functions as a text extraction engine that converts each file (search target file) held in the storage unit 10b into a text file and uses the quarantine table 10c in the storage unit 10b. It functions as an exploration engine for exploring personal information files from data.

  That is, the exploration means 11 searches the personal information file with reference to the determination target file according to the condition (quarantine table 10c) instructed from the management server 20, and logs the file determined to be the personal information file (local (Cache database). In this embodiment, the P mark determined based on the determination result (determination value / count value) obtained by the exploration means 11 is registered in the P mark table 10d. Details of the functional configuration of the exploration means 11 will be described later with reference to FIG.

  Note that the determination result (determination value / count value) and the P mark by the exploration means 11 are information for identifying the file (for example, a file name) for each file determined to be a personal information file. The information is transmitted / notified to the management server 20 through the transmission / reception means 12 and the network 40.

  Further, in the user terminal 10 according to the present embodiment, when the access executed in the user terminal 10 is detected for the file determined to be a personal information file by the exploration means 11, the access content is changed for each file. Is recorded and stored as an access log, and the access log is managed through the transmission / reception unit 12 and the network 40 when access is detected, periodically, or when requested by the management server 20 (log collection unit 22). It is transmitted and notified to the server 20. The access contents include access types (for example, printing, writing to an external storage medium, deletion, rename (change), overwriting, uploading to an FTP (File Transfer Protocol) server), and access for each access type. Number of times.

  The transmission / reception means 12 transmits / receives various information to / from the management server 20 and other user terminals 10 via the network 40. Access to the search results by the search means 11 and personal information files in the user terminals 10 is provided. It fulfills the function of transmitting logs and the like to the management server 20.

  The operation restriction unit 13 receives the security level set by the management unit 28 of the management server 20 from the management server 20, and restricts the operation according to the security level, for example, external access prohibition (Internet connection, etc.), external storage medium 50 (USB memory, etc.) data writing prohibition, mail transmission prohibition outside the company, encryption management of mail attachment files (to be managed by the function of the management server 20 as a file access management server described later) ) Is executed at the user terminal 10.

  As described above, the external storage medium driver 14 is a function realized by a user (owner) of the user terminal 10 executing an externally installed program by his / her own will, and is designated by the user. The file is read from the storage unit 10b and written to the external storage medium 50. As described above, the external storage medium 50 in the present embodiment includes various types such as a flexible disk, a CD, a DVD, a magnetic disk, an optical disk, a magneto-optical disk, a memory card, a USB (Universal Serial Bus) memory, and an external hard disk. Examples include storage media.

  As described above, the encryption means / registration means 15 is also a function realized by the user (owner) of the user terminal 10 executing a program installed from the outside by his own will, and this encryption means The / registration means 15 is for realizing an encryption function for automatically encrypting a file sent to the outside.

  When the function as the encryption unit / registration unit 15 is set (installed), particularly when the function as the encryption unit 15 is set, the encryption unit 15 is attached to the mail or externally. The file written to the storage medium 50 and sent to the outside is converted into a completed document file having a container function (here, a PDF (Portable Document Format) file that is difficult to falsify), and the container function is The original file of the electronic file is stored in the PDF file, and then the PDF file is managed by a function as a file access management server in the management server 20 (actually received from the server 20). To create an encrypted file. Note that conversion to a PDF file is performed by, for example, a PDF driver, and when the PDF driver is activated, the electronic file is converted to PDF and a PDF file file is generated.

In addition to the encryption operation, the user (user) who accesses the encrypted file has the authority to access the encrypted file (for example, in addition to viewing, annotation, printing, copying, It is assumed that the setting of the authority to execute the one selected from the access such as fetching, editing of the fetched file, and attachment is automatically performed from the encryption unit 15 to the server 20. Here, for example, only the necessary minimum access authority (for example, viewing authority) is set.

  On the other hand, when the function as the registration unit 15 is set, the registration unit 15 accesses the file attached to the mail or written to the external storage medium 50 and sent to the outside to the file in the management server 20. The file is registered in the server 20 so as to be managed under the function of the management server. At the time of registration, the file to be managed is transmitted to the server 20, and the encryption unit 31 of the server 20 performs the above-described processing according to the registration process. It fulfills the function of receiving the encrypted file created as described above.

[1-4] Detailed Functional Configuration of Searching Unit of Present Embodiment Next, a detailed functional configuration of the searching unit 11 in the user terminal 10 of the present embodiment will be described with reference to FIG. As shown in FIG. 4, the exploration means 11 of this embodiment has functions as an extraction means 111, a cutting means 112, a first determination means 113, a character determination means 114, a collation means 115, and a second determination means 116. These functions are also realized by the CPU 10a executing a program installed from the management server 20 as described later.

The extraction unit 111 extracts text data (for example, CSV (Comma Separated Value) format data) of an electronic file (determination target file) in the storage unit 10b and stores it in a file buffer (not shown). It functions as an engine. In the file buffer, 2-byte code characters (double-byte characters) are captured so as not to be lost at the end of the file buffer. Further, when data is cut out and taken in from a file buffer to a data shaping buffer (not shown), which will be described later, by the cutout means 112, the data is taken into the file buffer accordingly.

The cutout unit 112 cuts out character sections delimited at a predetermined delimiter position from the text data extracted by the extraction unit 111 and sequentially writes them in a buffer (not shown) as a determination target / collation target. .
Here, as the predetermined delimiter position, an appearance position of a delimiter character set in advance or a boundary position between a 1-byte code character and a 2-byte code character (a portion where a single-byte character / ASCII character is followed by a double-byte character) Or, a half-width character / ASCII character is followed by a half-width character / ASCII character), or a boundary position between a full-width arithmetic number “0” to “9” and a character excluding the full-width arithmetic number and the hyphen. The delimiter is a delimiter that is a delimiter of the data. Specifically, a half-width space, half-width comma (half-width comma + half-width space is also regarded as a half-width comma), tab character (half-width), CR (Carrige Return) , LF (Line Feed
), “: (Colon)”, “; (semi-colon)”, “>”, “}”, “]”.

The cutout unit 112 cuts out text data from the file buffer into the data shaping buffer one character at a time, and when the above-described delimiter position appears, the extraction ends. Also at this time, data is fetched so that the 2-byte code character (double-byte character) is not lost at the end of the data shaping buffer. As a result, in the present embodiment, for example, addresses and names written in full-width characters such as “Taro Sato 0912341234 Minato-ku, Tokyo” or “Taro Sato sato@xxxx.com Tokyo Minato-ku” are written in half-width characters. If the text data such as a telephone number or e-mail address is mixed without being separated by a delimiter in the text data, for example, an address or name written in full-width characters such as “Taro Sato 0901341234 Tokyo Minato-ku” Even if there is a mixture of numbers and numbers such as phone numbers written in double-byte characters without being separated by delimiters in the text data, for each personal information element such as address, name, phone number, e-mail address, etc. Character section "Taro Sato", "090123
41234 "," Minato-ku, Tokyo "," sato@xxxx.com ", and" 09012341234 "can be extracted.

  The data (determination target character section) thus taken into the data shaping buffer is taken into the data analysis buffer (not shown) from the data shaping buffer. Characters, katakana, hiragana, symbols other than kanji, etc. are removed. Examples of characters (unnecessary characters) to be removed at this time include a half-width space, a full-width space, a half-width hyphen, a full-width hyphen, an underbar, a parenthesis symbol, and so on. , #, $,%, =, +, *,? Symbol characters such as, \, /, and | are defined. In the present embodiment, it is assumed that the cutting means 112 has a function of removing unnecessary characters as described above.

  The first determination unit 113 uses a character string taken into the data analysis buffer, that is, a character string (hereinafter simply referred to as a character string) in a character section cut out by the cutting unit 112 to remove unnecessary characters. Other than the personal information element (specifically, any one of a telephone number, an e-mail address, and an address in the present embodiment), the telephone number determination means 113a and the e-mail address determination The function as the means 113b and the address determination means 113c is provided. Note that the first determination unit 113 of the present embodiment performs the character string determination process in order of lighter determination processing load, that is, in the order of telephone number, e-mail address, and address. The first determination unit 113 checks the size of the data fetched into the data analysis buffer. If the size is 3 bytes or less, the first determination unit 113 does not determine the data as personal information and does not perform the determination process. It may be.

  The telephone number determination means 113a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 117, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 116, and ends the judgment processing by the 1st judgment means 113 to the above-mentioned character string. In the present embodiment, the phone number determination condition is that the character string is a sequence of 9 to 11 half-width numerals or full-width numerals, the first character (first character) is “0”, and the second character is “0”. ""

  The e-mail address determination unit 113b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 113a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 117, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 116. The determination process by the first determination unit 113 is terminated.

In the present embodiment, the e-mail address determination condition is “one or more ASCII characters” + “@ (at sign)” + “one or more ASCII characters” + “. (Dot)” in the character string.
”+“ ASCII character of one or more characters ”is included, and the last character of the character string is a half-width alphabetic character. In this case, the shortest e-mail address is, for example, “a @ aa”, and a character string that ends with a non-English character (for example, a number) such as “123@45.67” is determined not to be an e-mail address. It will be. According to the e-mail address determination condition, data less than 5 bytes is not subject to e-mail address determination, and no determination process is performed.

The address determination unit 113c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 113b determines that the character string does not correspond to an e-mail address. When the character string satisfies the address determination condition set in the quarantine table 117, it is determined that the character string corresponds to an address, and that is notified to the second determination means 116.

  In the present embodiment, the address determination condition includes “1 to 13 full-width characters” + “city” or “ku” or “county” + “one or more full-width characters or half-width characters” in the character string. And the first character of the character string matches the initials of 47 prefecture names or city names in Japan. As a result, for example, a character string that includes a “ward” such as “acceptance classification name” in the middle but has no relation to the address is not erroneously determined as an address. At this time, if the arithmetic processing capability of the CPU 10a is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. According to the address determination condition, data less than 5 bytes is not subject to determination of an e-mail address, and determination processing is not performed.

  The character determination unit 114 sets the character string in the quarantine table 117 when the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. Whether the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters, It is determined whether or not the first character matches the first character of the last name belonging to the predetermined number of surnames that are more common among Japanese.

In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is set to a general (appropriate) number range, for example, from 2 to 6 as the number of characters of the name. More specifically, the determination condition by the character determination means 114 is that the character string is a 2-byte code character of 4 bytes to 12 bytes and data within the range of 0x889F to 0xEEEC (Shift-JIS kanji region) ) And the second byte is 0x40-0x7E or 0x80-0xFC
(Shift-JIS specification), and the first letter matches the initial letters of the last names belonging to the top 3000 last names that are common in Japanese. By targeting the top 3000 surnames, more than 80% of Japanese can be covered.

  The collating unit 115 is a character section determined by the first determining unit 113 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 114 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the result of the verification determination is notified to the second determination means 116.

Here, the inappropriate character / unsuitable character string is preset in the quarantine table 117. For example, Tokyo, Osaka, Nagoya, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture , University, academy, TSE, research, management, general affairs, accounting, sales, general management, pharmaceutical, sales, school, education, specialization, architecture, machinery, corporation, factory, manufacturing, technology, commerce, books, unknown, deputy director, public , Publishing, Advertising, Broadcasting, Target, Wholesale, Retail, Planning, Human Resources, Information, Department, President, Regulatory, General Manager, Section Manager, Section Manager, Director, Head Office, Branch Office, Business, Business, Education, Precision, Petroleum, Transportation, Management , Strategy, material, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, banking, research, English, quality, warranty, equipment, charge , Chief, Secretary, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, 8th, 9th, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Features, Childhood, Christianity, Association , Church, union, sect, commerce, nationwide, branch, contact, assembly, life, consumption, promotion, city hall, ward office, general, amendment, function, overview, composition, company, organization, association, deletion, document, deadline, valid Characters / character strings that cannot appear in general names such as, maintenance, that is, characters / character strings that are inappropriate as names.

  The second determination means 116 is based on the determination result by the telephone number determination means 113a, the e-mail address determination means 113b and the address determination means 113c in the first determination means 113 and the collation determination result by the collation means 115. Is a personal information file.

  More specifically, the second determination unit 116 receives notification of determination results from the telephone number determination unit 113a, the e-mail address determination unit 113b, and the address determination unit 113c. Counts the number of character sections considered to be applicable, and receives the collation determination result from the collating means 115, and the character section determined by the collating means 115 as not including an inappropriate character / inappropriate character string as the name Count the number.

  Then, the second determination means 116 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, the e-mail address, the address, and the name. A determination value that increases as these count values increase is calculated. For example, the second determination means 116 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 116 determines whether or not the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 116 further assigns a P mark (private level mark) according to the size of the determination value to the determination target file and sets it in the P mark table 10d. Register and rank. As described above, the P mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark. The predetermined threshold for determining the personal information file and the reference value for determining the P mark are set as appropriate from the management server 20 (management console 24). In addition, although the P mark is ranked into four “P1” to “P4” here, the number of ranks is not limited to this. Furthermore, as the above-mentioned predetermined threshold value and reference value, common (identical) values may be set for all user terminals 10, or for each user terminal 10 or for a facility (company) that introduces the present system 1. ) Different ones may be set for each.

  As described above, the P mark (P mark table 10d) added to the determination target file is information for identifying the file (for example, file name) for each file determined to be a personal information file. The data is transmitted to the management server 20 via the transmission / reception unit 12 and the network 40, and stored in the database 20b by the search result collection unit 26 as described above. Then, the management target file (personal information file) to which the P mark is assigned is set as a management target file by the management server 20 (management means 25) according to the rank of the P mark, as will be described later with reference to FIG. It is managed as described later.

[2] Operation of Personal Information Management System of the Present Embodiment Next, the operation of the personal information management system 1 of the present embodiment configured as described above will be described with reference to FIGS.
[2-1] Operation of Management Server FIG. 5 is a flowchart for explaining the operation of the management server 20 of this embodiment. First, according to the flowchart (steps S101 to S129) shown in FIG. The main operation of the management server 20 will be described.

  In the management server 20, it is monitored whether or not the collection timing by the user information collecting means 21 has come (step S101). When the system 1 is started up, when it is detected that the user terminal 10 is connected to the network 40, or when a predetermined collection period has elapsed, it is detected as a collection timing by the user information collection means 21. Then (YES route of step S101), the user information (host information) of each user terminal 10 is collected by the user information collecting means 21, and a program (for example, an exploration program other than the search program, The installation status of the program that causes the user terminal 10 to function as the external storage medium driver 14 and the encryption unit / registration unit 15 is collected by the user information collection unit 21 (step S102). The collected installation status (presence / absence of each program) is registered / saved in the database 20b in association with each user terminal 10.

  When there is a user terminal 10 in which no exploration program is installed (YES route in step S103), one of the user terminals 10 in which no exploration program is installed is selected (step S104), and the user terminal 10 Is collected by the log collection means 22 (access log for the personal information file on the network 40) (step S105).

  When the access log is collected, the access frequency calculation means 23 calculates the access frequency (number of accesses per unit time) for the personal information file of the user terminal 10 based on the log (step S106). Whether the access frequency is equal to or higher than a reference value (for example, 5 times / 24 hours) is determined by the access frequency determination unit 24 (step S107).

  When the access frequency is less than the reference value (NO route in step S108), the user terminal 10 is regarded as having a low possibility of storing personal information in its own terminal, and the search program for the user terminal 10 Without the installation, and the security level is kept low, the process proceeds to step S116.

  On the other hand, if the access frequency is equal to or higher than the reference value (YES route in step S108), it is considered that the user terminal 10 has a high possibility of storing personal information in its own terminal, and the installation means 25 searches for it. A program (a program for causing the user terminal 10 to self-search a file having a predetermined number or more of elements related to personal information) is installed in the user terminal 10 via the transmission / reception means 30 and the network 40 (step S109). ) By transmitting a search execution instruction to the user terminal 10, the user terminal 10 is caused to execute the search program to search for a personal information file in the storage unit 10b of the user terminal 10 (step S110). A detailed search procedure executed by executing the search program on the user terminal 10 will be described later with reference to FIG.

Then, the search result collection means 26 performs the self-search result (specifically, the determination value and the name of the personal information file, the link destination information, etc.) executed on the user terminal 10 via the network 40 and the transmission / reception means 30. P mark etc.) are received and collected (step S111), stored in the database 20b in association with each user terminal 10, and based on the stored search results, the management means 28 manages the personal information file. (Details will be described later with reference to FIG. 7) are executed (step S112).

  Further, the security level is set high for the user terminal 10 by the management means 28 (step S113), and the operation restriction of the user terminal 10 is tightened. In the user terminal 10, the operation restriction means 13 [For example, at least one of prohibition of external access (Internet connection, etc.), prohibition of data writing to the external storage medium 50 (USB memory, etc.), prohibition of email transmission outside the company, and encryption management of email attachments. Is executed in the user terminal 10.

  Furthermore, the search result by each user terminal 10 by the management means 28, the access log collected and recorded by the log collection means 22, and the investigation result collected and recorded by the user information collection means 21 (user terminal 10). On the basis of the presence / absence of a program that causes the external storage medium driver 14 to function, and public information on the access status of each personal information file and public information on the user terminal 10 in which the external storage medium driver 14 is installed. Is created (step S114), and the created public information is displayed on the display unit 20c via the display control unit 29, or is disclosed to all user terminals 10 and managers via the network 40. , All the user terminals 10 and the administrator are notified by e-mail or the like via the network 40. Or (step S115).

  When the processes of steps S104 to S115 described above are executed for all the user terminals 10 in which no exploration program is installed (YES route in step S116), or if the user terminal 10 in which no exploration program is installed is If there is not (NO route of step S103), the presence / absence of the user terminal 10 having the installed exploration program is determined (step S117).

  When there is an installed user terminal 10 (YES route in step S117), one of the installed user terminals 10 is selected (step S118), and an access log (on the network 40) for the user terminal 10 is selected. The access log for the personal information file) is collected by the log collecting means 22 (step S119).

  When the access log is collected, the access frequency calculation means 23 calculates the access frequency (the number of accesses per unit time) for the personal information file of the user terminal 10 based on the log (step S120). Whether the access frequency is equal to or higher than a reference value (for example, 5 times / 24 hours) is determined by the access frequency determination unit 24 (step S121).

  When the access frequency is less than the reference value (NO route in step S122), the user terminal 10 is regarded as having a low possibility of storing personal information in its own terminal, and the user is managed by the management means 28. After the security level is set low for the terminal 10 (step S123) and the operation restriction of the user terminal 10 is released or relaxed, the process proceeds to step S129.

On the other hand, if the access frequency is equal to or higher than the reference value (YES route in step S122), the user terminal 10 is considered to have a high possibility of storing personal information in the own terminal, and the management means 28 The security level is set high for the user terminal 10 (step S124), and the operation restriction of the user terminal 10 is tightened. In the user terminal 10, the operation restriction [for example, external access prohibition (Internet Connection)
The user terminal 10 executes at least one of prohibition of data writing to the external storage medium 50 (USB memory or the like), prohibition of mail transmission outside the company, and encryption management of the attached file of the mail.

  Thereafter, a search execution instruction is transmitted to the user terminal 10 to cause the user terminal 10 to execute the search program, and the personal information file in the storage unit 10b of the user terminal 10 is referred to with reference to FIG. The self-search result (specifically the file name and link destination information of the personal information file) executed by the user terminal 10 by the search result collecting means 26 via the network 40 and the transmission / reception means 30 is searched by the procedure described later. In addition to the above, a determination value, a P mark, etc.) are received and collected (step S125). The collected self-search results are stored in the database 20b in association with each user terminal 10, and based on the stored search results, the management means 28 manages the personal information file (see FIG. 7 for details). The process described below is executed with reference to (step S126).

  Further, as in steps S114 and S115, the management means 28 collects and records the search results by each user terminal 10, the access logs collected and recorded by the log collection means 22, and the user information collection means 21. Based on the survey results (information regarding the presence or absence of a program that causes the user terminal 10 to function as the external storage medium driver 14), the public information regarding the access status to each personal information file and the external storage medium driver 14 are installed. Public information regarding the user terminal 10 is created (step S127), and the created public information is displayed on the display unit 20c via the display control unit 29, or all user terminals 10 and management via the network 40 are managed. Publicly, or all via e-mail via network 40 Or it is notified to the user terminal 10 and the administrator (step S128).

  When the processing of steps S118 to S128 described above is executed for all user terminals 10 on which the exploration program has been installed (YES route of step S129), or when no user terminal 10 has been installed (step S117) NO route), the process returns to step S101.

[2-2] Operation of User Terminal In this system 1, a search program is installed in the user terminal 10 by the management server 20 (installing means 25), and the user terminal 10 receives a search execution instruction from the management server 20. Then, the function as the search means 11 is activated, and the search means 11 specifies and searches the personal information file from the data in the storage unit 10b.

  Then, for each personal information file searched by the search means 11, the determination result (determination value / system value) and the P mark together with information for specifying the file (for example, the file name) and the transmission / reception means 12 and the network 40 is transmitted to the management server 20 as a search result.

  Further, when the user terminal 10 detects an access to the personal information file searched by the searching unit 11, the access content is recorded and stored in the storage unit 10b as an access log for each file. At this time, the personal information file to be detected for access may include not only those stored in the storage unit 10b of the terminal itself but also those stored in other terminals / servers. The log collection means 22 of the management server 20 may collect access logs for personal information files on the network 40. The access log recorded / accumulated in the storage unit 10 b is transmitted / notified to the management server 20 through the transmission / reception unit 12 and the network 40, and is collected by the log collection unit 22.

  Further, the user terminal 10 receives the security level set by the management unit 28 of the management server 20 from the management server 20, and the operation restriction unit 13 performs operation restriction according to the security level. If it is set high, for example, external access is prohibited (Internet connection, etc.), data writing to the external storage medium 50 (USB memory, etc.) is prohibited, mail transmission outside the company is prohibited, and mail attachments are encrypted. In the case where at least one of computer management (placed under management by the function of the management server 20 as a file access management server described later) is executed in the user terminal 10 while the security level is set low. Is released or relaxed.

  When the function as the encryption unit 15 is set in the user terminal 10, the file attached to the mail or written to the external storage medium 40 and sent to the outside is stored as the encryption unit 15. The PDF file is converted into a PDF file having a container function by the function, the original file of the file is stored in the PDF file using the container function, and then the PDF file is stored in a predetermined file managed by the file access management server 20. It is encrypted with the encryption key and an encrypted file is created. At this time, for the user who accesses the encrypted file, the access authority (for example, viewing authority) for the encrypted file is automatically set from the encryption unit 15 to the file access management server 20.

  In addition, when the function as the registration unit 15 is set in the user terminal 10, the file attached to the mail or written to the external storage medium 40 and sent to the outside depends on the function as the registration unit 15. The management server 20 is registered in the server 20 so as to be managed under the function of the file access management server. At the time of registration, the file is transmitted from the registration unit 15 to the server 20 via the transmission / reception unit 12 and the network 40, and an encrypted file created by the procedure described later with reference to FIG. Is received from the server 20.

[2-3] Operation of exploration means In the exploration means 11 of this embodiment, the appearance frequency of a telephone number, an e-mail address, an address, and a name is digitized as follows, and a personal information file is determined (specific / exploration). ). At that time, when the character section cut out by the cutting means 112 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot be seen in the personal information in advance in the character section cut out by the cutting means 112, it is excluded because it is regarded as not corresponding to the personal information element (name in this embodiment). If the specified inappropriate character / inappropriate character string is not included, the character section is regarded as corresponding to the personal information element constituting the personal information, that is, the personal information element appears. , Count up the number of appearances.

The procedure of the personal information file search operation executed by the search unit 11 (search program) described above in the user terminal 10 of the present embodiment will be described with reference to the flowchart (steps S131 to S1147) shown in FIG.
First, a file that is not yet a determination target is selected and read as a determination target file from all data of the user terminal 10 (step S131), and extraction means (text extraction) is selected from the determination target file. Text data is extracted by the engine 111 (step S132).

In this way, from the text captured in the file buffer, the character section is cut out by the cutout unit 112 at the predetermined break position described above, and is passed through the data shaping buffer as a determination target / collation target. The data is sequentially written to the data analysis buffer (step S133). When cutting out a character section, as described above, the cutting means 112 removes unnecessary characters other than alphanumeric characters, katakana, hiragana, and kanji characters, for example, half-width spaces, full-width spaces, half-width hyphens, full-width hyphens. , Underbar, parenthesis,! , #, $,%, =, +, *,? Symbol characters such as, \, /, and | are removed.

  Whether or not the character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting means 112 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination means 113a, the e-mail address determination means 113b, and the address determination means 113c (steps S134, S136, S138).

  First, the telephone number determination unit 113a determines whether or not the character string corresponds to a telephone number (step S134). At this time, if the character string satisfies the telephone number determination condition set in the quarantine table 10c, that is, the character string is a sequence of 9 to 11 half-width numbers or full-width numbers, and the first character If the (first character) is “0” and the second character is other than “0”, it is determined that the character string corresponds to the telephone number (YES route of step S134), and that is the second determination means 116. In the second determination means 116, the count value corresponding to the number of appearances of the telephone number is incremented by 1 (step S135), and the process proceeds to step S143.

If it is determined that the character string does not correspond to a telephone number (NO route in step S134), the e-mail address determination unit 113b determines whether the character string corresponds to a telephone mail address (step S136). ). At that time, if the character string satisfies the e-mail address determination condition set in the quarantine table 10a, that is, “one or more ASCII” + “@ (at sign)” + “one or more characters in the character string” ASCII
”+“. (Dot) ”+“ ASCII character of one or more characters ”is included, and if the last character of the character string is a half-width alphabetic character, the character string is added to the e-mail address. It is determined to be applicable (YES route of step S136), and the fact is notified to the second determination means 116. In this second determination means 116, the count value corresponding to the number of appearances of the e-mail address is incremented by 1. (Step S137), the process proceeds to Step S143.

  When it is determined that the character string does not correspond to an e-mail address (NO route of step S136), the address determination unit 113c determines whether the character string corresponds to an address (location) (step S138). ). At that time, if the character string satisfies the address determination condition set in the quarantine table 10a, that is, “1 to 13 double-byte characters” + “city” or “ku” or “ A character string “county” + “one or more full-width characters or half-width characters” is included, and the first character of the character string is the same as the initial name of 47 prefectures or city names in Japan. If so, it is determined that the character string corresponds to an address (YES route in step S138), and that is notified to the second determination means 116. In the second determination means 116, the address (location) The count value corresponding to the number of appearances is incremented by 1 (step S139), and the process proceeds to step S143.

When it is determined that the character string does not correspond to an address (NO route in step S138), that is, the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. If the character string is determined by the character determination unit 114, the character string is set to the character determination condition (the number of characters is 2 or more and 6 or less, all characters are kanji characters, and the first character of the character string is set in the quarantine table 10a). It is determined whether or not the first letter of the last name belonging to the uppermost predetermined number of surnames in Japanese is satisfied (step S140). When this character determination condition is not satisfied (NO route in step S140), the process proceeds to step S143.

  On the other hand, if this character determination condition is satisfied (YES route in step S140), the collation means 115 determines whether the character / character string included in the character section (the character string) and the name set in the quarantine table 10a are incorrect. The appropriate character / unsuitable character string is collated, and it is determined whether or not the character section includes the inappropriate character / unsuitable character string (step S141). If there is at least one character / character string that matches the inappropriate character / inappropriate character string in the character section (YES route in step S141), the character / inappropriate character string at that point The collation process is immediately terminated, and the process proceeds to step S143.

  If the character section does not contain inappropriate characters / unsuitable character strings (NO route of step S141), the collation determination result is notified to the second determination means 116, and in the second determination means 116, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S142), and the process proceeds to step S143.

  In step S143, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character section (YES route), the process returns to step S133, and the same processing as described above (steps S133 to S133). S142) is repeatedly executed. In this way, when all character sections are cut out from the text data and the determination processing, collation processing, counting processing, etc. for all character sections are completed (NO route of step S143), the second determination means 116 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S144).

  Then, in the second determination means 116, as described above, it is determined whether or not the determination target child file is a personal information file based on the determination value calculated in step S144, and the rank of the P mark is determined. Appending (four in the present embodiment, “P1” to “P4”) is performed (step S145).

  Thereafter, it is determined whether or not the personal information has been searched for all the files in the user terminal 10 (step S146). If an unsearched electronic file still exists (NO route of step S146), the process proceeds to step S131. Returning, the same processing as described above is executed, but when the search is completed for all the files (YES route of step S146), the determination result of the personal information file and the ranking result of the P mark in step S145 are the search results. Is notified to the management server 20 via the transmission / reception means 12 and the network 40 (step S147), and the search operation for the personal information file is terminated.

[2-4] Specific Example of Public Information Here, a specific example of the public information created in steps S114 / S127 and released in steps S115 / S128 will be described with reference to FIGS. 10 to 17 are diagrams showing specific examples of public information (screens and lists displayed on the display of the user terminal 10 and the management server 20) created and released by the management unit 28.

FIG. 10 shows a screen 101 for displaying the number of personal information files and the number of personal information held on a display as a bar graph on the display, and “number of cases” (here, “1000 to 100,000” in this example). A list 102 drilled down and displayed on the display, a screen (bar graph display for each department) 103 drilled down from the screen 101 with “Month” and displayed on the display, and a “department name” from this screen 103 A list 104 that is drilled down (here “Sales Department”) and displayed on the display is shown. In the lists 102 and 104, for each personal information file, the file name, the number of personal information included in the personal information file (for example, the number of personal information elements), and the possession of the user terminal 10 that owns the personal information file. The user name, the PC name of the user terminal 10, and the department name and job to which the user terminal 10 belongs are displayed.

  FIG. 11 shows a screen 105 that displays the number of accesses (personal information access records) to the personal information file aggregated for each department / access type on the display as a bar graph, and from this screen 105, “Department name” and “Access Lists 106 and 107 drilled down by “type” and displayed on the display are shown. The list 106 is drilled down for “sales department” and “file save”, and the list 107 is drilled down for “sales department” and “USB”. In these lists 106 and 107, For each owner name of the accessing user terminal 10, the PC name of the user terminal 10, the access date and time, the file name of the accessed personal information file, the document path / document operation / printer name / FTP server / FTP command and the like are displayed. In the figure, the access type “FTP” is upload / download to / from the FTP server, “USB” is access to the external storage medium (USB memory), “change” is rename, and “save” is file overwriting save. That is. With such lists 106 and 107, it is possible to record and grasp access to personal information files that may lead to personal information leakage.

  FIG. 12 shows a simplified example of the screen 105 shown in FIG. 11. In FIG. 12, the number of accesses to the personal information file (personal information access records) aggregated for each department is displayed on a display as a bar graph. A screen 108 to be displayed and a list 109 that is drilled down from this screen 108 with a “department name” (here “sales department”) and displayed on the display are shown. In the list 109, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the access date and time, the file name of the accessed personal information file, the document path, and the operation The contents are displayed. With such a list 109, it is possible to grasp user operations that may cause personal information leakage.

  FIG. 13 shows a screen 110 for displaying on a display the number of target PCs that have a personal information file and installed a large-capacity storage device (external storage medium driver 14) as a bar graph. A list 111 that is drilled down from the screen 110 with “Department name” (here “Sales Department”) and displayed on the display is shown. In the list 111, for each owner name of the accessing user terminal 10, the PC name of the user terminal 10, the file name of the personal information file held by the user terminal 10, the document path, and the operation content are displayed. Is displayed. With such a list 111, it is possible to grasp user operations that may leak personal information.

  FIG. 14 shows a screen 112 for displaying the number of times of writing personal information files to an external medium (external storage medium 40), which is aggregated for each department, on the display as a bar graph. A list 113 that is drilled down by "Sales Department") and displayed on the display is shown. In the list 113, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the date and time of writing, the file name of the personal information file to be written, the document path, and Operation details are displayed. With such a list 113, it is possible to grasp user operations that may cause personal information leakage.

FIG. 15 shows a screen 114 that displays the number of FTP transfers of the personal information file that is aggregated for each department as a bar graph on the display, and is drilled down from this screen 114 with “Department name” (here “Sales Department”). A list 115 displayed on the display is shown. In the list 115, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the FTP transfer date and time, the file name of the personal information file to be transferred, the FTP server Name and FTP command are displayed. Such a list 115 makes it possible to grasp user operations that may cause personal information leakage.

  FIG. 16 shows a screen 116 for displaying the number of renames of the personal information file as a bar graph on the display totaled for each department, and drilled down from this screen 116 with “Department name” (here “Sales Department”). A list 117 displayed on the display is shown. In the list 117, for each owner name of the user terminal 10 in the selected department, the PC name of the user terminal 10, the renaming date and time, the file name and document path of the personal information file to be renamed, Is displayed. With such a list 117, it is possible to grasp user operations that may leak personal information.

  FIG. 17 shows a screen 118 for displaying the number of accesses counted for each prohibited browsing site as a bar graph on the display, and drilling down from this screen 118 with “site name” (here “file service”) to display on the display. A list 119 to be played is shown. In the list 119, for each owner name of the user terminal 10 that has accessed the selected site, the PC name of the user terminal 10 and the access time are displayed. With such a list 119, access to a browsing-prohibited site can be monitored.

[2-5] Management Operation of Management Server Based on P Mark Next, the management operation of the personal information management server 20 (management unit 28) based on the P mark obtained as a search result by the search unit 11 is shown in FIG. The description will be made according to the flowchart (steps S20 to S29).

  The management means 28 refers to the determination result (P mark table) of the personal information file obtained from the user terminal 10 and determines the presence or absence of the personal information file (file to which the P mark is assigned) (step S20). If a personal information file exists (YES route of step S21), the management means 28 performs the following management / operation on each personal information file according to the search result of the personal information file [here, the P mark level (rank)]. (Steps S21 to S29).

  First, it is determined whether or not there is a personal information file of P mark level “P1” (step S21). If there is a personal information file of P mark level “P1” (YES route of step S21), the personal information file is monitored for access. It is set and registered as a target (access log recording target) (step S22).

  When there is no personal information file of P mark level “P1” (NO route of step S21), or after registration in step S22, it is determined whether or not there is a personal information file of P mark level “P2” (step S23). If there is a personal information file of the P mark level “P2” (YES route in step S23), the personal information file is set and registered as an access monitoring target, and the user of the personal information file is cautioned Attention information by pop-up display is notified (step S24).

When there is no personal information file of P mark level “P2” (NO route of step S23), or after the notice information is notified in step S24, it is determined whether or not there is a personal information file of P mark level “P3” (step S25). ), If there is a personal information file of P mark level “P3” (YES route of step S25), the personal information file is set and registered as an access monitoring target, and the user who stores the personal information file is The fact that it exists is notified to the system administrator by e-mail or the like as warning information, and the user is instructed to return the personal information file (step S26).

  If there is no personal information file of P mark level “P3” (NO route of step S25), or after issuing alarm information notification and return instruction in step S26, whether there is a personal information file of P mark level “P4”. If there is a personal information file of P mark level “P4” (YES route of step S27), the personal information file is forcibly captured and collected from the client terminal 10 (step S28). The personal information file is placed under the management of the file access management server 20, and the file access management server 20 manages the access to the personal information file (step S29). When there is no personal information file of the P mark level “P4” (NO route in step S27), or after the processing in step S29 is completed, the management operation is terminated.

  As described above, with respect to the personal information file of the P mark level “P4”, the personal information file is forcibly prohibited from being output from the user terminal 10 to the outside, or the personal information file is only for the administrator. May be stored in an accessible folder. Further, when a personal information file having a P mark level “P3” is left for a predetermined number of days, the same processing as that for a personal information file having a P mark level “P4” may be executed. Furthermore, all of the personal information files of the P mark levels “P1” to “P4” may be placed under the management of the file access management server 20.

[2-6] Operation of File Access Management Server Next, the operation of the file access management server 20 will be described with reference to FIGS.
First, the file conversion operation by the file access management server 20 of this embodiment will be described with reference to the flowchart shown in FIG. 8 (steps S31 to S34).

  In the file access management server 20, when a file to be managed is received by the personal information file receiving means 30a from each user terminal 10 via the network 40 so as to be registered as a management target by the file access management server 20 (step S31). The YES route) is converted into a PDF file by the encryption means 31 (step S32), and further, encryption processing (keying processing) is performed using a predetermined encryption key (step S33). Then, the encrypted file is transmitted to the user terminal 10 via the network 30 by the encrypted file transmitting means 27b (step S34).

Next, an authentication operation performed by the file access management server 20 according to the present embodiment will be described with reference to a flowchart (steps S41 to S45) illustrated in FIG.
When the user of the user terminal 10 tries to view the contents of the encrypted file, authentication information is input by the user and transmitted to the file access management server 20. When the authentication information is received by the authentication information receiving means 30c via the network 40 (YES route in step S41), the determination means 32 searches the database 20b with the user ID included in the authentication information, and the user ID Is read from the database 20b, the password included in the authentication information is compared with the registered password read from the database 20b, and a determination is made as to whether these passwords match (user authentication; step S42) is performed.

If these passwords match and it is authenticated that the user of the user terminal 10 is a legitimate registrant (legitimate transmission destination) (YES route in step S43), the decryption key transmission means 30d performs encryption. A decryption key for decrypting the file is read from the database 20b and transmitted to the user terminal 10 via the network 40 (step S44).

  Then, when the decryption key is received at the user terminal 10, the encrypted file is decrypted using the decryption key, the original file is restored, and the file is subjected to access authority given in advance. Access is performed. For example, when only the viewing authority is given as the access authority as described above, the user can browse the contents of the restored file, but access other than browsing, for example, print output by a printer or other Access to the recording medium, copy of the screen (screen capture), and saving as another name cannot be performed at all.

  On the other hand, if the determination unit 32 of the file access management server 20 determines that the passwords do not match, or if the registered password corresponding to the user ID is not registered in the database 20b, the user is valid. It is determined that the user is not a registrant (authorized transmission destination) (NO route in step S43), and an error notification is sent from the file access management server 20 to the user terminal 10 via the network 40 (step S45).

[3] Effects of the personal information management system of the present embodiment As described above, according to the management system 1 and the management server 20 as an embodiment of the present invention, the user terminal 10 included in the management range of the management server 20 and A personal information file (a file having a predetermined number or more of personal information elements) is managed by the management server 20, and the user terminal 10 whose access frequency to the personal information file managed by the management server 20 is equal to or higher than a reference value. When recognized, the user terminal 10 is regarded as having a high possibility of having a personal information file, and the search program is automatically and forcibly installed in the user terminal 10. At this time, it is considered that the user terminal 10 whose access frequency to the personal information file is less than the reference value is unlikely to store the protection target information in its own terminal, and the installation of the exploration program for the user terminal 10 is Don't do it.

  Then, the personal information file is self-explored by the user terminal 10 installed with the exploration program being automatically and forcibly executed, and the self-exploration result is collected in the management server 20. In other words, in the user terminal 10 that has a high possibility of accessing the personal information file and storing the protection target information in the own terminal, the personal information file is forcibly searched, and such a file is stored in the management server 20. The user terminal 10 can be managed based on the self-search result and the access frequency to the personal information file.

  As a result, for the user terminal 10 that is likely to have a personal information file, the search program is automatically and forcibly installed, and the personal information file is self-searched. Is immediately put under the management of the management server 20, and it is possible to reliably prevent inadvertent leakage / leakage or unauthorized use of personal information. Further, since it is not necessary to install a search program or perform a self-search for the user terminal 10 that is unlikely to have a personal information file, the personal information file is reliably searched by an efficient process. This has the advantage that personal information can be prevented from being accidentally leaked or leaked or illegally used.

At this time, by setting the security level for the user terminal 10 according to the frequency of access to the personal information file, the user terminal 10 that is likely to have the personal information file, that is, the personal information file For user terminals 10 that are likely to cause inadvertent leakage / leakage or unauthorized use, the security level is set high to restrict operation (external access prohibited, data writing to external storage medium 50 prohibited, outside the company The user terminal 10 having a low possibility is set to a low security level and the operation restriction is released or relaxed. This provides an environment in which the terminal 10 can be used efficiently when the possibility is low, so that the user voluntarily shifts his terminal 10 to the low possibility state. As a result, inadvertent leakage / leakage or unauthorized use of personal information can be prevented more reliably.

  Further, by disclosing the access status according to the access frequency with respect to the personal information file, the user terminal 10 that is likely to have the personal information file, that is, the personal information file is inadvertently leaked or leaked. As for the user terminal 10 that is likely to cause unauthorized use or the like, as shown in FIGS. 10 to 17, for example, the access status to the personal information file (for example, the file name, PC name, ownership of the personal information file) (Name of person, counting result of the number of personal information files, counting result of the number of accesses to the personal information file, etc.) are disclosed. This provides an environment in which users do not voluntarily access personal information files, and an environment in which unauthorized access is likely to be detected and it is difficult to perform fraudulent activities. Inadvertent information leakage / leakage and unauthorized use can be prevented more reliably.

  Information about the user terminal 10 in which the external storage medium driver 14 is installed (for example, the PC name of the user terminal, the owner name of the user terminal, the file name of the personal information file, the name of the personal information file) (Such as the number of times of writing) is released, so that the user will not voluntarily install the external storage medium driver 14, or even if it is installed, the personal information file is written using the driver 14. An environment in which personal information is no longer used is provided, and it is possible to more reliably prevent inadvertent leakage / leakage or unauthorized use of personal information.

  At this time, as in this embodiment, when a personal information file having a predetermined number or more of personal information elements that can identify a specific individual is set as a management target file, the second determination unit of the exploration unit 11 of this embodiment In 116, the character section that does not correspond to any of the telephone number, the e-mail address, and the address and includes the inappropriate character / inappropriate character string is considered not to be related to the personal information, while the telephone number, the e-mail address. A character section that does not correspond to any of the addresses and does not include inappropriate characters / unsuitable character strings is considered to be related to the name.

  Therefore, for the character section determined to correspond to any one of the telephone number, the e-mail address, and the address by the first determination means 113, the determination process is terminated when the determination is made, and the telephone number, the e-mail Only a character section determined not to correspond to either an address or an address is subjected to a matching process with an inappropriate character / unsuitable character string, and the matching unit 115 also includes one inappropriate character / unsuitable character string. However, when it is determined that it is included in the character section, the matching process can be terminated, so the name matching process is faster than the method of matching with all name strings included in the name list. It is possible to perform the determination, that is, the personal information file determination process at high speed.

At this time, in the first determination unit 113, the determination process is performed at a higher speed by performing the determination process of the character string in the character section in order from the lighter determination process load, that is, in the order of the telephone number, the e-mail address, and the address. Can be executed efficiently.
In addition, since the second determination unit 116 regards all character sections that do not include inappropriate characters / unsuitable character strings as corresponding to names, electronic files that do not include inappropriate characters / unsuitable character strings for names, It is possible to reliably determine an electronic file that is highly likely to contain name information and is likely to be a personal information file. That is, it is possible to reliably identify an electronic file (suspicious electronic file) that is highly likely to be a personal information file.

  Furthermore, in this embodiment, the character determination means 114 determines whether the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji characters, and the characters satisfying this character determination condition. Since only the section is a collation target by the collation means 115, the character section to be collated by the collation means 115 is narrowed down to a character section having a higher possibility of a name, and the collation accuracy of the name can be improved. At the same time, name verification processing can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the collation target by the collating means 115, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file determining process. Become.

  In particular, according to the exploration means 11 of the present embodiment, even when elements in the text data are not separated by clear delimiters when the cutout means 112 cuts out text data as a determination target character section. Boundary position between 1-byte code character and 2-byte code character, that is, boundary position between a half-width character and a full-width character (a portion where a half-width character is followed by a full-width character or a half-width character followed by a half-width character), or a full-width character The text data is divided and cut out as a character section at the boundary position between the arithmetic number and the character excluding the full-width arithmetic number and the hyphen.

  This makes it possible to mix addresses and names written in double-byte characters and strings such as phone numbers and e-mail addresses written in single-byte characters without being separated by delimiters in text data. Address, name, phone number, and e-mail address even if the address, name, etc. written in and the numeric string such as a phone number written in full-width characters are mixed in the text data without being separated by a delimiter A character section can be cut out for each personal information element. Therefore, it becomes possible to reliably determine personal information elements such as an address, name, telephone number, and e-mail address, and it is possible to efficiently and reliably determine a personal information file in a short time.

Further, as an e-mail address determination condition by the e-mail address determination means 113b, the character string in the character section to be determined includes “one or more ASCII characters” + “@ (at mark)” + “one or more ASCII characters” + “ . (Dot) "+" AS of one or more characters
“@ (At sign)” is used to display the unit price and unit by setting that the character string “CII character” is included and the last character of the character string is a half-width alphabetic character. A string of numbers that is “@ (at sign)” followed by “one or more half-width numbers” + “. (Dot)” + “one or more half-width numbers” (for example, “123@45.67 ") Can be reliably prevented from being erroneously determined as an e-mail address. Accordingly, it is possible to reliably determine the personal information element such as an e-mail address, and it is possible to efficiently and reliably determine the personal information file in a short time.

In the electronic mail address, the character string after the last “. (Dot)” after “@” is always an alphabetic character string such as “com”, “net”, and “jp” at present. In general, “@” is often used to display a unit price or a unit. For example, one of an article
When displaying the price and weight per piece, “@” may be used, such as “@ 100.00” or “@ 10.55”. For this reason, the e-mail address determination condition is simply that “one or more ASCII characters” + “@ (at mark)” + “one or more ASCII characters” + “. (Dot)” in the character string in the character section to be determined. + If a character string that is “one or more ASCII characters” is included, the above character strings containing “@ 100.00” or “@ 10.55” may be mistakenly recognized as e-mail addresses. However, by adding that the last character of the character string is a single-byte alphabetic character to the e-mail address judgment condition, the character string including the numeric character strings “@ 100.00” and “@ 10.55” as described above It is possible to reliably prevent erroneous recognition as an e-mail address.

  Further, as an address determination condition by the address determination means 113c, “one or more full-width characters” + “city” or “ku” or “county” + “one or more full-width characters or half-width characters is added to the character string in the character section to be determined. ”And the first character of the character section to be judged and the initials of the 47 prefectures or city names. , When a character string that includes "county" in the middle but is not related to the address at all is mistakenly determined as an address, and when 47 prefecture names or city names are determined to match completely Compared with an extremely short time, it is possible to efficiently and reliably determine a character section with high accuracy as an address.

  Furthermore, the first character of the character string to be determined matches the initial character of the last name belonging to the upper predetermined number (for example, the top 3000 types) common to Japanese in the character determination condition (name determination condition) by the character determination unit 114. By adding this, it is possible to efficiently and surely determine a character section with high accuracy as a name in a very short time compared with the case of determining perfect match of the last name.

  Then, the management unit 28 of the management server 20 manages the electronic file determined to be a personal information file in accordance with the counting result (determination value level) obtained by the second determination unit 116, thereby For each information file, it is possible to select and execute a management method according to the determination value level (high possibility of being a personal information file / the number of personal information elements).

  On the other hand, by converting a file sent to the outside from the user terminal 10 into an encrypted file in the user terminal 10 or the file access management server 20, the file to be externally sent is converted into an encrypted file. So that the file can be prevented from being taken out from each terminal 10 in a state where everyone can refer to it, and personal information and confidential information can be prevented from being inadvertently leaked or leaked or illegally used. Can be prevented.

  At this time, if the authorized user of the encrypted file is authenticated by the file access management server 20 as being authorized, the encrypted file is decrypted with the decryption key received from the file access management server 20. The content of the encrypted file can be accessed, but other users cannot decrypt the encrypted file and cannot access the content. In other words, the file is sent to the outside after being converted into an encrypted file that can be accessed only by legitimate users. As described above, inadvertent leakage / leakage of personal information or confidential information, unauthorized use, etc. Access to a legitimate user is possible while ensuring prevention, so the convenience of the legitimate user is not impaired.

  At this time, since the original of the file is stored and encrypted in the complete document file, the original of the file remains as it is, that is, in a state where everyone can refer to the user terminal 10. Therefore, it is possible to more reliably prevent inadvertent leakage / leakage and unauthorized use of personal information and confidential information.

[4] Modifications of the Embodiments The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.
For example, in the above-described embodiment, the case where the management target file is a personal information file has been described. However, the present invention is not limited to this, and a confidential information file including confidential information other than personal information is managed. It may be a file. In this case, the predetermined condition for determining the confidential information file is that a predetermined number or more of records (sensitive information elements) including the confidential information are held, and the confidential information element includes, for example, a new product before the announcement, It is a character string used in technology and management strategy before patent application. Note that such a confidential information file can also be searched by the searching means 11 in the same manner as the personal information file, and the same effect as the above-described embodiment can be obtained.

[5] Others The above-described search means 11, operation restriction means 13, user information collection means 21, log collection means 22, access frequency calculation means 23, access frequency determination means 24, installation means 25, search result collection means 26 and management The functions (all or a part of the functions of each unit) are realized by a computer (including a CPU, an information processing device, and various terminals) executing a predetermined application program (an exploration program, a management program). The

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the management program from the recording medium, transfers it to the internal storage device or the external storage device, stores it, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the management program is stored in the computer as described above in the search means 11, the operation restriction means 13, the user information collection means 21, the log collection means 22, the access frequency calculation means 23, the access frequency determination means 24, and the installation. The program code for realizing the functions as the means 25, the search result collecting means 26 and the management means 28 is included. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

[6] Appendix (Appendix 1)
A management server that is connected to a user terminal via a network so as to be communicable with each other and manages the user terminal, and manages a file having a predetermined number of elements related to protection target information as a management target file. And
Log collection means for collecting a log of access to the management target file by the user terminal;
Based on the log collected by the log collecting means, the access frequency calculating means calculates the access frequency of the user terminal to the management target file;
Access frequency determining means for determining whether or not the access frequency calculated by the access frequency calculating means is greater than or equal to a reference value;
When it is determined by the access frequency determining means that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, a file having a predetermined number of elements related to the protection target information is stored in the user Installation means for installing a search program to be self-searched by the terminal on the user terminal via the network;
Exploration result collection means for collecting the self-exploration results executed at the user terminal via the network;
And a management means for managing the user terminal based on the access frequency calculated by the access frequency calculation means and the self-search results collected by the search result collection means. Management server.

(Appendix 2)
The management server according to appendix 1, wherein the management means treats the file searched at the user terminal as the management target file based on the self-search result collected by the search result collection means. .

(Appendix 3)
The management means sets a security level in the user terminal for preventing outflow of a management target file from the user terminal according to the access frequency calculated by the access frequency calculation means, The management server according to appendix 1 or appendix 2, wherein the user terminal is caused to perform operation restriction according to a security level.

(Appendix 4)
The management means sets a high security level for the user terminal for which the access frequency for the management target file is determined to be equal to or higher than a reference value by the access frequency determination means, and strictly restricts the operation of the user terminal. On the other hand, for the user terminal for which the access frequency is determined to be less than the reference value by the access frequency determination means, the security level is set low to cancel or relax the operation restriction of the user terminal. The management server according to appendix 3, which is characterized.

(Appendix 5)
As the operation restriction of the user terminal, the management means includes at least one of prohibition of external access, prohibition of data writing to an external storage medium, prohibition of mail transmission outside the company, and encryption management of attached files. The management server according to Supplementary Note 3 or Supplementary Note 4, wherein the management server is executed by a terminal.

(Appendix 6)
The management means creates public information regarding the access status for the management target file according to the access frequency calculated by the access frequency calculation means, and publishes the created public information. The management server according to any one of supplementary notes 1 to 5.

(Appendix 7)
When the access frequency determination unit determines that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, the management unit creates and discloses the public information. The management server according to appendix 6.

(Appendix 8)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. 8. The management server according to appendix 6 or appendix 7, wherein

(Appendix 9)
9. The management server according to any one of appendix 6 to appendix 8, wherein the public information includes a count result of the number of files to be managed in the user terminal.
(Appendix 10)
The management server according to any one of appendix 6 to appendix 9, wherein the public information includes a total result of the number of accesses to the management target file.

(Appendix 11)
The protected information is personal information,
As the exploration means for exploring a file having a predetermined number or more of personal information elements that can identify a specific individual from data in the storage unit of the user terminal, that is, a personal information file, the user The management server according to any one of Supplementary Note 1 to Supplementary Note 10, which causes a terminal to function.

(Appendix 12)
The exploration means is
Extraction means for extracting text data contained in the determination target file;
Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and based on the count result, the second determination means for determining whether the determination target file is a personal information file is provided. The management server according to appendix 11, which is characterized.

(Appendix 13)
As a management server that is connected to a user terminal via a network so as to be able to communicate with each other and manages the user terminal, and that manages a file having a predetermined number of elements related to protection target information as a management target file, A management program that causes a computer to function;
Log collection means for collecting a log of access to the management target file by the user terminal;
Based on the log collected by the log collecting means, the access frequency of the user terminal to the management target file is calculated as an access frequency calculating means,
Access frequency determining means for determining whether or not the access frequency calculated by the access frequency calculating means is greater than or equal to a reference value;
When it is determined by the access frequency determining means that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, a file having a predetermined number of elements related to the protection target information is stored in the user Installation means for installing an exploration program to be self-explored by a terminal on the user terminal via the network;
Exploration result collection means for collecting the self exploration results executed by the user terminal via the network; and
The computer is caused to function as management means for managing the user terminal based on the access frequency calculated by the access frequency calculation means and the self-search results collected by the search result collection means. And management program.

(Appendix 14)
The management means causes the computer to function so as to handle the file searched in the user terminal as the management target file based on the self-search result collected by the search result collection means. The management program according to appendix 13.

(Appendix 15)
The management means sets a security level in the user terminal for preventing outflow of a management target file from the user terminal according to the access frequency calculated by the access frequency calculation means, 15. The management program according to appendix 13 or appendix 14, wherein the computer is caused to function so as to cause the user terminal to perform operation restriction according to a security level.

(Appendix 16)
The management means sets a high security level for the user terminal for which the access frequency for the management target file is determined to be equal to or higher than a reference value by the access frequency determination means, and strictly restricts the operation of the user terminal. On the other hand, for the user terminal whose access frequency is determined to be less than the reference value by the access frequency determining means, the security level is set to be low so that the operation restriction of the user terminal is released or relaxed. The management program according to appendix 15, characterized by causing the computer to function.

(Appendix 17)
As the operation restriction of the user terminal, the management means includes at least one of prohibition of external access, prohibition of data writing to an external storage medium, prohibition of mail transmission outside the company, and encryption management of attached files. The management program according to appendix 15 or appendix 16, wherein the computer is caused to function so as to be executed by a terminal.

(Appendix 18)
The management unit creates public information related to the access status of the management target file according to the access frequency calculated by the access frequency calculation unit, and the computer is configured to publish the created public information. 18. The management program according to any one of appendix 13 to appendix 17, wherein the management program is made to function.

(Appendix 19)
When the access frequency determination unit determines that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, the management unit sets the computer to create and release the public information. The management program according to appendix 18, wherein the management program is made to function.

(Appendix 20)
The public information includes a file name of the management target file, information that can specify the user terminal that has accessed the management target file, and information that can specify the owner of the user terminal. The management program according to appendix 18 or appendix 19, wherein

(Appendix 21)
21. The management program according to any one of appendix 18 to appendix 20, wherein the public information includes a count result of the number of files to be managed in the user terminal.
(Appendix 22)
The management program according to any one of appendix 18 to appendix 21, wherein the public information includes a count result of the number of accesses to the management target file.

(Appendix 23)
The protected information is personal information,
As the exploration means for exploring a file having a predetermined number or more of personal information elements that can identify a specific individual from data in the storage unit of the user terminal, that is, a personal information file, the user The management program according to any one of Supplementary Note 13 to Supplementary Note 22, which causes a terminal to function.

(Appendix 24)
The exploration program
Extraction means for extracting text data contained in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of determined character sections is counted, and the user terminal is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. The management program according to appendix 23, wherein the user terminal is caused to function as the exploration means.

It is a block diagram which shows the structure of the personal information management system (management system) as one Embodiment of this invention. It is a block diagram which shows the function structure of the management server of this embodiment. It is a block diagram which shows the function structure as a file access management server provided in the management server of this embodiment. It is a block diagram which shows the functional structure of the user terminal of this embodiment, and the detailed functional structure of the search means in this user terminal. It is a flowchart for demonstrating operation | movement of the management server of this embodiment. It is a flowchart for demonstrating operation | movement of the search means of this embodiment. It is a flowchart for demonstrating operation | movement of the management server of this embodiment. It is a flowchart for demonstrating operation | movement (authentication operation | movement by the function as a file access management server) of the management server of this embodiment. It is a flowchart for demonstrating operation | movement (file conversion operation | movement by the function as a file access management server) of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment. It is a figure which shows the specific example of the public information created and published by the management means of the management server of this embodiment.

Explanation of symbols

1 Personal information management system (management system)
10 User terminal 10a CPU
10b Storage section 10c Quarantine table 10d P mark table 11 Search means 111 Extraction means 112 Extraction means 113 First determination means 113a Telephone number determination means 113b Email address determination means 113c Address determination means 113c Address determination means 114 Character determination means 115 Collation means 116 Second Determination means 12 Transmission / reception means 13 Operation restriction means 14 External storage medium driver 15 Encryption means / registration means 20 Management server 20a CPU
20b Database 20c Display unit 21 User information collection unit 22 Log collection unit 23 Access frequency calculation unit 24 Access frequency determination unit 25 Installation unit 26 Search result collection unit 27 Management console 28 Management unit 29 Display control unit 30 Transmission / reception unit 30a File reception unit 30b Encrypted file transmission means 30c Authentication information reception means 30d Decryption key transmission means 31 Encryption means 32 Determination means 40 Network (in-house LAN)
50 External storage media (USB memory, etc.)
101, 103, 105, 108, 110, 112, 114, 116, 118 screen (public information)
102, 104, 106, 107, 109, 111, 113, 115, 117, 119
List (public information)

Claims (14)

A management server that is connected to a user terminal via a network so as to be communicable with each other and manages the user terminal, and manages a file having a predetermined number of elements related to protection target information as a management target file. And
Log collection means for collecting a log of access to the management target file by the user terminal;
An access frequency calculating unit that calculates an access frequency of the user terminal to the management target file based on the log collected by the log collecting unit;
Access frequency determining means for determining whether or not the access frequency calculated by the access frequency calculating means is greater than or equal to a reference value;
When it is determined by the access frequency determining means that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, a file having a predetermined number of elements related to the protection target information is stored in the user Installation means for installing a search program to be self-searched by the terminal on the user terminal via the network;
Exploration result collection means for collecting the self-exploration results executed at the user terminal via the network;
And a management means for managing the user terminal based on the access frequency calculated by the access frequency calculation means and the self-search results collected by the search result collection means. Management server.   2. The management according to claim 1, wherein the management means handles the file searched in the user terminal as the management target file based on the self-search result collected by the search result collection means. server.   The management means sets a security level in the user terminal for preventing outflow of a management target file from the user terminal according to the access frequency calculated by the access frequency calculation means, The management server according to claim 1 or 2, wherein the user terminal is caused to execute an operation restriction according to a security level.   The management means sets a high security level for the user terminal for which the access frequency for the management target file is determined to be equal to or higher than a reference value by the access frequency determination means, and strictly restricts the operation of the user terminal. On the other hand, for the user terminal for which the access frequency is determined to be less than the reference value by the access frequency determination means, the security level is set low to cancel or relax the operation restriction of the user terminal. The management server according to claim 3, wherein the management server is characterized.   As the operation restriction of the user terminal, the management means includes at least one of prohibition of external access, prohibition of data writing to an external storage medium, prohibition of mail transmission outside the company, and encryption management of attached files. The management server according to claim 3, wherein the management server is executed by a terminal. The protected information is personal information,
As the exploration means for exploring a file having a predetermined number or more of personal information elements that can identify a specific individual from data in the storage unit of the user terminal, that is, a personal information file, the user The management server according to any one of claims 1 to 5, wherein a terminal is caused to function. The exploration means is
Extraction means for extracting text data contained in the determination target file;
Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and based on the count result, the second determination means for determining whether the determination target file is a personal information file is provided. The management server according to claim 6, wherein the management server is characterized. As a management server that is connected to a user terminal via a network so as to be able to communicate with each other and manages the user terminal, and that manages a file having a predetermined number of elements related to protection target information as a management target file, A management program that causes a computer to function;
Log collection means for collecting a log of access to the management target file by the user terminal;
Access frequency calculating means for calculating the access frequency of the user terminal to the management target file based on the log collected by the log collecting means;
Access frequency determining means for determining whether or not the access frequency calculated by the access frequency calculating means is greater than or equal to a reference value;
When it is determined by the access frequency determining means that the access frequency of the user terminal with respect to the management target file is equal to or higher than a reference value, a file having a predetermined number of elements related to the protection target information is stored in the user Installation means for installing an exploration program to be self-explored by a terminal on the user terminal via the network;
Exploration result collection means for collecting the self exploration results executed by the user terminal via the network; and
The computer is caused to function as management means for managing the user terminal based on the access frequency calculated by the access frequency calculation means and the self-search results collected by the search result collection means. And management program.   The management means causes the computer to function so as to handle the file searched in the user terminal as the management target file based on the self-search result collected by the search result collection means. The management program according to claim 8.   The management means sets a security level in the user terminal for preventing outflow of a management target file from the user terminal according to the access frequency calculated by the access frequency calculation means, The management program according to claim 8 or 9, wherein the computer is caused to function so as to cause the user terminal to execute an operation restriction according to a security level.   The management means sets a high security level for the user terminal for which the access frequency for the management target file is determined to be equal to or higher than a reference value by the access frequency determination means, and strictly restricts the operation of the user terminal. On the other hand, for the user terminal whose access frequency is determined to be less than the reference value by the access frequency determining means, the security level is set to be low so that the operation restriction of the user terminal is released or relaxed. The management program according to claim 10, which causes the computer to function.   As the operation restriction of the user terminal, the management means includes at least one of prohibition of external access, prohibition of data writing to an external storage medium, prohibition of mail transmission outside the company, and encryption management of attached files. The management program according to claim 10 or 11, wherein the computer is caused to function so as to be executed by a terminal. The protected information is personal information,
As the exploration means for exploring a file having a predetermined number or more of personal information elements that can identify a specific individual from data in the storage unit of the user terminal, that is, a personal information file, the user The management program according to any one of claims 8 to 12, which causes a terminal to function. The exploration program
Extraction means for extracting text data contained in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of determined character sections is counted, and the user terminal is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. 14. The management program according to claim 13, wherein the user terminal is caused to function as the exploration means.

Images